[Security Solution] Support Serverless Cypress tests with different roles (#169017)

**Addresses:** #164451

## Summary

This PR allows running role-based tests that are reused between ESS and Serverless Cypress test suites.

## Details

The main idea behind it is to make environmental differences unnoticeable to tests. As the Serverless env already has roles and users, while the ESS env allows creating any possible role and user, we just need to create the Serverless roles and corresponding users plus the ESS-specific roles and corresponding users in the ESS env before running any ESS tests. This way tests run in a similar env and don't have to bother with role/user creation in test suites. This is achieved by using separate Cypress support files (Cypress includes `support/e2e.js` by default), `ess_e2e.ts` and `serverless_e2e.ts`, executed for the corresponding environments. `ess_e2e.ts` contains the logic to create the roles and users mentioned above, while `serverless_e2e.ts` doesn't contain such logic.

_Only one user is created per role, and the user has the same name as its corresponding role, with the `changeme` password._

To be able to create roles we need to store their definitions somewhere. It's also convenient to have JSON definitions instead of YAML. Plus, Serverless roles should be pulled from the `project-controller` repo, but that's not addressed in this PR. I've chosen the following locations:

- Serverless Security roles in `packages/kbn-es/src/serverless_resources/security_roles.json`. While `@kbn/es` is a common package, it has a `serverless_resources` folder containing `roles.yml`, a mix of `https://github.com/elastic/project-controller/blob/main/internal/project/observability/config/roles.yml`, `https://github.com/elastic/project-controller/blob/main/internal/project/esproject/config/roles.yml` and `https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml` copied from `project-controller` and used for ES data restore. As there is no automation yet, it looks logical to keep the Security roles subset next to the ES Serverless resources.
- ESS-specific Security roles in `x-pack/plugins/security_solution/common/test/ess_roles.json`

On top of that, the following has been done:

- `reader` role replaced with `t1_analyst` where possible in tests (besides `e2e/explore/cases/attach_alert_to_case.cy.ts`, but that's a purely ESS test so it's fine), as `reader` is ESS specific and makes it harder to run the same tests in ESS and Serverless environments, while both roles are almost equivalent
- `login()` helper function accepts all known roles (Serverless + ESS) but throws an exception if a custom ESS role is used under the Serverless env
- `x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users` isn't necessary anymore, as `security_roles.json` + `ess_roles.json` contain all the data necessary to create roles and users

### Does it enable role support for MKI environments?

No. This PR only enables role support for non-MKI Serverless environments. The MKI env has predefined roles but not users. This will be addressed in a follow-up PR.

## Flaky test runner

Two Serverless Cypress tests unskipped in this PR that use a non-default role, `detection_response/detection_alerts/missing_privileges_callout.cy.ts` and `detection_response/prebuilt_rules/prebuilt_rules_install_update_authorization.cy.ts`: [150 runs](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/3723) 🟢 (there is one env-related failure, but it doesn't look related to the changes in this PR)
maximpn authored Oct 31, 2023
1 parent e7980c6 commit 58adee0
Showing 104 changed files with 804 additions and 1,443 deletions.
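The commit message describes three pieces of behaviour: roles are seeded from JSON definitions, one user per role is created with the role's name and the `changeme` password, and `login()` refuses an ESS-only role when the suite runs under Serverless. The following TypeScript is an added illustration of that environment-aware logic; it is not Kibana's code and not the `ess_e2e.ts`/`login()` implementation from this PR. The `SERVERLESS_ROLES` object is a constructed, abbreviated excerpt of `security_roles.json`; `ESS_ROLES` is a hypothetical stand-in for `ess_roles.json`, whose contents are not on this page. `validateRoles` adds a consistency check the README's "must be in sync" warning suggests a maintainer would want.

```typescript
// Added example (not Kibana code): environment-aware role seeding and login guard.
// Role data below is a constructed excerpt; the real files live in the Kibana repo.

type Env = 'ess' | 'serverless';

interface IndexPrivilege { names: string[]; privileges: string[] }
interface KibanaPrivilege { feature: Record<string, string[]>; spaces: string[]; base: string[] }
interface RoleDefinition {
  name: string;
  elasticsearch: { cluster: string[]; indices: IndexPrivilege[]; run_as: string[] };
  kibana: KibanaPrivilege[];
}

// Constructed, abbreviated excerpt of security_roles.json (Serverless roles).
const SERVERLESS_ROLES: Record<string, RoleDefinition> = {
  t1_analyst: {
    name: 't1_analyst',
    elasticsearch: {
      cluster: [],
      indices: [{ names: ['.alerts-security*', '.siem-signals-*'], privileges: ['read', 'write', 'maintenance'] }],
      run_as: [],
    },
    kibana: [{ feature: { siem: ['read', 'read_alerts'], securitySolutionCases: ['read'] }, spaces: ['*'], base: [] }],
  },
  t2_analyst: {
    name: 't2_analyst',
    elasticsearch: {
      cluster: [],
      indices: [{ names: ['.alerts-security*', '.siem-signals-*', '.lists*', '.items*'], privileges: ['read'] }],
      run_as: [],
    },
    kibana: [{ feature: { siem: ['read', 'read_alerts'], securitySolutionCases: ['read'] }, spaces: ['*'], base: [] }],
  },
};

// Hypothetical ESS-only role standing in for ess_roles.json (not on the page).
const ESS_ROLES: Record<string, RoleDefinition> = {
  reader: {
    name: 'reader',
    elasticsearch: { cluster: [], indices: [{ names: ['.alerts-security*'], privileges: ['read'] }], run_as: [] },
    kibana: [{ feature: { siem: ['read'] }, spaces: ['*'], base: [] }],
  },
};

const DEFAULT_TEST_PASSWORD = 'changeme'; // as stated in the commit message

// Serverless already ships its roles; ESS must be seeded with both sets so tests see one env.
function rolesForEnv(env: Env): Record<string, RoleDefinition> {
  return env === 'serverless' ? SERVERLESS_ROLES : { ...SERVERLESS_ROLES, ...ESS_ROLES };
}

// The guard login() applies: any known role is accepted, but an ESS-specific role
// is an error under Serverless, where it can never be provisioned.
function resolveRole(env: Env, roleName: string): RoleDefinition {
  const role: RoleDefinition | undefined = rolesForEnv(env)[roleName];
  if (role) return role;
  if (env === 'serverless' && roleName in ESS_ROLES) {
    throw new Error(`Role "${roleName}" is ESS specific and cannot be used under Serverless`);
  }
  throw new Error(`Unknown role "${roleName}"`);
}

// One user per role, named after the role, with the default test password.
// Payload shape is an assumption of this example, not the PR's own code.
function userForRole(roleName: string): { username: string; password: string; roles: string[] } {
  return { username: roleName, password: DEFAULT_TEST_PASSWORD, roles: [roleName] };
}

// Consistency checks a seeding step can run before calling any API:
// object key must match the name field, every index group must grant something,
// and a Kibana privilege entry must not mix base and feature privileges.
function validateRoles(roles: Record<string, RoleDefinition>): string[] {
  const problems: string[] = [];
  for (const [key, def] of Object.entries(roles)) {
    if (def.name !== key) problems.push(`${key}: name field "${def.name}" does not match key`);
    for (const idx of def.elasticsearch.indices) {
      if (idx.privileges.length === 0) problems.push(`${key}: ${idx.names.join(',')} grants no privileges`);
    }
    for (const kp of def.kibana) {
      if (kp.base.length > 0 && Object.keys(kp.feature).length > 0) {
        problems.push(`${key}: base and feature privileges cannot be combined`);
      }
    }
  }
  return problems;
}

// What ess_e2e.ts has to create before tests run; serverless_e2e.ts creates nothing.
function seedingPlan(env: Env): { roles: string[]; users: string[] } {
  if (env === 'serverless') return { roles: [], users: [] };
  const names = Object.keys(rolesForEnv('ess'));
  return { roles: names, users: names };
}
```

`seedingPlan('ess')` yields both the Serverless and the ESS-specific names, which is exactly the asymmetry the commit message relies on: ESS is made to look like Serverless by provisioning everything up front, so test suites never create roles or users themselves.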
9 changes: 9 additions & 0 deletions packages/kbn-es/src/serverless_resources/README.md
@@ -2,6 +2,15 @@

The resources in this directory are used for seeding Elasticsearch Serverless images with users, roles and tokens for SSL and authentication. Serverless requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`.

## Roles

Roles defined in `roles.yml` intended to mock a Serverless deployment. It must be in sync with `project-controller` defined roles and used in real (MKI) environments. In case of some differences tests may pass against Serverless snapshot environment but fail against MKI environments creating confusion.

### Why `security_roles.json` is here?

`security_roles.json` is a subset of defined in `roles.yml` roles in a JSON format and extended with necessary fields
to be compatible with `/api/security/role/{roleName}` endpoint. It's consumed by test environments like Cypress to be able to run different scenarios.

## Users

### Default user
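Review bot: The new "Roles" section has grammar problems that make its sync requirement hard to read: "Roles defined in `roles.yml` intended to mock a Serverless deployment" lacks a verb ("are intended"), "It must be in sync with `project-controller` defined roles and used in real (MKI) environments" leaves it unclear whether "used in real (MKI) environments" describes the roles or the file, and the heading "Why `security_roles.json` is here?" should read "Why is `security_roles.json` here?". Since the paragraph's real point is the drift risk (tests passing against the snapshot but failing against MKI), consider also naming the upstream files to sync against; the PR description lists the three `project-controller` `roles.yml` paths that `roles.yml` here is assembled from, and the README is where a maintainer will look for them.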
353 changes: 353 additions & 0 deletions packages/kbn-es/src/serverless_resources/security_roles.json
@@ -0,0 +1,353 @@
{
"t1_analyst": {
"name": "t1_analyst",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": [".alerts-security*", ".siem-signals-*"],
"privileges": ["read", "write", "maintenance"]
},
{
"names": [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*",
"metrics-endpoint.metadata_current_*",
".fleet-agents*",
".fleet-actions*"
],
"privileges": ["read"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["read"],
"siem": ["read", "read_alerts"],
"securitySolutionAssistant": ["all"],
"securitySolutionCases": ["read"],
"actions": ["read"],
"builtInAlerts": ["read"]
},
"spaces": ["*"],
"base": []
}
]
},
"t2_analyst": {
"name": "t2_analyst",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": [".alerts-security*", ".siem-signals-*"],
"privileges": ["read", "write", "maintenance"]
},
{
"names": [
".lists*",
".items*",
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*",
"metrics-endpoint.metadata_current_*",
".fleet-agents*",
".fleet-actions*"
],
"privileges": ["read"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["read"],
"siem": ["read", "read_alerts"],
"securitySolutionAssistant": ["all"],
"securitySolutionCases": ["read"],
"actions": ["read"],
"builtInAlerts": ["read"]
},
"spaces": ["*"],
"base": []
}
]
},
"t3_analyst": {
"name": "t3_analyst",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"privileges": ["read", "write"]
},
{
"names": [".alerts-security*", ".siem-signals-*"],
"privileges": ["read", "write"]
},
{
"names": [".lists*", ".items*"],
"privileges": ["read", "write"]
},
{
"names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
"privileges": ["read"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["read"],
"siem": [
"all",
"read_alerts",
"crud_alerts",
"endpoint_list_all",
"trusted_applications_all",
"event_filters_all",
"host_isolation_exceptions_all",
"blocklist_all",
"policy_management_read",
"host_isolation_all",
"process_operations_all",
"actions_log_management_all",
"file_operations_all"
],
"securitySolutionCases": ["all"],
"actions": ["read"],
"builtInAlerts": ["all"],
"osquery": ["all"]
},
"spaces": ["*"],
"base": []
}
]
},
"rule_author": {
"name": "rule_author",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*",
".lists*",
".items*"
],
"privileges": ["read", "write"]
},
{
"names": [
".alerts-security*",
".preview.alerts-security*",
".internal.preview.alerts-security*",
".siem-signals-*"
],
"privileges": ["read", "write", "maintenance", "view_index_metadata"]
},
{
"names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
"privileges": ["read"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["read"],
"siem": ["all", "read_alerts", "crud_alerts"],
"securitySolutionAssistant": ["all"],
"securitySolutionCases": ["all"],
"actions": ["read"],
"builtInAlerts": ["all"]
},
"spaces": ["*"],
"base": []
}
]
},
"soc_manager": {
"name": "soc_manager",
"elasticsearch": {
"cluster": [],
"indices": [
{
"names": [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*",
".lists*",
".items*"
],
"privileges": ["read", "write"]
},
{
"names": [
".alerts-security*",
".preview.alerts-security*",
".internal.preview.alerts-security*",
".siem-signals-*"
],
"privileges": ["read", "write", "manage"]
},
{
"names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
"privileges": ["read"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["read"],
"siem": ["all", "read_alerts", "crud_alerts"],
"securitySolutionAssistant": ["all"],
"securitySolutionCases": ["all"],
"actions": ["all"],
"builtInAlerts": ["all"]
},
"spaces": ["*"],
"base": []
}
]
},
"detections_admin": {
"name": "detections_admin",
"elasticsearch": {
"cluster": ["manage"],
"indices": [
{
"names": [
".siem-signals-*",
".alerts-security*",
".preview.alerts-security*",
".internal.preview.alerts-security*",
".lists*",
".items*",
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"privileges": ["manage", "write", "read"]
},
{
"names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
"privileges": ["read"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["all"],
"siem": ["all", "read_alerts", "crud_alerts"],
"securitySolutionAssistant": ["all"],
"securitySolutionCases": ["all"],
"actions": ["read"],
"builtInAlerts": ["all"],
"dev_tools": ["all"]
},
"spaces": ["*"],
"base": []
}
]
},
"platform_engineer": {
"name": "platform_engineer",
"elasticsearch": {
"cluster": ["manage"],
"indices": [
{
"names": [".lists*", ".items*"],
"privileges": ["all"]
},
{
"names": [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*",
"metrics-endpoint.metadata_current_*",
".fleet-agents*",
".fleet-actions*"
],
"privileges": ["all"]
},
{
"names": [
".alerts-security*",
".preview.alerts-security*",
".internal.preview.alerts-security*",
".siem-signals-*"
],
"privileges": ["all"]
}
],
"run_as": []
},
"kibana": [
{
"feature": {
"ml": ["all"],
"siem": ["all", "read_alerts", "crud_alerts"],
"securitySolutionAssistant": ["all"],
"securitySolutionCases": ["all"],
"actions": ["all"],
"builtInAlerts": ["all"]
},
"spaces": ["*"],
"base": []
}
]
}
}
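Review bot: Every role carries a `"name"` field identical to its object key (e.g. `"t1_analyst": { "name": "t1_analyst", ...`), so the file can silently drift if one copy is edited; whichever consumer reads this file should assert the two match, or the key alone should be the source of truth. Two cross-role inconsistencies are worth a deliberate yes/no: `t3_analyst` is the only role without `"securitySolutionAssistant"` while it alone gains `"osquery": ["all"]`, and the alert indices get `"maintenance", "view_index_metadata"` for `rule_author` but `"manage"` for `soc_manager`, with `detections_admin` and `platform_engineer` additionally holding `"cluster": ["manage"]`. If these mirror `project-controller` exactly that is fine, but the README added in this commit says the file must stay in sync by hand, so a short comment or a CI diff against the upstream `roles.yml` would catch the next divergence before it reaches MKI.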
11 changes: 3 additions & 8 deletions packages/kbn-es/tsconfig.json
@@ -3,19 +3,14 @@
"compilerOptions": {
"outDir": "target/types"
},
"include": [
"**/*.ts",
"**/*.js"
],
"exclude": [
"target/**/*",
],
"include": ["**/*.ts", "**/*.js", "**/*.json"],
"exclude": ["target/**/*"],
"kbn_references": [
"@kbn/tooling-log",
"@kbn/dev-utils",
"@kbn/dev-proc-runner",
"@kbn/ci-stats-reporter",
"@kbn/jest-serializers",
"@kbn/repo-info",
"@kbn/repo-info"
]
}
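Review bot: Widening `"include"` to `"**/*.json"` pulls every JSON file under `packages/kbn-es` into the TypeScript program, not just `src/serverless_resources/security_roles.json`, which slows type checking and means any malformed or unrelated JSON in the package (fixtures, generated output) becomes a compile error; a narrower glob such as `"src/serverless_resources/*.json"` expresses the intent. The collapse of `"exclude"` onto one line also drops the trailing comma after `"target/**/*"`, which was technically invalid JSON, so that part is a welcome cleanup.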