[kbn-test] error message if MFA is enabled for test account (elastic#…

…196906) ## Summary Recently few engineers reported issues when running FTR **locally** against MKI project on QA env. It turned out MFA was enabled for the test cloud accounts, that breaks automatic login to the Cloud. This PR checks response for `mfa_required: true` and fails without retrying asking to disable MFA for test account. --------- Co-authored-by: kibanamachine <[email protected]>
shahzad31 · Oct 21, 2024 · 63ebd41 · 63ebd41
1 parent 0e1b2a3
commit 63ebd41
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/packages/kbn-test/src/auth/saml_auth.test.ts b/packages/kbn-test/src/auth/saml_auth.test.ts
@@ -168,6 +168,36 @@ describe('saml_auth', () => {
         'Failed to create the new cloud session, check retry arguments: {"attemptsCount":0,"attemptDelay":100}'
       );
     });
+
+    test(`should fail without retry when response has 'mfa_required: true'`, async () => {
+      axiosRequestMock.mockImplementation((config: AxiosRequestConfig) => {
+        if (config.url?.endsWith('/api/v1/saas/auth/_login')) {
+          return Promise.resolve({
+            data: { user_id: 12345, authenticated: false, mfa_required: true },
+            status: 200,
+          });
+        }
+        return Promise.reject(new Error(`Unexpected URL: ${config.url}`));
+      });
+
+      await expect(
+        createCloudSession(
+          {
+            hostname: 'cloud',
+            email: '[email protected]',
+            password: 'changeme',
+            log,
+          },
+          {
+            attemptsCount: 3,
+            attemptDelay: 100,
+          }
+        )
+      ).rejects.toThrow(
+        'Failed to create the new cloud session: MFA must be disabled for the test account'
+      );
+      expect(axiosRequestMock).toBeCalledTimes(1);
+    });
   });
 
   describe('createSAMLRequest', () => {

diff --git a/packages/kbn-test/src/auth/saml_auth.ts b/packages/kbn-test/src/auth/saml_auth.ts
@@ -134,7 +134,17 @@ export const createCloudSession = async (
                 data[key] = 'REDACTED';
               }
             });
+
+            // MFA must be disabled for test accounts
+            if (data.mfa_required === true) {
+              // Changing MFA configuration requires manual action, skip retry
+              attemptsLeft = 0;
+              throw new Error(
+                `Failed to create the new cloud session: MFA must be disabled for the test account`
+              );
+            }
           }
+
           throw new Error(
             `Failed to create the new cloud session: token is missing in response data\n${JSON.stringify(
               data