[ftr] move SAML auth to kbn-test #172678
[ftr] move SAML auth to kbn-test #172678
Conversation
…o/kibana into ftr/move-saml-auth-to-kbn-test
| const log = getService('log'); | ||
| const isCloud = !!process.env.TEST_CLOUD; | ||
| // Sharing the instance within FTR config run means cookies are persistent for each role between tests. | ||
| const sessionManager = new SAMLSessionManager(config, log, isCloud); |
There was a problem hiding this comment.
I'm not sure if Cypress test runner has access to config instance, so I imagine a possible alternative like:
new SAMLSessionManager(kbnHost, auth, log, isCloud)where kbnHost and auth FTR and Cypress runner should provide on its own:
const kbnHost = {
protocol: config.get('servers.kibana.protocol'),
hostname: config.get('servers.kibana.hostname'),
port: isCloud ? undefined : config.get('servers.kibana.port'),
};
const auth = { username: config.get('servers.kibana.username')}, password: config.get('servers.kibana.password') }@MadameSheema @pheyos wdyt?
There was a problem hiding this comment.
I believe the alternative is the best one for Cypress usage. Thanks :)
| // getLocalUsers = () => { | ||
| // const rolesDefinitionFilePath = resolve( | ||
| // REPO_ROOT, | ||
| // 'packages/kbn-es/src/serverless_resources/roles.yml' | ||
| // ); | ||
| // const roles: string[] = Object.keys(loadYaml(fs.readFileSync(rolesDefinitionFilePath, 'utf8'))); | ||
| // }; |
There was a problem hiding this comment.
Is this commented out intentionally?
There was a problem hiding this comment.
I was thinking to split packages/kbn-es/src/serverless_resources/roles.yml into 3 files and read as part of role validation when we run tests locally. But I will do it later to not keep PR open for long
There was a problem hiding this comment.
Note: Currently folks can specify non-existing role in the test and I believe tests will pass locally/Kibana CI. But it will fail on MKI pipeline since that role does not exist in real Cloud env.
…o/kibana into ftr/move-saml-auth-to-kbn-test
| username: config.get('servers.kibana.username'), | ||
| password: config.get('servers.kibana.password'), |
There was a problem hiding this comment.
question: just for my understanding: what are these credentials for?
There was a problem hiding this comment.
@azasypkin it turns out we need to create instance of KbnClient to fetch Kibana version and for cloud we pass credentials to the client.
packages/kbn-test/src/auth/helper.ts
Outdated
| import * as fs from 'fs'; | ||
| import { User } from './session_manager'; | ||
|
|
||
| export const getProjectType = (serverArgs: string[]) => { |
There was a problem hiding this comment.
question: I see this function isn't used anywhere yet, is it just a leftover or is it reserved for some future use?
There was a problem hiding this comment.
I remove it in fac981e. Originally I planned to split svl roles yml into 3 files and validate roles per project, but decided to move it to the follow-up PR.
…o/kibana into ftr/move-saml-auth-to-kbn-test
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
dmlemeshko
added
release_note:skip
…o/kibana into ftr/move-saml-auth-to-kbn-test
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: |
…ing (#172655) Relates to: * #166340 * #170852 * #170417 * #172678 ## Summary In this PR we are using the code implemented on #170417 and #172678 to allow SAML and role testing inside Cypress. * We are creating a Cypress task to use the above-developed code and be able to retrieve a session cookie given a role. * We updated the login task to know how we should perform the login depending if we are in Serverless (MKI or serverless FTR) or ESS * In the parallel serverless script: * We are updating the `BASE_ENV_URL` variable to use the proper QA environment (pending to be done in follow-up PRs, to extract this value so it is not hardcoded cc @dkirchan ) * We are adding the `IS_SERVERLESS` environment variable needed for the logic on the login task. This changed implied to update the `es_archiver` file to continue work as expected. * We have added the `TEST_CLOUD_HOST_NAME` environment variable needed for the code we are reusing to retrieve the session cookie for MKI. * We have updated the Security Solution quality gate script to set the `role_users.json` file needed by the code we are reusing to get the different session cookies on MKI * We have adjusted the tests because the username now follows the pattern `test <role>` (@dmlemeshko is it possible to have as username just the role? Is this something that can impact other tests and teams?) * We have [skipped](#173168) a test that got unstable after the changes. ## How to test it in your machine ### Serverless FTR 1. Navigate to `x-pack/test/security_solution_cypress` 2. Execute `yarn cypress:open:qa:serverless` 3. Click on `E2E testing` 4. Click on any test to execute it ### Serverless MKI Setup a valid Elastic Cloud API key for QA environment: 1. Navigate to QA environment. 2. Click on the `User menu button` located on the top right of the header. 3. Click on `Organization`. 5. Click on the `API keys` tab. 6. Click on `Create API key` button. 7. Add a name, set an expiration date, assign an organization owner role. 8. Click on `Create API key` 9. Save the value of the key Store the saved key on `~/.elastic/cloud.json` using the following format: ```json { "api_key": { "qa": "<API_KEY>" } } ``` Store the email and password of the account you used to login in the QA Environment at the root directory of your Kibana project on `.ftr/role_users.json`, using the following format: ```json { "admin": { "email": "<email>", "password": "<password>" } } ``` If you want to execute a test with a role different from the default one, make sure you have created the user under your organization and is added to the above json following the format: ```json { "admin": { "email": "<email>", "password": "<password>" }, "<roleName>": { "email": "<email>", "password": "<password>" } } ``` 1. Navigate to `x-pack/test/security_solution_cypress` 2. Execute `yarn cypress:open:qa:serverless` 3. Click on `E2E testing` 4. Click on any test to execute it --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Summary
This PR moves SAML session creation from FTR service to
@kbn/test. It should simplify its adoption in non-FTR context, e.g. Cypress tests or jest integration tests:use it in your tests