[ftr] move SAML auth to kbn-test

packages/kbn-test/index.ts

@@ -13,7 +13,7 @@ export { startServersCli, startServers } from './src/functional_tests/start_serv
 
 // @internal
 export { runTestsCli, runTests } from './src/functional_tests/run_tests';
-
+export { SAMLSessionManager } from './src/auth';
 export { runElasticsearch, runKibanaServer } from './src/functional_tests/lib';
 export { getKibanaCliArg, getKibanaCliLoggers } from './src/functional_tests/lib/kibana_cli_args';
 

packages/kbn-test/src/auth/helper.ts

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { REPO_ROOT } from '@kbn/repo-info';
+import * as fs from 'fs';
+import { resolve } from 'path';
+import { User } from './session_manager';
+
+export const getProjectType = (serverArgs: string[]) => {
+  const svlArg = serverArgs.filter((arg) => arg.startsWith('--serverless'));
+  if (svlArg.length === 0) {
+    throw new Error('--serverless argument is missing in kbnTestServer.serverArgs');
+  }
+  return svlArg[0].split('=')[1];
+};
+
+/**
+ * Loads cloud users from '.ftr/role_users.json'
+ * QAF prepares the file for CI pipelines, make sure to add it manually for local run
+ */
+export const readCloudUsersFromFile = (): Array<[string, User]> => {
+  const cloudRoleUsersFilePath = resolve(REPO_ROOT, '.ftr', 'role_users.json');
+  if (!fs.existsSync(cloudRoleUsersFilePath)) {
+    throw new Error(`Please define user roles with email/password in ${cloudRoleUsersFilePath}`);
+  }
+  const data = fs.readFileSync(cloudRoleUsersFilePath, 'utf8');
+  if (data.length === 0) {
+    throw new Error(`'${cloudRoleUsersFilePath}' is empty: no roles are defined`);
+  }
+
+  return Object.entries(JSON.parse(data)) as Array<[string, User]>;
+};

packages/kbn-test/src/auth/index.ts

@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export { SAMLSessionManager } from './session_manager';

x-pack/test_serverless/shared/services/user_manager/saml_auth.ts → packages/kbn-test/src/auth/saml_auth.ts

@@ -1,40 +1,32 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import { createSAMLResponse as createMockedSAMLResponse } from '@kbn/mock-idp-plugin/common';
 import { ToolingLog } from '@kbn/tooling-log';
 import axios, { AxiosResponse } from 'axios';
 import * as cheerio from 'cheerio';
-import { parse as parseCookie } from 'tough-cookie';
+import { Cookie, parse as parseCookie } from 'tough-cookie';
 import Url from 'url';
-import { Session } from './svl_user_manager';
-
-export interface CloudSamlSessionParams {
-  email: string;
-  password: string;
-  kbnHost: string;
-  kbnVersion: string;
-  log: ToolingLog;
-}
-
-export interface LocalSamlSessionParams {
-  username: string;
-  email: string;
-  fullname: string;
-  role: string;
-  kbnHost: string;
-  log: ToolingLog;
-}
+import { CloudSamlSessionParams, CreateSamlSessionParams, LocalSamlSessionParams } from './types';
+
+export class Session {
+  readonly cookie;
+  readonly email;
+  readonly fullname;
+  constructor(cookie: Cookie, email: string, fullname: string) {
+    this.cookie = cookie;
+    this.email = email;
+    this.fullname = fullname;
+  }
 
-export interface CreateSamlSessionParams {
-  hostname: string;
-  email: string;
-  password: string;
-  log: ToolingLog;
+  getCookieValue() {
+    return this.cookie.value;
+  }
 }
 
 const cleanException = (url: string, ex: any) => {

packages/kbn-test/src/auth/session_manager.ts

@@ -0,0 +1,135 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ToolingLog } from '@kbn/tooling-log';
+import Url from 'url';
+import type { Config } from '../functional_test_runner';
+import { KbnClient } from '../kbn_client';
+import { getProjectType, readCloudUsersFromFile } from './helper';
+import { createCloudSAMLSession, createLocalSAMLSession, Session } from './saml_auth';
+
+export interface User {
+  readonly email: string;
+  readonly password: string;
+}
+
+export type Role = string;
+
+export class SAMLSessionManager {
+  private readonly config: Config;
+  private readonly log: ToolingLog;
+  private readonly sessionCache;
+  private readonly isCloud: boolean;
+  private readonly kbnHost: string;
+  private readonly kbnClient: KbnClient;
+  private readonly roleToUserMap: Map<string, User>;
+  private readonly svlProjectType: string;
+  constructor(config: Config, log: ToolingLog, isCloud: boolean) {
+    this.config = config;
+    this.log = log;
+    this.sessionCache = new Map<Role, Session>();
+    this.isCloud = isCloud;
+    this.roleToUserMap = new Map<string, User>();
+
+    const hostOptions = {
+      protocol: this.config.get('servers.kibana.protocol'),
+      hostname: this.config.get('servers.kibana.hostname'),
+      port: isCloud ? undefined : this.config.get('servers.kibana.port'),
+    };
+    this.kbnHost = Url.format(hostOptions);
+    this.kbnClient = new KbnClient({
+      log: this.log,
+      url: Url.format({
+        ...hostOptions,
+        auth: `${this.config.get('servers.kibana.username')}:${this.config.get(
+          'servers.kibana.password'
+        )}`,
+      }),
+    });
+    this.svlProjectType = getProjectType(this.config.get('kbnTestServer.serverArgs'));
+  }
+
+  // we should split packages/kbn-es/src/serverless_resources/roles.yml into 3 different files
+
+  // getLocalUsers = () => {
+  //   const rolesDefinitionFilePath = resolve(
+  //     REPO_ROOT,
+  //     'packages/kbn-es/src/serverless_resources/roles.yml'
+  //   );
+  //   const roles: string[] = Object.keys(loadYaml(fs.readFileSync(rolesDefinitionFilePath, 'utf8')));
+  // };
+
+  private getCloudUsers = () => {
+    // Loading cloud users on the first call
+    if (this.roleToUserMap.size === 0) {
+      const data = readCloudUsersFromFile();
+      for (const [roleName, user] of data) {
+        this.roleToUserMap.set(roleName, user);
+      }
+    }
+
+    return this.roleToUserMap;
+  };
+
+  private getCloudUserByRole = (role: string) => {
+    if (this.getCloudUsers().has(role)) {
+      return this.getCloudUsers().get(role)!;
+    } else {
+      throw new Error(`User with '${role}' role is not defined for ${this.svlProjectType} project`);
+    }
+  };
+
+  private getSessionByRole = async (role: string) => {
+    if (this.sessionCache.has(role)) {
+      return this.sessionCache.get(role)!;
+    }
+
+    let session: Session;
+
+    if (this.isCloud) {
+      this.log.debug(`new SAML authentication with '${role}' role`);
+      const kbnVersion = await this.kbnClient.version.get();
+      const { email, password } = this.getCloudUserByRole(role);
+      session = await createCloudSAMLSession({
+        email,
+        password,
+        kbnHost: this.kbnHost,
+        kbnVersion,
+        log: this.log,
+      });
+    } else {
+      this.log.debug(`new fake SAML authentication with '${role}' role`);
+      session = await createLocalSAMLSession({
+        username: `elastic_${role}`,
+        email: `elastic_${role}@elastic.co`,
+        fullname: `test ${role}`,
+        role,
+        kbnHost: this.kbnHost,
+        log: this.log,
+      });
+    }
+
+    this.sessionCache.set(role, session);
+    return session;
+  };
+
+  async getApiCredentialsForRole(role: string) {
+    const session = await this.getSessionByRole(role);
+    return { Cookie: `sid=${session.getCookieValue()}` };
+  }
+
+  async getSessionCookieForRole(role: string) {
+    const session = await this.getSessionByRole(role);
+    return session.getCookieValue();
+  }
+
+  async getUserData(role: string) {
+    const { email, fullname } = await this.getSessionByRole(role);
+    return { email, fullname };
+  }
+}

packages/kbn-test/src/auth/types.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ToolingLog } from '@kbn/tooling-log';
+
+export interface CloudSamlSessionParams {
+  kbnHost: string;
+  kbnVersion: string;
+  email: string;
+  password: string;
+  log: ToolingLog;
+}
+
+export interface LocalSamlSessionParams {
+  kbnHost: string;
+  email: string;
+  username: string;
+  fullname: string;
+  role: string;
+  log: ToolingLog;
+}
+
+export interface CreateSamlSessionParams {
+  hostname: string;
+  email: string;
+  password: string;
+  log: ToolingLog;
+}

packages/kbn-test/tsconfig.json

@@ -32,5 +32,6 @@
     "@kbn/babel-register",
     "@kbn/repo-packages",
     "@kbn/core-saved-objects-api-server",
+    "@kbn/mock-idp-plugin",
   ]
 }

x-pack/test_serverless/shared/services/index.ts

@@ -5,10 +5,10 @@
  * 2.0.
  */
 
-import { SvlReportingServiceProvider } from './svl_reporting';
 import { SupertestProvider, SupertestWithoutAuthProvider } from './supertest';
 import { SvlCommonApiServiceProvider } from './svl_common_api';
-import { SvlUserManagerProvider } from './user_manager/svl_user_manager';
+import { SvlReportingServiceProvider } from './svl_reporting';
+import { SvlUserManagerProvider } from './svl_user_manager';
 
 export const services = {
   supertest: SupertestProvider,

x-pack/test_serverless/shared/services/svl_user_manager.ts

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SAMLSessionManager } from '@kbn/test';
+import { FtrProviderContext } from '../../functional/ftr_provider_context';
+
+export function SvlUserManagerProvider({ getService }: FtrProviderContext) {
+  const config = getService('config');
+  const log = getService('log');
+  const isCloud = !!process.env.TEST_CLOUD;
+  // Sharing the instance within FTR config run means cookies are persistent for each role between tests.
+  const sessionManager = new SAMLSessionManager(config, log, isCloud);
+
+  return sessionManager;
+}