-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detection Engine] Running API tests in Serverless & ESS using Mocha Tagging #166755
[Security Solution][Detection Engine] Running API tests in Serverless & ESS using Mocha Tagging #166755
Changes from 42 commits
c165f2f
423ccde
1e0730c
2189c61
62d8a68
1b95701
82429a7
c01c148
35198f0
5df3507
dbc106e
925014a
9bb3bf8
b08cace
b68b981
ed96e45
16aff77
fd59ac9
591f0fe
bcbabbf
efa734d
6e12eba
7532f52
9199d72
c868a08
d1970aa
88cec41
92899a1
859f525
1776097
2c5008a
4c8ef9e
c1a640e
73ce67c
fba6606
8d48e0f
ce2bcb1
29e5359
a3079e8
2be2e87
4bd64fb
ddf1c1f
31e7d38
3320fd1
bf729e6
480cd92
e08eff9
e2a41b2
7e18355
153cc6a
4ff0cbb
e207ab7
1e7015f
86e2789
a7eda2b
14652fb
4060d23
d566155
2077cc4
f439ae9
8728f5c
50556d0
08a2f8e
7d71d39
e8d3a63
e982ed8
a200c13
993cec6
7f3cb51
76afd5a
204871b
f12cabe
4ba34b1
49c3d0d
3e0c8f0
c6e74ee
b075837
1159b10
e027c42
38aa9d5
4993a71
797ab7c
50e4fc8
c603046
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# security_solution_api_integration | ||
|
||
This directory | ||
serves as a centralized location to place the security solution tests that run in Serverless and ESS environments. | ||
WafaaNasr marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
## Subdirectories | ||
|
||
1. `config` stores base configurations specific to both the Serverless and ESS environments, These configurations build upon the base configuration provided by `xpack/test_serverless` and `x-pack-api_integrations`, incorporating additional settings such as environment variables and tagging options. | ||
|
||
|
||
2. `test_suites` directory now houses all the tests along with their utility functions. As an initial step, | ||
we have introduced the `detection_response` directory to consolidate all the integration tests related to detection and response APIs. | ||
|
||
|
||
## Overview | ||
|
||
- In this directory, Mocha tagging is utilized to assign tags to specific test suites and individual test cases. This tagging system enables the ability to selectively apply tags to test suites and test cases, facilitating the exclusion of specific test cases within a test suite as needed. | ||
|
||
- There are three primary tags that have been defined: @ess, @serverless, and @brokenInServerless | ||
|
||
- Test suites and cases are prefixed with specific tags to determine their execution in particular environments or to exclude them from specific environments. | ||
|
||
ex: | ||
``` | ||
describe('@serverless @ess create_rules', () => { ==> tests in this suite will run in both Ess and Serverless | ||
describe('creating rules', () => {}); | ||
|
||
describe('@brokenInServerless missing timestamps', () => {}); ==> tests in this suite will be excluded in Serverless | ||
|
||
``` | ||
|
||
## Adding new security area's tests | ||
|
||
1. Within the `test_suites` directory, create a new area folder. | ||
2. Introduce `ess.config` and `serverless.config` files to reference the new test files and incorporate any additional custom properties defined in the `CreateTestConfigOptions` interface. | ||
3. In these new configuration files, include references to the base configurations located under the config directory to inherit CI configurations, environment variables, and other settings. | ||
4. Append a new entry in the `ftr_configs.yml` file to enable the execution of the newly added tests within the CI pipeline. | ||
|
||
|
||
## Testing locally | ||
|
||
In the `package.json` file, you'll find commands to configure the server for each environment and to run tests against that specific environment. These commands adhere to the Mocha tagging system, allowing for the inclusion and exclusion of tags, mirroring the setup of the CI pipeline. | ||
|
||
|
||
|
||
|
||
|
WafaaNasr marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Instead of copy-pasting this file, can we / should we import and adjust the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That's true, but the good thing the CI will help us identify that since it will fail for the moved tests, and I am imagining after merging this PR the process of moving the tests should be faster than this step. I am also open if you have other thoughts!! |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { CA_CERT_PATH } from '@kbn/dev-utils'; | ||
import { FtrConfigProviderContext, kbnTestConfig, kibanaTestUser } from '@kbn/test'; | ||
import { services } from '../../../api_integration/services'; | ||
|
||
// TODO combine it with | ||
interface CreateTestConfigOptions { | ||
license: string; | ||
ssl?: boolean; | ||
} | ||
|
||
// test.not-enabled is specifically not enabled | ||
const enabledActionTypes = [ | ||
'.email', | ||
'.index', | ||
'.pagerduty', | ||
'.swimlane', | ||
'.server-log', | ||
'.servicenow', | ||
'.slack', | ||
'.webhook', | ||
'test.authorization', | ||
'test.failing', | ||
'test.index-record', | ||
'test.noop', | ||
'test.rate-limit', | ||
]; | ||
|
||
export function createTestConfig(options: CreateTestConfigOptions, testFiles?: string[]) { | ||
const { license = 'trial', ssl = false } = options; | ||
|
||
return async ({ readConfigFile }: FtrConfigProviderContext) => { | ||
const xPackApiIntegrationTestsConfig = await readConfigFile( | ||
require.resolve('../../../api_integration/config.ts') | ||
); | ||
const servers = { | ||
...xPackApiIntegrationTestsConfig.get('servers'), | ||
elasticsearch: { | ||
...xPackApiIntegrationTestsConfig.get('servers.elasticsearch'), | ||
protocol: ssl ? 'https' : 'http', | ||
}, | ||
}; | ||
|
||
return { | ||
testFiles, | ||
servers, | ||
services, | ||
junit: { | ||
reportName: 'X-Pack Detection Engine API Integration Tests', | ||
}, | ||
esTestCluster: { | ||
...xPackApiIntegrationTestsConfig.get('esTestCluster'), | ||
license, | ||
ssl, | ||
serverArgs: [`xpack.license.self_generated.type=${license}`], | ||
}, | ||
kbnTestServer: { | ||
...xPackApiIntegrationTestsConfig.get('kbnTestServer'), | ||
env: { | ||
ELASTICSEARCH_USERNAME: kbnTestConfig.getUrlParts(kibanaTestUser).username, | ||
}, | ||
serverArgs: [ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As I understand this file is a copy of https://github.com/elastic/kibana/blob/main/x-pack/test/detection_engine_api_integration/common/config.ts with little modifications. It looks like some of the parameters may not be required anymore like we don't need that long list of supported actions |
||
...xPackApiIntegrationTestsConfig.get('kbnTestServer.serverArgs'), | ||
`--xpack.actions.allowedHosts=${JSON.stringify(['localhost', 'some.non.existent.com'])}`, | ||
`--xpack.actions.enabledActionTypes=${JSON.stringify(enabledActionTypes)}`, | ||
'--xpack.eventLog.logEntries=true', | ||
`--xpack.securitySolution.alertIgnoreFields=${JSON.stringify([ | ||
'testing_ignored.constant', | ||
'/testing_regex*/', | ||
])}`, // See tests within the file "ignore_fields.ts" which use these values in "alertIgnoreFields" | ||
'--xpack.ruleRegistry.write.enabled=true', | ||
'--xpack.ruleRegistry.write.cache.enabled=false', | ||
'--xpack.ruleRegistry.unsafe.indexUpgrade.enabled=true', | ||
'--xpack.ruleRegistry.unsafe.legacyMultiTenancy.enabled=true', | ||
`--xpack.securitySolution.enableExperimental=${JSON.stringify([ | ||
'previewTelemetryUrlEnabled', | ||
'riskScoringPersistence', | ||
'riskScoringRoutesEnabled', | ||
])}`, | ||
'--xpack.task_manager.poll_interval=1000', | ||
`--xpack.actions.preconfigured=${JSON.stringify({ | ||
'my-test-email': { | ||
actionTypeId: '.email', | ||
name: 'TestEmail#xyz', | ||
config: { | ||
from: '[email protected]', | ||
service: '__json', | ||
}, | ||
secrets: { | ||
user: 'user', | ||
password: 'password', | ||
}, | ||
}, | ||
})}`, | ||
...(ssl | ||
? [ | ||
`--elasticsearch.hosts=${servers.elasticsearch.protocol}://${servers.elasticsearch.hostname}:${servers.elasticsearch.port}`, | ||
`--elasticsearch.ssl.certificateAuthorities=${CA_CERT_PATH}`, | ||
] | ||
: []), | ||
], | ||
}, | ||
mochaOpts: { | ||
grep: '/^(?!.*@brokenInEss).*@ess.*/', | ||
WafaaNasr marked this conversation as resolved.
Show resolved
Hide resolved
|
||
}, | ||
}; | ||
}; | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { createTestConfig } from './config.base'; | ||
|
||
// eslint-disable-next-line import/no-default-export | ||
export default createTestConfig({ | ||
license: 'trial', | ||
ssl: true, | ||
}); | ||
WafaaNasr marked this conversation as resolved.
Show resolved
Hide resolved
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
import { FtrConfigProviderContext, kbnTestConfig, kibanaTestSuperuserServerless } from '@kbn/test'; | ||
|
||
import { services } from '../../../../test_serverless/api_integration/services'; | ||
import type { CreateTestConfigOptions } from '../../../../test_serverless/shared/types'; | ||
|
||
export function createTestConfig(options: Partial<CreateTestConfigOptions>) { | ||
return async ({ readConfigFile }: FtrConfigProviderContext) => { | ||
const svlSharedConfig = await readConfigFile( | ||
require.resolve('../../../../test_serverless/shared/config.base.ts') | ||
); | ||
|
||
return { | ||
...svlSharedConfig.getAll(), | ||
|
||
services: { | ||
...services, | ||
...options.services, | ||
}, | ||
kbnTestServer: { | ||
...svlSharedConfig.get('kbnTestServer'), | ||
|
||
serverArgs: [ | ||
...svlSharedConfig.get('kbnTestServer.serverArgs'), | ||
'--serverless=security', | ||
...(options.kbnServerArgs || []), | ||
], | ||
env: { | ||
...svlSharedConfig.get('kbnTestServer').env, | ||
ELASTICSEARCH_USERNAME: kbnTestConfig.getUrlParts(kibanaTestSuperuserServerless).username, | ||
}, | ||
}, | ||
testFiles: options.testFiles, | ||
junit: options.junit, | ||
|
||
mochaOpts: { | ||
...svlSharedConfig.get('mochaOpts'), | ||
grep: '/^(?!.*@brokenInServerless).*@serverless.*/', | ||
WafaaNasr marked this conversation as resolved.
Show resolved
Hide resolved
|
||
}, | ||
}; | ||
}; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having only two configs for all D&R tests will not scale, unfortunately. We need to split our tests into N groups, where each group will have at least two FTR configs: one for ESS and one for Serverless. In the near future, groups will also have additional FTR configs for enabling feature flags and running tests against enabled features. Please read more about the idea of splitting tests into meaningful groups in #151902.
Also, there's a requirement that each group of FTR tests must run under 40 minutes. This means we should aim at 15-20 minutes at most per group, leaving some time buffer for incidents where CI gets slower than it normally is.
All that can force us to split tests into more or less fine-grained groups, sometimes more fine-grained than our subdomains (exceptions, rule management, etc). I'd say that we will likely have multiple groups per subdomain.
Let's figure out what groups should be created for the tests moved in this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've planned to work on #151902 after completing this PR. This subsequent issue involves some research to determine how we can efficiently group tests based on their relevance and execution time.
The idea behind this PR is to establish the main structural changes first, reducing the number of files and scoping this PR accordingly.
Also approaching the grouping in a separate PR will serve in documenting our approach to grouping tests, making it easier for reviewers to understand. hopefully, this separation of tasks helps streamline the review process and ensures that our tests are organized and well-documented.
I am open to discussing this topic with the whole team