update privilege FTR tests to work in serverless

elastic · janmonschke · Jan 20, 2025 · Nov 20, 2024 · Nov 21, 2024 · Nov 21, 2024
commit 776816302b27d825b6d7ade28690164c1012c5f4
@@ -4,7 +4,7 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { Role } from '../../../../config/services/types';
+import { Role } from '../services/types';
 
 /**
  * Roles for privilege tests

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { User } from '../../../../config/services/types';
+import { User } from '../services/types';
 import {
   secAllV1,
   secNoneV1,

@@ -18,20 +18,32 @@ export function SecuritySolutionESSUtils({
   const supertestWithoutAuth = getService('supertest');
   const security = getService('security');
 
+  const createSuperTest = async (role?: string, password: string = 'changeme') => {
+    if (!role) {
+      return supertestWithoutAuth;
+    }
+    const kbnUrl = formatUrl({
+      ...config.get('servers.kibana'),
+      auth: false,
+    });
+
+    return supertest.agent(kbnUrl).auth(role, password);
+  };
+
   return {
     getUsername: (_role?: string) =>
       Promise.resolve(config.get('servers.kibana.username') as string),
     createSearch: (_role?: string) => Promise.resolve(search),
-    createSuperTest: async (role?: string, password: string = 'changeme') => {
-      if (!role) {
-        return supertestWithoutAuth;
-      }
-      const kbnUrl = formatUrl({
-        ...config.get('servers.kibana'),
-        auth: false,
-      });
 
-      return supertest.agent(kbnUrl).auth(role, password);
+    createSuperTest,
+
+    createSuperTestWithUser: (user: User) => {
+      return createSuperTest(user.username, user.password);
+    },
+
+    cleanUpCustomRole: () => {
+      // In ESS this is a no-op
+      return Promise.resolve();
     },
 
     async createUser(user: User): Promise<void> {

@@ -12,7 +12,8 @@ import { RoleCredentials } from '@kbn/test-suites-serverless/shared/services';
 import type { SendOptions } from '@kbn/ftr-common-functional-services';
 import type { SendOptions as SecureSearchSendOptions } from '@kbn/test-suites-serverless/shared/services/search_secure';
 import type { FtrProviderContext } from '../../ftr_provider_context';
-import type { SecuritySolutionUtilsInterface } from './types';
+import type { SecuritySolutionUtilsInterface, User } from './types';
+import { roles } from '../privileges/roles';
 
 export function SecuritySolutionServerlessUtils({
   getService,
@@ -23,6 +24,7 @@ export function SecuritySolutionServerlessUtils({
   const config = getService('config');
   const log = getService('log');
   const SecureSearch = getService('secureSearch');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
 
   const rolesCredentials = new Map<string, RoleCredentials>();
   const commonRequestHeader = svlCommonApi.getCommonRequestHeader();
@@ -71,6 +73,32 @@ export function SecuritySolutionServerlessUtils({
      */
     createSuperTest,
 
+    createSuperTestWithUser: async (user: User) => {
+      if (user.roles.length > 1) {
+        throw new Error(
+          `This test service only supports authentication for users with a single role. Error for ${
+            user.username
+          } with roles ${user.roles.join(',')}.`
+        );
+      }
+      const userRoleName = user.roles[0];
+      const roleDefinition = roles.find((role) => role.name === userRoleName);
+      if (!roleDefinition) {
+        throw new Error(`Could not find a role definition for ${userRoleName}`);
+      }
+      await svlUserManager.setCustomRole(roleDefinition.privileges);
+      const roleAuthc = await svlUserManager.createM2mApiKeyWithRoleScope('customRole');
+      const superTest = supertest
+        .agent(kbnUrl)
+        .set(svlCommonApi.getInternalRequestHeader())
+        .set(roleAuthc.apiKeyHeader);
+      return superTest;
+    },
+
+    cleanUpCustomRole: async () => {
+      await svlUserManager.deleteCustomRole();
+    },
+
     createSearch: async (role = 'admin') => {
       const apiKeyHeader = rolesCredentials.get(role)?.apiKeyHeader;
 

@@ -18,7 +18,9 @@ export interface SecuritySolutionServerlessSearch extends Omit<SearchSecureServi
 export interface SecuritySolutionUtilsInterface {
   getUsername: (role?: string) => Promise<string>;
   createSuperTest: (role?: string) => Promise<TestAgent<any>>;
+  createSuperTestWithUser: (user: User) => Promise<TestAgent<any>>;
   createSearch: (role?: string) => Promise<SecuritySolutionServerlessSearch>;
+  cleanUpCustomRole: () => Promise<void>;
 }
 
 interface FeaturesPrivileges {
@@ -33,8 +35,8 @@ interface ElasticsearchIndices {
 export interface Role {
   name: string;
   privileges: {
-    elasticsearch?: ElasticSearchPrivilege;
-    kibana?: KibanaPrivilege[];
+    elasticsearch: ElasticSearchPrivilege;
+    kibana: KibanaPrivilege[];
   };
 }
 export interface ElasticSearchPrivilege {
@@ -59,6 +61,8 @@ export interface SecuritySolutionESSUtilsInterface {
   getUsername: (role?: string) => Promise<string>;
   createSearch: (role?: string) => Promise<SearchService>;
   createSuperTest: (role?: string, password?: string) => Promise<TestAgent<any>>;
+  createSuperTestWithUser: (user: User) => Promise<TestAgent<any>>;
+  cleanUpCustomRole: () => Promise<void>;
   createUser: (user: User) => Promise<any>;
   deleteUsers: (userNames: string[]) => Promise<any>;
   createRole: (name: string, role: Role) => Promise<any>;

@@ -8,8 +8,8 @@
 import expect from '@kbn/expect';
 import { FtrProviderContextWithSpaces } from '../../../../ftr_provider_context_with_spaces';
 import { createNote, deleteNote, getNote } from '../../utils/notes';
-import * as users from '../privileges/users';
-import { roles } from '../privileges/roles';
+import * as users from '../../../../config/privileges/users';
+import { roles } from '../../../../config/privileges/roles';
 
 const canOnlyReadUsers = [users.secReadV1User, users.secNotesReadUser];
 const canWriteUsers = [users.secAllV1User, users.secNotesAllUser];
@@ -19,32 +19,39 @@ const cannotWriteUsers = [...canOnlyReadUsers, ...cannotAccessUsers];
 
 export default function ({ getService }: FtrProviderContextWithSpaces) {
   const utils = getService('securitySolutionUtils');
+  const config = getService('config');
+  const isServerless = config.get('serverless');
+  const isEss = !isServerless;
 
   describe('Notes privileges', () => {
     before(async () => {
-      await Promise.all(
-        roles.map((role) => {
-          return utils.createRole(role.name, role);
-        })
-      );
-      await Promise.all(
-        users.allUsers.map((user) => {
-          return utils.createUser(user);
-        })
-      );
+      if (isEss) {
+        await Promise.all(
+          roles.map((role) => {
+            return utils.createRole(role.name, role);
+          })
+        );
+        await Promise.all(
+          users.allUsers.map((user) => {
+            return utils.createUser(user);
+          })
+        );
+      }
     });
     after(async () => {
-      await utils.deleteUsers(users.allUsers.map((user) => user.username));
-      await utils.deleteRoles(roles.map((role) => role.name));
+      if (isEss) {
+        await utils.deleteUsers(users.allUsers.map((user) => user.username));
+        await utils.deleteRoles(roles.map((role) => role.name));
+      }
+    });
+    afterEach(async () => {
+      await utils.cleanUpCustomRole();
     });
 
     describe('read notes', () => {
       let getNoteId = () => '';
       before(async () => {
-        const superTest = await utils.createSuperTest(
-          users.secNotesAllUser.username,
-          users.secNotesAllUser.password
-        );
+        const superTest = await utils.createSuperTestWithUser(users.secNotesAllUser);
         const {
           body: { noteId },
         } = await createNote(superTest, { text: 'test', documentId: '123' });
@@ -53,14 +60,14 @@ export default function ({ getService }: FtrProviderContextWithSpaces) {
 
       canWriteOrReadUsers.forEach((user) => {
         it(`user "${user.username}" can read notes`, async () => {
-          const superTest = await utils.createSuperTest(user.username, user.password);
+          const superTest = await utils.createSuperTestWithUser(user);
           await getNote(superTest, getNoteId()).expect(200);
         });
       });
 
       cannotAccessUsers.forEach((user) => {
         it(`user "${user.username}" cannot read notes`, async () => {
-          const superTest = await utils.createSuperTest(user.username, user.password);
+          const superTest = await utils.createSuperTestWithUser(user);
           await getNote(superTest, getNoteId()).expect(403);
         });
       });
@@ -69,15 +76,15 @@ export default function ({ getService }: FtrProviderContextWithSpaces) {
     describe('create notes', () => {
       canWriteUsers.forEach((user) => {
         it(`user "${user.username}" can create notes`, async () => {
-          const superTest = await utils.createSuperTest(user.username, user.password);
+          const superTest = await utils.createSuperTestWithUser(user);
           const { status } = await createNote(superTest, { text: 'test', documentId: '123' });
           expect(status).to.be(200);
         });
       });
 
       cannotWriteUsers.forEach((user) => {
         it(`user "${user.username}" cannot create notes`, async () => {
-          const superTest = await utils.createSuperTest(user.username, user.password);
+          const superTest = await utils.createSuperTestWithUser(user);
           const { status } = await createNote(superTest, { text: 'test', documentId: '123' });
           expect(status).to.be(403);
         });
@@ -87,10 +94,7 @@ export default function ({ getService }: FtrProviderContextWithSpaces) {
     describe('delete notes', () => {
       let getNoteId = () => '';
       before(async () => {
-        const superTest = await utils.createSuperTest(
-          users.secNotesAllUser.username,
-          users.secNotesAllUser.password
-        );
+        const superTest = await utils.createSuperTestWithUser(users.secNotesAllUser);
         const {
           body: { noteId },
         } = await createNote(superTest, { text: 'test', documentId: '123' });
@@ -99,14 +103,14 @@ export default function ({ getService }: FtrProviderContextWithSpaces) {
 
       canWriteUsers.forEach((user) => {
         it(`user "${user.username}" can delete notes`, async () => {
-          const superTest = await utils.createSuperTest(user.username, user.password);
+          const superTest = await utils.createSuperTestWithUser(user);
           await deleteNote(superTest, getNoteId()).expect(200);
         });
       });
 
       cannotWriteUsers.forEach((user) => {
         it(`user "${user.username}" cannot delete notes`, async () => {
-          const superTest = await utils.createSuperTest(user.username, user.password);
+          const superTest = await utils.createSuperTestWithUser(user);
           await deleteNote(superTest, getNoteId()).expect(403);
         });
       });