From dbdc3cd01a6f0444ca010e59b7696944ec8ce3f7 Mon Sep 17 00:00:00 2001 From: Dario Gieselaar Date: Mon, 29 Jun 2020 16:17:32 +0200 Subject: [PATCH] [APM] Run API tests as restricted user (#70050) --- x-pack/plugins/apm/readme.md | 25 ++++- .../basic/tests/agent_configuration.ts | 11 +- .../basic/tests/annotations.ts | 6 +- .../basic/tests/custom_link.ts | 11 +- .../basic/tests/feature_controls.ts | 2 +- .../common/authentication.ts | 102 ++++++++++++++++++ .../test/apm_api_integration/common/config.ts | 42 +++++++- .../common/ftr_provider_context.ts | 14 ++- .../trial/tests/annotations.ts | 9 +- 9 files changed, 197 insertions(+), 25 deletions(-) create mode 100644 x-pack/test/apm_api_integration/common/authentication.ts diff --git a/x-pack/plugins/apm/readme.md b/x-pack/plugins/apm/readme.md index cb694712d7c97b..778b1f2ad2d91b 100644 --- a/x-pack/plugins/apm/readme.md +++ b/x-pack/plugins/apm/readme.md @@ -80,19 +80,38 @@ For debugging access Elasticsearch on http://localhost:9220` (elastic/changeme) ### API integration tests +Our tests are separated in two suites: one suite runs with a basic license, and the other +with a trial license (the equivalent of gold+). This requires separate test servers and test runs. + **Start server** +Basic: + +``` +node scripts/functional_tests_server --config x-pack/test/apm_api_integration/basic/config.ts +``` + +Trial: + ``` -node scripts/functional_tests_server --config x-pack/test/api_integration/config.ts +node scripts/functional_tests_server --config x-pack/test/apm_api_integration/trial/config.ts ``` **Run tests** +Basic: + +``` +node scripts/functional_test_runner --config x-pack/test/apm_api_integration/basic/config.ts +``` + +Trial: + ``` -node scripts/functional_test_runner --config x-pack/test/api_integration/config.ts --grep='APM specs' +node scripts/functional_test_runner --config x-pack/test/apm_api_integration/trial/config.ts ``` -APM tests are located in `x-pack/test/api_integration/apis/apm`. +APM tests are located in `x-pack/test/apm_api_integration`. For debugging access Elasticsearch on http://localhost:9220` (elastic/changeme) ### Linting diff --git a/x-pack/test/apm_api_integration/basic/tests/agent_configuration.ts b/x-pack/test/apm_api_integration/basic/tests/agent_configuration.ts index f6750a8eca24e7..9f39da2037f8ea 100644 --- a/x-pack/test/apm_api_integration/basic/tests/agent_configuration.ts +++ b/x-pack/test/apm_api_integration/basic/tests/agent_configuration.ts @@ -10,11 +10,12 @@ import { FtrProviderContext } from '../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export export default function agentConfigurationTests({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); + const supertestRead = getService('supertestAsApmReadUser'); + const supertestWrite = getService('supertestAsApmWriteUser'); const log = getService('log'); function searchConfigurations(configuration: any) { - return supertest + return supertestRead .post(`/api/apm/settings/agent-configuration/search`) .send(configuration) .set('kbn-xsrf', 'foo'); @@ -22,7 +23,7 @@ export default function agentConfigurationTests({ getService }: FtrProviderConte async function createConfiguration(config: AgentConfigurationIntake) { log.debug('creating configuration', config.service); - const res = await supertest + const res = await supertestWrite .put(`/api/apm/settings/agent-configuration`) .send(config) .set('kbn-xsrf', 'foo'); @@ -34,7 +35,7 @@ export default function agentConfigurationTests({ getService }: FtrProviderConte async function updateConfiguration(config: AgentConfigurationIntake) { log.debug('updating configuration', config.service); - const res = await supertest + const res = await supertestWrite .put(`/api/apm/settings/agent-configuration?overwrite=true`) .send(config) .set('kbn-xsrf', 'foo'); @@ -46,7 +47,7 @@ export default function agentConfigurationTests({ getService }: FtrProviderConte async function deleteConfiguration({ service }: AgentConfigurationIntake) { log.debug('deleting configuration', service); - const res = await supertest + const res = await supertestWrite .delete(`/api/apm/settings/agent-configuration`) .send({ service }) .set('kbn-xsrf', 'foo'); diff --git a/x-pack/test/apm_api_integration/basic/tests/annotations.ts b/x-pack/test/apm_api_integration/basic/tests/annotations.ts index d4b4892eaf91cd..c522ebcfb5c65e 100644 --- a/x-pack/test/apm_api_integration/basic/tests/annotations.ts +++ b/x-pack/test/apm_api_integration/basic/tests/annotations.ts @@ -10,15 +10,15 @@ import { FtrProviderContext } from '../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export export default function annotationApiTests({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); + const supertestWrite = getService('supertestAsApmAnnotationsWriteUser'); function request({ method, url, data }: { method: string; url: string; data?: JsonObject }) { switch (method.toLowerCase()) { case 'post': - return supertest.post(url).send(data).set('kbn-xsrf', 'foo'); + return supertestWrite.post(url).send(data).set('kbn-xsrf', 'foo'); default: - throw new Error(`Unsupported methoed ${method}`); + throw new Error(`Unsupported method ${method}`); } } diff --git a/x-pack/test/apm_api_integration/basic/tests/custom_link.ts b/x-pack/test/apm_api_integration/basic/tests/custom_link.ts index 910c4797f39b76..77fdc83523ca64 100644 --- a/x-pack/test/apm_api_integration/basic/tests/custom_link.ts +++ b/x-pack/test/apm_api_integration/basic/tests/custom_link.ts @@ -10,7 +10,8 @@ import { FtrProviderContext } from '../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export export default function customLinksTests({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); + const supertestRead = getService('supertestAsApmReadUser'); + const supertestWrite = getService('supertestAsApmWriteUser'); const log = getService('log'); function searchCustomLinks(filters?: any) { @@ -18,12 +19,12 @@ export default function customLinksTests({ getService }: FtrProviderContext) { pathname: `/api/apm/settings/custom_links`, query: filters, }); - return supertest.get(path).set('kbn-xsrf', 'foo'); + return supertestRead.get(path).set('kbn-xsrf', 'foo'); } async function createCustomLink(customLink: CustomLink) { log.debug('creating configuration', customLink); - const res = await supertest + const res = await supertestWrite .post(`/api/apm/settings/custom_links`) .send(customLink) .set('kbn-xsrf', 'foo'); @@ -35,7 +36,7 @@ export default function customLinksTests({ getService }: FtrProviderContext) { async function updateCustomLink(id: string, customLink: CustomLink) { log.debug('updating configuration', id, customLink); - const res = await supertest + const res = await supertestWrite .put(`/api/apm/settings/custom_links/${id}`) .send(customLink) .set('kbn-xsrf', 'foo'); @@ -47,7 +48,7 @@ export default function customLinksTests({ getService }: FtrProviderContext) { async function deleteCustomLink(id: string) { log.debug('deleting configuration', id); - const res = await supertest + const res = await supertestWrite .delete(`/api/apm/settings/custom_links/${id}`) .set('kbn-xsrf', 'foo'); diff --git a/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts b/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts index f3647c65106c92..42cbef69abbec9 100644 --- a/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts +++ b/x-pack/test/apm_api_integration/basic/tests/feature_controls.ts @@ -9,7 +9,7 @@ import { FtrProviderContext } from '../../common/ftr_provider_context'; // eslint-disable-next-line import/no-default-export export default function featureControlsTests({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); + const supertest = getService('supertestAsApmWriteUser'); const supertestWithoutAuth = getService('supertestWithoutAuth'); const security = getService('security'); const spaces = getService('spaces'); diff --git a/x-pack/test/apm_api_integration/common/authentication.ts b/x-pack/test/apm_api_integration/common/authentication.ts new file mode 100644 index 00000000000000..9c34b4791114a4 --- /dev/null +++ b/x-pack/test/apm_api_integration/common/authentication.ts @@ -0,0 +1,102 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { PromiseReturnType } from '../../../plugins/apm/typings/common'; +import { SecurityServiceProvider } from '../../../../test/common/services/security'; + +type SecurityService = PromiseReturnType; + +export enum ApmUser { + apmReadUser = 'apm_read_user', + apmWriteUser = 'apm_write_user', + apmAnnotationsWriteUser = 'apm_annotations_write_user', +} + +const roles = { + [ApmUser.apmReadUser]: { + elasticsearch: { + cluster: [], + indices: [ + { names: ['observability-annotations'], privileges: ['read', 'view_index_metadata'] }, + ], + }, + kibana: [ + { + base: [], + feature: { + apm: ['read'], + }, + spaces: ['*'], + }, + ], + }, + [ApmUser.apmWriteUser]: { + elasticsearch: { + cluster: [], + indices: [ + { names: ['observability-annotations'], privileges: ['read', 'view_index_metadata'] }, + ], + }, + kibana: [ + { + base: [], + feature: { + apm: ['all'], + }, + spaces: ['*'], + }, + ], + }, + [ApmUser.apmAnnotationsWriteUser]: { + elasticsearch: { + cluster: [], + indices: [ + { + names: ['observability-annotations'], + privileges: [ + 'read', + 'view_index_metadata', + 'index', + 'manage', + 'create_index', + 'create_doc', + ], + }, + ], + }, + }, +}; + +const users = { + [ApmUser.apmReadUser]: { + roles: ['apm_user', ApmUser.apmReadUser], + }, + [ApmUser.apmWriteUser]: { + roles: ['apm_user', ApmUser.apmWriteUser], + }, + [ApmUser.apmAnnotationsWriteUser]: { + roles: ['apm_user', ApmUser.apmWriteUser, ApmUser.apmAnnotationsWriteUser], + }, +}; + +export async function createApmUser(security: SecurityService, apmUser: ApmUser) { + const role = roles[apmUser]; + const user = users[apmUser]; + + if (!role || !user) { + throw new Error(`No configuration found for ${apmUser}`); + } + + await security.role.create(apmUser, role); + + await security.user.create(apmUser, { + full_name: apmUser, + password: APM_TEST_PASSWORD, + roles: user.roles, + }); +} + +export const APM_TEST_PASSWORD = 'changeme'; diff --git a/x-pack/test/apm_api_integration/common/config.ts b/x-pack/test/apm_api_integration/common/config.ts index 83dc597829a3cd..e4dc2a78ae0189 100644 --- a/x-pack/test/apm_api_integration/common/config.ts +++ b/x-pack/test/apm_api_integration/common/config.ts @@ -5,6 +5,11 @@ */ import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; +import supertestAsPromised from 'supertest-as-promised'; +import { format, UrlObject } from 'url'; +import { InheritedFtrProviderContext, InheritedServices } from './ftr_provider_context'; +import { PromiseReturnType } from '../../../plugins/apm/typings/common'; +import { createApmUser, APM_TEST_PASSWORD, ApmUser } from './authentication'; interface Settings { license: 'basic' | 'trial'; @@ -12,6 +17,22 @@ interface Settings { name: string; } +const supertestAsApmUser = (kibanaServer: UrlObject, apmUser: ApmUser) => async ( + context: InheritedFtrProviderContext +) => { + const security = context.getService('security'); + await security.init(); + + await createApmUser(security, apmUser); + + const url = format({ + ...kibanaServer, + auth: `${apmUser}:${APM_TEST_PASSWORD}`, + }); + + return supertestAsPromised(url); +}; + export function createTestConfig(settings: Settings) { const { testFiles, license, name } = settings; @@ -20,14 +41,27 @@ export function createTestConfig(settings: Settings) { require.resolve('../../api_integration/config.ts') ); + const services = xPackAPITestsConfig.get('services') as InheritedServices; + const servers = xPackAPITestsConfig.get('servers'); + + const supertestAsApmReadUser = supertestAsApmUser(servers.kibana, ApmUser.apmReadUser); + return { testFiles, - servers: xPackAPITestsConfig.get('servers'), - services: xPackAPITestsConfig.get('services'), + servers, + services: { + ...services, + supertest: supertestAsApmReadUser, + supertestAsApmReadUser, + supertestAsApmWriteUser: supertestAsApmUser(servers.kibana, ApmUser.apmWriteUser), + supertestAsApmAnnotationsWriteUser: supertestAsApmUser( + servers.kibana, + ApmUser.apmAnnotationsWriteUser + ), + }, junit: { reportName: name, }, - esTestCluster: { ...xPackAPITestsConfig.get('esTestCluster'), license, @@ -36,3 +70,5 @@ export function createTestConfig(settings: Settings) { }; }; } + +export type ApmServices = PromiseReturnType>['services']; diff --git a/x-pack/test/apm_api_integration/common/ftr_provider_context.ts b/x-pack/test/apm_api_integration/common/ftr_provider_context.ts index 90600816d17114..aee3d556605aa6 100644 --- a/x-pack/test/apm_api_integration/common/ftr_provider_context.ts +++ b/x-pack/test/apm_api_integration/common/ftr_provider_context.ts @@ -4,4 +4,16 @@ * you may not use this file except in compliance with the Elastic License. */ -export { FtrProviderContext } from '../../api_integration/ftr_provider_context'; +import { GenericFtrProviderContext } from '@kbn/test/types/ftr'; +import { FtrProviderContext as InheritedFtrProviderContext } from '../../api_integration/ftr_provider_context'; +import { ApmServices } from './config'; + +export type InheritedServices = InheritedFtrProviderContext extends GenericFtrProviderContext< + infer TServices, + {} +> + ? TServices + : {}; + +export { InheritedFtrProviderContext }; +export type FtrProviderContext = GenericFtrProviderContext; diff --git a/x-pack/test/apm_api_integration/trial/tests/annotations.ts b/x-pack/test/apm_api_integration/trial/tests/annotations.ts index 0913d0c4b90bb6..d5b6b8342e5ab2 100644 --- a/x-pack/test/apm_api_integration/trial/tests/annotations.ts +++ b/x-pack/test/apm_api_integration/trial/tests/annotations.ts @@ -13,7 +13,8 @@ const DEFAULT_INDEX_NAME = 'observability-annotations'; // eslint-disable-next-line import/no-default-export export default function annotationApiTests({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); + const supertestRead = getService('supertestAsApmReadUser'); + const supertestWrite = getService('supertestAsApmAnnotationsWriteUser'); const es = getService('es'); function expectContainsObj(source: JsonObject, expected: JsonObject) { @@ -30,13 +31,13 @@ export default function annotationApiTests({ getService }: FtrProviderContext) { function request({ method, url, data }: { method: string; url: string; data?: JsonObject }) { switch (method.toLowerCase()) { case 'get': - return supertest.get(url).set('kbn-xsrf', 'foo'); + return supertestRead.get(url).set('kbn-xsrf', 'foo'); case 'post': - return supertest.post(url).send(data).set('kbn-xsrf', 'foo'); + return supertestWrite.post(url).send(data).set('kbn-xsrf', 'foo'); default: - throw new Error(`Unsupported methoed ${method}`); + throw new Error(`Unsupported method ${method}`); } }