Add mock identity provider for serverless #170852
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ess-role-selector
…mann/kibana into serverless-role-selector
…mann/kibana into serverless-role-selector
…mann/kibana into serverless-role-selector
…ess-role-selector
thomheymann
added
the
release_note:skip
Ikuni17
reviewed
Nov 9, 2023
Ikuni17
approved these changes
Nov 10, 2023
…ess-role-selector
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: cc @thomheymann |
kibanamachine
added
v8.12.0
backport:skip
delanni
added a commit
that referenced
this pull request
Nov 15, 2023
Ikuni17
added a commit
to Ikuni17/kibana
that referenced
this pull request
Nov 15, 2023
This reverts commit 1fb0313.
|
Reverted in d09e47a due to breaking production builds. |
jillguyonnet
pushed a commit
to jillguyonnet/kibana
that referenced
this pull request
Nov 16, 2023
Related to [elastic#166340](elastic#166340) ## Summary Add mock identity provider and utils to test serverless user roles. ## Screenshot ### 1. Login selector <img width="767" alt="Screenshot 2023-11-08 at 15 18 18" src="https://github.com/elastic/kibana/assets/190132/82b4a29f-65b4-45d2-bed3-6d9f74043c48"> ### 2. Single sign on screen <img width="437" alt="Screenshot 2023-11-09 at 12 30 46" src="https://github.com/elastic/kibana/assets/190132/3d5b6f26-5409-4169-a627-bcf6d09836d9"> ### 3. User profile page <img width="1041" alt="Screenshot 2023-11-08 at 17 36 22" src="https://github.com/elastic/kibana/assets/190132/50bd4a5a-f9a8-4643-9384-9a352701b011"> ## Testing SAML is only supported by ES when running in SSL mode. 1. To test the mock identity provider run a serverless project in SSL mode using: ```bash yarn es serverless --ssl yarn start --serverless=es --ssl ``` 2. Then access Kibana and login in using "Continue as Test User". --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
jillguyonnet
pushed a commit
to jillguyonnet/kibana
that referenced
this pull request
Nov 16, 2023
…stic#171275) ## Summary Fixes type error coming from merge-race: elastic#170852 - adds a new plugin elastic#170856 - changes how plugins should look
jillguyonnet
pushed a commit
to jillguyonnet/kibana
that referenced
this pull request
Nov 16, 2023
This reverts commit 1fb0313.
WafaaNasr
pushed a commit
to WafaaNasr/kibana
that referenced
this pull request
Nov 23, 2023
Attempting to merge elastic#170852 again now that the release artefact step has been fixed as part of elastic#171457 --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
dmlemeshko
added a commit
that referenced
this pull request
Dec 4, 2023
## Summary ### This PR enables user roles testing in FTR We use SAML authentication to get session cookie for user with the specific role. The cookie is cached on FTR service side so we only make SAML auth one time per user within FTR config run. For Kibana CI service relies on changes coming in #170852 In order to run FTR tests locally against existing MKI project: - add `.ftr/role_users.json` in Kibana root dir ``` { "viewer": { "email": "...", "password": "..." }, "developer": { "email": "...", "password": "..." } } ``` - set Cloud hostname (!not project hostname!) with TEST_CLOUD_HOST_NAME, e.g. `export TEST_CLOUD_HOST_NAME=console.qa.cld.elstc.co` ### How to use: - functional tests: ``` const svlCommonPage = getPageObject('svlCommonPage'); before(async () => { // login with Viewer role await svlCommonPage.loginWithRole('viewer'); // you are logged in in browser and on project home page, start the test }); it('has project header', async () => { await svlCommonPage.assertProjectHeaderExists(); }); ``` - API integration tests: ``` const svlUserManager = getService('svlUserManager'); const supertestWithoutAuth = getService('supertestWithoutAuth'); let credentials: { Cookie: string }; before(async () => { // get auth header for Viewer role credentials = await svlUserManager.getApiCredentialsForRole('viewer'); }); it('returns full status payload for authenticated request', async () => { const { body } = await supertestWithoutAuth .get('/api/status') .set(credentials) .set('kbn-xsrf', 'kibana'); expect(body.name).to.be.a('string'); expect(body.uuid).to.be.a('string'); expect(body.version.number).to.be.a('string'); }); ``` Flaky-test-runner: #1 https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4081 #2 https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4114 --------- Co-authored-by: Robert Oskamp <traeluki@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
MadameSheema
added a commit
that referenced
this pull request
Dec 13, 2023
…ing (#172655) Relates to: * #166340 * #170852 * #170417 * #172678 ## Summary In this PR we are using the code implemented on #170417 and #172678 to allow SAML and role testing inside Cypress. * We are creating a Cypress task to use the above-developed code and be able to retrieve a session cookie given a role. * We updated the login task to know how we should perform the login depending if we are in Serverless (MKI or serverless FTR) or ESS * In the parallel serverless script: * We are updating the `BASE_ENV_URL` variable to use the proper QA environment (pending to be done in follow-up PRs, to extract this value so it is not hardcoded cc @dkirchan ) * We are adding the `IS_SERVERLESS` environment variable needed for the logic on the login task. This changed implied to update the `es_archiver` file to continue work as expected. * We have added the `TEST_CLOUD_HOST_NAME` environment variable needed for the code we are reusing to retrieve the session cookie for MKI. * We have updated the Security Solution quality gate script to set the `role_users.json` file needed by the code we are reusing to get the different session cookies on MKI * We have adjusted the tests because the username now follows the pattern `test <role>` (@dmlemeshko is it possible to have as username just the role? Is this something that can impact other tests and teams?) * We have [skipped](#173168) a test that got unstable after the changes. ## How to test it in your machine ### Serverless FTR 1. Navigate to `x-pack/test/security_solution_cypress` 2. Execute `yarn cypress:open:qa:serverless` 3. Click on `E2E testing` 4. Click on any test to execute it ### Serverless MKI Setup a valid Elastic Cloud API key for QA environment: 1. Navigate to QA environment. 2. Click on the `User menu button` located on the top right of the header. 3. Click on `Organization`. 5. Click on the `API keys` tab. 6. Click on `Create API key` button. 7. Add a name, set an expiration date, assign an organization owner role. 8. Click on `Create API key` 9. Save the value of the key Store the saved key on `~/.elastic/cloud.json` using the following format: ```json { "api_key": { "qa": "<API_KEY>" } } ``` Store the email and password of the account you used to login in the QA Environment at the root directory of your Kibana project on `.ftr/role_users.json`, using the following format: ```json { "admin": { "email": "<email>", "password": "<password>" } } ``` If you want to execute a test with a role different from the default one, make sure you have created the user under your organization and is added to the above json following the format: ```json { "admin": { "email": "<email>", "password": "<password>" }, "<roleName>": { "email": "<email>", "password": "<password>" } } ``` 1. Navigate to `x-pack/test/security_solution_cypress` 2. Execute `yarn cypress:open:qa:serverless` 3. Click on `E2E testing` 4. Click on any test to execute it --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related to #166340
Summary
Add mock identity provider and utils to test serverless user roles.
Screenshot
1. Login selector
2. Single sign on screen
3. User profile page
Testing
SAML is only supported by ES when running in SSL mode.