Removes supertest and superuser from platform security serverless API…

… tests (elastic#194922) Closes elastic#186467 ## Summary Removes remaining usages of `supertest` and `superuser` from platform security serverless API tests. Utilizes admin privileges when testing disabled routes, viewer privileges for all other routes. Uses cookie authentication for internal API calls. ### Tests - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - Flaky test runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7089
kapral18 · Oct 10, 2024 · 8ea2846 · 8ea2846
1 parent a6e22cf
commit 8ea2846
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 52 deletions.
diff --git a/...ck/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts b/...ck/test_serverless/api_integration/test_suites/common/platform_security/authentication.ts
@@ -6,116 +6,123 @@
  */
 
 import expect from 'expect';
+import { SupertestWithRoleScopeType } from '@kbn/test-suites-xpack/api_integration/deployment_agnostic/services';
 import { FtrProviderContext } from '../../../ftr_provider_context';
-import { RoleCredentials } from '../../../../shared/services';
 
 export default function ({ getService }: FtrProviderContext) {
-  const supertest = getService('supertest');
-  const config = getService('config');
-
+  const roleScopedSupertest = getService('roleScopedSupertest');
   const svlCommonApi = getService('svlCommonApi');
-  const svlUserManager = getService('svlUserManager');
-  const supertestWithoutAuth = getService('supertestWithoutAuth');
-  let roleAuthc: RoleCredentials;
+  let supertestAdminWithApiKey: SupertestWithRoleScopeType;
+  let supertestViewerWithApiKey: SupertestWithRoleScopeType;
+  let supertestViewerWithCookieCredentials: SupertestWithRoleScopeType;
+
   describe('security/authentication', function () {
     before(async () => {
-      roleAuthc = await svlUserManager.createM2mApiKeyWithRoleScope('admin');
+      supertestAdminWithApiKey = await roleScopedSupertest.getSupertestWithRoleScope('admin');
+      supertestViewerWithApiKey = await roleScopedSupertest.getSupertestWithRoleScope('viewer');
+      supertestViewerWithCookieCredentials = await roleScopedSupertest.getSupertestWithRoleScope(
+        'viewer',
+        {
+          useCookieHeader: true,
+          withCommonHeaders: true,
+        }
+      );
     });
     after(async () => {
-      await svlUserManager.invalidateM2mApiKeyWithRoleScope(roleAuthc);
+      await supertestAdminWithApiKey.destroy();
+      await supertestViewerWithApiKey.destroy();
+      await supertestViewerWithCookieCredentials.destroy();
     });
     describe('route access', () => {
       describe('disabled', () => {
         // ToDo: uncomment when we disable login
         // it('login', async () => {
-        //   const { body, status } = await supertestWithoutAuth
-        //     .post('/internal/security/login')
-        //     .set(svlCommonApi.getInternalRequestHeader()).set(roleAuthc.apiKeyHeader)
+        //   const { body, status } = await supertestAdminWithApiKey
+        //     .post('/internal/security/login');
         //   svlCommonApi.assertApiNotFound(body, status);
         // });
 
         it('logout (deprecated)', async () => {
-          const { body, status } = await supertestWithoutAuth
+          const { body, status } = await supertestAdminWithApiKey
             .get('/api/security/v1/logout')
-            .set(svlCommonApi.getInternalRequestHeader())
-            .set(roleAuthc.apiKeyHeader);
+            .set(svlCommonApi.getInternalRequestHeader());
           svlCommonApi.assertApiNotFound(body, status);
         });
 
         it('get current user (deprecated)', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestAdminWithApiKey
             .get('/internal/security/v1/me')
             .set(svlCommonApi.getInternalRequestHeader());
           svlCommonApi.assertApiNotFound(body, status);
         });
 
         it('acknowledge access agreement', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestAdminWithApiKey
             .post('/internal/security/access_agreement/acknowledge')
             .set(svlCommonApi.getInternalRequestHeader());
           svlCommonApi.assertApiNotFound(body, status);
         });
 
         describe('OIDC', () => {
           it('OIDC implicit', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .get('/api/security/oidc/implicit')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC implicit (deprecated)', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .get('/api/security/v1/oidc/implicit')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC implicit.js', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .get('/internal/security/oidc/implicit.js')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC callback', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .get('/api/security/oidc/callback')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC callback (deprecated)', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .get('/api/security/v1/oidc')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC login', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .post('/api/security/oidc/initiate_login')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC login (deprecated)', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .post('/api/security/v1/oidc')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
 
           it('OIDC 3rd party login', async () => {
-            const { body, status } = await supertest
+            const { body, status } = await supertestAdminWithApiKey
               .get('/api/security/oidc/initiate_login')
               .set(svlCommonApi.getInternalRequestHeader());
             svlCommonApi.assertApiNotFound(body, status);
           });
         });
 
         it('SAML callback (deprecated)', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestAdminWithApiKey
             .post('/api/security/v1/saml')
             .set(svlCommonApi.getInternalRequestHeader());
           svlCommonApi.assertApiNotFound(body, status);
@@ -127,9 +134,9 @@ export default function ({ getService }: FtrProviderContext) {
           let body: any;
           let status: number;
 
-          ({ body, status } = await supertest
-            .get('/internal/security/me')
-            .set(svlCommonApi.getCommonRequestHeader()));
+          ({ body, status } = await supertestViewerWithCookieCredentials.get(
+            '/internal/security/me'
+          ));
           // expect a rejection because we're not using the internal header
           expect(body).toEqual({
             statusCode: 400,
@@ -140,24 +147,22 @@ export default function ({ getService }: FtrProviderContext) {
           });
           expect(status).toBe(400);
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestViewerWithCookieCredentials
             .get('/internal/security/me')
             .set(svlCommonApi.getInternalRequestHeader()));
           // expect success because we're using the internal header
-          expect(body).toEqual({
-            authentication_provider: { name: '__http__', type: 'http' },
-            authentication_realm: { name: 'file1', type: 'file' },
-            authentication_type: 'realm',
-            elastic_cloud_user: false,
-            email: null,
-            enabled: true,
-            full_name: null,
-            lookup_realm: { name: 'file1', type: 'file' },
-            metadata: {},
-            operator: true,
-            roles: ['superuser'],
-            username: config.get('servers.kibana.username'),
-          });
+          expect(body).toEqual(
+            expect.objectContaining({
+              authentication_provider: { name: 'cloud-saml-kibana', type: 'saml' },
+              authentication_type: 'token',
+              authentication_realm: {
+                name: 'cloud-saml-kibana',
+                type: 'saml',
+              },
+              enabled: true,
+              full_name: 'test viewer',
+            })
+          );
           expect(status).toBe(200);
         });
 
@@ -166,9 +171,9 @@ export default function ({ getService }: FtrProviderContext) {
           let body: any;
           let status: number;
 
-          ({ body, status } = await supertest
-            .post('/internal/security/login')
-            .set(svlCommonApi.getCommonRequestHeader()));
+          ({ body, status } = await supertestViewerWithCookieCredentials.post(
+            '/internal/security/login'
+          ));
           // expect a rejection because we're not using the internal header
           expect(body).toEqual({
             statusCode: 400,
@@ -179,7 +184,7 @@ export default function ({ getService }: FtrProviderContext) {
           });
           expect(status).toBe(400);
 
-          ({ body, status } = await supertest
+          ({ body, status } = await supertestViewerWithCookieCredentials
             .post('/internal/security/login')
             .set(svlCommonApi.getInternalRequestHeader()));
           expect(status).not.toBe(404);
@@ -188,12 +193,12 @@ export default function ({ getService }: FtrProviderContext) {
 
       describe('public', () => {
         it('logout', async () => {
-          const { status } = await supertest.get('/api/security/logout');
+          const { status } = await supertestViewerWithApiKey.get('/api/security/logout');
           expect(status).toBe(302);
         });
 
         it('SAML callback', async () => {
-          const { body, status } = await supertest
+          const { body, status } = await supertestViewerWithApiKey
             .post('/api/security/saml/callback')
             .set(svlCommonApi.getCommonRequestHeader())
             .send({

diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
@@ -75,7 +75,7 @@ export default function ({ getService }: FtrProviderContext) {
 
         it('get role', async () => {
           const { body, status } = await supertestAdminWithApiKey.get(
-            '/api/security/role/superuser'
+            '/api/security/role/someRole' // mame of the role doesn't matter, we're checking the endpoint doesn't exist
           );
           svlCommonApi.assertApiNotFound(body, status);
         });
@@ -87,7 +87,7 @@ export default function ({ getService }: FtrProviderContext) {
 
         it('delete role', async () => {
           const { body, status } = await supertestAdminWithApiKey.delete(
-            '/api/security/role/superuser'
+            '/api/security/role/someRole' // mame of the role doesn't matter, we're checking the endpoint doesn't exist
           );
           svlCommonApi.assertApiNotFound(body, status);
         });