
[8.x] [Security Solution] Using API auth for API calls in Serverless Cypress tests (#190152) #199840

Merged
merged 2 commits into from
Nov 12, 2024

Conversation

kibanamachine

Backport

This will backport the following commits from main to 8.x:

Questions?

Please refer to the Backport tool documentation

…s tests (elastic#190152)

### Context

In our Cypress tests, we use API calls to set up the data needed to run
the tests. Currently, we are using basic authentication for both ESS and
serverless environments. However, for serverless, we should be using API
key authentication, especially given that basic authentication will be
deprecated soon.

### Challenges

* Handling different authentication methods depending on whether the
environment is serverless or ESS.
* Allowing some tests to access or modify internal indexes.
* Managing how the username is handled across different tests.

### Implementation

To ensure the correct authentication is used based on the environment
where the tests are executed, the `rootRequest` method is used to build
the API request. Within this method, the appropriate authentication type
is selected.

All API calls will use an `admin` API key. The `admin` role is the least
restrictive, which is appropriate for setting up data for tests rather
than validating application behavior. This role minimizes the risk of
issues during setup.

A specific challenge arose when we needed to access or modify internal
indexes, a capability restricted to the `system_indices_superuser` role
for testing purposes. The issue stems from the API key generation
method, which is tied to the user's role rather than the user itself.
Since serverless currently lacks a role that permits access to internal
indexes, we are, upon recommendation from the appex-qa team, using the
Elasticsearch client directly with the `system_indices_superuser` role
for these scenarios.

For tests that assert the username, we made adjustments. Previously, the
`system_indices_superuser` role was used universally, which is no longer
the case for serverless. We now retrieve the username dynamically from
user information instead of hardcoding the value.

### To be discussed

When making modifications related to "username", it became apparent that
we sometimes use "fullname" and, in other cases, "username," even though
they seem intended to represent the same concept. Should we standardize
on a single term across the solution?

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 81af529)
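The environment-dependent selection of the authentication scheme described in the Implementation section above, written out as an added example. This is not Kibana's code and not the PR's diff: the `rootRequest` signature, the `env.serverless` flag, the credential shapes (`creds.basic`, `creds.apiKey`) and the sample URL and path are assumptions made for this illustration. It shows the two header formats a Cypress setup helper would have to produce (`ApiKey <base64(id:api_key)>` for serverless, `Basic <base64(user:password)>` for ESS), fails loudly when the credential type does not match the environment, and masks the secret when the chosen scheme is logged.

```javascript
// Added example (not Kibana's code): choosing the auth scheme for Cypress
// data-setup API calls from the target environment. The names rootRequest,
// env.serverless, creds.basic and creds.apiKey are assumptions for this sketch.

const KIBANA_URL = 'http://localhost:5601'; // constructed sample base URL

function encodeBase64(value) {
  return Buffer.from(value, 'utf8').toString('base64');
}

// Serverless runs authenticate with an API key (Elasticsearch "ApiKey" scheme,
// value = base64("id:api_key")); ESS runs keep basic auth. Anything else is a
// misconfiguration and should fail before the first request is sent.
function buildAuthHeader(env, creds) {
  if (env.serverless) {
    if (!creds.apiKey) throw new Error('serverless run requires an API key');
    // The create-API-key response already returns an `encoded` value; derive it
    // from id and key only when that field is absent.
    const encoded =
      creds.apiKey.encoded ?? encodeBase64(`${creds.apiKey.id}:${creds.apiKey.key}`);
    return `ApiKey ${encoded}`;
  }
  if (!creds.basic) throw new Error('ESS run requires a username and password');
  return `Basic ${encodeBase64(`${creds.basic.username}:${creds.basic.password}`)}`;
}

// Assemble the options object a cy.request() call would receive.
function rootRequest(env, creds, { method = 'GET', path, body } = {}) {
  const headers = {
    // Kibana rejects state-changing API calls that lack this header.
    'kbn-xsrf': 'cypress',
    Authorization: buildAuthHeader(env, creds),
  };
  if (body !== undefined) headers['Content-Type'] = 'application/json';
  return { method, url: `${KIBANA_URL}${path}`, headers, body, failOnStatusCode: false };
}

// Report which scheme was selected without writing the credential into CI logs.
function describeAuth(header) {
  const [scheme] = header.split(' ');
  return `${scheme} ****`;
}

// Constructed sample credentials; a real run reads these from the test config.
const sampleCreds = {
  basic: { username: 'tester', password: 'secret' },
  apiKey: { id: 'key-id', key: 'key-secret' },
};

// Usage: the same helper call yields an ApiKey header on serverless and a
// Basic header on ESS; only the environment flag differs.
const serverlessReq = rootRequest({ serverless: true }, sampleCreds, {
  method: 'POST',
  path: '/api/example-setup', // constructed placeholder path
  body: { fixture: 'constructed sample' },
});
const essReq = rootRequest({ serverless: false }, sampleCreds, { path: '/api/example-setup' });
console.log(describeAuth(serverlessReq.headers.Authorization)); // ApiKey ****
console.log(describeAuth(essReq.headers.Authorization)); // Basic ****
```

Keeping the branch in one place means a test that asserts on the logged-in user no longer needs to know which credential was used; it can call the same helper and read the username back from the user-info response, which is the adjustment the PR describes.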
@kibanamachine kibanamachine merged commit 7ecc654 into elastic:8.x Nov 12, 2024
31 checks passed
@elasticmachine

💚 Build Succeeded

Metrics [docs]

✅ unchanged

cc @MadameSheema
