[FTR] allow to call roleScopedSupertest service with Cookie header #192727
Conversation
…/kibana into ftr/improve-test-auth-options
…/kibana into ftr/improve-test-auth-options
…/kibana into ftr/improve-test-auth-options
dmlemeshko
added
v9.0.0
release_note:skip
…/kibana into ftr/improve-test-auth-options
dmlemeshko
changed the title
| supertestAdminWithCookieCredentials = await roleScopedSupertest.getSupertestWithRoleScope( | ||
| 'admin', | ||
| { | ||
| useCookieHeader: true, | ||
| withInternalHeaders: true, | ||
| } | ||
| ); |
There was a problem hiding this comment.
Since all the APIs in this suite are internal, we use supertest scoped to Admin role and cookie header for auth
| supertestAdminWithCookieCredentials = await roleScopedSupertest.getSupertestWithRoleScope( | ||
| 'admin', | ||
| { | ||
| useCookieHeader: true, | ||
| withInternalHeaders: true, | ||
| } | ||
| ); |
There was a problem hiding this comment.
Since all the APIs in this suite are internal, we use supertest scoped to Admin role and cookie header for auth
| supertestAdminWithCookieCredentials = await roleScopedSupertest.getSupertestWithRoleScope( | ||
| 'admin', | ||
| { | ||
| useCookieHeader: true, | ||
| withInternalHeaders: true, | ||
| withCustomHeaders: { | ||
| [ELASTIC_HTTP_VERSION_HEADER]: KQL_TELEMETRY_ROUTE_LATEST_VERSION, | ||
| 'content-type': 'application/json', | ||
| }, | ||
| } | ||
| ); |
There was a problem hiding this comment.
Since all the APIs in this suite are internal, we use supertest scoped to Admin role and cookie header for auth. Repeated headers moved directly to scoped supertest creation.
packages/kbn-ftr-common-functional-services/services/saml_auth/saml_auth_provider.ts
Outdated
Show resolved
Hide resolved
x-pack/test/api_integration/deployment_agnostic/services/role_scoped_supertest.ts
Outdated
Show resolved
Hide resolved
x-pack/test_serverless/api_integration/test_suites/common/platform_security/api_keys.ts
Show resolved
Hide resolved
There was a problem hiding this comment.
Just a note - we'll want to revisit these when we make Spaces CRUD APIs public and enable multiple spaces in serverless.
x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
Show resolved
Hide resolved
...serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts
Show resolved
Hide resolved
x-pack/test_serverless/api_integration/test_suites/common/platform_security/views.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Jeramy Soucy <[email protected]>
Co-authored-by: Jeramy Soucy <[email protected]>
…/kibana into ftr/improve-test-auth-options
| @@ -68,7 +68,7 @@ export default function ({ getService }: FtrProviderContext) { | |||
|
|
|||
| ({ body, status } = await supertestWithoutAuth | |||
There was a problem hiding this comment.
Looks like this one was missed
| ({ body, status } = await supertestWithoutAuth | |
| ({ body, status } = await supertestAdminWithCookieCredentials |
There was a problem hiding this comment.
But this scenario is testing the case without auth: we suppose to get 401.
On main we don't set API key header https://github.com/elastic/kibana/blob/main/x-pack/test_serverless/api_integration/test_suites/common/platform_security/api_keys.ts#L69-L79
Should I keep it as is?
There was a problem hiding this comment.
Ah I see. I think that was maybe unintentional, looking at the comment
// expect a rejection because we're not using the internal header
I think the test was intended to fail for not utilizing the internal header, like with the other test cases.
But, this is on our team, not yours. I don't want to hold up your PR. I can fix this when I open a PR to adjust the access level for some of our other endopints.
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
History
To update your PR or re-run it, just comment with: cc @dmlemeshko |
Summary
During the sync with kibana-security team we agreed on how Kibana APIs should be tested:
API Authentication in Kibana: Public vs. Internal APIs
Kibana provides both public and internal APIs, each requiring authentication with the correct privileges. However, the method of testing these APIs varies, depending on how they are untilized by end users.
Public APIs: When testing HTTP requests to public APIs, API key-based authentication should be used. It reflect how end user call these APIs. Due to existing restrictions, we utilize
Adminuser credentials to generate API keys for various roles. While the API key permissions are correctly scoped according to the assigned role, the user will internally be recognized asAdminduring authentication.Internal APIs: Direct HTTP requests to internal APIs are generally not expected. However, for testing purposes, authentication should be performed using the Cookie header. This approach simulates client-side behavior during browser interactions, mirroring how internal APIs are indirectly invoked.
To simplify the process of creating/updating the tests, this PR makes few changes to
roleScopedSupertestserviceI updated some of the existing tests according to the new approach.
Docs for serverless and deployment-agnostic api integration tests were updated accordingly