[FTR] enable roles management testing for Observability project (#196514

) ## Summary This PR makes changes in FTR `saml_auth` service to allow creating custom role for Oblt serverless project, when roles management is explicitly enabled with `--xpack.security.roleManagementEnabled=true` in Kibana server arguments. I also added [role_management/custom_role_access.ts ](x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts) as a test example. Currently roles management is enabled in `x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts` and after this PR is merged, more tests with custom roles can be added for Oblt project. How to run tests: ``` node scripts/functional_tests --config x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts ``` (cherry picked from commit 16c965f)
elastic · Oct 18, 2024 · a2b973c · a2b973c
1 parent 9ad35b8
commit a2b973c
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 4 deletions.
diff --git a/packages/kbn-ftr-common-functional-services/services/saml_auth/saml_auth_provider.ts b/packages/kbn-ftr-common-functional-services/services/saml_auth/saml_auth_provider.ts
@@ -33,7 +33,7 @@ export interface KibanaRoleDescriptors {
 }
 
 const throwIfRoleNotSet = (role: string, customRole: string, roleDescriptors: Map<string, any>) => {
-  if (role === customRole && !roleDescriptors.has(customRole)) {
+  if (role === customRole && !roleDescriptors.get(customRole)) {
     throw new Error(
       `Set privileges for '${customRole}' using 'samlAuth.setCustomRole' before authentication.`
     );
@@ -179,7 +179,7 @@ export function SamlAuthProvider({ getService }: FtrProviderContext) {
       if (!isCustomRoleEnabled) {
         throw new Error(`Custom roles are not supported for the current deployment`);
       }
-      log.debug(`Updating role ${CUSTOM_ROLE}`);
+      log.debug(`Updating role '${CUSTOM_ROLE}'`);
       const adminCookieHeader = await getAdminCredentials();
 
       const customRoleDescriptors = {
@@ -199,6 +199,28 @@ export function SamlAuthProvider({ getService }: FtrProviderContext) {
       supportedRoleDescriptors.set(CUSTOM_ROLE, customRoleDescriptors);
     },
 
+    async deleteCustomRole() {
+      if (!isCustomRoleEnabled) {
+        throw new Error(`Custom roles are not supported for the current deployment`);
+      }
+
+      if (supportedRoleDescriptors.get(CUSTOM_ROLE)) {
+        log.debug(`Deleting role '${CUSTOM_ROLE}'`);
+        const adminCookieHeader = await getAdminCredentials();
+
+        // Resetting descriptors for the custom role, even if role deletion fails
+        supportedRoleDescriptors.set(CUSTOM_ROLE, null);
+        log.debug(`'${CUSTOM_ROLE}' descriptors  were reset`);
+
+        const { status } = await supertestWithoutAuth
+          .delete(`/api/security/role/${CUSTOM_ROLE}`)
+          .set(INTERNAL_REQUEST_HEADERS)
+          .set(adminCookieHeader);
+
+        expect(status).to.be(204);
+      }
+    },
+
     getCommonRequestHeader() {
       return COMMON_REQUEST_HEADERS;
     },

diff --git a/packages/kbn-ftr-common-functional-services/services/saml_auth/serverless/auth_provider.ts b/packages/kbn-ftr-common-functional-services/services/saml_auth/serverless/auth_provider.ts
@@ -34,8 +34,18 @@ const getDefaultServerlessRole = (projectType: string) => {
   }
 };
 
+const isRoleManagementExplicitlyEnabled = (args: string[]): boolean => {
+  const roleManagementArg = args.find((arg) =>
+    arg.startsWith('--xpack.security.roleManagementEnabled=')
+  );
+
+  // Return true if the value is explicitly set to 'true', otherwise false
+  return roleManagementArg?.split('=')[1] === 'true' || false;
+};
+
 export class ServerlessAuthProvider implements AuthProvider {
   private readonly projectType: string;
+  private readonly roleManagementEnabled: boolean;
   private readonly rolesDefinitionPath: string;
 
   constructor(config: Config) {
@@ -45,6 +55,10 @@ export class ServerlessAuthProvider implements AuthProvider {
       return acc + (match ? match[1] : '');
     }, '') as ServerlessProjectType;
 
+    // Indicates whether role management was explicitly enabled using
+    // the `--xpack.security.roleManagementEnabled=true` flag.
+    this.roleManagementEnabled = isRoleManagementExplicitlyEnabled(kbnServerArgs);
+
     if (!isServerlessProjectType(this.projectType)) {
       throw new Error(`Unsupported serverless projectType: ${this.projectType}`);
     }
@@ -70,7 +84,9 @@ export class ServerlessAuthProvider implements AuthProvider {
   }
 
   isCustomRoleEnabled() {
-    return projectTypesWithCustomRolesEnabled.includes(this.projectType);
+    return (
+      projectTypesWithCustomRolesEnabled.includes(this.projectType) || this.roleManagementEnabled
+    );
   }
 
   getCustomRole() {

diff --git a/x-pack/test_serverless/README.md b/x-pack/test_serverless/README.md
@@ -207,6 +207,8 @@ describe("my internal APIs test suite", async function() {
 With custom native roles now enabled for the Security and Search projects on MKI, the FTR supports
 defining and authenticating with custom roles in both UI functional tests and API integration tests.
 
+To test role management within the Observability project, you can execute the tests using the existing [config.feature_flags.ts](x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts), where this functionality is explicitly enabled. Though the config is not run on MKI, it provides the ability to test custom roles in Kibana CI before the functionality is enabled in MKI. When roles management is enabled on MKI, these tests can be migrated to the regular FTR config and will be run on MKI.
+
 For compatibility with MKI, the role name `customRole` is reserved for use in tests. The test user is automatically assigned to this role, but before logging in via the browser, generating a cookie header, or creating an API key in each test suite, the role’s privileges must be updated.
 
 Note: We are still working on a solution to run these tests against MKI. In the meantime, please tag the suite with `skipMKI`.
@@ -229,6 +231,9 @@ await samlAuth.setCustomRole({
 });
 // Then, log in via the browser as a user with the newly defined privileges
 await pageObjects.svlCommonPage.loginWithCustomRole();
+
+// Make sure to delete the custom role in the 'after' hook
+await samlAuth.deleteCustomRole();
 ```
 
 FTR api_integration test example:
@@ -251,8 +256,9 @@ await samlAuth.setCustomRole({
 // Then, generate an API key with the newly defined privileges
 const roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
 
-// Remember to invalidate the API key after use
+// Remember to invalidate the API key after use and delete the custom role
 await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
+await samlAuth.deleteCustomRole();
 ```
 
 ### Testing with feature flags

diff --git a/x-pack/test_serverless/functional/test_suites/observability/index.feature_flags.ts b/x-pack/test_serverless/functional/test_suites/observability/index.feature_flags.ts
@@ -10,6 +10,7 @@ import { FtrProviderContext } from '../../ftr_provider_context';
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('serverless observability UI - feature flags', function () {
     // add tests that require feature flags, defined in config.feature_flags.ts
+    loadTestFile(require.resolve('./role_management'));
     loadTestFile(require.resolve('./infra'));
     loadTestFile(require.resolve('../common/platform_security/navigation/management_nav_cards.ts'));
     loadTestFile(require.resolve('../common/platform_security/roles.ts'));

diff --git a/...est_serverless/functional/test_suites/observability/role_management/custom_role_access.ts b/...est_serverless/functional/test_suites/observability/role_management/custom_role_access.ts
@@ -0,0 +1,100 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../../ftr_provider_context';
+import { RoleCredentials } from '../../../../shared/services';
+
+export default function ({ getPageObjects, getService }: FtrProviderContext) {
+  const pageObjects = getPageObjects(['svlCommonPage', 'timePicker', 'common', 'header']);
+  const samlAuth = getService('samlAuth');
+  const supertestWithoutAuth = getService('supertestWithoutAuth');
+  const esArchiver = getService('esArchiver');
+  const kibanaServer = getService('kibanaServer');
+  const testSubjects = getService('testSubjects');
+  let roleAuthc: RoleCredentials;
+
+  describe('With custom role', function () {
+    // skipping on MKI while we are working on a solution
+    this.tags(['skipMKI']);
+    before(async () => {
+      await esArchiver.loadIfNeeded('test/functional/fixtures/es_archiver/logstash_functional');
+      await kibanaServer.importExport.load('test/functional/fixtures/kbn_archiver/discover');
+      await kibanaServer.uiSettings.update({
+        defaultIndex: 'logstash-*',
+      });
+      await samlAuth.setCustomRole({
+        elasticsearch: {
+          indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
+        },
+        kibana: [
+          {
+            feature: {
+              discover: ['read'],
+            },
+            spaces: ['*'],
+          },
+        ],
+      });
+      // login with custom role
+      await pageObjects.svlCommonPage.loginWithCustomRole();
+      await pageObjects.svlCommonPage.assertUserAvatarExists();
+    });
+
+    after(async () => {
+      await esArchiver.unload('test/functional/fixtures/es_archiver/logstash_functional');
+      await kibanaServer.importExport.unload('test/functional/fixtures/kbn_archiver/discover');
+      await kibanaServer.uiSettings.replace({});
+      await kibanaServer.savedObjects.cleanStandardList();
+      if (roleAuthc) {
+        await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
+      }
+      // delete custom role
+      await samlAuth.deleteCustomRole();
+    });
+
+    it('should have limited navigation menu', async () => {
+      await pageObjects.svlCommonPage.assertUserAvatarExists();
+      // discover navigation link is present
+      await testSubjects.existOrFail('~nav-item-id-last-used-logs-viewer');
+
+      // all other links in navigation menu are hidden
+      await testSubjects.missingOrFail('~nav-item-id-dashboards');
+      await testSubjects.missingOrFail('~nav-item-id-observability-overview:alerts');
+      await testSubjects.missingOrFail('~nav-item-id-observability-overview:cases');
+      await testSubjects.missingOrFail('~nav-item-id-slo');
+      await testSubjects.missingOrFail('~nav-item-id-aiops');
+      await testSubjects.missingOrFail('~nav-item-id-inventory');
+      await testSubjects.missingOrFail('~nav-item-id-apm');
+      await testSubjects.missingOrFail('~nav-item-id-metrics');
+      await testSubjects.missingOrFail('~nav-item-id-synthetics');
+
+      // TODO: 'Add data' and 'Project Settings' should be hidden
+      // await testSubjects.missingOrFail('~nav-item-id-observabilityOnboarding');
+      // await testSubjects.missingOrFail('~nav-item-id-project_settings_project_nav');
+    });
+
+    it('should access Discover app', async () => {
+      await pageObjects.common.navigateToApp('discover');
+      await pageObjects.timePicker.setDefaultAbsoluteRange();
+      await pageObjects.header.waitUntilLoadingHasFinished();
+      expect(await testSubjects.exists('unifiedHistogramChart')).to.be(true);
+      expect(await testSubjects.exists('discoverQueryHits')).to.be(true);
+    });
+
+    it('should access console with API key', async () => {
+      roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
+      const { body } = await supertestWithoutAuth
+        .get('/api/console/api_server')
+        .set(roleAuthc.apiKeyHeader)
+        .set(samlAuth.getInternalRequestHeader())
+        .set({ 'kbn-xsrf': 'true' })
+        .expect(200);
+      expect(body.es).to.be.ok();
+    });
+  });
+}
diff --git a/x-pack/test_serverless/functional/test_suites/observability/role_management/index.ts b/x-pack/test_serverless/functional/test_suites/observability/role_management/index.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrProviderContext } from '../../../ftr_provider_context';
+
+export default function ({ loadTestFile }: FtrProviderContext) {
+  describe('Role Management', function () {
+    loadTestFile(require.resolve('./custom_role_access'));
+  });
+}
diff --git a/x-pack/test_serverless/functional/test_suites/search/custom_role_access.ts b/x-pack/test_serverless/functional/test_suites/search/custom_role_access.ts
@@ -53,6 +53,8 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
       if (roleAuthc) {
         await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
       }
+      // delete custom role
+      await samlAuth.deleteCustomRole();
     });
 
     it('should have limited navigation menu', async () => {