Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[kbn-test] Disable TLS for svl Kibana #171434

Merged
merged 14 commits into from
Nov 23, 2023
Merged

[kbn-test] Disable TLS for svl Kibana #171434

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
b0ba8d3
clean FTR config, update kbn-test
dmlemeshko Nov 16, 2023
f201186
Merge remote-tracking branch 'upstream/main' into kbn-test/disable-TL…
dmlemeshko Nov 20, 2023
d3c69c3
add mock idp realm back
dmlemeshko Nov 20, 2023
e3bdfd3
Merge remote-tracking branch 'upstream/main' into kbn-test/disable-TL…
dmlemeshko Nov 21, 2023
39eeafd
Revert "add mock idp realm back"
dmlemeshko Nov 21, 2023
f402c98
Merge branch 'main' into kbn-test/disable-TLS-for-Kibana
dmlemeshko Nov 23, 2023
8c5970c
import realm name from @kbn/mock-idp-plugin
dmlemeshko Nov 23, 2023
da2ad1c
fix cypress FTR config by removing SAML args
dmlemeshko Nov 23, 2023
33db15f
[ftr] fix saml_tools to use mock-idp-plugin
dmlemeshko Nov 23, 2023
a662ccf
[security_solution] remove saml override for serverless
dmlemeshko Nov 23, 2023
a8b8a31
Merge branch 'main' into kbn-test/disable-TLS-for-Kibana
dmlemeshko Nov 23, 2023
2680564
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Nov 23, 2023
7227fcd
fix protocol in group_by_fired test
dmlemeshko Nov 23, 2023
1d50df5
Merge branch 'main' into kbn-test/disable-TLS-for-Kibana
dmlemeshko Nov 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions packages/kbn-test/src/es/test_es_cluster.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,10 @@ export interface CreateTestEsClusterOptions {
*/
esArgs?: string[];
esFrom?: string;
esServerlessOptions?: Pick<ServerlessOptions, 'image' | 'tag' | 'resources' | 'host'>;
esServerlessOptions?: Pick<
ServerlessOptions,
'image' | 'tag' | 'resources' | 'host' | 'kibanaUrl'
Copy link
Member Author

@dmlemeshko dmlemeshko Nov 23, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to pass kibanaUrl to ES arguments, as it is used to configure SAML.
See https://github.com/elastic/kibana/pull/170852/files#diff-8f7aba0b3396374d5da09418deddf4ae0c2e31881871e5b59a4c4f5e6b9bdec3R472-R517

>;
esJavaOpts?: string;
/**
* License to run your cluster under. Keep in mind that a `trial` license
Expand Down Expand Up @@ -242,10 +245,7 @@ export function createTestEsCluster<
await firstNode.runServerless({
basePath,
esArgs: customEsArgs,
image: esServerlessOptions?.image,
tag: esServerlessOptions?.tag,
host: esServerlessOptions?.host,
resources: esServerlessOptions?.resources,
...esServerlessOptions,
port,
clean: true,
background: true,
Expand Down
48 changes: 30 additions & 18 deletions packages/kbn-test/src/functional_tests/lib/run_elasticsearch.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
* Side Public License, v 1.
*/

import Url from 'url';
import { resolve } from 'path';
import type { ToolingLog } from '@kbn/tooling-log';
import getPort from 'get-port';
Expand Down Expand Up @@ -160,7 +161,18 @@ async function startEsNode({
return cluster;
}

function getESServerlessOptions(esServerlessImageFromArg: string | undefined, config: Config) {
interface EsServerlessOptions {
host?: string;
resources: string[];
kibanaUrl: string;
tag?: string;
image?: string;
}

function getESServerlessOptions(
esServerlessImageFromArg: string | undefined,
config: Config
): EsServerlessOptions {
const esServerlessImageUrlOrTag =
esServerlessImageFromArg ||
esTestConfig.getESServerlessImage() ||
Expand All @@ -172,24 +184,24 @@ function getESServerlessOptions(esServerlessImageFromArg: string | undefined, co
const serverlessHost: string | undefined =
config.has('esServerlessOptions.host') && config.get('esServerlessOptions.host');

const commonOptions = {
host: serverlessHost,
resources: serverlessResources,
kibanaUrl: Url.format({
protocol: config.get('servers.kibana.protocol'),
hostname: config.get('servers.kibana.hostname'),
port: config.get('servers.kibana.port'),
}),
};

if (esServerlessImageUrlOrTag) {
if (esServerlessImageUrlOrTag.includes(':')) {
return {
resources: serverlessResources,
image: esServerlessImageUrlOrTag,
host: serverlessHost,
};
} else {
return {
resources: serverlessResources,
tag: esServerlessImageUrlOrTag,
host: serverlessHost,
};
}
return {
...commonOptions,
...(esServerlessImageUrlOrTag.includes(':')
? { image: esServerlessImageUrlOrTag }
: { tag: esServerlessImageUrlOrTag }),
};
}

return {
resources: serverlessResources,
host: serverlessHost,
};
return commonOptions;
}
11 changes: 0 additions & 11 deletions x-pack/plugins/security_solution/scripts/run_cypress/get_ftr_config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,17 +171,6 @@ export const getFTRConfig = ({
}
}

// Serverless Specific
if (vars.serverless) {
log.info(`Serverless mode detected`);

vars.esTestCluster.serverArgs.push(
`xpack.security.authc.realms.saml.cloud-saml-kibana.sp.entity_id=http://host.docker.internal:${kibanaPort}`,
`xpack.security.authc.realms.saml.cloud-saml-kibana.sp.logout=http://host.docker.internal:${kibanaPort}/logout`,
`xpack.security.authc.realms.saml.cloud-saml-kibana.sp.acs=http://host.docker.internal:${kibanaPort}/api/security/saml/callback`
);
}
Comment on lines -174 to -183
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was the reason for Cypress tests to fail. Please avoid overriding SAML configuration for both Kibana & ES, we keep things up-to-date in x-pack/test_serverless/shared/config.base.ts

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dmlemeshko if serverless ES is running in docker and Kibana is running locally, then https://github.com/elastic/kibana/blob/main/x-pack/test_serverless/shared/config.base.ts#L78-L80
http://localhost:${servers.kibana.port} is not going to be reachable from ES docker container, because localhost will be referencing the container itself, not the host where Kibana is running

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

http://localhost:${servers.kibana.port} is not going to be reachable from ES docker container, because localhost will be referencing the container itself, not the host where Kibana is running

Just to confirm my understanding, why do you require Kibana to be accessible from the ES container? If you're referring to URLs in sp.{logout|acs}, then it doesn't matter — ES solely uses these URLs to generate a special URL for redirecting users during login or logout. Hence, the important part here is that the user's browser can access these URLs.


if (specFileFTRConfig?.productTypes) {
if (vars.serverless) {
vars.kbnTestServer.serverArgs.push(
Expand Down
30 changes: 16 additions & 14 deletions x-pack/test_serverless/api_integration/services/saml_tools.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,33 +6,35 @@
*/

import expect from '@kbn/expect';
// eslint-disable-next-line @kbn/imports/no_boundary_crossing
import { getSAMLResponse } from '@kbn/security-api-integration-helpers/saml/saml_tools';
import { kbnTestConfig } from '@kbn/test';

import { parse as parseCookie } from 'tough-cookie';
import Url from 'url';

import { createSAMLResponse } from '@kbn/mock-idp-plugin/common';
import { FtrProviderContext } from '../ftr_provider_context';

export function SamlToolsProvider({ getService }: FtrProviderContext) {
const supertestWithoutAuth = getService('supertestWithoutAuth');
const randomness = getService('randomness');
const svlCommonApi = getService('svlCommonApi');

function createSAMLResponse(options = {}) {
return getSAMLResponse({
destination: `http://localhost:${kbnTestConfig.getPort()}/api/security/saml/callback`,
sessionIndex: String(randomness.naturalNumber()),
...options,
});
}
const config = getService('config');

return {
async login(username: string) {
const kibanaUrl = Url.format({
protocol: config.get('servers.kibana.protocol'),
hostname: config.get('servers.kibana.hostname'),
port: config.get('servers.kibana.port'),
pathname: '/api/security/saml/callback',
});
const samlAuthenticationResponse = await supertestWithoutAuth
.post('/api/security/saml/callback')
.set(svlCommonApi.getCommonRequestHeader())
.send({ SAMLResponse: await createSAMLResponse({ username }) });
.send({
SAMLResponse: await createSAMLResponse({
username,
roles: [],
kibanaUrl,
}),
});
Comment on lines +32 to +37
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using @kbn/mock-idp-plugin to get SAML response

expect(samlAuthenticationResponse.status).to.equal(302);
expect(samlAuthenticationResponse.header.location).to.equal('/');
const sessionCookie = parseCookie(samlAuthenticationResponse.header['set-cookie'][0])!;
Expand Down
21 changes: 4 additions & 17 deletions x-pack/test_serverless/shared/config.base.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,15 +16,16 @@ import {
kibanaTestSuperuserServerless,
getDockerFileMountPath,
} from '@kbn/test';
import { CA_CERT_PATH, KBN_CERT_PATH, KBN_KEY_PATH, kibanaDevServiceAccount } from '@kbn/dev-utils';
import { CA_CERT_PATH, kibanaDevServiceAccount } from '@kbn/dev-utils';
import { commonFunctionalServices } from '@kbn/ftr-common-functional-services';
import { MOCK_IDP_REALM_NAME } from '@kbn/mock-idp-plugin/common';
import { services } from './services';

export default async () => {
const servers = {
kibana: {
...kbnTestConfig.getUrlParts(kibanaTestSuperuserServerless),
protocol: 'https',
protocol: process.env.TEST_CLOUD ? 'https' : 'http',
certificateAuthorities: process.env.TEST_CLOUD ? undefined : [Fs.readFileSync(CA_CERT_PATH)],
},
elasticsearch: {
Expand Down Expand Up @@ -68,16 +69,6 @@ export default async () => {
'xpack.security.authc.realms.jwt.jwt1.order=-98',
`xpack.security.authc.realms.jwt.jwt1.pkc_jwkset_path=${getDockerFileMountPath(jwksPath)}`,
`xpack.security.authc.realms.jwt.jwt1.token_type=access_token`,

'xpack.security.authc.realms.saml.cloud-saml-kibana.attributes.principal=urn:oid:0.0.7',
'xpack.security.authc.realms.saml.cloud-saml-kibana.idp.entity_id=http://www.elastic.co/saml1',
'xpack.security.authc.realms.saml.cloud-saml-kibana.order=101',
`xpack.security.authc.realms.saml.cloud-saml-kibana.idp.metadata.path=${getDockerFileMountPath(
idpPath
)}`,
`xpack.security.authc.realms.saml.cloud-saml-kibana.sp.acs=http://localhost:${servers.kibana.port}/api/security/saml/callback`,
`xpack.security.authc.realms.saml.cloud-saml-kibana.sp.entity_id=http://localhost:${servers.kibana.port}`,
`xpack.security.authc.realms.saml.cloud-saml-kibana.sp.logout=http://localhost:${servers.kibana.port}/logout`,
],
ssl: true, // SSL is required for SAML realm
},
Expand All @@ -89,10 +80,6 @@ export default async () => {
},
sourceArgs: ['--no-base-path', '--env.name=development'],
serverArgs: [
'--server.ssl.enabled=true',
`--server.ssl.key=${KBN_KEY_PATH}`,
`--server.ssl.certificate=${KBN_CERT_PATH}`,
`--server.ssl.certificateAuthorities=${CA_CERT_PATH}`,
`--server.restrictInternalApis=true`,
`--server.port=${servers.kibana.port}`,
'--status.allowAnonymous=true',
Expand Down Expand Up @@ -147,7 +134,7 @@ export default async () => {
// user navigates to `/login` page directly and enters username and password in the login form.
'--xpack.security.authc.selector.enabled=false',
`--xpack.security.authc.providers=${JSON.stringify({
saml: { 'cloud-saml-kibana': { order: 0, realm: 'cloud-saml-kibana' } },
saml: { 'cloud-saml-kibana': { order: 0, realm: MOCK_IDP_REALM_NAME } },
basic: { 'cloud-basic': { order: 1 } },
})}`,
'--xpack.encryptedSavedObjects.encryptionKey="wuGNaIhoMpk5sO4UBxgr3NyW1sFcLgIf"',
Expand Down
2 changes: 1 addition & 1 deletion x-pack/test_serverless/tsconfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@
"@kbn/rison",
"@kbn/discover-plugin",
"@kbn/data-plugin",
"@kbn/security-api-integration-helpers",
"@kbn/std",
"@kbn/data-view-field-editor-plugin",
"@kbn/data-plugin",
Expand All @@ -68,5 +67,6 @@
"@kbn/apm-synthtrace",
"@kbn/apm-synthtrace-client",
"@kbn/reporting-export-types-csv-common",
"@kbn/mock-idp-plugin",
]
}