From 193eb2ed4836fac6e24345a5ff465b004a15ee7d Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 17 Oct 2023 14:05:08 +0200 Subject: [PATCH 01/30] add support for role in serverless cypress security solution tests --- .../kbn-es/src/serverless_resources/README.md | 11 + .../src/serverless_resources/roles.json | 346 ++++++++++++++++++ .../security_solution/common/test/index.ts | 6 +- .../cypress/cypress_ci_serverless.config.ts | 1 + .../cypress/cypress_serverless.config.ts | 1 + .../missing_privileges_callout.cy.ts | 4 +- .../install_update_authorization.cy.ts | 10 +- .../authorization/all_rules_read_only.cy.ts | 4 +- .../rule_details_flow/read_only_view.cy.ts | 4 +- .../read_only.cy.ts | 4 +- .../explore/cases/attach_alert_to_case.cy.ts | 2 +- .../investigations/timelines/creation.cy.ts | 4 +- .../cypress/tasks/common.ts | 5 +- .../cypress/tasks/login.ts | 211 ++++++----- .../cypress/tasks/navigation.ts | 6 +- 15 files changed, 504 insertions(+), 115 deletions(-) create mode 100644 packages/kbn-es/src/serverless_resources/roles.json diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md index 8ead2197be3ea..2aaf5f42e8f16 100644 --- a/packages/kbn-es/src/serverless_resources/README.md +++ b/packages/kbn-es/src/serverless_resources/README.md 
@@ -2,6 +2,17 @@ The resources in this directory are used for seeding Elasticsearch Serverless images with users, roles and tokens for SSL and authentication. Serverless requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`. +## Roles + +Roles defined in `roles.yml` is a combination of roles from `project-controller` like [security roles](https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml). + +### Why `roles.json` is here? + +`roles.json` is a subset of defined in `roles.yml` roles defined in a JSON format and extended with necessary fields +to be compatible with `/api/security/role/{roleName}` endpoint. Cypress (and not only) tests use the roles to test behavior under specific roles. For example Security Solution reuses tests between ESS and Serverless and having the same roles is crucial here. Ideally it should be an automated process to transform +`project-controller` roles into `roles.yml` and `roles.json` but it's not done yet. This way it's logical to have +dependent files next to each other. + ## Users ### Default user diff --git a/packages/kbn-es/src/serverless_resources/roles.json b/packages/kbn-es/src/serverless_resources/roles.json new file mode 100644 index 0000000000000..de2741381bccb --- /dev/null +++ b/packages/kbn-es/src/serverless_resources/roles.json 
@@ -0,0 +1,346 @@ +{ + "t1_analyst": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [".alerts-security*", ".siem-signals-*"], + "privileges": ["read", "write", "maintenance"] + }, + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", + "metrics-endpoint.metadata_current_*", + ".fleet-agents*", + ".fleet-actions*" + ], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["read", "read_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["read"], + "actions": ["read"], + "builtInAlerts": ["read"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "t2_analyst": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [".alerts-security*", ".siem-signals-*"], + "privileges": ["read", "write", "maintenance"] + }, + { + "names": [ + ".lists*", + ".items*", + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", + "metrics-endpoint.metadata_current_*", + ".fleet-agents*", + ".fleet-actions*" + ], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["read", "read_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["read"], + "actions": ["read"], + "builtInAlerts": ["read"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "t3_analyst": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "privileges": ["read", "write"] + }, + { + "names": [".alerts-security*", ".siem-signals-*"], + "privileges": ["read", "write"] + }, + { + "names": [".lists*", ".items*"], + "privileges": ["read", "write"] + }, + { + "names": 
["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": [ + "all", + "read_alerts", + "crud_alerts", + "endpoint_list_all", + "trusted_applications_all", + "event_filters_all", + "host_isolation_exceptions_all", + "blocklist_all", + "policy_management_read", + "host_isolation_all", + "process_operations_all", + "actions_log_management_all", + "file_operations_all" + ], + "securitySolutionCases": ["all"], + "actions": ["read"], + "builtInAlerts": ["all"], + "osquery": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "rule_author": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", + ".lists*", + ".items*" + ], + "privileges": ["read", "write"] + }, + { + "names": [ + ".alerts-security*", + ".preview.alerts-security*", + ".internal.preview.alerts-security*", + ".siem-signals-*" + ], + "privileges": ["read", "write", "maintenance", "view_index_metadata"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "actions": ["read"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "soc_manager": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", + ".lists*", + ".items*" + ], + "privileges": ["read", "write"] + }, + { + "names": [ + ".alerts-security*", + ".preview.alerts-security*", + 
".internal.preview.alerts-security*", + ".siem-signals-*" + ], + "privileges": ["read", "write", "manage"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "actions": ["all"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "detections_admin": { + "elasticsearch": { + "cluster": ["manage"], + "indices": [ + { + "names": [ + ".siem-signals-*", + ".alerts-security*", + ".preview.alerts-security*", + ".internal.preview.alerts-security*", + ".lists*", + ".items*", + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "privileges": ["manage", "write", "read"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["all"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "actions": ["read"], + "builtInAlerts": ["all"], + "dev_tools": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "platform_engineer": { + "elasticsearch": { + "cluster": ["manage"], + "indices": [ + { + "names": [".lists*", ".items*"], + "privileges": ["all"] + }, + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*", + "metrics-endpoint.metadata_current_*", + ".fleet-agents*", + ".fleet-actions*" + ], + "privileges": ["all"] + }, + { + "names": [ + ".alerts-security*", + ".preview.alerts-security*", + ".internal.preview.alerts-security*", + ".siem-signals-*" + ], + "privileges": ["all"] + } 
+ ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["all"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "actions": ["all"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + } +} diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index bb1d5e9db489a..409e7cae96c81 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts +++ b/x-pack/plugins/security_solution/common/test/index.ts @@ -5,12 +5,16 @@ * 2.0. */ +import type roleDefinitions from '@kbn/es/src/serverless_resources/roles.json'; + +export type SecurityRoleName = keyof typeof roleDefinitions; + // For the source of these roles please consult the PR these were introduced https://github.com/elastic/kibana/pull/81866#issue-511165754 export enum ROLES { soc_manager = 'soc_manager', - reader = 'reader', t1_analyst = 't1_analyst', t2_analyst = 't2_analyst', + t3_analyst = 't3_analyst', hunter = 'hunter', hunter_no_actions = 'hunter_no_actions', rule_author = 'rule_author', diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts index 3a1be3ed0221a..15e541879a41b 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts @@ -16,6 +16,7 @@ export default defineCypressConfig({ }, defaultCommandTimeout: 150000, env: { + IS_SERVERLESS: true, grepFilterSpecs: true, grepOmitFiltered: true, grepTags: '@serverless --@brokenInServerless --@skipInServerless', diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts index b925e18a83478..c06e4e786ead3 100644 
--- a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts @@ -22,6 +22,7 @@ export default defineCypressConfig({ viewportWidth: 1680, numTestsKeptInMemory: 10, env: { + IS_SERVERLESS: true, grepFilterSpecs: true, grepTags: '@serverless --@brokenInServerless --@skipInServerless', }, diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts index f38899300ed7f..3ef89ed458d45 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts @@ -24,8 +24,8 @@ import { import { ruleDetailsUrl } from '../../../urls/rule_details'; const loadPageAsReadOnlyUser = (url: string) => { - login(ROLES.reader); - visit(url, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visit(url, { role: ROLES.t1_analyst }); waitForPageTitleToBeShown(); }; diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts index f95a4274a5181..c48ae7e4792cb 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts 
@@ -57,20 +57,18 @@ const RULE_2 = createRuleAssetSavedObject({ }); const loadPageAsReadOnlyUser = (url: string) => { - login(ROLES.reader); - visit(url, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visit(url, { role: ROLES.t1_analyst }); }; const loginPageAsWriteAuthorizedUser = (url: string) => { - login(ROLES.hunter); + login(ROLES.t3_analyst); visit(url); }; -// TODO: https://github.com/elastic/kibana/issues/164451 We should find a way to make this spec work in Serverless -// TODO: https://github.com/elastic/kibana/issues/161540 describe( 'Detection rules, Prebuilt Rules Installation and Update - Authorization/RBAC', - { tags: ['@ess', '@serverless', '@skipInServerless'] }, + { tags: ['@ess', '@serverless'] }, () => { beforeEach(() => { preventPrebuiltRulesPackageInstallation(); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts index 9b7ef2a116b30..51fdcd6c242f1 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts @@ -34,8 +34,8 @@ describe('All rules - read only', { tags: ['@ess', '@serverless', '@skipInServer }); beforeEach(() => { - login(ROLES.reader); - visitRulesManagementTable(ROLES.reader); + login(ROLES.t1_analyst); + visitRulesManagementTable(ROLES.t1_analyst); cy.get(RULE_NAME).should('have.text', getNewRule().name); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts index fafbb2232e55b..935668db1a5a6 100644 
--- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts @@ -54,8 +54,8 @@ describe('Exceptions viewer read only', { tags: ['@ess'] }, () => { ); }); - login(ROLES.reader); - visitRulesManagementTable(ROLES.reader); + login(ROLES.t1_analyst); + visitRulesManagementTable(ROLES.t1_analyst); goToRuleDetailsOf('Test exceptions rule'); goToExceptionsTab(); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts index b0ba8beae3821..b115508e2b598 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts @@ -31,8 +31,8 @@ describe('Shared exception lists - read only', { tags: ['@ess', '@skipInServerle // Create exception list not used by any rules createExceptionList(getExceptionList(), getExceptionList().list_id); - login(ROLES.reader); - visit(EXCEPTIONS_URL, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visit(EXCEPTIONS_URL, { role: ROLES.t1_analyst }); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts index f10681a516146..407dd5b8a22ea 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts 
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts @@ -37,7 +37,7 @@ describe('Alerts timeline', { tags: ['@ess'] }, () => { context('Privileges: read only', () => { beforeEach(() => { - loadDetectionsPage(ROLES.reader); + loadDetectionsPage(ROLES.t1_analyst); }); it('should not allow user with read only privileges to attach alerts to existing cases', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts index b7236d7ea0d80..9ffeade285dc7 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts @@ -88,8 +88,8 @@ describe('Timelines', (): void => { context('Privileges: READ', { tags: '@ess' }, () => { beforeEach(() => { - login(ROLES.reader); - visitWithTimeRange(OVERVIEW_URL, { role: ROLES.reader }); + login(ROLES.t1_analyst); + visitWithTimeRange(OVERVIEW_URL, { role: ROLES.t1_analyst }); }); it('should not be able to create/update timeline ', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/common.ts b/x-pack/test/security_solution_cypress/cypress/tasks/common.ts index f42916db561f5..3d1e86bf006c7 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/common.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/common.ts @@ -25,7 +25,10 @@ export const API_AUTH = Object.freeze({ pass: Cypress.env('ELASTICSEARCH_PASSWORD'), }); -export const API_HEADERS = Object.freeze({ 'kbn-xsrf': 'cypress' }); +export const API_HEADERS = Object.freeze({ + 'kbn-xsrf': 'cypress-creds', + 'x-elastic-internal-origin': 'security-solution', +}); export const rootRequest = ( options: Partial 
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index e01b80e7c1f06..71952bde867a4 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts @@ -8,10 +8,12 @@ import * as yaml from 'js-yaml'; import type { UrlObject } from 'url'; import Url from 'url'; - -import type { ROLES } from '@kbn/security-solution-plugin/common/test'; import { LoginState } from '@kbn/security-plugin/common/login_state'; +import { Role } from '@kbn/security-plugin/common'; +import roleDefinitions from '@kbn/es/src/serverless_resources/roles.json'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; +import { rootRequest } from './common'; /** * Credentials in the `kibana.dev.yml` config file will be used to authenticate 
@@ -43,6 +45,47 @@ const ELASTICSEARCH_USERNAME = 'ELASTICSEARCH_USERNAME'; */ const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; +/** + * The `IS_SERVERLESS` environment variable specifies wether the currently running + * environment is serverless snapshot. + */ +const IS_SERVERLESS = 'IS_SERVERLESS'; + +/** + * The `IS_SERVERLESS` environment variable specifies wether the currently running + * environment is a real MKI. + */ +const CLOUD_SERVERLESS = 'CLOUD_SERVERLESS'; + +/** + * Authenticates with Kibana using, if specified, credentials specified by + * environment variables. The credentials in `kibana.dev.yml` will be used + * for authentication when the environment variables are unset. + * + * To speed the execution of tests, prefer this non-interactive authentication, + * which is faster than authentication via Kibana's interactive login page. + */ +export const login = (role?: SecurityRoleName) => { + if (role != null) { + loginWithRole(role); + } else if (credentialsProvidedByEnvironment()) { + loginViaEnvironmentCredentials(); + } else { + loginViaConfig(); + } +}; + +export interface User { + username: string; + password: string; +} + +export const loginWithUser = (user: User) => { + cy.session(user, () => { + loginWithUsernameAndPassword(user.username, user.password); + }); +}; + /** * cy.visit will default to the baseUrl which uses the default kibana test user * This function will override that functionality in cy.visit by building the baseUrl @@ -51,7 +94,7 @@ const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; * @param role string role/user to log in with * @param route string route to visit */ -export const getUrlWithRoute = (role: ROLES, route: string) => { +export const getUrlWithRoute = (role: SecurityRoleName, route: string) => { const url = Cypress.config().baseUrl; const kibana = new URL(String(url)); const theUrl = `${Url.format({ 
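Review bot: The doc comment above `CLOUD_SERVERLESS` in tasks/login.ts repeats "The `IS_SERVERLESS` environment variable", so the two flags that later decide whether roles and users get created are documented as the same variable. It should read `The CLOUD_SERVERLESS environment variable specifies whether the currently running environment is a real MKI.`, and "wether" should be "whether" in both comments. The doc comment on `login`, moved here unchanged, still describes only the environment and `kibana.dev.yml` credentials; a sentence such as `When a role is passed, logs in as that predefined role instead.` would cover the first branch.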
@@ -66,11 +109,6 @@ export const getUrlWithRoute = (role: ROLES, route: string) => { return theUrl; }; -export interface User { - username: string; - password: string; -} - /** * Builds a URL with basic auth using the passed in user. * 
@@ -94,78 +132,30 @@ export const constructUrlWithUser = (user: User, route: string) => { return builtUrl.href; }; -const getCurlScriptEnvVars = () => ({ - ELASTICSEARCH_URL: Cypress.env('ELASTICSEARCH_URL'), - ELASTICSEARCH_USERNAME: Cypress.env('ELASTICSEARCH_USERNAME'), - ELASTICSEARCH_PASSWORD: Cypress.env('ELASTICSEARCH_PASSWORD'), - KIBANA_URL: Cypress.config().baseUrl, -}); - -const postRoleAndUser = (role: ROLES) => { - const env = getCurlScriptEnvVars(); - const detectionsRoleScriptPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/post_detections_role.sh`; - const detectionsRoleJsonPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/detections_role.json`; - const detectionsUserScriptPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/post_detections_user.sh`; - const detectionsUserJsonPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/detections_user.json`; - - // post the role - cy.exec(`bash ${detectionsRoleScriptPath} ${detectionsRoleJsonPath}`, { - env, - }); - - // post the user associated with the role to elasticsearch - cy.exec(`bash ${detectionsUserScriptPath} ${detectionsUserJsonPath}`, { - env, - }); -}; - -export const deleteRoleAndUser = (role: ROLES) => { - const env = getCurlScriptEnvVars(); - const detectionsUserDeleteScriptPath = `../../plugins/security_solution/server/lib/detection_engine/scripts/roles_users/${role}/delete_detections_user.sh`; - - // delete the role - cy.exec(`bash ${detectionsUserDeleteScriptPath}`, { - env, - }); -}; +/** + * Authenticates with a predefined role. + * + * It takes into account ESS and Serverless differences. Serverless already has specific roles and we can't + * add new ones while ESS allows to freely add new roles. As we reuse tests between ESS and Serverless it's + * essential to have the same predefined roles. 
Supported roles set is limited, see `SecurityRoleName`. + * + * @param role role name + */ +const loginWithRole = (role: SecurityRoleName) => { + const roleDefinition = roleDefinitions[role]; -const loginWithUsernameAndPassword = (username: string, password: string) => { - const baseUrl = Cypress.config().baseUrl; - if (!baseUrl) { - throw Error(`Cypress config baseUrl not set!`); + if (!roleDefinition) { + throw new Error(`An attempt to log in with unsupported role ${role}`); } - // Programmatically authenticate without interacting with the Kibana login page. - const headers = { 'kbn-xsrf': 'cypress-creds', 'x-elastic-internal-origin': 'security-solution' }; - cy.request({ headers, url: `${baseUrl}/internal/security/login_state` }).then( - (loginState) => { - const basicProvider = loginState.body.selector.providers.find( - (provider) => provider.type === 'basic' - ); - - return cy.request({ - url: `${baseUrl}/internal/security/login`, - method: 'POST', - headers, - body: { - providerType: basicProvider?.type, - providerName: basicProvider?.name, - currentURL: '/', - params: { username, password }, - }, - }); - } - ); -}; + if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS)) { + createRole({ name: role, ...roleDefinition }); -export const loginWithUser = (user: User) => { - cy.session(user, () => { - loginWithUsernameAndPassword(user.username, user.password); - }); -}; + const username = role; + const password = 'changeme'; -const loginWithRole = (role: ROLES) => { - postRoleAndUser(role); + createUser(username, password, [role]); + } cy.log(`origin: ${Cypress.config().baseUrl}`); cy.session(role, () => { 
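Review bot: `const password = 'changeme';` in `loginWithRole` (tasks/login.ts) gives every role user created on a non-serverless target the same fixed password, with the username equal to the role name. This patch also deletes `deleteRoleAndUser`, so no cleanup of these accounts is visible, and roles.json grants some of them (`detections_admin`, `platform_engineer`) cluster `manage`. On a shared or long-lived test deployment that leaves privileged accounts with a guessable login after the run; I would read the value from the Cypress environment, e.g. `const password = Cypress.env('ROLE_USER_PASSWORD') ?? 'changeme';` (the variable name is a placeholder), and delete the created users in an after-run hook. The `cy.session` callback of `loginWithRole` lies outside this hunk, so whatever logs in there has to use the same value.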
@@ -173,24 +163,6 @@ const loginWithRole = (role: ROLES) => { }); }; -/** - * Authenticates with Kibana using, if specified, credentials specified by - * environment variables. The credentials in `kibana.dev.yml` will be used - * for authentication when the environment variables are unset. - * - * To speed the execution of tests, prefer this non-interactive authentication, - * which is faster than authentication via Kibana's interactive login page. - */ -export const login = (role?: ROLES) => { - if (role != null) { - loginWithRole(role); - } else if (credentialsProvidedByEnvironment()) { - loginViaEnvironmentCredentials(); - } else { - loginViaConfig(); - } -}; - /** * Returns `true` if the credentials used to login to Kibana are provided * via environment variables 
@@ -259,3 +231,56 @@ export const getEnvAuth = (): User => { export const logout = () => { cy.visit(LOGOUT_URL); }; + +const createRole = (role: Role): void => { + const { name: roleName, ...roleDefinition } = role; + + rootRequest({ + method: 'PUT', + url: `/api/security/role/${roleName}`, + body: roleDefinition, + }); +}; + +const createUser = (username: string, password: string, roles: string[] = []): void => { + const user = { + username, + password, + roles, + full_name: username, + email: '', + }; + + rootRequest({ + method: 'POST', + url: `/internal/security/users/${username}`, + body: user, + }); +}; + +const loginWithUsernameAndPassword = (username: string, password: string) => { + const baseUrl = Cypress.config().baseUrl; + if (!baseUrl) { + throw Error(`Cypress config baseUrl not set!`); + } + + // Programmatically authenticate without interacting with the Kibana login page. + rootRequest({ + url: `${baseUrl}/internal/security/login_state`, + }).then((loginState) => { + const basicProvider = loginState.body.selector.providers.find( + (provider) => provider.type === 'basic' + ); + + return rootRequest({ + url: `${baseUrl}/internal/security/login`, + method: 'POST', + body: { + providerType: basicProvider?.type, + providerName: basicProvider?.name, + currentURL: '/', + params: { username, password }, + }, + }); + }); +}; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts index dc12c26d1f9c9..d9fb3ed443712 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts 
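Review bot: `loginWithUsernameAndPassword` in tasks/login.ts now sends both `/internal/security/login_state` and the login POST through `rootRequest`, where the removed version used plain `cy.request` with only the two headers. The body of `rootRequest` is not shown in this patch, but `API_AUTH` is defined directly above it in tasks/common.ts; if the helper attaches that `auth`, every login for a restricted role user also carries the superuser basic-auth header, and it becomes harder to be sure the session under test comes only from `params: { username, password }`. Keeping these two calls on `cy.request({ headers: API_HEADERS, url: ... })`, with `API_HEADERS` imported from `./common`, reuses the shared headers without adding credentials. `createRole` and `createUser` do need the privileged helper; a comment such as `// Sent with the superuser credentials from API_AUTH; only reached on non-serverless targets.` would record that.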
@@ -7,8 +7,8 @@ import { encode } from '@kbn/rison'; -import type { ROLES } from '@kbn/security-solution-plugin/common/test'; import { NEW_FEATURES_TOUR_STORAGE_KEYS } from '@kbn/security-solution-plugin/common/constants'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { hostDetailsUrl, userDetailsUrl } from '../urls/navigation'; import { constructUrlWithUser, getUrlWithRoute, User } from './login'; @@ -16,7 +16,7 @@ export const visit = ( url: string, options?: { visitOptions?: Partial; - role?: ROLES; + role?: SecurityRoleName; } ) => { cy.visit(options?.role ? getUrlWithRoute(options.role, url) : url, { @@ -35,7 +35,7 @@ export const visitWithTimeRange = ( url: string, options?: { visitOptions?: Partial; - role?: ROLES; + role?: SecurityRoleName; } ) => { const timerangeConfig = { From 8c2b5bc6546d498022d676b96f4b88d97f2636bd Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 17 Oct 2023 17:06:09 +0200 Subject: [PATCH 02/30] get rid of reader role --- .../plugins/security_solution/common/test/index.ts | 11 +++++++++++ .../missing_privileges_callout.cy.ts | 12 ++++++------ .../install_update_authorization.cy.ts | 10 +++++----- .../authorization/all_rules_read_only.cy.ts | 6 +++--- .../rule_details_flow/read_only_view.cy.ts | 6 +++--- .../shared_exception_list_page/read_only.cy.ts | 6 +++--- .../e2e/explore/cases/attach_alert_to_case.cy.ts | 10 +++++++--- .../e2e/investigations/timelines/creation.cy.ts | 6 +++--- .../cypress/tasks/rules_management.ts | 4 ++-- 9 files changed, 43 insertions(+), 28 deletions(-) diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index 409e7cae96c81..befd257ffb5b5 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts +++ b/x-pack/plugins/security_solution/common/test/index.ts 
@@ -9,9 +9,20 @@ import type roleDefinitions from '@kbn/es/src/serverless_resources/roles.json'; export type SecurityRoleName = keyof typeof roleDefinitions; +export enum SERVERLESS_ROLES { + t1_analyst = 't1_analyst', + t2_analyst = 't2_analyst', + t3_analyst = 't3_analyst', + rule_author = 'rule_author', + soc_manager = 'soc_manager', + detections_admin = 'detections_admin', + platform_engineer = 'platform_engineer', +} + // For the source of these roles please consult the PR these were introduced https://github.com/elastic/kibana/pull/81866#issue-511165754 export enum ROLES { soc_manager = 'soc_manager', + reader = 'reader', t1_analyst = 't1_analyst', t2_analyst = 't2_analyst', t3_analyst = 't3_analyst', diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts index 3ef89ed458d45..7105263d44bb5 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; import { ALERTS_URL } from '../../../urls/navigation'; import { RULES_MANAGEMENT_URL } from '../../../urls/rules_management'; 
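Review bot: `SERVERLESS_ROLES` in common/test/index.ts restates the keys of roles.json by hand, directly below `SecurityRoleName = keyof typeof roleDefinitions`, which already derives them. Nothing ties the enum to the JSON, so a role added to or removed from roles.json leaves it silently out of date, and the README in this series says roles.json is itself kept in sync with `roles.yml` manually. For specs that assert what a role may not do, I would let the compiler check the list against the seeded definitions, for example with a const object typed by the JSON keys as sketched below. This assumes `SERVERLESS_ROLES` is only used as a value, which holds for the call sites visible in this patch.

```typescript
// Keys and values are checked against roles.json:
// a missing, extra or misspelled role fails to compile.
export const SERVERLESS_ROLES: { readonly [K in SecurityRoleName]: K } = {
  t1_analyst: 't1_analyst',
  t2_analyst: 't2_analyst',
  t3_analyst: 't3_analyst',
  rule_author: 'rule_author',
  soc_manager: 'soc_manager',
  detections_admin: 'detections_admin',
  platform_engineer: 'platform_engineer',
};
```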
@@ -24,14 +24,14 @@ import { import { ruleDetailsUrl } from '../../../urls/rule_details'; const loadPageAsReadOnlyUser = (url: string) => { - login(ROLES.t1_analyst); - visit(url, { role: ROLES.t1_analyst }); + login(SERVERLESS_ROLES.t1_analyst); + visit(url, { role: SERVERLESS_ROLES.t1_analyst }); waitForPageTitleToBeShown(); }; const loadPageAsPlatformEngineer = (url: string) => { - login(ROLES.platform_engineer); - visit(url, { role: ROLES.platform_engineer }); + login(SERVERLESS_ROLES.platform_engineer); + visit(url, { role: SERVERLESS_ROLES.platform_engineer }); waitForPageTitleToBeShown(); }; @@ -117,7 +117,7 @@ describe('Detections > Callouts', { tags: ['@ess', '@skipInServerless'] }, () => context('On Rules Management page', () => { beforeEach(() => { - login(ROLES.platform_engineer); + login(SERVERLESS_ROLES.platform_engineer); loadPageAsPlatformEngineer(RULES_MANAGEMENT_URL); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts index c48ae7e4792cb..b199b105d5fb1 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts @@ -10,7 +10,7 @@ import { RULES_ADD_PATH, RULES_UPDATES, } from '@kbn/security-solution-plugin/common/constants'; -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; import { createRuleAssetSavedObject } from '../../../helpers/rules'; import { 
@@ -57,13 +57,13 @@ const RULE_2 = createRuleAssetSavedObject({ }); const loadPageAsReadOnlyUser = (url: string) => { - login(ROLES.t1_analyst); - visit(url, { role: ROLES.t1_analyst }); + login(SERVERLESS_ROLES.t1_analyst); + visit(url, { role: SERVERLESS_ROLES.t1_analyst }); }; const loginPageAsWriteAuthorizedUser = (url: string) => { - login(ROLES.t3_analyst); - visit(url); + login(SERVERLESS_ROLES.t3_analyst); + visit(url, { role: SERVERLESS_ROLES.t3_analyst }); }; describe( diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts index 51fdcd6c242f1..a7a485584da68 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; import { getNewRule } from '../../../../objects/rule'; import { @@ -34,8 +34,8 @@ describe('All rules - read only', { tags: ['@ess', '@serverless', '@skipInServer }); beforeEach(() => { - login(ROLES.t1_analyst); - visitRulesManagementTable(ROLES.t1_analyst); + login(SERVERLESS_ROLES.t1_analyst); + visitRulesManagementTable(SERVERLESS_ROLES.t1_analyst); cy.get(RULE_NAME).should('have.text', getNewRule().name); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts index 935668db1a5a6..95c97483c0385 100644 
--- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; import { getExceptionList } from '../../../objects/exception'; import { getNewRule } from '../../../objects/rule'; @@ -54,8 +54,8 @@ describe('Exceptions viewer read only', { tags: ['@ess'] }, () => { ); }); - login(ROLES.t1_analyst); - visitRulesManagementTable(ROLES.t1_analyst); + login(SERVERLESS_ROLES.t1_analyst); + visitRulesManagementTable(SERVERLESS_ROLES.t1_analyst); goToRuleDetailsOf('Test exceptions rule'); goToExceptionsTab(); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts index b115508e2b598..3a4ba61631ac8 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; import { getExceptionList } from '../../../../objects/exception'; import { 
@@ -31,8 +31,8 @@ describe('Shared exception lists - read only', { tags: ['@ess', '@skipInServerle // Create exception list not used by any rules createExceptionList(getExceptionList(), getExceptionList().list_id); - login(ROLES.t1_analyst); - visit(EXCEPTIONS_URL, { role: ROLES.t1_analyst }); + login(SERVERLESS_ROLES.t1_analyst); + visit(EXCEPTIONS_URL, { role: SERVERLESS_ROLES.t1_analyst }); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts index 407dd5b8a22ea..fc9e30e75d54f 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts @@ -4,7 +4,11 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { + ROLES, + SecurityRoleName, + SERVERLESS_ROLES, +} from '@kbn/security-solution-plugin/common/test'; import { getNewRule } from '../../../objects/rule'; @@ -19,7 +23,7 @@ import { ALERTS_URL } from '../../../urls/navigation'; import { ATTACH_ALERT_TO_CASE_BUTTON, TIMELINE_CONTEXT_MENU_BTN } from '../../../screens/alerts'; import { LOADING_INDICATOR } from '../../../screens/security_header'; -const loadDetectionsPage = (role: ROLES) => { +const loadDetectionsPage = (role: SecurityRoleName) => { login(role); visit(ALERTS_URL, { role }); waitForAlertsToPopulate(); 
@@ -37,7 +41,7 @@ describe('Alerts timeline', { tags: ['@ess'] }, () => { context('Privileges: read only', () => { beforeEach(() => { - loadDetectionsPage(ROLES.t1_analyst); + loadDetectionsPage(SERVERLESS_ROLES.t1_analyst); }); it('should not allow user with read only privileges to attach alerts to existing cases', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts index 9ffeade285dc7..8ae79ddf37a3e 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; import { getTimeline } from '../../../objects/timeline'; @@ -88,8 +88,8 @@ describe('Timelines', (): void => { context('Privileges: READ', { tags: '@ess' }, () => { beforeEach(() => { - login(ROLES.t1_analyst); - visitWithTimeRange(OVERVIEW_URL, { role: ROLES.t1_analyst }); + login(SERVERLESS_ROLES.t1_analyst); + visitWithTimeRange(OVERVIEW_URL, { role: SERVERLESS_ROLES.t1_analyst }); }); it('should not be able to create/update timeline ', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts b/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts index 5f795ce97d524..663692aa905d4 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/rules_management.ts 
@@ -5,13 +5,13 @@ * 2.0. */ -import type { ROLES } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { LAST_BREADCRUMB, RULE_MANAGEMENT_PAGE_BREADCRUMB } from '../screens/breadcrumbs'; import { RULES_MANAGEMENT_URL } from '../urls/rules_management'; import { resetRulesTableState } from './common'; import { visit } from './navigation'; -export function visitRulesManagementTable(role?: ROLES): void { +export function visitRulesManagementTable(role?: SecurityRoleName): void { resetRulesTableState(); // Clear persistent rules filter data before page loading visit(RULES_MANAGEMENT_URL, { role }); } From a7e49ca2182b82f2e5e7752ae77d3129110f3400 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 17 Oct 2023 19:07:40 +0200 Subject: [PATCH 03/30] include json files --- packages/kbn-es/tsconfig.json | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/packages/kbn-es/tsconfig.json b/packages/kbn-es/tsconfig.json index deece402b3794..75059c2ef69cd 100644 --- a/packages/kbn-es/tsconfig.json +++ b/packages/kbn-es/tsconfig.json @@ -3,19 +3,14 @@ "compilerOptions": { "outDir": "target/types" }, - "include": [ - "**/*.ts", - "**/*.js" - ], - "exclude": [ - "target/**/*", - ], + "include": ["**/*.ts", "**/*.js", "**/*.json"], + "exclude": ["target/**/*"], "kbn_references": [ "@kbn/tooling-log", "@kbn/dev-utils", "@kbn/dev-proc-runner", "@kbn/ci-stats-reporter", "@kbn/jest-serializers", - "@kbn/repo-info", + "@kbn/repo-info" ] } From 1fd9c16d7884c9bc99e4acd299c12eca4243c4dd Mon Sep 17 00:00:00 2001 
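Review bot: The new `"**/*.json"` entry in `include` of packages/kbn-es/tsconfig.json pulls every JSON file in the package into the TypeScript program, although only the role definitions need to be importable for typing. The package README describes `src/serverless_resources` as also holding users and tokens used for authentication, so a narrower entry such as `"src/serverless_resources/roles.json"` would keep unrelated and possibly credential-bearing files out of the type-check; whether any of them would reach emitted output is not visible from this hunk. The hunk also reflows both arrays and drops trailing commas, which hides the one functional change among formatting noise.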
From: Maxim Palenov Date: Tue, 17 Oct 2023 21:20:28 +0200 Subject: [PATCH 04/30] fix typings --- .../common/services/security_solution/roles_users_utils.ts | 2 ++ .../test/security_solution_cypress/cypress/tasks/edit_rule.ts | 4 ++-- .../security_solution_cypress/cypress/tasks/navigation.ts | 2 +- .../security_solution_cypress/cypress/tasks/rule_details.ts | 4 ++-- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index f8e18fadc992e..b54d09776a368 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -53,6 +53,8 @@ export const createUserAndRole = async ( return postRoleAndUser(ROLES.t1_analyst, t1AnalystRole, t1AnalystUser, getService); case ROLES.t2_analyst: return postRoleAndUser(ROLES.t2_analyst, t2AnalystRole, t2AnalystUser, getService); + case ROLES.t3_analyst: + throw new Error('t3_analyst role is currently unsupported'); case ROLES.hunter: return postRoleAndUser(ROLES.hunter, hunterRole, hunterUser, getService); case ROLES.hunter_no_actions: diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts b/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts index fa7e2bd175dc0..2101f77ac3be5 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts 
@@ -5,12 +5,12 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { BACK_TO_RULE_DETAILS, EDIT_SUBMIT_BUTTON } from '../screens/edit_rule'; import { editRuleUrl } from '../urls/edit_rule'; import { visit } from './navigation'; -export function visitEditRulePage(ruleId: string, role?: ROLES): void { +export function visitEditRulePage(ruleId: string, role?: SecurityRoleName): void { visit(editRuleUrl(ruleId), { role }); } diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts index d9fb3ed443712..77fc8872878d4 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts @@ -74,7 +74,7 @@ export const visitWithTimeRange = ( }); }; -export const visitTimeline = (timelineId: string, role?: ROLES) => { +export const visitTimeline = (timelineId: string, role?: SecurityRoleName) => { const route = `/app/security/timelines?timeline=(id:'${timelineId}',isOpen:!t)`; cy.visit(role ? getUrlWithRoute(role, route) : route, { onBeforeLoad: disableNewFeaturesTours, diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts b/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts index a81be48d229e9..e80b1f505564f 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import type { Exception } from '../objects/exception'; import { RULE_MANAGEMENT_PAGE_BREADCRUMB } from '../screens/breadcrumbs'; import { PAGE_CONTENT_SPINNER } from '../screens/common/page'; 
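Review bot: `SecurityRoleName` is a type alias, but the new import line in edit_rule.ts brings it in as a value, while rules_management.ts in the same series uses `import type` for the same name. I would write `import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test';` here and in the rule_details.ts hunk that follows, so the import is erased at compile time and the test helper does not pull the plugin module in at run time for a type alone. The navigation.ts hunk uses the name as well, but its import lines are outside the hunk.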
@@ -47,7 +47,7 @@ import { visit } from './navigation'; interface VisitRuleDetailsPageOptions { tab?: RuleDetailsTabs; - role?: ROLES; + role?: SecurityRoleName; } export function visitRuleDetailsPage(ruleId: string, options?: VisitRuleDetailsPageOptions): void { From be5bbe1c78fa1d2782cb852fefb1d836075be784 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Wed, 18 Oct 2023 14:30:57 +0200 Subject: [PATCH 05/30] add temporal t3_analyst role --- .../scripts/roles_users/index.ts | 1 + .../t3_analyst/detections_role.json | 59 +++++++++++++++++++ .../t3_analyst/detections_user.json | 6 ++ .../scripts/roles_users/t3_analyst/index.ts | 10 ++++ .../security_solution/roles_users_utils.ts | 4 +- 5 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json create mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts index 7bcef506a6671..bb91bd005c307 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts @@ -14,3 +14,4 @@ export * from './rule_author'; export * from './soc_manager'; export * from './t1_analyst'; export * from './t2_analyst'; +export * from './t3_analyst'; 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json new file mode 100644 index 0000000000000..85c12bee29857 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json @@ -0,0 +1,59 @@ +{ + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "privileges": ["read", "write"] + }, + { + "names": [".alerts-security*", ".siem-signals-*"], + "privileges": ["read", "write"] + }, + { + "names": [".lists*", ".items*"], + "privileges": ["read", "write"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": [ + "all", + "read_alerts", + "crud_alerts", + "endpoint_list_all", + "trusted_applications_all", + "event_filters_all", + "host_isolation_exceptions_all", + "blocklist_all", + "policy_management_read", + "host_isolation_all", + "process_operations_all", + "actions_log_management_all", + "file_operations_all" + ], + "securitySolutionCases": ["all"], + "actions": ["read"], + "builtInAlerts": ["all"], + "osquery": ["all"] + }, + "spaces": ["*"] + } + ] +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json new file mode 100644 index 0000000000000..8b72a15aeb310 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json 
@@ -0,0 +1,6 @@ +{ + "password": "changeme", + "roles": ["t3_analyst"], + "full_name": "t3 analyst", + "email": "detections-reader@example.com" +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts new file mode 100644 index 0000000000000..665536b4b3887 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t3AnalystUser from './detections_user.json'; +import * as t3AnalystRole from './detections_role.json'; +export { t3AnalystUser, t3AnalystRole }; diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index b54d09776a368..bb2dc5830d58a 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -9,6 +9,7 @@ import { assertUnreachable } from '@kbn/security-solution-plugin/common/utility_ import { t1AnalystUser, t2AnalystUser, + t3AnalystUser, hunterUser, hunterNoActionsUser, ruleAuthorUser, @@ -18,6 +19,7 @@ import { readerUser, t1AnalystRole, t2AnalystRole, + t3AnalystRole, hunterRole, hunterNoActionsRole, ruleAuthorRole, 
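Review bot: The `email` value `detections-reader@example.com` in the new t3_analyst detections_user.json looks copied from the reader account and does not describe this user; a distinct address (constructed example: `"email": "detections-t3-analyst@example.com"`) keeps audit entries attributable to the right test identity. The account also has the fixed password `changeme`, while the matching detections_role.json grants write access to the alert indices and the endpoint response-action privileges (`host_isolation_all`, `process_operations_all`, `file_operations_all`). JSON cannot carry a comment, so I would state in the header of the new t3_analyst/index.ts that these fixtures are for disposable test stacks only and must not be applied to a shared or long-lived cluster.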
@@ -54,7 +56,7 @@ export const createUserAndRole = async ( case ROLES.t2_analyst: return postRoleAndUser(ROLES.t2_analyst, t2AnalystRole, t2AnalystUser, getService); case ROLES.t3_analyst: - throw new Error('t3_analyst role is currently unsupported'); + return postRoleAndUser(ROLES.t3_analyst, t3AnalystRole, t3AnalystUser, getService); case ROLES.hunter: return postRoleAndUser(ROLES.hunter, hunterRole, hunterUser, getService); case ROLES.hunter_no_actions: From c929d1fe217fd6a4df67f1c56c4e048098a2fc2a Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 19 Oct 2023 23:27:15 +0200 Subject: [PATCH 06/30] support both ess and serverless roles --- .../{roles.json => security_roles.json} | 0 .../common/test/ess_roles.json | 95 +++++++++++++++++++ .../security_solution/common/test/index.ts | 23 ++--- .../missing_privileges_callout.cy.ts | 12 +-- .../install_update_authorization.cy.ts | 10 +- .../authorization/all_rules_read_only.cy.ts | 6 +- .../rule_details_flow/read_only_view.cy.ts | 6 +- .../read_only.cy.ts | 6 +- .../explore/cases/attach_alert_to_case.cy.ts | 8 +- .../investigations/timelines/creation.cy.ts | 6 +- .../cypress/tasks/login.ts | 26 +++-- 11 files changed, 146 insertions(+), 52 deletions(-) rename packages/kbn-es/src/serverless_resources/{roles.json => security_roles.json} (100%) create mode 100644 x-pack/plugins/security_solution/common/test/ess_roles.json diff --git a/packages/kbn-es/src/serverless_resources/roles.json b/packages/kbn-es/src/serverless_resources/security_roles.json similarity index 100% rename from packages/kbn-es/src/serverless_resources/roles.json rename to packages/kbn-es/src/serverless_resources/security_roles.json diff --git a/x-pack/plugins/security_solution/common/test/ess_roles.json b/x-pack/plugins/security_solution/common/test/ess_roles.json new file mode 100644 index 0000000000000..87c56e473accc --- /dev/null +++ b/x-pack/plugins/security_solution/common/test/ess_roles.json 
@@ -0,0 +1,95 @@ +{ + "hunter": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "privileges": ["read", "write"] + }, + { + "names": [".alerts-security*", ".siem-signals-*"], + "privileges": ["read", "write"] + }, + { + "names": [".lists*", ".items*"], + "privileges": ["read", "write"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "actions": ["read"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, + "hunter_no_actions": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + "apm-*-transaction*", + "traces-apm*", + "auditbeat-*", + "endgame-*", + "filebeat-*", + "logs-*", + "packetbeat-*", + "winlogbeat-*" + ], + "privileges": ["read", "write"] + }, + { + "names": [".alerts-security*", ".siem-signals-*"], + "privileges": ["read", "write"] + }, + { + "names": [".lists*", ".items*"], + "privileges": ["read", "write"] + }, + { + "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"], + "privileges": ["read"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["all", "read_alerts", "crud_alerts"], + "securitySolutionAssistant": ["all"], + "securitySolutionCases": ["all"], + "builtInAlerts": ["all"] + }, + "spaces": ["*"], + "base": [] + } + ] + } +} diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index befd257ffb5b5..9016c4e02270a 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts 
+++ b/x-pack/plugins/security_solution/common/test/index.ts @@ -5,11 +5,15 @@ * 2.0. */ -import type roleDefinitions from '@kbn/es/src/serverless_resources/roles.json'; +import type serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; +import type essRoleDefinitions from './ess_roles.json'; -export type SecurityRoleName = keyof typeof roleDefinitions; +type ServerlessSecurityRoleName = keyof typeof serverlessRoleDefinitions; +type EssSecurityRoleName = keyof typeof essRoleDefinitions; +export type SecurityRoleName = ServerlessSecurityRoleName | EssSecurityRoleName; -export enum SERVERLESS_ROLES { +export enum ROLES { + // Serverless roles t1_analyst = 't1_analyst', t2_analyst = 't2_analyst', t3_analyst = 't3_analyst', @@ -17,20 +21,9 @@ export enum SERVERLESS_ROLES { soc_manager = 'soc_manager', detections_admin = 'detections_admin', platform_engineer = 'platform_engineer', -} - -// For the source of these roles please consult the PR these were introduced https://github.com/elastic/kibana/pull/81866#issue-511165754 -export enum ROLES { - soc_manager = 'soc_manager', - reader = 'reader', - t1_analyst = 't1_analyst', - t2_analyst = 't2_analyst', - t3_analyst = 't3_analyst', + // ESS roles below hunter = 'hunter', hunter_no_actions = 'hunter_no_actions', - rule_author = 'rule_author', - platform_engineer = 'platform_engineer', - detections_admin = 'detections_admin', } /** diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts index 7105263d44bb5..3ef89ed458d45 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts 
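Review bot: The merged `ROLES` enum is maintained by hand and nothing in its declaration ties its members to `SecurityRoleName`, which is derived from the keys of security_roles.json and ess_roles.json. The hunk also removes the comment that pointed to where the roles came from. A member without a matching JSON key would only surface at a call site that passes it to a `SecurityRoleName` parameter, or at run time when login.ts looks the definition up. I would add a comment above the enum such as `// Every member must be a key of security_roles.json (Serverless) or ess_roles.json (ESS); loginWithRole throws for names found in neither.` and reword `// ESS roles below` to `// ESS-only roles` so both markers read the same way.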
@@ -5,7 +5,7 @@ * 2.0. */ -import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { ALERTS_URL } from '../../../urls/navigation'; import { RULES_MANAGEMENT_URL } from '../../../urls/rules_management'; @@ -24,14 +24,14 @@ import { import { ruleDetailsUrl } from '../../../urls/rule_details'; const loadPageAsReadOnlyUser = (url: string) => { - login(SERVERLESS_ROLES.t1_analyst); - visit(url, { role: SERVERLESS_ROLES.t1_analyst }); + login(ROLES.t1_analyst); + visit(url, { role: ROLES.t1_analyst }); waitForPageTitleToBeShown(); }; const loadPageAsPlatformEngineer = (url: string) => { - login(SERVERLESS_ROLES.platform_engineer); - visit(url, { role: SERVERLESS_ROLES.platform_engineer }); + login(ROLES.platform_engineer); + visit(url, { role: ROLES.platform_engineer }); waitForPageTitleToBeShown(); }; @@ -117,7 +117,7 @@ describe('Detections > Callouts', { tags: ['@ess', '@skipInServerless'] }, () => context('On Rules Management page', () => { beforeEach(() => { - login(SERVERLESS_ROLES.platform_engineer); + login(ROLES.platform_engineer); loadPageAsPlatformEngineer(RULES_MANAGEMENT_URL); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts index b199b105d5fb1..052306817a87d 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/prebuilt_rules/install_update_authorization.cy.ts 
@@ -10,7 +10,7 @@ import { RULES_ADD_PATH, RULES_UPDATES, } from '@kbn/security-solution-plugin/common/constants'; -import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { createRuleAssetSavedObject } from '../../../helpers/rules'; import { @@ -57,13 +57,13 @@ const RULE_2 = createRuleAssetSavedObject({ }); const loadPageAsReadOnlyUser = (url: string) => { - login(SERVERLESS_ROLES.t1_analyst); - visit(url, { role: SERVERLESS_ROLES.t1_analyst }); + login(ROLES.t1_analyst); + visit(url, { role: ROLES.t1_analyst }); }; const loginPageAsWriteAuthorizedUser = (url: string) => { - login(SERVERLESS_ROLES.t3_analyst); - visit(url, { role: SERVERLESS_ROLES.t3_analyst }); + login(ROLES.t3_analyst); + visit(url, { role: ROLES.t3_analyst }); }; describe( diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts index a7a485584da68..51fdcd6c242f1 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/authorization/all_rules_read_only.cy.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { getNewRule } from '../../../../objects/rule'; import { 
@@ -34,8 +34,8 @@ describe('All rules - read only', { tags: ['@ess', '@serverless', '@skipInServer }); beforeEach(() => { - login(SERVERLESS_ROLES.t1_analyst); - visitRulesManagementTable(SERVERLESS_ROLES.t1_analyst); + login(ROLES.t1_analyst); + visitRulesManagementTable(ROLES.t1_analyst); cy.get(RULE_NAME).should('have.text', getNewRule().name); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts index 95c97483c0385..935668db1a5a6 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/rule_details_flow/read_only_view.cy.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { getExceptionList } from '../../../objects/exception'; import { getNewRule } from '../../../objects/rule'; @@ -54,8 +54,8 @@ describe('Exceptions viewer read only', { tags: ['@ess'] }, () => { ); }); - login(SERVERLESS_ROLES.t1_analyst); - visitRulesManagementTable(SERVERLESS_ROLES.t1_analyst); + login(ROLES.t1_analyst); + visitRulesManagementTable(ROLES.t1_analyst); goToRuleDetailsOf('Test exceptions rule'); goToExceptionsTab(); }); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts index 3a4ba61631ac8..b115508e2b598 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts 
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/exceptions/shared_exception_lists_management/shared_exception_list_page/read_only.cy.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { getExceptionList } from '../../../../objects/exception'; import { @@ -31,8 +31,8 @@ describe('Shared exception lists - read only', { tags: ['@ess', '@skipInServerle // Create exception list not used by any rules createExceptionList(getExceptionList(), getExceptionList().list_id); - login(SERVERLESS_ROLES.t1_analyst); - visit(EXCEPTIONS_URL, { role: SERVERLESS_ROLES.t1_analyst }); + login(ROLES.t1_analyst); + visit(EXCEPTIONS_URL, { role: ROLES.t1_analyst }); // Using cy.contains because we do not care about the exact text, // just checking number of lists shown diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts index fc9e30e75d54f..07a6533caf5a1 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts @@ -4,11 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { - ROLES, - SecurityRoleName, - SERVERLESS_ROLES, -} from '@kbn/security-solution-plugin/common/test'; +import { ROLES, SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { getNewRule } from '../../../objects/rule'; 
@@ -41,7 +37,7 @@ describe('Alerts timeline', { tags: ['@ess'] }, () => { context('Privileges: read only', () => { beforeEach(() => { - loadDetectionsPage(SERVERLESS_ROLES.t1_analyst); + loadDetectionsPage(ROLES.t1_analyst); }); it('should not allow user with read only privileges to attach alerts to existing cases', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts index 8ae79ddf37a3e..9ffeade285dc7 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/timelines/creation.cy.ts @@ -4,7 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SERVERLESS_ROLES } from '@kbn/security-solution-plugin/common/test'; +import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { getTimeline } from '../../../objects/timeline'; @@ -88,8 +88,8 @@ describe('Timelines', (): void => { context('Privileges: READ', { tags: '@ess' }, () => { beforeEach(() => { - login(SERVERLESS_ROLES.t1_analyst); - visitWithTimeRange(OVERVIEW_URL, { role: SERVERLESS_ROLES.t1_analyst }); + login(ROLES.t1_analyst); + visitWithTimeRange(OVERVIEW_URL, { role: ROLES.t1_analyst }); }); it('should not be able to create/update timeline ', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index 71952bde867a4..cfaabf8d3872c 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts 
@@ -10,7 +10,8 @@ import type { UrlObject } from 'url'; import Url from 'url'; import { LoginState } from '@kbn/security-plugin/common/login_state'; import { Role } from '@kbn/security-plugin/common'; -import roleDefinitions from '@kbn/es/src/serverless_resources/roles.json'; +import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; +import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json'; import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; import { rootRequest } from './common'; @@ -142,24 +143,33 @@ export const constructUrlWithUser = (user: User, route: string) => { * @param role role name */ const loginWithRole = (role: SecurityRoleName) => { - const roleDefinition = roleDefinitions[role]; - - if (!roleDefinition) { - throw new Error(`An attempt to log in with unsupported role ${role}`); - } + const password = 'changeme'; if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS)) { + const roleDefinition = + serverlessRoleDefinitions[role as keyof typeof serverlessRoleDefinitions] ?? + essRoleDefinitions[role as keyof typeof essRoleDefinitions]; + + if (!roleDefinition) { + throw new Error( + `Unable to find role definition "${role}" in @kbn/security-solution-plugin/common/test/ess_roles.json.` + ); + } + createRole({ name: role, ...roleDefinition }); const username = role; - const password = 'changeme'; createUser(username, password, [role]); + } else { + if (!(role in serverlessRoleDefinitions)) { + throw new Error(`An attempt to log in with unsupported by Serverless role "${role}".`); + } } cy.log(`origin: ${Cypress.config().baseUrl}`); cy.session(role, () => { - loginWithUsernameAndPassword(role, 'changeme'); + loginWithUsernameAndPassword(role, password); }); }; From bede842e3fe611a35ade9a8fc0dcf2552e314a28 Mon Sep 17 00:00:00 2001 
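Review bot: The error thrown in the ESS branch of `loginWithRole` names only `ess_roles.json`, although the lookup just above it searches `serverlessRoleDefinitions` first and `essRoleDefinitions` second, so a missing role points the reader at only one of the two files. I would word it as `Unable to find role definition "${role}" in security_roles.json or ess_roles.json.`. In the Serverless branch, `role in serverlessRoleDefinitions` also accepts inherited keys such as `constructor` if a value reaches it through a cast; `Object.prototype.hasOwnProperty.call(serverlessRoleDefinitions, role)` limits the check to roles the file defines. The ESS branch also sends the role and user requests on every `loginWithRole` call with the fixed password `changeme`, so a short comment stating that the target stack is expected to be disposable would document that assumption.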
From: Maxim Palenov Date: Fri, 20 Oct 2023 09:18:50 +0200 Subject: [PATCH 07/30] explicitly include JSON roles --- x-pack/plugins/security_solution/tsconfig.json | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugins/security_solution/tsconfig.json b/x-pack/plugins/security_solution/tsconfig.json index 59acd2f3422cb..16ad154a95d83 100644 --- a/x-pack/plugins/security_solution/tsconfig.json +++ b/x-pack/plugins/security_solution/tsconfig.json @@ -9,6 +9,7 @@ "server/**/*", "scripts/**/*", // have to declare *.json explicitly due to https://github.com/microsoft/TypeScript/issues/25636 + "common/**/*.json", "server/**/*.json", "scripts/**/*.json", "public/**/*.json", From e14ac51e4fdd496b2385324b181f5e259866ae18 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 24 Oct 2023 12:05:09 +0200 Subject: [PATCH 08/30] create role and users before running tests --- .../security_solution/common/test/index.ts | 7 ++- .../cypress/cypress.config.ts | 1 + .../cypress/cypress_ci.config.ts | 1 + .../cypress/cypress_ci_serverless.config.ts | 1 + .../cypress_ci_serverless_qa.config.ts | 1 + .../cypress/cypress_serverless.config.ts | 1 + .../cypress/support/cypress_grep.d.ts | 12 +++++ .../cypress/support/e2e.js | 39 --------------- .../cypress/support/ess_e2e.ts | 40 +++++++++++++++ .../cypress/support/serverless_e2e.ts | 20 ++++++++ .../cypress/support/setup_users.ts | 50 +++++++++++++++++++ .../cypress/tasks/login.ts | 42 +++++----------- 12 files changed, 144 insertions(+), 71 deletions(-) create mode 100644 x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts delete mode 100644 x-pack/test/security_solution_cypress/cypress/support/e2e.js create mode 100644 x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/support/setup_users.ts 
diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index 9016c4e02270a..fb2b4c120d201 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts +++ b/x-pack/plugins/security_solution/common/test/index.ts @@ -5,11 +5,14 @@ * 2.0. */ -import type serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; +import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; import type essRoleDefinitions from './ess_roles.json'; type ServerlessSecurityRoleName = keyof typeof serverlessRoleDefinitions; type EssSecurityRoleName = keyof typeof essRoleDefinitions; + +export const KNOWN_SERVERLESS_ROLES = Object.keys(serverlessRoleDefinitions); + export type SecurityRoleName = ServerlessSecurityRoleName | EssSecurityRoleName; export enum ROLES { @@ -21,7 +24,7 @@ export enum ROLES { soc_manager = 'soc_manager', detections_admin = 'detections_admin', platform_engineer = 'platform_engineer', - // ESS roles below + // ESS roles hunter = 'hunter', hunter_no_actions = 'hunter_no_actions', } diff --git a/x-pack/test/security_solution_cypress/cypress/cypress.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress.config.ts index d7f0bbc7a0254..0b174dc44e4cb 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress.config.ts @@ -25,6 +25,7 @@ export default defineCypressConfig({ viewportWidth: 1680, numTestsKeptInMemory: 10, e2e: { + supportFile: 'cypress/support/ess_e2e.ts', experimentalRunAllSpecs: true, experimentalMemoryManagement: true, experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts index efb3b64d36f4d..1e68362b55746 100644 
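Review bot: Dropping `type` from the `security_roles.json` import in `common/test/index.ts` turns a compile-time-only dependency into a runtime one, so every consumer of this module now loads the `@kbn/es` JSON just to compute `KNOWN_SERVERLESS_ROLES`. The file lives under the plugin's `common/` directory, so it is worth confirming that no shipped browser or server code imports it; otherwise the test role definitions would presumably be bundled with production code. The exported array is also mutable, and `export const KNOWN_SERVERLESS_ROLES: readonly string[] = Object.freeze(Object.keys(serverlessRoleDefinitions));` would keep one spec from altering the allow-list that `loginWithRole` checks. A one-line comment saying the constant lists the roles a Serverless project already provides would make its purpose clear.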
--- a/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts @@ -33,6 +33,7 @@ export default defineCypressConfig({ viewportHeight: 946, viewportWidth: 1680, e2e: { + supportFile: 'cypress/support/ess_e2e.ts', baseUrl: 'http://localhost:5601', experimentalMemoryManagement: true, experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts index 15e541879a41b..b60f2dade1807 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts @@ -34,6 +34,7 @@ export default defineCypressConfig({ viewportHeight: 946, viewportWidth: 1680, e2e: { + supportFile: 'cypress/support/serverless_e2e.ts', baseUrl: 'http://localhost:5601', experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], experimentalMemoryManagement: true, diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts index e76893eceea36..c9a34b09ddceb 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts @@ -36,6 +36,7 @@ export default defineCypressConfig({ viewportHeight: 946, viewportWidth: 1680, e2e: { + supportFile: 'cypress/support/serverless_e2e.ts', baseUrl: 'http://localhost:5601', experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], experimentalMemoryManagement: true, 
diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts index c06e4e786ead3..bc6b98283ec22 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts @@ -27,6 +27,7 @@ export default defineCypressConfig({ grepTags: '@serverless --@brokenInServerless --@skipInServerless', }, e2e: { + supportFile: 'cypress/support/serverless_e2e.ts', experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], experimentalRunAllSpecs: true, experimentalMemoryManagement: true, diff --git a/x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts b/x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts new file mode 100644 index 0000000000000..d771f32f48672 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/support/cypress_grep.d.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +declare module '@cypress/grep' { + function registerCypressGrep(): void; + + export = registerCypressGrep; +} diff --git a/x-pack/test/security_solution_cypress/cypress/support/e2e.js b/x-pack/test/security_solution_cypress/cypress/support/e2e.js deleted file mode 100644 index 4335470845f9b..0000000000000 --- a/x-pack/test/security_solution_cypress/cypress/support/e2e.js +++ /dev/null 
@@ -1,39 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -// *********************************************************** -// This example support/index.js is processed and -// loaded automatically before your test files. -// -// This is a great place to put global configuration and -// behavior that modifies Cypress. -// -// You can change the location of this file or turn off -// automatically serving support files with the -// 'supportFile' configuration option. -// -// You can read more here: -// https://on.cypress.io/configuration -// *********************************************************** - -// Import commands.js using ES2015 syntax: -import './commands'; -import 'cypress-real-events/support'; -import registerCypressGrep from '@cypress/grep'; - -before(() => { - cy.task('esArchiverLoad', { archiveName: 'auditbeat' }); -}); - -registerCypressGrep(); - -Cypress.on('uncaught:exception', () => { - return false; -}); - -// Alternatively you can use CommonJS syntax: -// require('./commands') diff --git a/x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts new file mode 100644 index 0000000000000..e6255bd6a1e66 --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts 
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import './commands';
+import 'cypress-real-events/support';
+import registerCypressGrep from '@cypress/grep';
+import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json';
+import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json';
+import { setupUsers } from './setup_users';
+
+before(() => {
+ cy.task('esArchiverLoad', { archiveName: 'auditbeat' });
+});
+
+// Create Serverless and ESS roles and corresponding users. This helps to seamlessly reuse tests
+// between ESS and Serverless having all the necessary users set up.
+before(() => {
+ const allSupportedRoles = [
+ ...Object.keys(serverlessRoleDefinitions).map((serverlessRoleName) => ({
+ name: serverlessRoleName,
+ ...serverlessRoleDefinitions[serverlessRoleName as keyof typeof serverlessRoleDefinitions],
+ })),
+ ...Object.keys(essRoleDefinitions).map((essRoleName) => ({
+ name: essRoleName,
+ ...essRoleDefinitions[essRoleName as keyof typeof essRoleDefinitions],
+ })),
+ ];
+
+ setupUsers(allSupportedRoles);
+});
+
+registerCypressGrep();
+
+Cypress.on('uncaught:exception', () => {
+ return false;
+});
diff --git a/x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts
new file mode 100644
index 0000000000000..b682a56710d9c
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts
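Review bot: `allSupportedRoles` lists the Serverless definitions first and the ESS ones second, so if a role name is ever present in both JSON files the later `PUT` silently replaces the Serverless privilege set with the ESS one, and the authorization specs would then run against privileges nobody intended. Whether the two files overlap today is not visible in this patch, so I would guard against it in the second `before` hook: `const dup = Object.keys(essRoleDefinitions).filter((n) => Object.keys(serverlessRoleDefinitions).includes(n));` followed by `if (dup.length > 0) throw new Error(`Role defined twice: ${dup.join(', ')}`);`. The hook presumably runs once per spec file, so every role and user is re-sent each time; the comment above it should say that this relies on the requests being idempotent. A further comment on the `uncaught:exception` handler explaining why every application error is ignored would also help, since a privilege spec can otherwise pass while the page has failed.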
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import './commands';
+import 'cypress-real-events/support';
+import registerCypressGrep from '@cypress/grep';
+
+before(() => {
+ cy.task('esArchiverLoad', { archiveName: 'auditbeat' });
+});
+
+registerCypressGrep();
+
+Cypress.on('uncaught:exception', () => {
+ return false;
+});
diff --git a/x-pack/test/security_solution_cypress/cypress/support/setup_users.ts b/x-pack/test/security_solution_cypress/cypress/support/setup_users.ts
new file mode 100644
index 0000000000000..e1dc4c952eac7
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/support/setup_users.ts
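Review bot: `serverless_e2e.ts` repeats the imports, the `esArchiverLoad` hook, `registerCypressGrep()` and the `uncaught:exception` handler that `ess_e2e.ts` also contains, so the two support files can drift apart without anyone noticing. I would move the shared part into one module (for example a `support/e2e_common.ts`, name is a placeholder) that both files import, leaving only the role and user setup in the ESS file. A header comment such as `// Serverless support file: roles are predefined by the project, so no users are created here.` would explain why this file has no `setupUsers` call.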
@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Role } from '@kbn/security-plugin/common';
+import { rootRequest } from '../tasks/common';
+
+/**
+ * Utility function creates roles and corresponding users per each role with names
+ * matching role names. Each user gets the same `password` passed in which is
+ * `changeme` by default.
+ *
+ * @param roles an array of security `Role`s
+ * @param password custom password if `changeme` doesn't fit
+ */
+export function setupUsers(roles: Role[], password = 'changeme'): void {
+ for (const role of roles) {
+ createRole(role);
+ createUser(role.name, password, [role.name]);
+ }
+}
+
+function createRole(role: Role): void {
+ const { name: roleName, ...roleDefinition } = role;
+
+ rootRequest({
+ method: 'PUT',
+ url: `/api/security/role/${roleName}`,
+ body: roleDefinition,
+ });
+}
+
+function createUser(username: string, password: string, roles: string[] = []): void {
+ const user = {
+ username,
+ password,
+ roles,
+ full_name: username,
+ email: '',
+ };
+
+ rootRequest({
+ method: 'POST',
+ url: `/internal/security/users/${username}`,
+ body: user,
+ });
+}
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts
index cfaabf8d3872c..7ec2139deef61 100644
--- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts
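Review bot: `setupUsers` gives every account the fixed default password `changeme`, whatever privileges its role carries, and nothing in this file removes the users afterwards, so any deployment these specs are pointed at keeps accounts with a well-known credential. That is acceptable for a throwaway local stack, but I would read the value from configuration, e.g. `password = Cypress.env('TEST_USER_PASSWORD') ?? 'changeme'` (the variable name is a placeholder), and say in the doc comment that the target must be disposable. `createRole` and `createUser` also put the name straight into the request path; `encodeURIComponent(roleName)` and `encodeURIComponent(username)` keep a name containing `/` or `?` from addressing a different endpoint. The two private helpers have no doc comments, and one line each naming the endpoint and noting that the request is made through `rootRequest` would be enough.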
@@ -10,9 +10,10 @@ import type { UrlObject } from 'url'; import Url from 'url'; import { LoginState } from '@kbn/security-plugin/common/login_state'; import { Role } from '@kbn/security-plugin/common'; -import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; -import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json'; -import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import { + SecurityRoleName, + KNOWN_SERVERLESS_ROLES, +} from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; import { rootRequest } from './common'; 
@@ -134,39 +135,20 @@ export const constructUrlWithUser = (user: User, route: string) => { }; /** - * Authenticates with a predefined role. - * - * It takes into account ESS and Serverless differences. Serverless already has specific roles and we can't - * add new ones while ESS allows to freely add new roles. As we reuse tests between ESS and Serverless it's - * essential to have the same predefined roles. Supported roles set is limited, see `SecurityRoleName`. + * Authenticates with a predefined role * * @param role role name */ const loginWithRole = (role: SecurityRoleName) => { - const password = 'changeme'; - - if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS)) { - const roleDefinition = - serverlessRoleDefinitions[role as keyof typeof serverlessRoleDefinitions] ?? - essRoleDefinitions[role as keyof typeof essRoleDefinitions]; - - if (!roleDefinition) { - throw new Error( - `Unable to find role definition "${role}" in @kbn/security-solution-plugin/common/test/ess_roles.json.` - ); - } - - createRole({ name: role, ...roleDefinition }); - - const username = role; - - createUser(username, password, [role]); - } else { - if (!(role in serverlessRoleDefinitions)) { - throw new Error(`An attempt to log in with unsupported by Serverless role "${role}".`); - } + if ( + (Cypress.env(IS_SERVERLESS) || Cypress.env(CLOUD_SERVERLESS)) && + !KNOWN_SERVERLESS_ROLES.includes(role) + ) { + throw new Error(`An attempt to log in with unsupported by Serverless role "${role}".`); } + const password = 'changeme'; + cy.log(`origin: ${Cypress.config().baseUrl}`); cy.session(role, () => { loginWithUsernameAndPassword(role, password); From 221d9e80ed7867e16a07500787e6771319813908 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 24 Oct 2023 12:06:54 +0200 Subject: [PATCH 09/30] unskip missing privileges callout serverless cypress tests --- .../detection_alerts/missing_privileges_callout.cy.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
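Review bot: After this change `loginWithRole` validates the role only on Serverless, so on ESS a role that has no user (for instance one passed through a cast) is no longer rejected up front and shows up as a failed login inside `cy.session`, which is harder to diagnose. The `'changeme'` literal here also has to match the default of `setupUsers` in `support/setup_users.ts`; one exported constant used in both places would keep the two from drifting apart. The shortened doc comment drops the explanation of the ESS/Serverless difference, and I would keep one sentence of it: `Serverless roles are predefined and cannot be created, so only KNOWN_SERVERLESS_ROLES are accepted there; on ESS the users are created by the support file.` The end of `loginWithRole` lies outside this hunk.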
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts index 3ef89ed458d45..d6b4aec5bf3ea 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_alerts/missing_privileges_callout.cy.ts @@ -44,8 +44,7 @@ const waitForPageTitleToBeShown = () => { cy.get(PAGE_TITLE).should('be.visible'); }; -// TODO: https://github.com/elastic/kibana/issues/161539 -describe('Detections > Callouts', { tags: ['@ess', '@skipInServerless'] }, () => { +describe('Detections > Callouts', { tags: ['@ess', '@serverless'] }, () => { before(() => { // First, we have to open the app on behalf of a privileged user in order to initialize it. // Otherwise the app will be disabled and show a "welcome"-like page. From 5f4f5dea6d40dfeb713941111bddb61dbe0a1697 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 24 Oct 2023 12:10:33 +0200 Subject: [PATCH 10/30] update readme --- packages/kbn-es/src/serverless_resources/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md index 2aaf5f42e8f16..acf81c030afba 100644 --- a/packages/kbn-es/src/serverless_resources/README.md +++ b/packages/kbn-es/src/serverless_resources/README.md 
@@ -8,9 +8,9 @@ Roles defined in `roles.yml` is a combination of roles from `project-controller` ### Why `roles.json` is here? -`roles.json` is a subset of defined in `roles.yml` roles defined in a JSON format and extended with necessary fields +`security_roles.json` is a subset of defined in `roles.yml` roles defined in a JSON format and extended with necessary fields to be compatible with `/api/security/role/{roleName}` endpoint. Cypress (and not only) tests use the roles to test behavior under specific roles. For example Security Solution reuses tests between ESS and Serverless and having the same roles is crucial here. Ideally it should be an automated process to transform -`project-controller` roles into `roles.yml` and `roles.json` but it's not done yet. This way it's logical to have +`project-controller` roles into `roles.yml` and `security_roles.json` but it's not done yet. This way it's logical to have dependent files next to each other. ## Users From b7a75ef00ec9b8b396daeb3f643fcaed0799d667 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 24 Oct 2023 12:14:00 +0200 Subject: [PATCH 11/30] add CLOUD_SERVERLESS to the config --- .../cypress/cypress_ci_serverless_qa.config.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts index c9a34b09ddceb..1213353b53c1b 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts @@ -16,6 +16,7 @@ export default defineCypressConfig({ }, defaultCommandTimeout: 150000, env: { + CLOUD_SERVERLESS: true, grepFilterSpecs: true, grepOmitFiltered: true, grepTags: '@serverlessQA --@brokenInServerless --@skipInServerless', From 568a355b12445f9d6be9452be62c5c6fc705384a Mon Sep 17 00:00:00 2001 
From: Maxim Palenov Date: Tue, 24 Oct 2023 12:20:09 +0200 Subject: [PATCH 12/30] remove unused functions --- .../cypress/tasks/login.ts | 27 ------------------- 1 file changed, 27 deletions(-) diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index 7ec2139deef61..8b28e429226d2 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts @@ -9,7 +9,6 @@ import * as yaml from 'js-yaml'; import type { UrlObject } from 'url'; import Url from 'url'; import { LoginState } from '@kbn/security-plugin/common/login_state'; -import { Role } from '@kbn/security-plugin/common'; import { SecurityRoleName, KNOWN_SERVERLESS_ROLES, @@ -224,32 +223,6 @@ export const logout = () => { cy.visit(LOGOUT_URL); }; -const createRole = (role: Role): void => { - const { name: roleName, ...roleDefinition } = role; - - rootRequest({ - method: 'PUT', - url: `/api/security/role/${roleName}`, - body: roleDefinition, - }); -}; - -const createUser = (username: string, password: string, roles: string[] = []): void => { - const user = { - username, - password, - roles, - full_name: username, - email: '', - }; - - rootRequest({ - method: 'POST', - url: `/internal/security/users/${username}`, - body: user, - }); -}; - const loginWithUsernameAndPassword = (username: string, password: string) => { const baseUrl = Cypress.config().baseUrl; if (!baseUrl) { From 31d9de6bcaff5de1d437b7eb3d185d3b6857fce7 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Tue, 24 Oct 2023 14:00:15 +0200 Subject: [PATCH 13/30] get rid of "reader" role --- .../security_solution/roles_users_utils.ts | 4 -- .../group10/read_privileges.ts | 65 ------------------- 2 files changed, 69 deletions(-) 
diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index bb2dc5830d58a..3ead60140729f 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -16,7 +16,6 @@ import { socManagerUser, platformEngineerUser, detectionsAdminUser, - readerUser, t1AnalystRole, t2AnalystRole, t3AnalystRole, @@ -26,7 +25,6 @@ import { socManagerRole, platformEngineerRole, detectionsAdminRole, - readerRole, } from '@kbn/security-solution-plugin/server/lib/detection_engine/scripts/roles_users'; import { ROLES } from '@kbn/security-solution-plugin/common/test'; @@ -77,8 +75,6 @@ export const createUserAndRole = async ( platformEngineerUser, getService ); - case ROLES.reader: - return postRoleAndUser(ROLES.reader, readerRole, readerUser, getService); default: return assertUnreachable(role); } diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts index fa5453f07d22f..b95c6771367f4 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts 
@@ -77,71 +77,6 @@ export default ({ getService }: FtrProviderContext) => { }); }); - it('should return expected privileges for a "reader" user', async () => { - await createUserAndRole(getService, ROLES.reader); - const { body } = await supertestWithoutAuth - .get(DETECTION_ENGINE_PRIVILEGES_URL) - .auth(ROLES.reader, 'changeme') - .send() - .expect(200); - expect(body).to.eql({ - username: 'reader', - has_all_requested: false, - cluster: { - monitor_ml: false, - manage_ccr: false, - manage_index_templates: false, - monitor_watcher: false, - monitor_transform: false, - read_ilm: false, - manage_api_key: false, - manage_security: false, - manage_own_api_key: false, - manage_saml: false, - all: false, - manage_ilm: false, - manage_ingest_pipelines: false, - read_ccr: false, - manage_rollup: false, - monitor: false, - manage_watcher: false, - manage: false, - manage_transform: false, - manage_token: false, - manage_ml: false, - manage_pipeline: false, - monitor_rollup: false, - transport_client: false, - create_snapshot: false, - }, - index: { - '.alerts-security.alerts-default': { - all: false, - manage_ilm: false, - read: true, - create_index: false, - read_cross_cluster: false, - index: false, - monitor: false, - delete: false, - manage: false, - delete_index: false, - create_doc: false, - view_index_metadata: true, - create: false, - manage_follow_index: false, - manage_leader_index: false, - maintenance: true, - write: false, - }, - }, - application: {}, - is_authenticated: true, - has_encryption_key: true, - }); - await deleteUserAndRole(getService, ROLES.reader); - }); - it('should return expected privileges for a "t1_analyst" user', async () => { await createUserAndRole(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth From 3d9a1f41ba32c632f35eab91b1650ab63ebfb57f Mon Sep 17 00:00:00 2001 
From: Maxim Palenov Date: Tue, 24 Oct 2023 14:00:39 +0200 Subject: [PATCH 14/30] add missing @kbn/es dependency --- x-pack/test/security_solution_cypress/cypress/tsconfig.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/test/security_solution_cypress/cypress/tsconfig.json b/x-pack/test/security_solution_cypress/cypress/tsconfig.json index b82ce28aa8f04..107ea01fb028c 100644 --- a/x-pack/test/security_solution_cypress/cypress/tsconfig.json +++ b/x-pack/test/security_solution_cypress/cypress/tsconfig.json @@ -38,6 +38,7 @@ "@kbn/lists-plugin", "@kbn/securitysolution-list-constants", "@kbn/security-plugin", - "@kbn/management-settings-ids" + "@kbn/management-settings-ids", + "@kbn/es" ] } From 2a9d884e1cc484e7fc2757ec0240d497cd3af058 Mon Sep 17 00:00:00 2001 
From: Maxim Palenov Date: Tue, 24 Oct 2023 22:28:09 +0200 Subject: [PATCH 15/30] fix endpoint roles related tests --- .../scripts/roles_users/README.md | 13 -- .../roles_users/detections_admin/README.md | 1 - .../delete_detections_user.sh | 11 -- .../detections_admin/detections_role.json | 44 ------ .../detections_admin/detections_user.json | 6 - .../detections_admin/get_detections_role.sh | 11 -- .../roles_users/detections_admin/index.ts | 10 -- .../detections_admin/post_detections_role.sh | 12 -- .../detections_admin/post_detections_user.sh | 14 -- .../scripts/roles_users/hunter/README.md | 11 -- .../hunter/delete_detections_user.sh | 11 -- .../roles_users/hunter/detections_role.json | 45 ------ .../roles_users/hunter/detections_user.json | 6 - .../roles_users/hunter/get_detections_role.sh | 11 -- .../scripts/roles_users/hunter/index.ts | 10 -- .../hunter/post_detections_role.sh | 14 -- .../hunter/post_detections_user.sh | 14 -- .../roles_users/hunter_no_actions/README.md | 11 -- .../delete_detections_user.sh | 11 -- .../hunter_no_actions/detections_role.json | 44 ------ .../hunter_no_actions/detections_user.json | 6 - .../hunter_no_actions/get_detections_role.sh | 11 -- .../roles_users/hunter_no_actions/index.ts | 10 -- .../hunter_no_actions/post_detections_role.sh | 14 -- .../hunter_no_actions/post_detections_user.sh | 14 -- .../scripts/roles_users/index.ts | 17 --- .../roles_users/platform_engineer/README.md | 5 - .../delete_detections_user.sh | 11 -- .../platform_engineer/detections_role.json | 49 ------- .../platform_engineer/detections_user.json | 6 - .../platform_engineer/get_detections_role.sh | 11 -- .../roles_users/platform_engineer/index.ts | 10 -- .../platform_engineer/post_detections_role.sh | 14 -- .../platform_engineer/post_detections_user.sh | 15 -- .../scripts/roles_users/reader/README.md | 3 - .../reader/delete_detections_user.sh | 11 -- .../roles_users/reader/detections_role.json | 38 ----- .../roles_users/reader/detections_user.json | 6 - 
.../roles_users/reader/get_detections_role.sh | 11 -- .../scripts/roles_users/reader/index.ts | 10 -- .../reader/post_detections_role.sh | 15 -- .../reader/post_detections_user.sh | 14 -- .../scripts/roles_users/rule_author/README.md | 5 - .../rule_author/delete_detections_user.sh | 11 -- .../rule_author/detections_role.json | 48 ------- .../rule_author/detections_user.json | 6 - .../rule_author/get_detections_role.sh | 11 -- .../scripts/roles_users/rule_author/index.ts | 10 -- .../rule_author/post_detections_role.sh | 14 -- .../rule_author/post_detections_user.sh | 14 -- .../scripts/roles_users/soc_manager/README.md | 5 - .../soc_manager/delete_detections_user.sh | 11 -- .../soc_manager/detections_role.json | 48 ------- .../soc_manager/detections_user.json | 6 - .../soc_manager/get_detections_role.sh | 11 -- .../scripts/roles_users/soc_manager/index.ts | 10 -- .../soc_manager/post_detections_role.sh | 15 -- .../soc_manager/post_detections_user.sh | 15 -- .../scripts/roles_users/t1_analyst/README.md | 3 - .../t1_analyst/delete_detections_user.sh | 11 -- .../t1_analyst/detections_role.json | 37 ----- .../t1_analyst/detections_user.json | 6 - .../t1_analyst/get_detections_role.sh | 11 -- .../scripts/roles_users/t1_analyst/index.ts | 10 -- .../t1_analyst/post_detections_role.sh | 15 -- .../t1_analyst/post_detections_user.sh | 14 -- .../scripts/roles_users/t2_analyst/README.md | 5 - .../t2_analyst/delete_detections_user.sh | 11 -- .../t2_analyst/detections_role.json | 42 ------ .../t2_analyst/detections_user.json | 6 - .../t2_analyst/get_detections_role.sh | 11 -- .../scripts/roles_users/t2_analyst/index.ts | 10 -- .../t2_analyst/post_detections_role.sh | 14 -- .../t2_analyst/post_detections_user.sh | 14 -- .../t3_analyst/detections_role.json | 59 -------- .../t3_analyst/detections_user.json | 6 - .../scripts/roles_users/t3_analyst/index.ts | 10 -- .../security_solution/roles_users_utils.ts | 130 +++--------------- .../group1/check_privileges.ts | 10 +- 
.../group1/preview_rules.ts | 10 +- .../group10/create_signals_migrations.ts | 6 +- .../group10/delete_signals_migrations.ts | 4 +- .../group10/finalize_signals_migrations.ts | 6 +- .../group10/get_signals_migration_status.ts | 6 +- .../group10/import_export_rules.ts | 6 +- .../group10/import_rules.ts | 10 +- .../group10/open_close_signals.ts | 10 +- .../group10/read_privileges.ts | 30 ++-- .../security_and_spaces/tests/import_rules.ts | 10 +- .../workflows/role_based_add_edit_comments.ts | 20 +-- .../role_based_rule_exceptions_workflows.ts | 8 +- .../rule_creation/create_rules.ts | 8 +- .../apps/endpoint/endpoint_permissions.ts | 24 ++-- 93 files changed, 109 insertions(+), 1335 deletions(-) delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh delete mode 100644 
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh delete mode 100755 
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh delete mode 100644 
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json delete mode 100755 
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json delete mode 100644 
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh delete mode 100755 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json delete mode 100644 x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md deleted file mode 100644 index 3d6ac856a79ad..0000000000000 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md +++ /dev/null 
@@ -1,13 +0,0 @@
-1. When first starting up elastic, detections will not be available until you visit the page with a SOC Manager role or Platform Engineer role
-2. I gave the Hunter role "all" privileges for saved objects management and builtInAlerts so that they can create rules.
-3. Rule Author has the ability to create rules and create value lists
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :------------------------------------------: | :----------: | :-------------------------------: | :---------: | :--------------: | :---------------: | :------------------------------: |
-| Reader (read-only user) | read | read | read | read | read | read |
-| T1 Analyst | read | read | none | read | read | read, write |
-| T2 Analyst | read | read | read | read | read | read, write |
-| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write |
-| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata |
-| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage |
-| Platform Engineer (data ingest, cluster ops) | read, write | all | all | read, write | all | all |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md
deleted file mode 100644
index 2ebcedcc75d95..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/README.md
+++ /dev/null
@@ -1 +0,0 @@
-This user contains all the possible privileges listed in our detections privileges docs https://www.elastic.co/guide/en/security/current/detections-permissions-section.html This user has higher privileges than the Platform Engineer user
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh
deleted file mode 100755
index c8bcdb151e740..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/detections_admin
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
deleted file mode 100644
index 133083cec2601..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_role.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "elasticsearch": {
- "cluster": ["manage"],
- "indices": [
- {
- "names": [
- ".siem-signals-*",
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".lists*",
- ".items*",
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*"
- ],
- "privileges": ["manage", "write", "read"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["all"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["read"],
- "builtInAlerts": ["all"],
- "dev_tools": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json
deleted file mode 100644
index 9910d9b516a20..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["detections_admin"],
- "full_name": "Detections User",
- "email": "detections-user@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh
deleted file mode 100755
index a29728642ed40..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/detections_admin | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts
deleted file mode 100644
index 5ed44652b5946..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as detectionsAdminUser from './detections_user.json';
-import * as detectionsAdminRole from './detections_role.json';
-export { detectionsAdminUser, detectionsAdminRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh
deleted file mode 100755
index 56b3901700c8c..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_role.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/detections_admin \
--d @detections_role.json
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh
deleted file mode 100755
index 55f845128889b..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/detections_admin/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/detections_admin \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md
deleted file mode 100644
index 1344c5bbb0891..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-This user can CRUD rules and signals. The main difference here is the user has
-
-```json
-"builtInAlerts": ["all"],
-```
-
-privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
-| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh
deleted file mode 100755
index 595f0a49282d8..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/hunter
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
deleted file mode 100644
index 23a1256dac4aa..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_role.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [".alerts-security*", ".siem-signals-*"],
- "privileges": ["read", "write"]
- },
- {
- "names": [".lists*", ".items*"],
- "privileges": ["read", "write"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["read"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json
deleted file mode 100644
index f9454cc0ad2fe..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["hunter"],
- "full_name": "Hunter",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh
deleted file mode 100755
index 7ec850ce220bb..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/hunter | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts
deleted file mode 100644
index 3411589de7721..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as hunterUser from './detections_user.json';
-import * as hunterRole from './detections_role.json';
-export { hunterUser, hunterRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh
deleted file mode 100755
index debffe0fcac4c..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/hunter \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh
deleted file mode 100755
index ab2a053081394..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/hunter \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md
deleted file mode 100644
index 7708972614098..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-This user can CRUD rules and signals. The main difference here is the user has
-
-```json
-"builtInAlerts": ["all"],
-```
-
-privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
-| Hunter / T3 Analyst | read, write | read | read | read, write | none | read, write |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh
deleted file mode 100755
index 8f2ffcb27f111..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/hunter_no_actions
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json
deleted file mode 100644
index 6b392c18f8caa..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_role.json
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [".alerts-security*", ".siem-signals-*"],
- "privileges": ["read", "write"]
- },
- {
- "names": [".lists*", ".items*"],
- "privileges": ["read", "write"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json
deleted file mode 100644
index c059863b3ca1f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["hunter_no_actions"],
- "full_name": "Hunter No Actions",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh
deleted file mode 100755
index 49deae0c6c450..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/hunter_no_actions | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts
deleted file mode 100644
index 16d50f9b59daa..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as hunterNoActionsUser from './detections_user.json';
-import * as hunterNoActionsRole from './detections_role.json';
-export { hunterNoActionsUser, hunterNoActionsRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh
deleted file mode 100755
index aa4f832649b08..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/hunter_no_actions \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh
deleted file mode 100755
index 4840cf3c903eb..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/hunter_no_actions/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/hunter_no_actions \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
deleted file mode 100644
index bb91bd005c307..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/index.ts
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-export * from './detections_admin';
-export * from './hunter';
-export * from './hunter_no_actions';
-export * from './platform_engineer';
-export * from './reader';
-export * from './rule_author';
-export * from './soc_manager';
-export * from './t1_analyst';
-export * from './t2_analyst';
-export * from './t3_analyst';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md
deleted file mode 100644
index b9173c973abab..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-essentially a superuser for security solution
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :------------------------------------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
-| Platform Engineer (data ingest, cluster ops) | all | all | all | read, write | all | all |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh
deleted file mode 100755
index cb2b0467f44ca..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/platform_engineer
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
deleted file mode 100644
index 17b6e45f8c72d..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_role.json
+++ /dev/null
@@ -1,49 +0,0 @@
-{
- "elasticsearch": {
- "cluster": ["manage"],
- "indices": [
- {
- "names": [".lists*", ".items*"],
- "privileges": ["all"]
- },
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- "metrics-endpoint.metadata_current_*",
- ".fleet-agents*",
- ".fleet-actions*"
- ],
- "privileges": ["all"]
- },
- {
- "names": [
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".siem-signals-*"
- ],
- "privileges": ["all"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["all"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["all"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json
deleted file mode 100644
index 8c4eab8b05e6e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["platform_engineer"],
- "full_name": "platform engineer",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh
deleted file mode 100755
index 95fa058193b58..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/platform_engineer | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts
deleted file mode 100644
index c017c970af35f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as platformEngineerUser from './detections_user.json';
-import * as platformEngineerRole from './detections_role.json';
-export { platformEngineerUser, platformEngineerRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh
deleted file mode 100755
index 1272b309ca60b..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/platform_engineer \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh
deleted file mode 100755
index bc0f17f09455e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/platform_engineer/post_detections_user.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/platform_engineer \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md
deleted file mode 100644
index 313ccdd9478e2..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Actions Connectors | Signals/Alerts |
-| :----: | :----------: | :-------------------------------: | :---: | :--------------: | :----------------: | :------------: |
-| Reader | read | read | read | read | read | read |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh
deleted file mode 100755
index 57704f7abf0d3..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/reader
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
deleted file mode 100644
index 137091bc7f795..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_role.json
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names" : [
- ".siem-signals-*",
- ".alerts-security*",
- ".lists*",
- ".items*",
- "metrics-endpoint.metadata_current_*",
- ".fleet-agents*",
- ".fleet-actions*"
- ],
- "privileges" : ["read"]
- },
- {
- "names": [
- "*"
- ],
- "privileges": ["read", "maintenance", "view_index_metadata"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["read", "read_alerts"],
- "securitySolutionAssistant": ["none"],
- "securitySolutionCases": ["read"],
- "actions": ["read"],
- "builtInAlerts": ["read"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json
deleted file mode 100644
index 25d514a1d738b..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["reader"],
- "full_name": "Reader",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh
deleted file mode 100755
index 37db6e10ced55..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/reader | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts
deleted file mode 100644
index bde1710e25aa1..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as readerUser from './detections_user.json';
-import * as readerRole from './detections_role.json';
-export { readerUser, readerRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh
deleted file mode 100755
index 8805d641a8257..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_role.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-# Uses a default if no argument is specified
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/reader \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh
deleted file mode 100755
index 8a93326a820b7..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/reader/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/reader \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md
deleted file mode 100644
index 1d2ef736f580c..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-rule author has the same privileges as hunter with the additional privileges of uploading value lists
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :-----------------------------------------: | :----------: | :------------------: | :---------: | :--------------: | :---------------: | :------------------------------: |
-| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh
deleted file mode 100755
index 112657b1b5b8a..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/rule_author
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
deleted file mode 100644
index dafe85548d4d0..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_role.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- ".lists*",
- ".items*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".siem-signals-*"
- ],
- "privileges": ["read", "write", "maintenance", "view_index_metadata"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["read"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json
deleted file mode 100644
index ae08072b5890e..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["rule_author"],
- "full_name": "rule author",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh
deleted file mode 100755
index a4ab0a60400b6..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/rule_author | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts
deleted file mode 100644
index 90efa9179bd10..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as ruleAuthorUser from './detections_user.json';
-import * as ruleAuthorRole from './detections_role.json';
-export { ruleAuthorUser, ruleAuthorRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh
deleted file mode 100755
index e78ae27fa1fbc..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/rule_author \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh
deleted file mode 100755
index 34b1f10ca6d47..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/rule_author/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/rule_author \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md
deleted file mode 100644
index fef99dfed2fbb..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-SOC Manager has all of the privileges of a rule author role with the additional privilege of managing the signals index. It can't create the signals index though.
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :---------: | :----------: | :------------------: | :---------: | :--------------: | :---------------: | :-----------------: |
-| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh
deleted file mode 100755
index 1bf103592b682..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/soc_manager
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
deleted file mode 100644
index 5e3aa868f6147..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_role.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- ".lists*",
- ".items*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [
- ".alerts-security*",
- ".preview.alerts-security*",
- ".internal.preview.alerts-security*",
- ".siem-signals-*"
- ],
- "privileges": ["read", "write", "manage"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["all", "read_alerts", "crud_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["all"],
- "actions": ["all"],
- "builtInAlerts": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json
deleted file mode 100644
index 18c7cc2312bf5..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["soc_manager"],
- "full_name": "SOC manager",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh
deleted file mode 100755
index b6bf637bfc9d8..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/soc_manager | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts
deleted file mode 100644
index 4aea99753641d..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as socManagerUser from './detections_user.json';
-import * as socManagerRole from './detections_role.json';
-export { socManagerUser, socManagerRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh
deleted file mode 100755
index bf7c19e2e3ab0..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_role.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/soc_manager \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh
deleted file mode 100755
index 447bf7ea7cb00..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/soc_manager/post_detections_user.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/soc_manager \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md
deleted file mode 100644
index 9ba0deba763aa..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Actions Connectors | Signals/Alerts |
-| :--------: | :----------: | :------------------: | :---: | :--------------: | :----------------: | :------------: |
-| T1 Analyst | read | read | none | read | read | read, write |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh
deleted file mode 100755
index d08b15e589bf1..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/t1_analyst
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
deleted file mode 100644
index d670fd9555f59..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.json
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- { "names": [".alerts-security*", ".siem-signals-*"], "privileges": ["read", "write", "maintenance"] },
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- "metrics-endpoint.metadata_current_*",
- ".fleet-agents*",
- ".fleet-actions*"
- ],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["read", "read_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["read"],
- "actions": ["read"],
- "builtInAlerts": ["read"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json
deleted file mode 100644
index 203abec8ad433..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["t1_analyst"],
- "full_name": "T1 Analyst",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh
deleted file mode 100755
index bbf34ece0d6be..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/t1_analyst | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts
deleted file mode 100644
index 402b29c9ffde2..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as t1AnalystUser from './detections_user.json';
-import * as t1AnalystRole from './detections_role.json';
-export { t1AnalystUser, t1AnalystRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh
deleted file mode 100755
index c091b87f29153..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_role.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-# Uses a default if no argument is specified
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/t1_analyst \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh
deleted file mode 100755
index 234ff7d005cf6..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/t1_analyst \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md
deleted file mode 100644
index 3988e88870755..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-This role can view rules. Essentially there is no difference between a T1 and T2 analyst.
-
-| Role | Data Sources | Security Solution ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
-| :--------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
-| T2 Analyst | read | read | read | read | read | read, write |
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh
deleted file mode 100755
index 6dccb0d8c6067..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/delete_detections_user.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XDELETE ${ELASTICSEARCH_URL}/_security/user/t2_analyst
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json
deleted file mode 100644
index 4db91de93709a..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_role.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [".alerts-security*", ".siem-signals-*"],
- "privileges": ["read", "write", "maintenance"]
- },
- {
- "names": [
- ".lists*",
- ".items*",
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*",
- "metrics-endpoint.metadata_current_*",
- ".fleet-agents*",
- ".fleet-actions*"
- ],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": ["read", "read_alerts"],
- "securitySolutionAssistant": ["all"],
- "securitySolutionCases": ["read"],
- "actions": ["read"],
- "builtInAlerts": ["read"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json
deleted file mode 100644
index 3f5da2752314f..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["t2_analyst"],
- "full_name": "t2 analyst",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh
deleted file mode 100755
index ce9149d8b9fc7..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/get_detections_role.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XGET ${KIBANA_URL}/api/security/role/t2_analyst | jq -S .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts
deleted file mode 100644
index 5ca611d2ea075..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as t2AnalystUser from './detections_user.json';
-import * as t2AnalystRole from './detections_role.json';
-export { t2AnalystUser, t2AnalystRole };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh
deleted file mode 100755
index 4523b65b67cb7..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_role.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-ROLE=(${@:-./detections_role.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
--XPUT ${KIBANA_URL}/api/security/role/t2_analyst \
--d @${ROLE}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh
deleted file mode 100755
index 3a901490515af..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t2_analyst/post_detections_user.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-#
-
-USER=(${@:-./detections_user.json})
-
-curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
- -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- ${ELASTICSEARCH_URL}/_security/user/t2_analyst \
--d @${USER}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json
deleted file mode 100644
index 85c12bee29857..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_role.json
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- "elasticsearch": {
- "cluster": [],
- "indices": [
- {
- "names": [
- "apm-*-transaction*",
- "traces-apm*",
- "auditbeat-*",
- "endgame-*",
- "filebeat-*",
- "logs-*",
- "packetbeat-*",
- "winlogbeat-*"
- ],
- "privileges": ["read", "write"]
- },
- {
- "names": [".alerts-security*", ".siem-signals-*"],
- "privileges": ["read", "write"]
- },
- {
- "names": [".lists*", ".items*"],
- "privileges": ["read", "write"]
- },
- {
- "names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*"],
- "privileges": ["read"]
- }
- ]
- },
- "kibana": [
- {
- "feature": {
- "ml": ["read"],
- "siem": [
- "all",
- "read_alerts",
- "crud_alerts",
- "endpoint_list_all",
- "trusted_applications_all",
- "event_filters_all",
- "host_isolation_exceptions_all",
- "blocklist_all",
- "policy_management_read",
- "host_isolation_all",
- "process_operations_all",
- "actions_log_management_all",
- "file_operations_all"
- ],
- "securitySolutionCases": ["all"],
- "actions": ["read"],
- "builtInAlerts": ["all"],
- "osquery": ["all"]
- },
- "spaces": ["*"]
- }
- ]
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json
deleted file mode 100644
index 8b72a15aeb310..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/detections_user.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "password": "changeme",
- "roles": ["t3_analyst"],
- "full_name": "t3 analyst",
- "email": "detections-reader@example.com"
-}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts
deleted file mode 100644
index 665536b4b3887..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t3_analyst/index.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as t3AnalystUser from './detections_user.json';
-import * as t3AnalystRole from './detections_role.json';
-export { t3AnalystUser, t3AnalystRole };
diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts
index 3ead60140729f..84ea7130ee023 100644
--- a/x-pack/test/common/services/security_solution/roles_users_utils.ts
+++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts
@@ -5,79 +5,35 @@ * 2.0. */ -import { assertUnreachable } from '@kbn/security-solution-plugin/common/utility_types'; -import { - t1AnalystUser, - t2AnalystUser, - t3AnalystUser, - hunterUser, - hunterNoActionsUser, - ruleAuthorUser, - socManagerUser, - platformEngineerUser, - detectionsAdminUser, - t1AnalystRole, - t2AnalystRole, - t3AnalystRole, - hunterRole, - hunterNoActionsRole, - ruleAuthorRole, - socManagerRole, - platformEngineerRole, - detectionsAdminRole, -} from '@kbn/security-solution-plugin/server/lib/detection_engine/scripts/roles_users'; - -import { ROLES } from '@kbn/security-solution-plugin/common/test'; +import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; +import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; -export { ROLES }; +const allSupportedRoles = { + ...serverlessRoleDefinitions, + ...essRoleDefinitions, +}; /** * creates a security solution centric role and a user (both having the same name) * @param getService * @param role */ -export const createUserAndRole = async ( +export const createRoleAndUser = async ( getService: FtrProviderContext['getService'], - role: ROLES + role: SecurityRoleName ): Promise => { - switch (role) { - case ROLES.detections_admin: - return postRoleAndUser( - ROLES.detections_admin, - detectionsAdminRole, - detectionsAdminUser, - getService - ); - case ROLES.t1_analyst: - return postRoleAndUser(ROLES.t1_analyst, t1AnalystRole, t1AnalystUser, getService); - case ROLES.t2_analyst: - return postRoleAndUser(ROLES.t2_analyst, t2AnalystRole, t2AnalystUser, getService); - case ROLES.t3_analyst: - return postRoleAndUser(ROLES.t3_analyst, t3AnalystRole, t3AnalystUser, getService); - case ROLES.hunter: - return postRoleAndUser(ROLES.hunter, hunterRole, hunterUser, getService); - case 
ROLES.hunter_no_actions: - return postRoleAndUser( - ROLES.hunter_no_actions, - hunterNoActionsRole, - hunterNoActionsUser, - getService - ); - case ROLES.rule_author: - return postRoleAndUser(ROLES.rule_author, ruleAuthorRole, ruleAuthorUser, getService); - case ROLES.soc_manager: - return postRoleAndUser(ROLES.soc_manager, socManagerRole, socManagerUser, getService); - case ROLES.platform_engineer: - return postRoleAndUser( - ROLES.platform_engineer, - platformEngineerRole, - platformEngineerUser, - getService - ); - default: - return assertUnreachable(role); - } + const securityService = getService('security'); + const roleDefinition = allSupportedRoles[role]; + + await securityService.role.create(role, roleDefinition); + await securityService.user.create(role, { + password: 'changeme', + roles: [role], + full_name: role, + email: 'detections-reader@example.com', + }); }; /** 
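Review bot: In `createRoleAndUser`, `allSupportedRoles[role]` is passed to `securityService.role.create` without checking that a definition was found, and the spread that builds `allSupportedRoles` lets an entry from `ess_roles.json` silently replace a serverless entry with the same key. Whether the two files overlap, or whether every `SecurityRoleName` has an entry, is not visible here, but in either case the privilege tests calling this helper would exercise a role other than the one they name, which can mask an authorization regression. I would fail fast before the create call with `if (!roleDefinition) throw new Error('No role definition for ' + role);` and state in a comment next to the spread which definition is meant to win. The JSDoc above the function keeps empty `@param getService` and `@param role` entries; a line for each, plus a remark that the user gets the fixed test password and must only be created on disposable test clusters, would complete it.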
@@ -86,55 +42,11 @@ export const createUserAndRole = async ( * @param roleName The user and role to delete with the same name * @param securityService The security service */ -export const deleteUserAndRole = async ( +export const deleteRoleAndUser = async ( getService: FtrProviderContext['getService'], - roleName: ROLES + roleName: SecurityRoleName ): Promise => { const securityService = getService('security'); await securityService.user.delete(roleName); await securityService.role.delete(roleName); }; - -interface UserInterface { - password: string; - roles: string[]; - full_name: string; - email: string; -} - -interface RoleInterface { - elasticsearch: { - cluster: string[]; - indices: Array<{ - names: string[]; - privileges: string[]; - }>; - }; - kibana: Array<{ - feature: { - ml: string[]; - siem: string[]; - actions?: string[]; - builtInAlerts: string[]; - }; - spaces: string[]; - }>; -} - -export const postRoleAndUser = async ( - roleName: string, - role: RoleInterface, - user: UserInterface, - getService: FtrProviderContext['getService'] -): Promise => { - const securityService = getService('security'); - await securityService.role.create(roleName, { - kibana: role.kibana, - elasticsearch: role.elasticsearch, - }); - await securityService.user.create(roleName, { - password: 'changeme', - full_name: user.full_name, - roles: user.roles, - }); -}; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts index 3a016fe68618d..1db030f34e311 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts 
@@ -19,7 +19,7 @@ import { getThresholdRuleForSignalTesting, deleteAllAlerts, } from '../../utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { @@ -63,7 +63,7 @@ export default ({ getService }: FtrProviderContext) => { ...getRuleForSignalTesting(index), query: 'process.executable: "/usr/bin/sudo"', }; - await createUserAndRole(getService, ROLES.detections_admin); + await createRoleAndUser(getService, ROLES.detections_admin); const { id } = await createRuleWithAuth(supertestWithoutAuth, rule, { user: ROLES.detections_admin, pass: 'changeme', @@ -85,7 +85,7 @@ export default ({ getService }: FtrProviderContext) => { `This rule may not have the required read privileges to the following index patterns: ["${index[0]}"]` ); - await deleteUserAndRole(getService, ROLES.detections_admin); + await deleteRoleAndUser(getService, ROLES.detections_admin); }); }); @@ -102,7 +102,7 @@ export default ({ getService }: FtrProviderContext) => { value: 700, }, }; - await createUserAndRole(getService, ROLES.detections_admin); + await createRoleAndUser(getService, ROLES.detections_admin); const { id } = await createRuleWithAuth(supertestWithoutAuth, rule, { user: ROLES.detections_admin, pass: 'changeme', @@ -124,7 +124,7 @@ export default ({ getService }: FtrProviderContext) => { `This rule may not have the required read privileges to the following index patterns: ["${index[0]}"]` ); - await deleteUserAndRole(getService, ROLES.detections_admin); + await deleteRoleAndUser(getService, ROLES.detections_admin); }); }); }); 
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts index b930f43dc9809..823d35bf2869b 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts @@ -11,7 +11,7 @@ import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/co import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { deleteAllRules, getSimplePreviewRule, getSimpleRulePreviewOutput } from '../../utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { @@ -88,11 +88,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.t1_analyst; beforeEach(async () => { - await createUserAndRole(getService, role); + await createRoleAndUser(getService, role); }); afterEach(async () => { - await deleteUserAndRole(getService, role); + await deleteRoleAndUser(getService, role); }); it('should NOT be able to preview a rule', async () => { @@ -109,11 +109,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.hunter; beforeEach(async () => { - await createUserAndRole(getService, role); + await createRoleAndUser(getService, role); }); afterEach(async () => { - await deleteUserAndRole(getService, role); + await deleteRoleAndUser(getService, role); }); it('should return with an error about not having correct permissions', async () => { 
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts index b5219dccbee49..334c588627216 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts @@ -23,7 +23,7 @@ import { getIndexNameFromLoad, waitForIndexToPopulate, } from '../../utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; interface CreateResponse { index: string; @@ -188,7 +188,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createUserAndRole(getService, ROLES.t1_analyst); + await createRoleAndUser(getService, ROLES.t1_analyst); await supertestWithoutAuth .post(DETECTION_ENGINE_SIGNALS_MIGRATION_URL) @@ -197,7 +197,7 @@ export default ({ getService }: FtrProviderContext): void => { .send({ index: [legacySignalsIndexName] }) .expect(400); - await deleteUserAndRole(getService, ROLES.t1_analyst); + await deleteRoleAndUser(getService, ROLES.t1_analyst); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts index f1534ed6d9ddf..a7fe7f6cfd74c 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts 
@@ -15,7 +15,7 @@ import { import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createSignalsIndex, deleteAllAlerts, getIndexNameFromLoad, waitFor } from '../../utils'; -import { createUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser } from '../../../common/services/security_solution'; interface CreateResponse { index: string; @@ -126,7 +126,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createUserAndRole(getService, ROLES.t1_analyst); + await createRoleAndUser(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth .delete(DETECTION_ENGINE_SIGNALS_MIGRATION_URL) diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts index 17d6ab5a91b0e..6b40f690421fe 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts @@ -21,7 +21,7 @@ import { getIndexNameFromLoad, waitFor, } from '../../utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; interface StatusResponse { index: string; 
@@ -269,7 +269,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createUserAndRole(getService, ROLES.t1_analyst); + await createRoleAndUser(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth .post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL) @@ -286,7 +286,7 @@ export default ({ getService }: FtrProviderContext): void => { expect(finalizeResponse.completed).not.to.eql(true); expect(finalizeResponse.error.message).to.match(/^security_exception/); expect(finalizeResponse.error.status_code).to.eql(403); - await deleteUserAndRole(getService, ROLES.t1_analyst); + await deleteRoleAndUser(getService, ROLES.t1_analyst); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts index 03e1b0c1e587b..519b9f7213074 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts @@ -11,7 +11,7 @@ import { DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL } from '@kbn/security-sol import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createSignalsIndex, deleteAllAlerts, getIndexNameFromLoad } from '../../utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { 
@@ -96,7 +96,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createUserAndRole(getService, ROLES.t1_analyst); + await createRoleAndUser(getService, ROLES.t1_analyst); await supertestWithoutAuth .get(DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL) @@ -105,7 +105,7 @@ export default ({ getService }: FtrProviderContext): void => { .query({ from: '2020-10-10' }) .expect(403); - await deleteUserAndRole(getService, ROLES.t1_analyst); + await deleteRoleAndUser(getService, ROLES.t1_analyst); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts index 8943a4b67c99b..15bd23176e502 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts @@ -28,7 +28,7 @@ import { getSimpleRule, } from '../../utils'; import { deleteAllExceptions } from '../../../lists_api_integration/utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; // This test was meant to be more full flow, ensuring that // exported rules are able to be reimported as opposed to 
@@ -43,11 +43,11 @@ export default ({ getService }: FtrProviderContext): void => { describe('import_export_rules_flow', () => { beforeEach(async () => { await createSignalsIndex(supertest, log); - await createUserAndRole(getService, ROLES.soc_manager); + await createRoleAndUser(getService, ROLES.soc_manager); }); afterEach(async () => { - await deleteUserAndRole(getService, ROLES.soc_manager); + await deleteRoleAndUser(getService, ROLES.soc_manager); await deleteAllExceptions(supertest, log); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts index dae7835c16020..60b49326e33e1 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts @@ -42,7 +42,7 @@ import { getRuleSOById, } from '../../utils'; import { deleteAllExceptions } from '../../../lists_api_integration/utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; const getImportRuleBuffer = (connectorId: string) => { const rule1 = { 
@@ -206,12 +206,12 @@ export default ({ getService }: FtrProviderContext): void => { describe('import_rules', () => { describe('importing rules with different roles', () => { before(async () => { - await createUserAndRole(getService, ROLES.hunter_no_actions); - await createUserAndRole(getService, ROLES.hunter); + await createRoleAndUser(getService, ROLES.hunter_no_actions); + await createRoleAndUser(getService, ROLES.hunter); }); after(async () => { - await deleteUserAndRole(getService, ROLES.hunter_no_actions); - await deleteUserAndRole(getService, ROLES.hunter); + await deleteRoleAndUser(getService, ROLES.hunter_no_actions); + await deleteRoleAndUser(getService, ROLES.hunter); }); beforeEach(async () => { await createSignalsIndex(supertest, log); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts index f66bec45e45a1..76ab5583b0fec 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts @@ -29,7 +29,7 @@ import { waitForRuleSuccess, getRuleForSignalTesting, } from '../../utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { 
@@ -218,7 +218,7 @@ export default ({ getService }: FtrProviderContext) => { const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); await waitForSignalsToBePresent(supertest, log, 1, [id]); - await createUserAndRole(getService, ROLES.t1_analyst); + await createRoleAndUser(getService, ROLES.t1_analyst); const signalsOpen = await getSignalsByIds(supertest, log, [id]); const signalIds = signalsOpen.hits.hits.map((signal) => signal._id); @@ -245,7 +245,7 @@ export default ({ getService }: FtrProviderContext) => { ); expect(everySignalClosed).to.eql(true); - await deleteUserAndRole(getService, ROLES.t1_analyst); + await deleteRoleAndUser(getService, ROLES.t1_analyst); }); // This fails and should be investigated or removed if it no longer applies @@ -255,7 +255,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForRuleSuccess({ supertest, log, id }); await waitForSignalsToBePresent(supertest, log, 1, [id]); const userAndRole = ROLES.soc_manager; - await createUserAndRole(getService, userAndRole); + await createRoleAndUser(getService, userAndRole); const signalsOpen = await getSignalsByIds(supertest, log, [id]); const signalIds = signalsOpen.hits.hits.map((signal) => signal._id); @@ -280,7 +280,7 @@ export default ({ getService }: FtrProviderContext) => { ); expect(everySignalClosed).to.eql(true); - await deleteUserAndRole(getService, userAndRole); + await deleteRoleAndUser(getService, userAndRole); }); }); }); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts index b95c6771367f4..767b62ab18447 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts 
@@ -10,7 +10,7 @@ import { DETECTION_ENGINE_PRIVILEGES_URL } from '@kbn/security-solution-plugin/c import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { @@ -78,7 +78,7 @@ export default ({ getService }: FtrProviderContext) => { }); it('should return expected privileges for a "t1_analyst" user', async () => { - await createUserAndRole(getService, ROLES.t1_analyst); + await createRoleAndUser(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.t1_analyst, 'changeme') @@ -139,11 +139,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.t1_analyst); + await deleteRoleAndUser(getService, ROLES.t1_analyst); }); it('should return expected privileges for a "t2_analyst" user', async () => { - await createUserAndRole(getService, ROLES.t2_analyst); + await createRoleAndUser(getService, ROLES.t2_analyst); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.t2_analyst, 'changeme') 
@@ -204,11 +204,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.t2_analyst); + await deleteRoleAndUser(getService, ROLES.t2_analyst); }); it('should return expected privileges for a "hunter" user', async () => { - await createUserAndRole(getService, ROLES.hunter); + await createRoleAndUser(getService, ROLES.hunter); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.hunter, 'changeme') @@ -269,11 +269,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.hunter); + await deleteRoleAndUser(getService, ROLES.hunter); }); it('should return expected privileges for a "rule_author" user', async () => { - await createUserAndRole(getService, ROLES.rule_author); + await createRoleAndUser(getService, ROLES.rule_author); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.rule_author, 'changeme') @@ -334,11 +334,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.rule_author); + await deleteRoleAndUser(getService, ROLES.rule_author); }); it('should return expected privileges for a "soc_manager" user', async () => { - await createUserAndRole(getService, ROLES.soc_manager); + await createRoleAndUser(getService, ROLES.soc_manager); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.soc_manager, 'changeme') 
@@ -399,11 +399,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.soc_manager); + await deleteRoleAndUser(getService, ROLES.soc_manager); }); it('should return expected privileges for a "platform_engineer" user', async () => { - await createUserAndRole(getService, ROLES.platform_engineer); + await createRoleAndUser(getService, ROLES.platform_engineer); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.platform_engineer, 'changeme') @@ -464,11 +464,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.platform_engineer); + await deleteRoleAndUser(getService, ROLES.platform_engineer); }); it('should return expected privileges for a "detections_admin" user', async () => { - await createUserAndRole(getService, ROLES.detections_admin); + await createRoleAndUser(getService, ROLES.detections_admin); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.detections_admin, 'changeme') @@ -529,7 +529,7 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteUserAndRole(getService, ROLES.detections_admin); + await deleteRoleAndUser(getService, ROLES.detections_admin); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts index 002bf3ddda8a4..a557ca720784d 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts 
@@ -29,7 +29,7 @@ import { ruleToNdjson, } from '../../utils'; import { deleteAllExceptions } from '../../../lists_api_integration/utils'; -import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; const getImportRuleBuffer = (connectorId: string) => { const rule1 = { @@ -103,12 +103,12 @@ export default ({ getService }: FtrProviderContext): void => { describe('import_rules', () => { describe('importing rules with different roles', () => { before(async () => { - await createUserAndRole(getService, ROLES.hunter_no_actions); - await createUserAndRole(getService, ROLES.hunter); + await createRoleAndUser(getService, ROLES.hunter_no_actions); + await createRoleAndUser(getService, ROLES.hunter); }); after(async () => { - await deleteUserAndRole(getService, ROLES.hunter_no_actions); - await deleteUserAndRole(getService, ROLES.hunter); + await deleteRoleAndUser(getService, ROLES.hunter_no_actions); + await deleteRoleAndUser(getService, ROLES.hunter); }); beforeEach(async () => { await createSignalsIndex(supertest, log); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts index 3ce0aa0bed874..b2a59d1bfc01a 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts 
@@ -20,8 +20,8 @@ import { getUpdateMinimalExceptionListItemSchemaMock } from '@kbn/lists-plugin/c import { UpdateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils'; import { - createUserAndRole, - deleteUserAndRole, + createRoleAndUser, + deleteRoleAndUser, } from '../../../../../../common/services/security_solution'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; @@ -36,13 +36,13 @@ export default ({ getService }: FtrProviderContext) => { describe('Rule Exceptions', () => { beforeEach(async () => { - await createUserAndRole(getService, detectionAdmin); - await createUserAndRole(getService, socManager); + await createRoleAndUser(getService, detectionAdmin); + await createRoleAndUser(getService, socManager); }); afterEach(async () => { - await deleteUserAndRole(getService, detectionAdmin); - await deleteUserAndRole(getService, socManager); + await deleteRoleAndUser(getService, detectionAdmin); + await deleteRoleAndUser(getService, socManager); await deleteAllExceptions(supertest, log); }); @@ -143,13 +143,13 @@ export default ({ getService }: FtrProviderContext) => { }); describe('Endpoint Exceptions', () => { beforeEach(async () => { - await createUserAndRole(getService, detectionAdmin); - await createUserAndRole(getService, socManager); + await createRoleAndUser(getService, detectionAdmin); + await createRoleAndUser(getService, socManager); }); afterEach(async () => { - await deleteUserAndRole(getService, detectionAdmin); - await deleteUserAndRole(getService, socManager); + await deleteRoleAndUser(getService, detectionAdmin); + await deleteRoleAndUser(getService, socManager); await deleteAllExceptions(supertest, log); }); 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts index fb5c385ab2c7b..9c35f18d007a7 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts @@ -62,8 +62,8 @@ import { importFile, } from '../../../../../../lists_api_integration/utils'; import { - createUserAndRole, - deleteUserAndRole, + createRoleAndUser, + deleteRoleAndUser, } from '../../../../../../common/services/security_solution'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; @@ -507,11 +507,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.t1_analyst; beforeEach(async () => { - await createUserAndRole(getService, role); + await createRoleAndUser(getService, role); }); afterEach(async () => { - await deleteUserAndRole(getService, role); + await deleteRoleAndUser(getService, role); }); it('should NOT be able to create an exception list', async () => { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts index 97b602c4db617..0e2eba842aa1c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts 
@@ -45,8 +45,8 @@ import { updateUsername, } from '../../utils'; import { - createUserAndRole, - deleteUserAndRole, + createRoleAndUser, + deleteRoleAndUser, } from '../../../../../common/services/security_solution'; import { EsArchivePathBuilder } from '../../../../es_archive_path_builder'; @@ -437,11 +437,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.t1_analyst; beforeEach(async () => { - await createUserAndRole(getService, role); + await createRoleAndUser(getService, role); }); afterEach(async () => { - await deleteUserAndRole(getService, role); + await deleteRoleAndUser(getService, role); }); it('should NOT be able to create a rule', async () => { diff --git a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts index 6e1850373af81..92a75b0be1433 100644 --- a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts +++ b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts @@ -7,12 +7,9 @@ import expect from '@kbn/expect'; import { IndexedHostsAndAlertsResponse } from '@kbn/security-solution-plugin/common/endpoint/index_data'; +import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; -import { - createUserAndRole, - deleteUserAndRole, - ROLES, -} from '../../../common/services/security_solution'; +import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; export default ({ getPageObjects, getService }: FtrProviderContext) => { const PageObjects = getPageObjects(['security', 'endpoint', 'detections', 'hosts']); 
@@ -35,11 +32,22 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { }); // Run the same set of tests against all of the Security Solution roles - for (const role of Object.keys(ROLES) as Array) { + const ROLES: SecurityRoleName[] = [ + 't1_analyst', + 't2_analyst', + 'rule_author', + 'soc_manager', + 'detections_admin', + 'platform_engineer', + 'hunter', + 'hunter_no_actions', + ]; + + for (const role of ROLES) { describe(`when running with user/role [${role}]`, () => { before(async () => { // create role/user - await createUserAndRole(getService, ROLES[role]); + await createRoleAndUser(getService, role); // log back in with new uer await PageObjects.security.login(role, 'changeme'); @@ -51,7 +59,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { await PageObjects.security.forceLogout(); // delete role/user - await deleteUserAndRole(getService, ROLES[role]); + await deleteRoleAndUser(getService, role); }); it('should NOT allow access to endpoint management pages', async () => { From f4be6c21f93091583315d7375e62f97618e6075f Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Wed, 25 Oct 2023 12:20:17 +0200 Subject: [PATCH 16/30] remove env type constants --- .../cypress/cypress_ci_serverless.config.ts | 1 - .../cypress/cypress_ci_serverless_qa.config.ts | 1 - .../cypress/cypress_serverless.config.ts | 1 - 3 files changed, 3 deletions(-) diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts index b60f2dade1807..a4d78e0433852 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts 
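Review bot: The hand-maintained `ROLES` array added in endpoint_permissions.ts can drift from the shared role definitions, even though the comment above it still says the suite runs against all of the Security Solution roles. The looped case is a negative authorization check ('should NOT allow access to endpoint management pages'), so a role added later would silently go unchecked here instead of failing. If the shared test module exports an enumerable role list, iterate over that; otherwise add a comment on the array such as `// Keep in sync with SecurityRoleName: a role missing here is NOT covered by this access check`. The local constant also reuses the name of the `ROLES` export that other suites import from `@kbn/security-solution-plugin/common/test`, so a name like `ROLES_UNDER_TEST` would read less ambiguously. The enclosing `export default` function starts and ends outside the hunk.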
@@ -16,7 +16,6 @@ export default defineCypressConfig({
 },
 defaultCommandTimeout: 150000,
 env: {
- IS_SERVERLESS: true,
 grepFilterSpecs: true,
 grepOmitFiltered: true,
 grepTags: '@serverless --@brokenInServerless --@skipInServerless',
diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts
index 1213353b53c1b..c9a34b09ddceb 100644
--- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts
+++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts
@@ -16,7 +16,6 @@ export default defineCypressConfig({
 },
 defaultCommandTimeout: 150000,
 env: {
- CLOUD_SERVERLESS: true,
 grepFilterSpecs: true,
 grepOmitFiltered: true,
 grepTags: '@serverlessQA --@brokenInServerless --@skipInServerless',
diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts
index bc6b98283ec22..dcfeed34f3e8f 100644
--- a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts
+++ b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts
@@ -22,7 +22,6 @@ export default defineCypressConfig({
 viewportWidth: 1680,
 numTestsKeptInMemory: 10,
 env: {
- IS_SERVERLESS: true,
 grepFilterSpecs: true,
 grepTags: '@serverless --@brokenInServerless --@skipInServerless',
 },
From a31d6112d4ffec0544d000742a2e8ab02fbbe78c Mon Sep 17 00:00:00 2001
From: Maxim Palenov Date: Wed, 25 Oct 2023 12:58:22 +0200 Subject: [PATCH 17/30] roll back renaming --- .../security_solution/roles_users_utils.ts | 4 +-- .../group1/check_privileges.ts | 10 +++---- .../group1/preview_rules.ts | 10 +++---- .../group10/create_signals_migrations.ts | 6 ++-- .../group10/delete_signals_migrations.ts | 4 +-- .../group10/finalize_signals_migrations.ts | 6 ++-- .../group10/get_signals_migration_status.ts | 6 ++-- .../group10/import_export_rules.ts | 6 ++-- .../group10/import_rules.ts | 10 +++---- .../group10/open_close_signals.ts | 10 +++---- .../group10/read_privileges.ts | 30 +++++++++---------- .../security_and_spaces/tests/import_rules.ts | 10 +++---- .../workflows/role_based_add_edit_comments.ts | 20 ++++++------- .../role_based_rule_exceptions_workflows.ts | 8 ++--- .../rule_creation/create_rules.ts | 8 ++--- .../apps/endpoint/endpoint_permissions.ts | 6 ++-- 16 files changed, 77 insertions(+), 77 deletions(-) diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index 84ea7130ee023..bc27f8a604df4 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -20,7 +20,7 @@ const allSupportedRoles = { * @param getService * @param role */ -export const createRoleAndUser = async ( +export const createUserAndRole = async ( getService: FtrProviderContext['getService'], role: SecurityRoleName ): Promise => { @@ -42,7 +42,7 @@ export const createRoleAndUser = async ( * @param roleName The user and role to delete with the same name * @param securityService The security service */ -export const deleteRoleAndUser = async ( +export const deleteUserAndRole = async ( getService: FtrProviderContext['getService'], roleName: SecurityRoleName ): Promise => { 
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts index 1db030f34e311..3a016fe68618d 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/check_privileges.ts @@ -19,7 +19,7 @@ import { getThresholdRuleForSignalTesting, deleteAllAlerts, } from '../../utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { @@ -63,7 +63,7 @@ export default ({ getService }: FtrProviderContext) => { ...getRuleForSignalTesting(index), query: 'process.executable: "/usr/bin/sudo"', }; - await createRoleAndUser(getService, ROLES.detections_admin); + await createUserAndRole(getService, ROLES.detections_admin); const { id } = await createRuleWithAuth(supertestWithoutAuth, rule, { user: ROLES.detections_admin, pass: 'changeme', @@ -85,7 +85,7 @@ export default ({ getService }: FtrProviderContext) => { `This rule may not have the required read privileges to the following index patterns: ["${index[0]}"]` ); - await deleteRoleAndUser(getService, ROLES.detections_admin); + await deleteUserAndRole(getService, ROLES.detections_admin); }); }); @@ -102,7 +102,7 @@ export default ({ getService }: FtrProviderContext) => { value: 700, }, }; - await createRoleAndUser(getService, ROLES.detections_admin); + await createUserAndRole(getService, ROLES.detections_admin); const { id } = await createRuleWithAuth(supertestWithoutAuth, rule, { user: ROLES.detections_admin, pass: 'changeme', 
@@ -124,7 +124,7 @@ export default ({ getService }: FtrProviderContext) => { `This rule may not have the required read privileges to the following index patterns: ["${index[0]}"]` ); - await deleteRoleAndUser(getService, ROLES.detections_admin); + await deleteUserAndRole(getService, ROLES.detections_admin); }); }); }); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts index 823d35bf2869b..b930f43dc9809 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/preview_rules.ts @@ -11,7 +11,7 @@ import { DETECTION_ENGINE_RULES_PREVIEW } from '@kbn/security-solution-plugin/co import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { deleteAllRules, getSimplePreviewRule, getSimpleRulePreviewOutput } from '../../utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { @@ -88,11 +88,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.t1_analyst; beforeEach(async () => { - await createRoleAndUser(getService, role); + await createUserAndRole(getService, role); }); afterEach(async () => { - await deleteRoleAndUser(getService, role); + await deleteUserAndRole(getService, role); }); it('should NOT be able to preview a rule', async () => { 
@@ -109,11 +109,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.hunter; beforeEach(async () => { - await createRoleAndUser(getService, role); + await createUserAndRole(getService, role); }); afterEach(async () => { - await deleteRoleAndUser(getService, role); + await deleteUserAndRole(getService, role); }); it('should return with an error about not having correct permissions', async () => { diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts index 334c588627216..b5219dccbee49 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/create_signals_migrations.ts @@ -23,7 +23,7 @@ import { getIndexNameFromLoad, waitForIndexToPopulate, } from '../../utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; interface CreateResponse { index: string; @@ -188,7 +188,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createRoleAndUser(getService, ROLES.t1_analyst); + await createUserAndRole(getService, ROLES.t1_analyst); await supertestWithoutAuth .post(DETECTION_ENGINE_SIGNALS_MIGRATION_URL) @@ -197,7 +197,7 @@ export default ({ getService }: FtrProviderContext): void => { .send({ index: [legacySignalsIndexName] }) .expect(400); - await deleteRoleAndUser(getService, ROLES.t1_analyst); + await deleteUserAndRole(getService, ROLES.t1_analyst); }); }); }; 
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts index a7fe7f6cfd74c..f1534ed6d9ddf 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/delete_signals_migrations.ts @@ -15,7 +15,7 @@ import { import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createSignalsIndex, deleteAllAlerts, getIndexNameFromLoad, waitFor } from '../../utils'; -import { createRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole } from '../../../common/services/security_solution'; interface CreateResponse { index: string; @@ -126,7 +126,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createRoleAndUser(getService, ROLES.t1_analyst); + await createUserAndRole(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth .delete(DETECTION_ENGINE_SIGNALS_MIGRATION_URL) diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts index 6b40f690421fe..17d6ab5a91b0e 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/finalize_signals_migrations.ts 
@@ -21,7 +21,7 @@ import { getIndexNameFromLoad, waitFor, } from '../../utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; interface StatusResponse { index: string; @@ -269,7 +269,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createRoleAndUser(getService, ROLES.t1_analyst); + await createUserAndRole(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth .post(DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL) @@ -286,7 +286,7 @@ export default ({ getService }: FtrProviderContext): void => { expect(finalizeResponse.completed).not.to.eql(true); expect(finalizeResponse.error.message).to.match(/^security_exception/); expect(finalizeResponse.error.status_code).to.eql(403); - await deleteRoleAndUser(getService, ROLES.t1_analyst); + await deleteUserAndRole(getService, ROLES.t1_analyst); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts index 519b9f7213074..03e1b0c1e587b 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/get_signals_migration_status.ts 
@@ -11,7 +11,7 @@ import { DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL } from '@kbn/security-sol import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; import { createSignalsIndex, deleteAllAlerts, getIndexNameFromLoad } from '../../utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext): void => { @@ -96,7 +96,7 @@ export default ({ getService }: FtrProviderContext): void => { }); it('rejects the request if the user does not have sufficient privileges', async () => { - await createRoleAndUser(getService, ROLES.t1_analyst); + await createUserAndRole(getService, ROLES.t1_analyst); await supertestWithoutAuth .get(DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL) @@ -105,7 +105,7 @@ export default ({ getService }: FtrProviderContext): void => { .query({ from: '2020-10-10' }) .expect(403); - await deleteRoleAndUser(getService, ROLES.t1_analyst); + await deleteUserAndRole(getService, ROLES.t1_analyst); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts index 15bd23176e502..8943a4b67c99b 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_export_rules.ts 
@@ -28,7 +28,7 @@ import { getSimpleRule, } from '../../utils'; import { deleteAllExceptions } from '../../../lists_api_integration/utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; // This test was meant to be more full flow, ensuring that // exported rules are able to be reimported as opposed to @@ -43,11 +43,11 @@ export default ({ getService }: FtrProviderContext): void => { describe('import_export_rules_flow', () => { beforeEach(async () => { await createSignalsIndex(supertest, log); - await createRoleAndUser(getService, ROLES.soc_manager); + await createUserAndRole(getService, ROLES.soc_manager); }); afterEach(async () => { - await deleteRoleAndUser(getService, ROLES.soc_manager); + await deleteUserAndRole(getService, ROLES.soc_manager); await deleteAllExceptions(supertest, log); await deleteAllAlerts(supertest, log, es); await deleteAllRules(supertest, log); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts index 60b49326e33e1..dae7835c16020 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/import_rules.ts @@ -42,7 +42,7 @@ import { getRuleSOById, } from '../../utils'; import { deleteAllExceptions } from '../../../lists_api_integration/utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; const getImportRuleBuffer = (connectorId: string) => { const rule1 = { 
@@ -206,12 +206,12 @@ export default ({ getService }: FtrProviderContext): void => { describe('import_rules', () => { describe('importing rules with different roles', () => { before(async () => { - await createRoleAndUser(getService, ROLES.hunter_no_actions); - await createRoleAndUser(getService, ROLES.hunter); + await createUserAndRole(getService, ROLES.hunter_no_actions); + await createUserAndRole(getService, ROLES.hunter); }); after(async () => { - await deleteRoleAndUser(getService, ROLES.hunter_no_actions); - await deleteRoleAndUser(getService, ROLES.hunter); + await deleteUserAndRole(getService, ROLES.hunter_no_actions); + await deleteUserAndRole(getService, ROLES.hunter); }); beforeEach(async () => { await createSignalsIndex(supertest, log); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts index 76ab5583b0fec..f66bec45e45a1 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/open_close_signals.ts @@ -29,7 +29,7 @@ import { waitForRuleSuccess, getRuleForSignalTesting, } from '../../utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { 
@@ -218,7 +218,7 @@ export default ({ getService }: FtrProviderContext) => { const { id } = await createRule(supertest, log, rule); await waitForRuleSuccess({ supertest, log, id }); await waitForSignalsToBePresent(supertest, log, 1, [id]); - await createRoleAndUser(getService, ROLES.t1_analyst); + await createUserAndRole(getService, ROLES.t1_analyst); const signalsOpen = await getSignalsByIds(supertest, log, [id]); const signalIds = signalsOpen.hits.hits.map((signal) => signal._id); @@ -245,7 +245,7 @@ export default ({ getService }: FtrProviderContext) => { ); expect(everySignalClosed).to.eql(true); - await deleteRoleAndUser(getService, ROLES.t1_analyst); + await deleteUserAndRole(getService, ROLES.t1_analyst); }); // This fails and should be investigated or removed if it no longer applies @@ -255,7 +255,7 @@ export default ({ getService }: FtrProviderContext) => { await waitForRuleSuccess({ supertest, log, id }); await waitForSignalsToBePresent(supertest, log, 1, [id]); const userAndRole = ROLES.soc_manager; - await createRoleAndUser(getService, userAndRole); + await createUserAndRole(getService, userAndRole); const signalsOpen = await getSignalsByIds(supertest, log, [id]); const signalIds = signalsOpen.hits.hits.map((signal) => signal._id); @@ -280,7 +280,7 @@ export default ({ getService }: FtrProviderContext) => { ); expect(everySignalClosed).to.eql(true); - await deleteRoleAndUser(getService, userAndRole); + await deleteUserAndRole(getService, userAndRole); }); }); }); diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts index 767b62ab18447..b95c6771367f4 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group10/read_privileges.ts 
@@ -10,7 +10,7 @@ import { DETECTION_ENGINE_PRIVILEGES_URL } from '@kbn/security-solution-plugin/c import { ROLES } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../common/ftr_provider_context'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; // eslint-disable-next-line import/no-default-export export default ({ getService }: FtrProviderContext) => { @@ -78,7 +78,7 @@ export default ({ getService }: FtrProviderContext) => { }); it('should return expected privileges for a "t1_analyst" user', async () => { - await createRoleAndUser(getService, ROLES.t1_analyst); + await createUserAndRole(getService, ROLES.t1_analyst); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.t1_analyst, 'changeme') @@ -139,11 +139,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.t1_analyst); + await deleteUserAndRole(getService, ROLES.t1_analyst); }); it('should return expected privileges for a "t2_analyst" user', async () => { - await createRoleAndUser(getService, ROLES.t2_analyst); + await createUserAndRole(getService, ROLES.t2_analyst); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.t2_analyst, 'changeme') 
@@ -204,11 +204,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.t2_analyst); + await deleteUserAndRole(getService, ROLES.t2_analyst); }); it('should return expected privileges for a "hunter" user', async () => { - await createRoleAndUser(getService, ROLES.hunter); + await createUserAndRole(getService, ROLES.hunter); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.hunter, 'changeme') @@ -269,11 +269,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.hunter); + await deleteUserAndRole(getService, ROLES.hunter); }); it('should return expected privileges for a "rule_author" user', async () => { - await createRoleAndUser(getService, ROLES.rule_author); + await createUserAndRole(getService, ROLES.rule_author); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.rule_author, 'changeme') @@ -334,11 +334,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.rule_author); + await deleteUserAndRole(getService, ROLES.rule_author); }); it('should return expected privileges for a "soc_manager" user', async () => { - await createRoleAndUser(getService, ROLES.soc_manager); + await createUserAndRole(getService, ROLES.soc_manager); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.soc_manager, 'changeme') 
@@ -399,11 +399,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.soc_manager); + await deleteUserAndRole(getService, ROLES.soc_manager); }); it('should return expected privileges for a "platform_engineer" user', async () => { - await createRoleAndUser(getService, ROLES.platform_engineer); + await createUserAndRole(getService, ROLES.platform_engineer); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.platform_engineer, 'changeme') @@ -464,11 +464,11 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.platform_engineer); + await deleteUserAndRole(getService, ROLES.platform_engineer); }); it('should return expected privileges for a "detections_admin" user', async () => { - await createRoleAndUser(getService, ROLES.detections_admin); + await createUserAndRole(getService, ROLES.detections_admin); const { body } = await supertestWithoutAuth .get(DETECTION_ENGINE_PRIVILEGES_URL) .auth(ROLES.detections_admin, 'changeme') @@ -529,7 +529,7 @@ export default ({ getService }: FtrProviderContext) => { is_authenticated: true, has_encryption_key: true, }); - await deleteRoleAndUser(getService, ROLES.detections_admin); + await deleteUserAndRole(getService, ROLES.detections_admin); }); }); }; diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts index a557ca720784d..002bf3ddda8a4 100644 --- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts +++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/import_rules.ts 
@@ -29,7 +29,7 @@ import { ruleToNdjson, } from '../../utils'; import { deleteAllExceptions } from '../../../lists_api_integration/utils'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; const getImportRuleBuffer = (connectorId: string) => { const rule1 = { @@ -103,12 +103,12 @@ export default ({ getService }: FtrProviderContext): void => { describe('import_rules', () => { describe('importing rules with different roles', () => { before(async () => { - await createRoleAndUser(getService, ROLES.hunter_no_actions); - await createRoleAndUser(getService, ROLES.hunter); + await createUserAndRole(getService, ROLES.hunter_no_actions); + await createUserAndRole(getService, ROLES.hunter); }); after(async () => { - await deleteRoleAndUser(getService, ROLES.hunter_no_actions); - await deleteRoleAndUser(getService, ROLES.hunter); + await deleteUserAndRole(getService, ROLES.hunter_no_actions); + await deleteUserAndRole(getService, ROLES.hunter); }); beforeEach(async () => { await createSignalsIndex(supertest, log); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts index b2a59d1bfc01a..3ce0aa0bed874 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_add_edit_comments.ts 
@@ -20,8 +20,8 @@ import { getUpdateMinimalExceptionListItemSchemaMock } from '@kbn/lists-plugin/c import { UpdateExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import { deleteAllExceptions } from '../../../../../../lists_api_integration/utils'; import { - createRoleAndUser, - deleteRoleAndUser, + createUserAndRole, + deleteUserAndRole, } from '../../../../../../common/services/security_solution'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; @@ -36,13 +36,13 @@ export default ({ getService }: FtrProviderContext) => { describe('Rule Exceptions', () => { beforeEach(async () => { - await createRoleAndUser(getService, detectionAdmin); - await createRoleAndUser(getService, socManager); + await createUserAndRole(getService, detectionAdmin); + await createUserAndRole(getService, socManager); }); afterEach(async () => { - await deleteRoleAndUser(getService, detectionAdmin); - await deleteRoleAndUser(getService, socManager); + await deleteUserAndRole(getService, detectionAdmin); + await deleteUserAndRole(getService, socManager); await deleteAllExceptions(supertest, log); }); @@ -143,13 +143,13 @@ export default ({ getService }: FtrProviderContext) => { }); describe('Endpoint Exceptions', () => { beforeEach(async () => { - await createRoleAndUser(getService, detectionAdmin); - await createRoleAndUser(getService, socManager); + await createUserAndRole(getService, detectionAdmin); + await createUserAndRole(getService, socManager); }); afterEach(async () => { - await deleteRoleAndUser(getService, detectionAdmin); - await deleteRoleAndUser(getService, socManager); + await deleteUserAndRole(getService, detectionAdmin); + await deleteUserAndRole(getService, socManager); await deleteAllExceptions(supertest, log); }); 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts index 9c35f18d007a7..fb5c385ab2c7b 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/exceptions/workflows/role_based_rule_exceptions_workflows.ts @@ -62,8 +62,8 @@ import { importFile, } from '../../../../../../lists_api_integration/utils'; import { - createRoleAndUser, - deleteRoleAndUser, + createUserAndRole, + deleteUserAndRole, } from '../../../../../../common/services/security_solution'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; @@ -507,11 +507,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.t1_analyst; beforeEach(async () => { - await createRoleAndUser(getService, role); + await createUserAndRole(getService, role); }); afterEach(async () => { - await deleteRoleAndUser(getService, role); + await deleteUserAndRole(getService, role); }); it('should NOT be able to create an exception list', async () => { diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts index 0e2eba842aa1c..97b602c4db617 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/rule_creation/create_rules.ts 
@@ -45,8 +45,8 @@ import { updateUsername, } from '../../utils'; import { - createRoleAndUser, - deleteRoleAndUser, + createUserAndRole, + deleteUserAndRole, } from '../../../../../common/services/security_solution'; import { EsArchivePathBuilder } from '../../../../es_archive_path_builder'; @@ -437,11 +437,11 @@ export default ({ getService }: FtrProviderContext) => { const role = ROLES.t1_analyst; beforeEach(async () => { - await createRoleAndUser(getService, role); + await createUserAndRole(getService, role); }); afterEach(async () => { - await deleteRoleAndUser(getService, role); + await deleteUserAndRole(getService, role); }); it('should NOT be able to create a rule', async () => { diff --git a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts index 92a75b0be1433..51d6ae8bcfadc 100644 --- a/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts +++ b/x-pack/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts @@ -9,7 +9,7 @@ import expect from '@kbn/expect'; import { IndexedHostsAndAlertsResponse } from '@kbn/security-solution-plugin/common/endpoint/index_data'; import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; -import { createRoleAndUser, deleteRoleAndUser } from '../../../common/services/security_solution'; +import { createUserAndRole, deleteUserAndRole } from '../../../common/services/security_solution'; export default ({ getPageObjects, getService }: FtrProviderContext) => { const PageObjects = getPageObjects(['security', 'endpoint', 'detections', 'hosts']); 
@@ -47,7 +47,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { describe(`when running with user/role [${role}]`, () => { before(async () => { // create role/user - await createRoleAndUser(getService, role); + await createUserAndRole(getService, role); // log back in with new uer await PageObjects.security.login(role, 'changeme'); @@ -59,7 +59,7 @@ export default ({ getPageObjects, getService }: FtrProviderContext) => { await PageObjects.security.forceLogout(); // delete role/user - await deleteRoleAndUser(getService, role); + await deleteUserAndRole(getService, role); }); it('should NOT allow access to endpoint management pages', async () => { From 19b333b024a1ea756dc3255f78a0a6574aa7932e Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Wed, 25 Oct 2023 20:25:26 +0200 Subject: [PATCH 18/30] update readme --- packages/kbn-es/src/serverless_resources/README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md index acf81c030afba..29da27cddb8d6 100644 --- a/packages/kbn-es/src/serverless_resources/README.md +++ b/packages/kbn-es/src/serverless_resources/README.md 
@@ -4,14 +4,12 @@ The resources in this directory are used for seeding Elasticsearch Serverless im ## Roles -Roles defined in `roles.yml` is a combination of roles from `project-controller` like [security roles](https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml). +Roles defined in `roles.yml` intended to mock a Serverless deployment. -### Why `roles.json` is here? +### Why `security_roles.json` is here? -`security_roles.json` is a subset of defined in `roles.yml` roles defined in a JSON format and extended with necessary fields -to be compatible with `/api/security/role/{roleName}` endpoint. Cypress (and not only) tests use the roles to test behavior under specific roles. For example Security Solution reuses tests between ESS and Serverless and having the same roles is crucial here. Ideally it should be an automated process to transform -`project-controller` roles into `roles.yml` and `security_roles.json` but it's not done yet. This way it's logical to have -dependent files next to each other. +`security_roles.json` is a subset of defined in `roles.yml` roles in a JSON format and extended with necessary fields +to be compatible with `/api/security/role/{roleName}` endpoint. It's consumed by test environments like Cypress to be able to run different scenarios. ## Users From f5b399d927a3fa42f6be1c38da5c43fe30d3678e Mon Sep 17 00:00:00 2001 
From: Maxim Palenov Date: Thu, 26 Oct 2023 00:56:05 +0200 Subject: [PATCH 19/30] use only one support file --- .../cypress/cypress.config.ts | 1 - .../cypress/cypress_ci.config.ts | 1 - .../cypress/cypress_ci_serverless.config.ts | 1 - .../cypress_ci_serverless_qa.config.ts | 1 - .../cypress/cypress_serverless.config.ts | 1 - .../cypress/e2e/explore/cases/creation.cy.ts | 5 ++- .../cypress/env_var_names_constants.ts | 30 +++++++++++++ .../cypress/support/e2e.ts | 43 +++++++++++++++++++ .../cypress/support/ess_e2e.ts | 40 ----------------- .../cypress/support/serverless_e2e.ts | 20 --------- .../cypress/tasks/common.ts | 5 ++- .../cypress/tasks/login.ts | 30 +++---------- 12 files changed, 85 insertions(+), 93 deletions(-) create mode 100644 x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/support/e2e.ts delete mode 100644 x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts delete mode 100644 x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts diff --git a/x-pack/test/security_solution_cypress/cypress/cypress.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress.config.ts index 0b174dc44e4cb..d7f0bbc7a0254 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress.config.ts @@ -25,7 +25,6 @@ export default defineCypressConfig({ viewportWidth: 1680, numTestsKeptInMemory: 10, e2e: { - supportFile: 'cypress/support/ess_e2e.ts', experimentalRunAllSpecs: true, experimentalMemoryManagement: true, experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts index 1e68362b55746..efb3b64d36f4d 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts 
+++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci.config.ts @@ -33,7 +33,6 @@ export default defineCypressConfig({ viewportHeight: 946, viewportWidth: 1680, e2e: { - supportFile: 'cypress/support/ess_e2e.ts', baseUrl: 'http://localhost:5601', experimentalMemoryManagement: true, experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts index a4d78e0433852..3a1be3ed0221a 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless.config.ts @@ -33,7 +33,6 @@ export default defineCypressConfig({ viewportHeight: 946, viewportWidth: 1680, e2e: { - supportFile: 'cypress/support/serverless_e2e.ts', baseUrl: 'http://localhost:5601', experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], experimentalMemoryManagement: true, diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts index c9a34b09ddceb..e76893eceea36 100644 --- a/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_ci_serverless_qa.config.ts @@ -36,7 +36,6 @@ export default defineCypressConfig({ viewportHeight: 946, viewportWidth: 1680, e2e: { - supportFile: 'cypress/support/serverless_e2e.ts', baseUrl: 'http://localhost:5601', experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], experimentalMemoryManagement: true, diff --git a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts index dcfeed34f3e8f..b925e18a83478 100644 
--- a/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts +++ b/x-pack/test/security_solution_cypress/cypress/cypress_serverless.config.ts @@ -26,7 +26,6 @@ export default defineCypressConfig({ grepTags: '@serverless --@brokenInServerless --@skipInServerless', }, e2e: { - supportFile: 'cypress/support/serverless_e2e.ts', experimentalCspAllowList: ['default-src', 'script-src', 'script-src-elem'], experimentalRunAllSpecs: true, experimentalMemoryManagement: true, diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts index 79730b3c45854..6e66299f5d42a 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/creation.cy.ts @@ -53,6 +53,7 @@ import { login } from '../../../tasks/login'; import { visit, visitWithTimeRange } from '../../../tasks/navigation'; import { CASES_URL, OVERVIEW_URL } from '../../../urls/navigation'; +import { ELASTICSEARCH_USERNAME } from '../../../env_var_names_constants'; // Tracked by https://github.com/elastic/security-team/issues/7696 describe('Cases', { tags: ['@ess', '@serverless'] }, () => { @@ -107,10 +108,10 @@ describe('Cases', { tags: ['@ess', '@serverless'] }, () => { ); cy.get(CASE_DETAILS_USERNAMES) .eq(REPORTER) - .should('have.text', Cypress.env('ELASTICSEARCH_USERNAME')); + .should('have.text', Cypress.env(ELASTICSEARCH_USERNAME)); cy.get(CASE_DETAILS_USERNAMES) .eq(PARTICIPANTS) - .should('have.text', Cypress.env('ELASTICSEARCH_USERNAME')); + .should('have.text', Cypress.env(ELASTICSEARCH_USERNAME)); cy.get(CASE_DETAILS_TAGS).should('have.text', expectedTags); EXPECTED_METRICS.forEach((metric) => { 
diff --git a/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts b/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts
new file mode 100644
index 0000000000000..a6b8203075afa
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * The `CYPRESS_ELASTICSEARCH_USERNAME` environment variable specifies the
+ * username to be used when authenticating with Kibana
+ */
+export const ELASTICSEARCH_USERNAME = 'ELASTICSEARCH_USERNAME';
+
+/**
+ * The `CYPRESS_ELASTICSEARCH_PASSWORD` environment variable specifies the
+ * username to be used when authenticating with Kibana
+ */
+export const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD';
+
+/**
+ * The `IS_SERVERLESS` environment variable specifies wether the currently running
+ * environment is serverless snapshot.
+ */
+export const IS_SERVERLESS = 'IS_SERVERLESS';
+
+/**
+ * The `IS_SERVERLESS` environment variable specifies wether the currently running
+ * environment is a real MKI.
+ */
+export const CLOUD_SERVERLESS = 'CLOUD_SERVERLESS';
diff --git a/x-pack/test/security_solution_cypress/cypress/support/e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/e2e.ts
new file mode 100644
index 0000000000000..ea912e9077239
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/cypress/support/e2e.ts
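Review bot: Two doc comments in the new constants file describe the wrong thing: the block above `ELASTICSEARCH_PASSWORD` says the variable "specifies the username", and the block above `CLOUD_SERVERLESS` opens with "The IS_SERVERLESS environment variable". These names are now imported by `tasks/login.ts`, `tasks/common.ts` and `support/e2e.ts` to pick credentials and to gate user seeding, so the comments should read `* The CYPRESS_ELASTICSEARCH_PASSWORD environment variable specifies the password to be used when authenticating with Kibana` and `* The CLOUD_SERVERLESS environment variable specifies whether the currently running environment is a real MKI.`. "wether" should be "whether" in both serverless comments. The text was moved verbatim from `tasks/login.ts`, so the slip predates this patch, but the new shared file is the natural place to correct it.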
@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import './commands';
+import 'cypress-real-events/support';
+import registerCypressGrep from '@cypress/grep';
+import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json';
+import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json';
+import { setupUsers } from './setup_users';
+import { CLOUD_SERVERLESS, IS_SERVERLESS } from '../env_var_names_constants';
+
+before(() => {
+ cy.task('esArchiverLoad', { archiveName: 'auditbeat' });
+});
+
+if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS)) {
+ // Create Serverless and ESS roles and corresponding users. This helps to seamlessly reuse tests
+ // between ESS and Serverless having all the necessary users set up.
+ before(() => {
+ const allSupportedRoles = [
+ ...Object.keys(serverlessRoleDefinitions).map((serverlessRoleName) => ({
+ name: serverlessRoleName,
+ ...serverlessRoleDefinitions[serverlessRoleName as keyof typeof serverlessRoleDefinitions],
+ })),
+ ...Object.keys(essRoleDefinitions).map((essRoleName) => ({
+ name: essRoleName,
+ ...essRoleDefinitions[essRoleName as keyof typeof essRoleDefinitions],
+ })),
+ ];
+
+ setupUsers(allSupportedRoles);
+ });
+}
+
+registerCypressGrep();
+
+Cypress.on('uncaught:exception', () => {
+ return false;
+});
diff --git a/x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts
deleted file mode 100644
index e6255bd6a1e66..0000000000000
--- a/x-pack/test/security_solution_cypress/cypress/support/ess_e2e.ts
+++ /dev/null
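Review bot: The guard `if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS))` seeds roles and users whenever both flags are falsy, so an unconfigured run creates accounts on whatever stack `baseUrl` points at. `setupUsers` is not part of this hunk, so the credentials it assigns are an assumption, but the API tests elsewhere in this series authenticate role-named users with a fixed password, which makes the fail-open default worth spelling out. I would put a comment directly above the guard, for example `// Seeds role-named test users; intended for local/CI ESS stacks only. Set IS_SERVERLESS or CLOUD_SERVERLESS for every other target.`, and consider an explicit opt-in flag rather than relying on the absence of two others. Because the check is a plain truthiness test, a flag that arrives as a non-empty string such as 'false' (for instance via a config `env` block, if that is ever used) would count as set and skip seeding without any message.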
@@ -1,40 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import './commands';
-import 'cypress-real-events/support';
-import registerCypressGrep from '@cypress/grep';
-import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json';
-import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json';
-import { setupUsers } from './setup_users';
-
-before(() => {
- cy.task('esArchiverLoad', { archiveName: 'auditbeat' });
-});
-
-// Create Serverless and ESS roles and corresponding users. This helps to seamlessly reuse tests
-// between ESS and Serverless having all the necessary users set up.
-before(() => {
- const allSupportedRoles = [
- ...Object.keys(serverlessRoleDefinitions).map((serverlessRoleName) => ({
- name: serverlessRoleName,
- ...serverlessRoleDefinitions[serverlessRoleName as keyof typeof serverlessRoleDefinitions],
- })),
- ...Object.keys(essRoleDefinitions).map((essRoleName) => ({
- name: essRoleName,
- ...essRoleDefinitions[essRoleName as keyof typeof essRoleDefinitions],
- })),
- ];
-
- setupUsers(allSupportedRoles);
-});
-
-registerCypressGrep();
-
-Cypress.on('uncaught:exception', () => {
- return false;
-});
diff --git a/x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts
deleted file mode 100644
index b682a56710d9c..0000000000000
--- a/x-pack/test/security_solution_cypress/cypress/support/serverless_e2e.ts
+++ /dev/null
@@ -1,20 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import './commands'; -import 'cypress-real-events/support'; -import registerCypressGrep from '@cypress/grep'; - -before(() => { - cy.task('esArchiverLoad', { archiveName: 'auditbeat' }); -}); - -registerCypressGrep(); - -Cypress.on('uncaught:exception', () => { - return false; -}); diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/common.ts b/x-pack/test/security_solution_cypress/cypress/tasks/common.ts index 3d1e86bf006c7..3337d122ab936 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/common.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/common.ts @@ -11,6 +11,7 @@ import { KIBANA_LOADING_ICON } from '../screens/security_header'; import { EUI_BASIC_TABLE_LOADING } from '../screens/common/controls'; import { deleteAllDocuments } from './api_calls/elasticsearch'; import { DEFAULT_ALERTS_INDEX_PATTERN } from './api_calls/alerts'; +import { ELASTICSEARCH_PASSWORD, ELASTICSEARCH_USERNAME } from '../env_var_names_constants'; const primaryButton = 0; @@ -21,8 +22,8 @@ const primaryButton = 0; const dndSloppyClickDetectionThreshold = 5; export const API_AUTH = Object.freeze({ - user: Cypress.env('ELASTICSEARCH_USERNAME'), - pass: Cypress.env('ELASTICSEARCH_PASSWORD'), + user: Cypress.env(ELASTICSEARCH_USERNAME), + pass: Cypress.env(ELASTICSEARCH_PASSWORD), }); export const API_HEADERS = Object.freeze({ diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index 8b28e429226d2..fa54a1f5f1c62 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts 
@@ -15,6 +15,12 @@ import { } from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; import { rootRequest } from './common'; +import { + CLOUD_SERVERLESS, + ELASTICSEARCH_PASSWORD, + ELASTICSEARCH_USERNAME, + IS_SERVERLESS, +} from '../env_var_names_constants'; /** * Credentials in the `kibana.dev.yml` config file will be used to authenticate @@ -34,30 +40,6 @@ const ELASTICSEARCH_USERNAME_CONFIG_PATH = 'config.elasticsearch.username'; */ const ELASTICSEARCH_PASSWORD_CONFIG_PATH = 'config.elasticsearch.password'; -/** - * The `CYPRESS_ELASTICSEARCH_USERNAME` environment variable specifies the - * username to be used when authenticating with Kibana - */ -const ELASTICSEARCH_USERNAME = 'ELASTICSEARCH_USERNAME'; - -/** - * The `CYPRESS_ELASTICSEARCH_PASSWORD` environment variable specifies the - * username to be used when authenticating with Kibana - */ -const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; - -/** - * The `IS_SERVERLESS` environment variable specifies wether the currently running - * environment is serverless snapshot. - */ -const IS_SERVERLESS = 'IS_SERVERLESS'; - -/** - * The `IS_SERVERLESS` environment variable specifies wether the currently running - * environment is a real MKI. - */ -const CLOUD_SERVERLESS = 'CLOUD_SERVERLESS'; - /** * Authenticates with Kibana using, if specified, credentials specified by * environment variables. The credentials in `kibana.dev.yml` will be used From 3cfcc4002dd30a9b7b985d09ad9b974f01c59463 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 08:46:35 +0200 Subject: [PATCH 20/30] add back reader role for ESS only tests --- .../common/test/ess_roles.json | 38 +++++++++++++++++++ .../security_solution/common/test/index.ts | 1 + .../explore/cases/attach_alert_to_case.cy.ts | 2 +- 3 files changed, 40 insertions(+), 1 deletion(-) 
diff --git a/x-pack/plugins/security_solution/common/test/ess_roles.json b/x-pack/plugins/security_solution/common/test/ess_roles.json index 87c56e473accc..7134c19ec345a 100644 --- a/x-pack/plugins/security_solution/common/test/ess_roles.json +++ b/x-pack/plugins/security_solution/common/test/ess_roles.json @@ -1,4 +1,42 @@ { + "reader": { + "elasticsearch": { + "cluster": [], + "indices": [ + { + "names": [ + ".siem-signals-*", + ".alerts-security*", + ".lists*", + ".items*", + "metrics-endpoint.metadata_current_*", + ".fleet-agents*", + ".fleet-actions*" + ], + "privileges": ["read"] + }, + { + "names": ["*"], + "privileges": ["read", "maintenance", "view_index_metadata"] + } + ], + "run_as": [] + }, + "kibana": [ + { + "feature": { + "ml": ["read"], + "siem": ["read", "read_alerts"], + "securitySolutionAssistant": ["none"], + "securitySolutionCases": ["read"], + "actions": ["read"], + "builtInAlerts": ["read"] + }, + "spaces": ["*"], + "base": [] + } + ] + }, "hunter": { "elasticsearch": { "cluster": [], diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index fb2b4c120d201..de385a7cb95fb 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts +++ b/x-pack/plugins/security_solution/common/test/index.ts @@ -25,6 +25,7 @@ export enum ROLES { detections_admin = 'detections_admin', platform_engineer = 'platform_engineer', // ESS roles + reader = 'reader', hunter = 'hunter', hunter_no_actions = 'hunter_no_actions', } diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts index 07a6533caf5a1..83f31f35bc7ad 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/explore/cases/attach_alert_to_case.cy.ts 
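Review bot: The second `indices` entry of the new `reader` role in `ess_roles.json` grants `maintenance` on `*` alongside `read` and `view_index_metadata`, which is wider than the role's name and its use in the "Privileges: read only" test suggest. `maintenance` permits refresh, flush and force-merge operations on every index the pattern matches, so the fixture does not model a strictly read-only user. If the tests do not depend on it, `"privileges": ["read", "view_index_metadata"]` keeps the role read-only. Otherwise the reason for `maintenance` belongs in the README that sits next to the role files, since the JSON itself cannot carry a comment.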
@@ -37,7 +37,7 @@ describe('Alerts timeline', { tags: ['@ess'] }, () => { context('Privileges: read only', () => { beforeEach(() => { - loadDetectionsPage(ROLES.t1_analyst); + loadDetectionsPage(ROLES.reader); }); it('should not allow user with read only privileges to attach alerts to existing cases', () => { From a29b1606533403afe83f5cacdecb72652395a08a Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 11:00:14 +0200 Subject: [PATCH 21/30] fix a misprint --- .../cypress/env_var_names_constants.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts b/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts index a6b8203075afa..20f44653f72f0 100644 --- a/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts +++ b/x-pack/test/security_solution_cypress/cypress/env_var_names_constants.ts @@ -24,7 +24,7 @@ export const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; export const IS_SERVERLESS = 'IS_SERVERLESS'; /** - * The `IS_SERVERLESS` environment variable specifies wether the currently running + * The `CLOUD_SERVERLESS` environment variable specifies wether the currently running * environment is a real MKI. */ export const CLOUD_SERVERLESS = 'CLOUD_SERVERLESS'; From b88ad9bff5e1d569b12673142f7a9132dfae7147 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 11:26:06 +0200 Subject: [PATCH 22/30] reexport role definitions constants from security solution common folder --- .../serverless_resources/security_roles.json | 7 ++++++ .../common/test/ess_roles.json | 3 +++ .../security_solution/common/test/index.ts | 5 +++-- .../security_solution/roles_users_utils.ts | 16 ++++++++------ .../cypress/support/e2e.ts | 22 ++++++++----------- .../cypress/tasks/login.ts | 4 ++-- 6 files changed, 33 insertions(+), 24 deletions(-) 
diff --git a/packages/kbn-es/src/serverless_resources/security_roles.json b/packages/kbn-es/src/serverless_resources/security_roles.json index de2741381bccb..5ac286a41c164 100644 --- a/packages/kbn-es/src/serverless_resources/security_roles.json +++ b/packages/kbn-es/src/serverless_resources/security_roles.json @@ -1,5 +1,6 @@ { "t1_analyst": { + "name": "t1_analyst", "elasticsearch": { "cluster": [], "indices": [ @@ -42,6 +43,7 @@ ] }, "t2_analyst": { + "name": "t2_analyst", "elasticsearch": { "cluster": [], "indices": [ @@ -86,6 +88,7 @@ ] }, "t3_analyst": { + "name": "t3_analyst", "elasticsearch": { "cluster": [], "indices": [ @@ -147,6 +150,7 @@ ] }, "rule_author": { + "name": "rule_author", "elasticsearch": { "cluster": [], "indices": [ @@ -197,6 +201,7 @@ ] }, "soc_manager": { + "name": "soc_manager", "elasticsearch": { "cluster": [], "indices": [ @@ -247,6 +252,7 @@ ] }, "detections_admin": { + "name": "detections_admin", "elasticsearch": { "cluster": ["manage"], "indices": [ @@ -293,6 +299,7 @@ ] }, "platform_engineer": { + "name": "platform_engineer", "elasticsearch": { "cluster": ["manage"], "indices": [ diff --git a/x-pack/plugins/security_solution/common/test/ess_roles.json b/x-pack/plugins/security_solution/common/test/ess_roles.json index 7134c19ec345a..d21fe90e2de02 100644 --- a/x-pack/plugins/security_solution/common/test/ess_roles.json +++ b/x-pack/plugins/security_solution/common/test/ess_roles.json @@ -1,5 +1,6 @@ { "reader": { + "name": "reader", "elasticsearch": { "cluster": [], "indices": [ @@ -38,6 +39,7 @@ ] }, "hunter": { + "name": "hunter", "elasticsearch": { "cluster": [], "indices": [ @@ -85,6 +87,7 @@ ] }, "hunter_no_actions": { + "name": "hunter_no_actions", "elasticsearch": { "cluster": [], "indices": [ diff --git a/x-pack/plugins/security_solution/common/test/index.ts b/x-pack/plugins/security_solution/common/test/index.ts index de385a7cb95fb..ac2fd661320ce 100644 --- a/x-pack/plugins/security_solution/common/test/index.ts 
+++ b/x-pack/plugins/security_solution/common/test/index.ts @@ -6,12 +6,13 @@ */ import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; -import type essRoleDefinitions from './ess_roles.json'; +import essRoleDefinitions from './ess_roles.json'; type ServerlessSecurityRoleName = keyof typeof serverlessRoleDefinitions; type EssSecurityRoleName = keyof typeof essRoleDefinitions; -export const KNOWN_SERVERLESS_ROLES = Object.keys(serverlessRoleDefinitions); +export const KNOWN_SERVERLESS_ROLE_DEFINITIONS = serverlessRoleDefinitions; +export const KNOWN_ESS_ROLE_DEFINITIONS = essRoleDefinitions; export type SecurityRoleName = ServerlessSecurityRoleName | EssSecurityRoleName; diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index bc27f8a604df4..496ec38e3bb10 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -5,14 +5,16 @@ * 2.0. */ -import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; -import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json'; -import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import { + KNOWN_ESS_ROLE_DEFINITIONS, + KNOWN_SERVERLESS_ROLE_DEFINITIONS, + SecurityRoleName, +} from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; -const allSupportedRoles = { - ...serverlessRoleDefinitions, - ...essRoleDefinitions, +const KNOWN_ROLE_DEFINITIONS = { + ...KNOWN_SERVERLESS_ROLE_DEFINITIONS, + ...KNOWN_ESS_ROLE_DEFINITIONS, }; /** 
@@ -25,7 +27,7 @@ export const createUserAndRole = async ( role: SecurityRoleName ): Promise => { const securityService = getService('security'); - const roleDefinition = allSupportedRoles[role]; + const roleDefinition = KNOWN_ROLE_DEFINITIONS[role]; await securityService.role.create(role, roleDefinition); await securityService.user.create(role, { diff --git a/x-pack/test/security_solution_cypress/cypress/support/e2e.ts b/x-pack/test/security_solution_cypress/cypress/support/e2e.ts index ea912e9077239..eb3488178485f 100644 --- a/x-pack/test/security_solution_cypress/cypress/support/e2e.ts +++ b/x-pack/test/security_solution_cypress/cypress/support/e2e.ts @@ -8,8 +8,10 @@ import './commands'; import 'cypress-real-events/support'; import registerCypressGrep from '@cypress/grep'; -import serverlessRoleDefinitions from '@kbn/es/src/serverless_resources/security_roles.json'; -import essRoleDefinitions from '@kbn/security-solution-plugin/common/test/ess_roles.json'; +import { + KNOWN_ESS_ROLE_DEFINITIONS, + KNOWN_SERVERLESS_ROLE_DEFINITIONS, +} from '@kbn/security-solution-plugin/common/test'; import { setupUsers } from './setup_users'; import { CLOUD_SERVERLESS, IS_SERVERLESS } from '../env_var_names_constants'; 
@@ -18,21 +20,15 @@ before(() => { }); if (!Cypress.env(IS_SERVERLESS) && !Cypress.env(CLOUD_SERVERLESS)) { - // Create Serverless and ESS roles and corresponding users. This helps to seamlessly reuse tests + // Create Serverless + ESS roles and corresponding users. This helps to seamlessly reuse tests // between ESS and Serverless having all the necessary users set up. before(() => { - const allSupportedRoles = [ - ...Object.keys(serverlessRoleDefinitions).map((serverlessRoleName) => ({ - name: serverlessRoleName, - ...serverlessRoleDefinitions[serverlessRoleName as keyof typeof serverlessRoleDefinitions], - })), - ...Object.keys(essRoleDefinitions).map((essRoleName) => ({ - name: essRoleName, - ...essRoleDefinitions[essRoleName as keyof typeof essRoleDefinitions], - })), + const KNOWN_ROLE_DEFINITIONS = [ + ...Object.values(KNOWN_SERVERLESS_ROLE_DEFINITIONS), + ...Object.values(KNOWN_ESS_ROLE_DEFINITIONS), ]; - setupUsers(allSupportedRoles); + setupUsers(KNOWN_ROLE_DEFINITIONS); }); } diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index fa54a1f5f1c62..743a85ae8f422 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts @@ -11,7 +11,7 @@ import Url from 'url'; import { LoginState } from '@kbn/security-plugin/common/login_state'; import { SecurityRoleName, - KNOWN_SERVERLESS_ROLES, + KNOWN_SERVERLESS_ROLE_DEFINITIONS, } from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; import { rootRequest } from './common'; 
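Review bot: `Object.values(...)` in the new `KNOWN_ROLE_DEFINITIONS` array in `support/e2e.ts` trusts the `name` field inside each JSON entry, and nothing checks that it equals the entry's key. The key is what `loginWithRole` tests against `KNOWN_SERVERLESS_ROLE_DEFINITIONS`, so a mistyped `name` would presumably make `setupUsers` create the role and user under one name while the tests log in under another. Deriving the name from the key removes the duplicated invariant: `Object.entries(KNOWN_SERVERLESS_ROLE_DEFINITIONS).map(([name, def]) => ({ ...def, name }))`, and the same for `KNOWN_ESS_ROLE_DEFINITIONS`. The removed code built the name this way.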
@@ -123,7 +123,7 @@ export const constructUrlWithUser = (user: User, route: string) => { const loginWithRole = (role: SecurityRoleName) => { if ( (Cypress.env(IS_SERVERLESS) || Cypress.env(CLOUD_SERVERLESS)) && - !KNOWN_SERVERLESS_ROLES.includes(role) + !(role in KNOWN_SERVERLESS_ROLE_DEFINITIONS) ) { throw new Error(`An attempt to log in with unsupported by Serverless role "${role}".`); } From b589b10b0d29fbf896e482689f03be37eaec81b9 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 14:00:28 +0200 Subject: [PATCH 23/30] use import type instead of import --- .../test/common/services/security_solution/roles_users_utils.ts | 2 +- .../test/security_solution_cypress/cypress/tasks/edit_rule.ts | 2 +- .../test/security_solution_cypress/cypress/tasks/navigation.ts | 2 +- .../security_solution_cypress/cypress/tasks/rule_details.ts | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/x-pack/test/common/services/security_solution/roles_users_utils.ts b/x-pack/test/common/services/security_solution/roles_users_utils.ts index 496ec38e3bb10..f88a8de03eaf0 100644 --- a/x-pack/test/common/services/security_solution/roles_users_utils.ts +++ b/x-pack/test/common/services/security_solution/roles_users_utils.ts @@ -8,8 +8,8 @@ import { KNOWN_ESS_ROLE_DEFINITIONS, KNOWN_SERVERLESS_ROLE_DEFINITIONS, - SecurityRoleName, } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { FtrProviderContext } from '../../ftr_provider_context'; const KNOWN_ROLE_DEFINITIONS = { diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts b/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts index 2101f77ac3be5..0f3d9ee86529d 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/edit_rule.ts 
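Review bot: The `in` operator in the new guard of `loginWithRole` (`tasks/login.ts`) also matches inherited properties, so `!(role in KNOWN_SERVERLESS_ROLE_DEFINITIONS)` lets names such as `constructor` or `toString` through as if they were Serverless roles. The `SecurityRoleName` type rules that out only at compile time, and the removed `KNOWN_SERVERLESS_ROLES.includes(role)` did not have this gap. An own-property test keeps the earlier strictness: `!Object.prototype.hasOwnProperty.call(KNOWN_SERVERLESS_ROLE_DEFINITIONS, role)`. `loginWithRole` continues outside the hunk.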
@@ -5,7 +5,7 @@ * 2.0. */ -import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { BACK_TO_RULE_DETAILS, EDIT_SUBMIT_BUTTON } from '../screens/edit_rule'; import { editRuleUrl } from '../urls/edit_rule'; import { visit } from './navigation'; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts index 77fc8872878d4..20e34387d7f12 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/navigation.ts @@ -8,7 +8,7 @@ import { encode } from '@kbn/rison'; import { NEW_FEATURES_TOUR_STORAGE_KEYS } from '@kbn/security-solution-plugin/common/constants'; -import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import { hostDetailsUrl, userDetailsUrl } from '../urls/navigation'; import { constructUrlWithUser, getUrlWithRoute, User } from './login'; diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts b/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts index e80b1f505564f..1dadb67a96987 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/rule_details.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; import type { Exception } from '../objects/exception'; import { RULE_MANAGEMENT_PAGE_BREADCRUMB } from '../screens/breadcrumbs'; import { PAGE_CONTENT_SPINNER } from '../screens/common/page'; From 88ef1c4fbec70f9649a1db48ffdd83f1ed0fcd76 Mon Sep 17 00:00:00 2001 
From: Maxim Palenov Date: Thu, 26 Oct 2023 14:01:22 +0200 Subject: [PATCH 24/30] specify return types --- .../cypress/tasks/login.ts | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts index 743a85ae8f422..26702a47c9427 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/login.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/login.ts @@ -9,10 +9,8 @@ import * as yaml from 'js-yaml'; import type { UrlObject } from 'url'; import Url from 'url'; import { LoginState } from '@kbn/security-plugin/common/login_state'; -import { - SecurityRoleName, - KNOWN_SERVERLESS_ROLE_DEFINITIONS, -} from '@kbn/security-solution-plugin/common/test'; +import type { SecurityRoleName } from '@kbn/security-solution-plugin/common/test'; +import { KNOWN_SERVERLESS_ROLE_DEFINITIONS } from '@kbn/security-solution-plugin/common/test'; import { LOGOUT_URL } from '../urls/navigation'; import { rootRequest } from './common'; import { @@ -48,7 +46,7 @@ const ELASTICSEARCH_PASSWORD_CONFIG_PATH = 'config.elasticsearch.password'; * To speed the execution of tests, prefer this non-interactive authentication, * which is faster than authentication via Kibana's interactive login page. */ -export const login = (role?: SecurityRoleName) => { +export const login = (role?: SecurityRoleName): void => { if (role != null) { loginWithRole(role); } else if (credentialsProvidedByEnvironment()) { @@ -63,7 +61,7 @@ export interface User { password: string; } -export const loginWithUser = (user: User) => { +export const loginWithUser = (user: User): void => { cy.session(user, () => { loginWithUsernameAndPassword(user.username, user.password); }); 
@@ -77,7 +75,7 @@ export const loginWithUser = (user: User) => { * @param role string role/user to log in with * @param route string route to visit */ -export const getUrlWithRoute = (role: SecurityRoleName, route: string) => { +export const getUrlWithRoute = (role: SecurityRoleName, route: string): string => { const url = Cypress.config().baseUrl; const kibana = new URL(String(url)); const theUrl = `${Url.format({ @@ -98,7 +96,7 @@ export const getUrlWithRoute = (role: SecurityRoleName, route: string) => { * @param user the user information to build the basic auth with * @param route string route to visit */ -export const constructUrlWithUser = (user: User, route: string) => { +export const constructUrlWithUser = (user: User, route: string): string => { const url = Cypress.config().baseUrl; const kibana = new URL(String(url)); const hostname = kibana.hostname; @@ -120,7 +118,7 @@ export const constructUrlWithUser = (user: User, route: string) => { * * @param role role name */ -const loginWithRole = (role: SecurityRoleName) => { +const loginWithRole = (role: SecurityRoleName): void => { if ( (Cypress.env(IS_SERVERLESS) || Cypress.env(CLOUD_SERVERLESS)) && !(role in KNOWN_SERVERLESS_ROLE_DEFINITIONS) @@ -149,7 +147,7 @@ const credentialsProvidedByEnvironment = (): boolean => * environment variables, and POSTing the username and password directly to * Kibana's `/internal/security/login` endpoint, bypassing the login page (for speed). */ -const loginViaEnvironmentCredentials = () => { +const loginViaEnvironmentCredentials = (): void => { cy.log( `Authenticating via environment credentials from the \`CYPRESS_${ELASTICSEARCH_USERNAME}\` and \`CYPRESS_${ELASTICSEARCH_PASSWORD}\` environment variables` ); 
@@ -167,7 +165,7 @@ const loginViaEnvironmentCredentials = () => { * `kibana.dev.yml` file and POSTing the username and password directly to * Kibana's `/internal/security/login` endpoint, bypassing the login page (for speed). */ -const loginViaConfig = () => { +const loginViaConfig = (): void => { cy.log( `Authenticating via config credentials \`${ELASTICSEARCH_USERNAME_CONFIG_PATH}\` and \`${ELASTICSEARCH_PASSWORD_CONFIG_PATH}\` from \`${KIBANA_DEV_YML_PATH}\`` ); @@ -201,11 +199,11 @@ export const getEnvAuth = (): User => { } }; -export const logout = () => { +export const logout = (): void => { cy.visit(LOGOUT_URL); }; -const loginWithUsernameAndPassword = (username: string, password: string) => { +const loginWithUsernameAndPassword = (username: string, password: string): void => { const baseUrl = Cypress.config().baseUrl; if (!baseUrl) { throw Error(`Cypress config baseUrl not set!`); From 878b6c5cbb603f4f6dab4b90142ee017683e4c8a Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 14:05:09 +0200 Subject: [PATCH 25/30] remove unused package reference --- x-pack/test/security_solution_cypress/cypress/tsconfig.json | 1 - 1 file changed, 1 deletion(-) diff --git a/x-pack/test/security_solution_cypress/cypress/tsconfig.json b/x-pack/test/security_solution_cypress/cypress/tsconfig.json index 107ea01fb028c..ff33f1ac69a13 100644 --- a/x-pack/test/security_solution_cypress/cypress/tsconfig.json +++ b/x-pack/test/security_solution_cypress/cypress/tsconfig.json @@ -39,6 +39,5 @@ "@kbn/securitysolution-list-constants", "@kbn/security-plugin", "@kbn/management-settings-ids", - "@kbn/es" ] } From a054d50c0a2095a5f913ad9cb7592f5e1018bcf3 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 15:25:18 +0200 Subject: [PATCH 26/30] fix role creation functionality --- test/common/services/security/role.ts | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/test/common/services/security/role.ts b/test/common/services/security/role.ts index 51b50a5dda82f..99c2ea439bd42 100644 --- a/test/common/services/security/role.ts +++ b/test/common/services/security/role.ts @@ -9,16 +9,20 @@ import util from 'util'; import { ToolingLog } from '@kbn/tooling-log'; import { KbnClient } from '@kbn/test'; +import { Role as SecurityRoleDefinition } from '@kbn/security-plugin/common'; export class Role { constructor(private log: ToolingLog, private kibanaServer: KbnClient) {} - public async create(name: string, role: any) { + public async create(name: string, role: SecurityRoleDefinition) { this.log.debug(`creating role ${name}`); const { data, status, statusText } = await this.kibanaServer.request({ path: `/api/security/role/${name}`, method: 'PUT', - body: role, + body: { + kibana: role.kibana, + elasticsearch: role.elasticsearch, + }, retries: 0, }); if (status !== 204) { From 0dfe59898b94d0413895d7af2fac339c05e8cae1 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 15:35:54 +0200 Subject: [PATCH 27/30] fix tsconfig --- test/tsconfig.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/tsconfig.json b/test/tsconfig.json index fb20896356807..3e69adcc1e49f 100644 --- a/test/tsconfig.json +++ b/test/tsconfig.json @@ -70,6 +70,7 @@ "@kbn/core-http-common", "@kbn/event-annotation-plugin", "@kbn/event-annotation-common", - "@kbn/links-plugin" + "@kbn/links-plugin", + "@kbn/security-plugin" ] } From 284288a9f5ef616df8dfd9c91b7bdb9e8323a825 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Thu, 26 Oct 2023 19:47:24 +0200 Subject: [PATCH 28/30] roll back role type changes --- test/common/services/security/role.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/common/services/security/role.ts b/test/common/services/security/role.ts index 99c2ea439bd42..692a691cd87f4 100644 --- a/test/common/services/security/role.ts +++ b/test/common/services/security/role.ts 
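Review bot: `Role.create()` in `test/common/services/security/role.ts` now forwards only `kibana` and `elasticsearch`, so any other field a caller passes (for example `metadata`) is dropped silently, and the hunk does not say why. If the reason is that the JSON role definitions now carry a `name` field the role endpoint does not accept, a comment above the body would record it: `// Forward only the fields the role API accepts; definitions loaded from JSON also carry "name".` The `name` argument also goes into the request path as written, and `encodeURIComponent(name)` would keep an unusual role name from altering the path. The method continues outside the hunk.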
@@ -9,12 +9,11 @@ import util from 'util'; import { ToolingLog } from '@kbn/tooling-log'; import { KbnClient } from '@kbn/test'; -import { Role as SecurityRoleDefinition } from '@kbn/security-plugin/common'; export class Role { constructor(private log: ToolingLog, private kibanaServer: KbnClient) {} - public async create(name: string, role: SecurityRoleDefinition) { + public async create(name: string, role: any) { this.log.debug(`creating role ${name}`); const { data, status, statusText } = await this.kibanaServer.request({ path: `/api/security/role/${name}`, From 416bfc84f7aa8462bc9cff6d1a368a7406cd2767 Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Mon, 30 Oct 2023 11:47:26 +0100 Subject: [PATCH 29/30] update readme --- packages/kbn-es/src/serverless_resources/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md index 29da27cddb8d6..0af28f82a1dec 100644 --- a/packages/kbn-es/src/serverless_resources/README.md +++ b/packages/kbn-es/src/serverless_resources/README.md @@ -4,7 +4,7 @@ The resources in this directory are used for seeding Elasticsearch Serverless im ## Roles -Roles defined in `roles.yml` intended to mock a Serverless deployment. +Roles defined in `roles.yml` intended to mock a Serverless deployment. It must be in sync with `project-controller` defined roles and used in real (MKI) environments. In case of some differences tests may pass against Serverless snapshot environment but fail against MKI environments creating confusion. ### Why `security_roles.json` is here? From ea8a0a58e81e7d31d81af69d805beb6e66a52d3b Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 31 Oct 2023 15:15:43 +0000 Subject: [PATCH 30/30] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- test/tsconfig.json | 1 - 1 file changed, 1 deletion(-) 
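Review bot: Restoring `role: any` on `Role.create()` removes the only compile-time check on the role definition, so a lookup that yields `undefined` or an object of the wrong shape is only found at run time. The reason for the rollback is not visible here. If the `@kbn/security-plugin` import was the problem, a local structural type keeps the check without the dependency: `public async create(name: string, role: { kibana?: unknown; elasticsearch?: unknown })`. Most of the method body lies outside the hunk.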
diff --git a/test/tsconfig.json b/test/tsconfig.json
index 3e69adcc1e49f..a763d6f6a44d6 100644
--- a/test/tsconfig.json
+++ b/test/tsconfig.json
@@ -71,6 +71,5 @@
 "@kbn/event-annotation-plugin",
 "@kbn/event-annotation-common",
 "@kbn/links-plugin",
- "@kbn/security-plugin"
 ]
 }