From 87ff936b340fc75752a7d333ec83832b1f62fdaf Mon Sep 17 00:00:00 2001 From: Jean-Louis Leysens Date: Tue, 1 Aug 2023 10:19:57 +0200 Subject: [PATCH] Turn on internal API restriction for serverless tests (#162636) ## Summary Since we already have some E2E tests running for serverless, this PR turns on the internal API restriction flag to test whether our UI functions _as such_ under these tests. An alternative could be to have a specific smoke test for this, but it seems this is thoroughly covered by piggy-backing off the existing set of tests. Blocks: https://github.com/elastic/kibana/pull/162149 --- .../kbn-test/src/kbn_client/kbn_client_requester.ts | 1 + x-pack/test/api_integration/services/usage_api.ts | 1 + .../apm_api_integration/common/apm_api_supertest.ts | 5 ++++- .../test_suites/common/security_response_headers.ts | 2 +- .../test_suites/common/security_users.ts | 2 +- .../apm_api_integration/common/apm_api_supertest.ts | 5 ++++- .../api_integration/test_suites/observability/fleet.ts | 4 ++-- .../observability/helpers/alerting_api_helper.ts | 2 ++ .../observability/helpers/alerting_wait_for_helpers.ts | 5 ++++- .../test_suites/observability/helpers/data_view.ts | 2 ++ .../observability/threshold_rule/avg_pct_fired.ts | 10 ++++++++-- .../observability/threshold_rule/avg_pct_no_data.ts | 10 ++++++++-- .../threshold_rule/custom_eq_avg_bytes_fired.ts | 10 ++++++++-- .../threshold_rule/documents_count_fired.ts | 10 ++++++++-- .../observability/threshold_rule/group_by_fired.ts | 10 ++++++++-- .../api_integration/test_suites/security/fleet.ts | 4 ++-- x-pack/test_serverless/shared/config.base.ts | 1 + 17 files changed, 65 insertions(+), 19 deletions(-) diff --git a/packages/kbn-test/src/kbn_client/kbn_client_requester.ts b/packages/kbn-test/src/kbn_client/kbn_client_requester.ts index 36a007c1c0d1c..be9ea42d94d66 100644 --- a/packages/kbn-test/src/kbn_client/kbn_client_requester.ts +++ b/packages/kbn-test/src/kbn_client/kbn_client_requester.ts 
@@ -131,6 +131,7 @@ export class KbnClientRequester { headers: { ...options.headers, 'kbn-xsrf': 'kbn-client', + 'x-elastic-internal-origin': 'kbn-client', }, httpsAgent: this.httpsAgent, responseType: options.responseType, diff --git a/x-pack/test/api_integration/services/usage_api.ts b/x-pack/test/api_integration/services/usage_api.ts index c8b498232a876..fbcddfb3dc512 100644 --- a/x-pack/test/api_integration/services/usage_api.ts +++ b/x-pack/test/api_integration/services/usage_api.ts @@ -31,6 +31,7 @@ export function UsageAPIProvider({ getService }: FtrProviderContext) { const { body } = await supertest .post('/api/telemetry/v2/clusters/_stats') .set('kbn-xsrf', 'xxx') + .set('x-elastic-internal-origin', 'xxx') .send({ refreshCache: true, ...payload }) .expect(200); return body; diff --git a/x-pack/test/apm_api_integration/common/apm_api_supertest.ts b/x-pack/test/apm_api_integration/common/apm_api_supertest.ts index 4d8b39e67b4ab..ac16abff4098b 100644 --- a/x-pack/test/apm_api_integration/common/apm_api_supertest.ts +++ b/x-pack/test/apm_api_integration/common/apm_api_supertest.ts @@ -29,7 +29,10 @@ export function createApmApiClient(st: supertest.SuperTest) { const { method, pathname, version } = formatRequest(endpoint, params.path); const url = format({ pathname, query: params?.query }); - const headers: Record = { 'kbn-xsrf': 'foo' }; + const headers: Record = { + 'kbn-xsrf': 'foo', + 'x-elastic-internal-origin': 'foo', + }; if (version) { headers['Elastic-Api-Version'] = version; diff --git a/x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts b/x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts index 47f541184a37c..01d1c1b147aa8 100644 --- a/x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts +++ b/x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts 
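Review bot: The `'x-elastic-internal-origin': 'kbn-client'` entry added in `KbnClientRequester` is sent on every request, and because it is listed after `...options.headers` a caller cannot override or omit it. Once `server.restrictInternalApis` is on, a test driven through this client therefore cannot notice that it reaches an internal route where only public ones were intended. The same unconditional default is added to `createApmApiClient` in both `apm_api_supertest.ts` files. At minimum, document it above the header with `// Marks every request as internal-origin, so calls made through this client are never subject to server.restrictInternalApis`. The enclosing request method starts and ends outside the hunk.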
@@ -41,7 +41,7 @@ export default function ({ getService }: FtrProviderContext) { it('redirect endpoint response contains default security headers', async () => { const { header } = await supertest .get(`/logout`) - .set(svlCommonApi.getCommonRequestHeader()) + .set(svlCommonApi.getInternalRequestHeader()) .expect(200); expect(header).toBeDefined(); diff --git a/x-pack/test_serverless/api_integration/test_suites/common/security_users.ts b/x-pack/test_serverless/api_integration/test_suites/common/security_users.ts index af4e97fff06bc..2c82e216505b9 100644 --- a/x-pack/test_serverless/api_integration/test_suites/common/security_users.ts +++ b/x-pack/test_serverless/api_integration/test_suites/common/security_users.ts @@ -17,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) { it('rejects request to create user', async () => { const { body, status } = await supertest .post(`/internal/security/users/some_testuser`) - .set(svlCommonApi.getCommonRequestHeader()) + .set(svlCommonApi.getInternalRequestHeader()) .send({ username: 'some_testuser', password: 'testpassword', roles: [] }); // in a non-serverless environment this would succeed with a 200 diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts b/x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts index 4a6527302f3ab..5b12a44e899c0 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts 
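Review bot: In `rejects request to create user` (security_users.ts) the swap to `getInternalRequestHeader()` changes which layer can produce the rejection, and nothing in the hunk records why. With the restriction flag on, a request to `/internal/security/users/...` without the internal-origin header would presumably be refused by the restriction itself, so the test could still pass even if the route were accidentally enabled in serverless. A comment such as `// internal-origin header is required so the rejection comes from the route being disabled, not from server.restrictInternalApis` would stop a later cleanup from reverting the swap. Both fleet.ts files make the same swap on `/api/fleet/...` paths. The assertions for all of these tests are outside the hunks, so confirm that they pin the status and message of the intended rejection.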
@@ -34,7 +34,10 @@ export function createApmApiClient(st: supertest.SuperTest) { const { method, pathname, version } = formatRequest(endpoint, params.path); const url = format({ pathname, query: params?.query }); - const headers: Record = { 'kbn-xsrf': 'foo' }; + const headers: Record = { + 'kbn-xsrf': 'foo', + 'x-elastic-internal-origin': 'foo', + }; if (version) { headers['Elastic-Api-Version'] = version; diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts b/x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts index 06fbe54ca4410..ea5ca79cbefb9 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts @@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) { it('rejects request to create a new fleet server hosts', async () => { const { body, status } = await supertest .post('/api/fleet/fleet_server_hosts') - .set(svlCommonApi.getCommonRequestHeader()) + .set(svlCommonApi.getInternalRequestHeader()) .send({ name: 'test', host_urls: ['https://localhost:8220'], @@ -34,7 +34,7 @@ export default function ({ getService }: FtrProviderContext) { it('rejects request to create a new proxy', async () => { const { body, status } = await supertest .post('/api/fleet/proxies') - .set(svlCommonApi.getCommonRequestHeader()) + .set(svlCommonApi.getInternalRequestHeader()) .send({ name: 'test', url: 'https://localhost:8220', diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts index a50e1b4e85c14..5229cfcfc8db8 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts 
@@ -21,6 +21,7 @@ export async function createIndexConnector({ const { body } = await supertest .post(`/api/actions/connector`) .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo') .send({ name, config: { @@ -54,6 +55,7 @@ export async function createRule({ const { body } = await supertest .post(`/api/alerting/rule`) .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo') .send({ params, consumer, diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts index 80432a87185e6..fab50cdc92da3 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts @@ -25,7 +25,10 @@ export async function waitForRuleStatus({ }): Promise> { return pRetry( async () => { - const response = await supertest.get(`/api/alerting/rule/${id}`); + const response = await supertest + .get(`/api/alerting/rule/${id}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); const { execution_status: executionStatus } = response.body || {}; const { status } = executionStatus || {}; if (status !== expectedStatus) { diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts index 0b0e85b104962..534bc1446fd3e 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts 
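Review bot: The pair `.set('kbn-xsrf', 'foo').set('x-elastic-internal-origin', 'foo')` is written out by hand in `createIndexConnector`, `createRule` and `waitForRuleStatus`, and again in data_view.ts and the `after` hooks of the five threshold_rule suites, while other serverless tests in this commit take their headers from `svlCommonApi.getInternalRequestHeader()`. A single source keeps the suites in step if the required headers change. Suites that have `getService` could use `.set(svlCommonApi.getInternalRequestHeader())`, assuming it carries both headers, and the helpers could share a module constant such as `const INTERNAL_HEADERS = { 'kbn-xsrf': 'foo', 'x-elastic-internal-origin': 'foo' };`. Separately, `waitForRuleStatus` now sends `kbn-xsrf` on a GET, which is presumably not required for a read-only request. All three functions continue outside their hunks.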
@@ -21,6 +21,7 @@ export const createDataView = async ({ const { body } = await supertest .post(`/api/content_management/rpc/create`) .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo') .send({ contentTypeId: 'index-pattern', data: { @@ -49,6 +50,7 @@ export const deleteDataView = async ({ const { body } = await supertest .post(`/api/content_management/rpc/delete`) .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo') .send({ contentTypeId: 'index-pattern', id, diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts index 0fb8c5f976f4a..e03f1f05ad287 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts @@ -40,8 +40,14 @@ export default function ({ getService }: FtrProviderContext) { }); after(async () => { - await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo'); - await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo'); + await supertest + .delete(`/api/alerting/rule/${ruleId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); + await supertest + .delete(`/api/actions/connector/${actionId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); await esClient.deleteByQuery({ index: THRESHOLD_RULE_ALERT_INDEX, query: { term: { 'kibana.alert.rule.uuid': ruleId } }, diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts index 3b3a72954ab4c..7ed52de44810e 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts 
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts @@ -35,8 +35,14 @@ export default function ({ getService }: FtrProviderContext) { }); after(async () => { - await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo'); - await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo'); + await supertest + .delete(`/api/alerting/rule/${ruleId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); + await supertest + .delete(`/api/actions/connector/${actionId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); await esClient.deleteByQuery({ index: THRESHOLD_RULE_ALERT_INDEX, query: { term: { 'kibana.alert.rule.uuid': ruleId } }, diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts index ef6d56cf641b0..faa9604e762cb 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts @@ -46,8 +46,14 @@ export default function ({ getService }: FtrProviderContext) { }); after(async () => { - await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo'); - await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo'); + await supertest + .delete(`/api/alerting/rule/${ruleId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); + await supertest + .delete(`/api/actions/connector/${actionId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); await esClient.deleteByQuery({ index: THRESHOLD_RULE_ALERT_INDEX, query: { term: { 'kibana.alert.rule.uuid': ruleId } }, 
diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts index 52980e329de82..27c5bc17c7cfc 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts @@ -40,8 +40,14 @@ export default function ({ getService }: FtrProviderContext) { }); after(async () => { - await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo'); - await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo'); + await supertest + .delete(`/api/alerting/rule/${ruleId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); + await supertest + .delete(`/api/actions/connector/${actionId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); await esClient.deleteByQuery({ index: THRESHOLD_RULE_ALERT_INDEX, query: { term: { 'kibana.alert.rule.uuid': ruleId } }, diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts index 1646b4254832e..29d2e64a41874 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts 
@@ -53,8 +53,14 @@ export default function ({ getService }: FtrProviderContext) { }); after(async () => { - await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo'); - await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo'); + await supertest + .delete(`/api/alerting/rule/${ruleId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); + await supertest + .delete(`/api/actions/connector/${actionId}`) + .set('kbn-xsrf', 'foo') + .set('x-elastic-internal-origin', 'foo'); await esClient.deleteByQuery({ index: THRESHOLD_RULE_ALERT_INDEX, query: { term: { 'kibana.alert.rule.uuid': ruleId } }, diff --git a/x-pack/test_serverless/api_integration/test_suites/security/fleet.ts b/x-pack/test_serverless/api_integration/test_suites/security/fleet.ts index 06fbe54ca4410..ea5ca79cbefb9 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/fleet.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/fleet.ts @@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) { it('rejects request to create a new fleet server hosts', async () => { const { body, status } = await supertest .post('/api/fleet/fleet_server_hosts') - .set(svlCommonApi.getCommonRequestHeader()) + .set(svlCommonApi.getInternalRequestHeader()) .send({ name: 'test', host_urls: ['https://localhost:8220'], @@ -34,7 +34,7 @@ export default function ({ getService }: FtrProviderContext) { it('rejects request to create a new proxy', async () => { const { body, status } = await supertest .post('/api/fleet/proxies') - .set(svlCommonApi.getCommonRequestHeader()) + .set(svlCommonApi.getInternalRequestHeader()) .send({ name: 'test', url: 'https://localhost:8220', diff --git a/x-pack/test_serverless/shared/config.base.ts b/x-pack/test_serverless/shared/config.base.ts index fa940bb8f3fca..5ee130b96525d 100644 --- a/x-pack/test_serverless/shared/config.base.ts +++ b/x-pack/test_serverless/shared/config.base.ts 
@@ -33,6 +33,7 @@ export default async () => { }, sourceArgs: ['--no-base-path', '--env.name=development'], serverArgs: [ + `--server.restrictInternalApis=true`, `--server.port=${kbnTestConfig.getPort()}`, '--status.allowAnonymous=true', // We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should
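Review bot: Turning on `--server.restrictInternalApis=true` in `serverArgs` is not matched by any test in this commit that calls an internal route without `x-elastic-internal-origin` and expects a refusal; every touched call site adds the header instead. Without that negative case the suites show that the helpers and UI still work, but not that the restriction is actually enforced under the serverless config. The values used across the commit (`'foo'`, `'xxx'`, `'kbn-client'`) also suggest that only the header's presence is checked. A comment here such as `// API-hygiene guard only: the internal-origin header is client-supplied, route authorization still applies` would keep readers from treating the flag as an access control. The config function starts and ends outside the hunk.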