Turn on internal API restriction for serverless tests (#162636)

## Summary

Since we already have some E2E tests running for serverless, this PR
turns on the internal API restriction flag to test whether our UI
functions _as such_ under these tests.

An alternative could be to have a specific smoke test for this, but it
seems this is thoroughly covered by piggy-backing off the existing set
of tests.

Blocks: #162149

packages/kbn-test/src/kbn_client/kbn_client_requester.ts

@@ -131,6 +131,7 @@ export class KbnClientRequester {
           headers: {
             ...options.headers,
             'kbn-xsrf': 'kbn-client',
+            'x-elastic-internal-origin': 'kbn-client',
           },
           httpsAgent: this.httpsAgent,
           responseType: options.responseType,

x-pack/test/api_integration/services/usage_api.ts

@@ -31,6 +31,7 @@ export function UsageAPIProvider({ getService }: FtrProviderContext) {
     const { body } = await supertest
       .post('/api/telemetry/v2/clusters/_stats')
       .set('kbn-xsrf', 'xxx')
+      .set('x-elastic-internal-origin', 'xxx')
       .send({ refreshCache: true, ...payload })
       .expect(200);
     return body;

x-pack/test/apm_api_integration/common/apm_api_supertest.ts

@@ -29,7 +29,10 @@ export function createApmApiClient(st: supertest.SuperTest<supertest.Test>) {
     const { method, pathname, version } = formatRequest(endpoint, params.path);
     const url = format({ pathname, query: params?.query });
 
-    const headers: Record<string, string> = { 'kbn-xsrf': 'foo' };
+    const headers: Record<string, string> = {
+      'kbn-xsrf': 'foo',
+      'x-elastic-internal-origin': 'foo',
+    };
 
     if (version) {
       headers['Elastic-Api-Version'] = version;

x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts

@@ -41,7 +41,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('redirect endpoint response contains default security headers', async () => {
       const { header } = await supertest
         .get(`/logout`)
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .expect(200);
 
       expect(header).toBeDefined();

x-pack/test_serverless/api_integration/test_suites/common/security_users.ts

@@ -17,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create user', async () => {
       const { body, status } = await supertest
         .post(`/internal/security/users/some_testuser`)
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({ username: 'some_testuser', password: 'testpassword', roles: [] });
 
       // in a non-serverless environment this would succeed with a 200

x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts

@@ -34,7 +34,10 @@ export function createApmApiClient(st: supertest.SuperTest<supertest.Test>) {
     const { method, pathname, version } = formatRequest(endpoint, params.path);
     const url = format({ pathname, query: params?.query });
 
-    const headers: Record<string, string> = { 'kbn-xsrf': 'foo' };
+    const headers: Record<string, string> = {
+      'kbn-xsrf': 'foo',
+      'x-elastic-internal-origin': 'foo',
+    };
 
     if (version) {
       headers['Elastic-Api-Version'] = version;

x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts

@@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create a new fleet server hosts', async () => {
       const { body, status } = await supertest
         .post('/api/fleet/fleet_server_hosts')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           name: 'test',
           host_urls: ['https://localhost:8220'],
@@ -34,7 +34,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create a new proxy', async () => {
       const { body, status } = await supertest
         .post('/api/fleet/proxies')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           name: 'test',
           url: 'https://localhost:8220',

x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts

@@ -21,6 +21,7 @@ export async function createIndexConnector({
   const { body } = await supertest
     .post(`/api/actions/connector`)
     .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
     .send({
       name,
       config: {
@@ -54,6 +55,7 @@ export async function createRule({
   const { body } = await supertest
     .post(`/api/alerting/rule`)
     .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
     .send({
       params,
       consumer,

x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts

@@ -25,7 +25,10 @@ export async function waitForRuleStatus({
 }): Promise<Record<string, any>> {
   return pRetry(
     async () => {
-      const response = await supertest.get(`/api/alerting/rule/${id}`);
+      const response = await supertest
+        .get(`/api/alerting/rule/${id}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
       const { execution_status: executionStatus } = response.body || {};
       const { status } = executionStatus || {};
       if (status !== expectedStatus) {

x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts

@@ -21,6 +21,7 @@ export const createDataView = async ({
   const { body } = await supertest
     .post(`/api/content_management/rpc/create`)
     .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
     .send({
       contentTypeId: 'index-pattern',
       data: {
@@ -49,6 +50,7 @@ export const deleteDataView = async ({
   const { body } = await supertest
     .post(`/api/content_management/rpc/delete`)
     .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
     .send({
       contentTypeId: 'index-pattern',
       id,

x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts

@@ -40,8 +40,14 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
       await esClient.deleteByQuery({
         index: THRESHOLD_RULE_ALERT_INDEX,
         query: { term: { 'kibana.alert.rule.uuid': ruleId } },

x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts

@@ -35,8 +35,14 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
       await esClient.deleteByQuery({
         index: THRESHOLD_RULE_ALERT_INDEX,
         query: { term: { 'kibana.alert.rule.uuid': ruleId } },

x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts

@@ -46,8 +46,14 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
       await esClient.deleteByQuery({
         index: THRESHOLD_RULE_ALERT_INDEX,
         query: { term: { 'kibana.alert.rule.uuid': ruleId } },

x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts

@@ -40,8 +40,14 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
       await esClient.deleteByQuery({
         index: THRESHOLD_RULE_ALERT_INDEX,
         query: { term: { 'kibana.alert.rule.uuid': ruleId } },

x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts

@@ -53,8 +53,14 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
       await esClient.deleteByQuery({
         index: THRESHOLD_RULE_ALERT_INDEX,
         query: { term: { 'kibana.alert.rule.uuid': ruleId } },

x-pack/test_serverless/api_integration/test_suites/security/fleet.ts

@@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create a new fleet server hosts', async () => {
       const { body, status } = await supertest
         .post('/api/fleet/fleet_server_hosts')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           name: 'test',
           host_urls: ['https://localhost:8220'],
@@ -34,7 +34,7 @@ export default function ({ getService }: FtrProviderContext) {
     it('rejects request to create a new proxy', async () => {
       const { body, status } = await supertest
         .post('/api/fleet/proxies')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
         .send({
           name: 'test',
           url: 'https://localhost:8220',

x-pack/test_serverless/shared/config.base.ts

@@ -33,6 +33,7 @@ export default async () => {
       },
       sourceArgs: ['--no-base-path', '--env.name=development'],
       serverArgs: [
+        `--server.restrictInternalApis=true`,
         `--server.port=${kbnTestConfig.getPort()}`,
         '--status.allowAnonymous=true',
         // We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should