[7.x] Do not embedd credentials into ES URL and enable anonymous test…

…s. (elastic#88005)
chrisronline · Jan 12, 2021 · fb29691 · fb29691
1 parent 569a7b2
commit fb29691
Show file tree

Hide file tree

Showing 10 changed files with 34 additions and 27 deletions.
diff --git a/test/common/config.js b/test/common/config.js
@@ -44,7 +44,14 @@ export default function () {
  '--logging.json=false',
  `--server.port=${kbnTestConfig.getPort()}`,
  '--status.allowAnonymous=true',
- `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`,
+ // We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should
+ // either include `kibanaServerTestUser` credentials, or credentials provided by the test
+ // user, or none at all in case anonymous access is used.
+ `--elasticsearch.hosts=${formatUrl(
+ Object.fromEntries(
+ Object.entries(servers.elasticsearch).filter(([key]) => key.toLowerCase() !== 'auth')
+ )
+ )}`,
  `--elasticsearch.username=${kibanaServerTestUser.username}`,
  `--elasticsearch.password=${kibanaServerTestUser.password}`,
  `--home.disableWelcomeScreen=true`,

diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js
@@ -45,6 +45,7 @@ require('@kbn/test').runTestsCli([
  require.resolve('../test/security_api_integration/oidc_implicit_flow.config.ts'),
  require.resolve('../test/security_api_integration/token.config.ts'),
  require.resolve('../test/security_api_integration/anonymous.config.ts'),
+ require.resolve('../test/security_api_integration/anonymous_es_anonymous.config.ts'),
  require.resolve('../test/observability_api_integration/basic/config.ts'),
  require.resolve('../test/observability_api_integration/trial/config.ts'),
  require.resolve('../test/encrypted_saved_objects_api_integration/config'),

diff --git a/x-pack/test/functional/page_objects/security_page.ts b/x-pack/test/functional/page_objects/security_page.ts
@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../ftr_provider_context';
 import { AuthenticatedUser, Role } from '../../../plugins/security/common/model';
 
@@ -122,9 +123,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
  await browser.setLocalStorageItem('home:welcome:show', 'false');
  await waitForLoginForm();
 
- const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
- await testSubjects.setValue('loginUsername', username || superUsername);
- await testSubjects.setValue('loginPassword', password || superPassword);
+ await testSubjects.setValue('loginUsername', username || adminTestUser.username);
+ await testSubjects.setValue('loginPassword', password || adminTestUser.password);
  await testSubjects.click('loginSubmit');
 
  await waitForLoginResult(
@@ -162,9 +162,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
  if (providerType === 'basic' || providerType === 'token') {
  await waitForLoginForm();
 
- const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
- await testSubjects.setValue('loginUsername', options?.username ?? superUsername);
- await testSubjects.setValue('loginPassword', options?.password ?? superPassword);
+ await testSubjects.setValue('loginUsername', options?.username ?? adminTestUser.username);
+ await testSubjects.setValue('loginPassword', options?.password ?? adminTestUser.password);
  await testSubjects.click('loginSubmit');
  }
 

diff --git a/x-pack/test/security_api_integration/tests/anonymous/login.ts b/x-pack/test/security_api_integration/tests/anonymous/login.ts
@@ -6,6 +6,7 @@
 
 import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -55,15 +56,14 @@ export default function ({ getService }: FtrProviderContext) {
  });
 
  it('does not prevent basic login', async () => {
- const [username, password] = config.get('servers.elasticsearch.auth').split(':');
  const response = await supertest
  .post('/internal/security/login')
  .set('kbn-xsrf', 'xxx')
  .send({
  providerType: 'basic',
  providerName: 'basic1',
  currentURL: '/',
- params: { username, password },
+ params: { username: adminTestUser.username, password: adminTestUser.password },
  })
  .expect(200);
 
@@ -79,7 +79,7 @@ export default function ({ getService }: FtrProviderContext) {
  .set('Cookie', cookie.cookieString())
  .expect(200);
 
- expect(user.username).to.eql(username);
+ expect(user.username).to.eql(adminTestUser.username);
  expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic1' });
  expect(user.authentication_type).to.eql('realm');
  // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud

diff --git a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts
@@ -7,6 +7,7 @@
 import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
 import { delay } from 'bluebird';
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 import {
  getMutualAuthenticationResponseToken,
@@ -54,15 +55,14 @@ export default function ({ getService }: FtrProviderContext) {
  });
 
  it('does not prevent basic login', async () => {
- const [username, password] = config.get('servers.elasticsearch.auth').split(':');
  const response = await supertest
  .post('/internal/security/login')
  .set('kbn-xsrf', 'xxx')
  .send({
  providerType: 'basic',
  providerName: 'basic',
  currentURL: '/',
- params: { username, password },
+ params: { username: adminTestUser.username, password: adminTestUser.password },
  })
  .expect(200);
 
@@ -78,7 +78,7 @@ export default function ({ getService }: FtrProviderContext) {
  .set('Cookie', cookie.cookieString())
  .expect(200);
 
- expect(user.username).to.eql(username);
+ expect(user.username).to.eql(adminTestUser.username);
  expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
  expect(user.authentication_type).to.eql('realm');
  // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud

diff --git a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts
@@ -8,28 +8,27 @@ import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
 import url from 'url';
 import { delay } from 'bluebird';
+import { adminTestUser } from '@kbn/test';
 import { getStateAndNonce } from '../../../fixtures/oidc/oidc_tools';
 import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
  const supertest = getService('supertestWithoutAuth');
- const config = getService('config');
 
  describe('OpenID Connect authentication', () => {
  it('should reject API requests if client is not authenticated', async () => {
  await supertest.get('/internal/security/me').set('kbn-xsrf', 'xxx').expect(401);
  });
 
  it('does not prevent basic login', async () => {
- const [username, password] = config.get('servers.elasticsearch.auth').split(':');
  const response = await supertest
  .post('/internal/security/login')
  .set('kbn-xsrf', 'xxx')
  .send({
  providerType: 'basic',
  providerName: 'basic',
  currentURL: '/',
- params: { username, password },
+ params: { username: adminTestUser.username, password: adminTestUser.password },
  })
  .expect(200);
 
@@ -42,10 +41,10 @@ export default function ({ getService }: FtrProviderContext) {
  .set('Cookie', request.cookie(cookies[0])!.cookieString())
  .expect(200);
 
- expect(user.username).to.eql(username);
+ expect(user.username).to.eql(adminTestUser.username);
  expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
  expect(user.authentication_type).to.be('realm');
- // Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud
+ // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
  });
 
  describe('initiating handshake', () => {

diff --git a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts
@@ -10,6 +10,7 @@ import { delay } from 'bluebird';
 import { readFileSync } from 'fs';
 import { resolve } from 'path';
 import { CA_CERT_PATH } from '@kbn/dev-utils';
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 const CA_CERT = readFileSync(CA_CERT_PATH);
@@ -21,7 +22,6 @@ const UNTRUSTED_CLIENT_CERT = readFileSync(
 
 export default function ({ getService }: FtrProviderContext) {
  const supertest = getService('supertestWithoutAuth');
- const config = getService('config');
 
  function checkCookieIsSet(cookie: Cookie) {
  expect(cookie.value).to.not.be.empty();
@@ -64,7 +64,6 @@ export default function ({ getService }: FtrProviderContext) {
  });
 
  it('does not prevent basic login', async () => {
- const [username, password] = config.get('servers.elasticsearch.auth').split(':');
  const response = await supertest
  .post('/internal/security/login')
  .ca(CA_CERT)
@@ -74,7 +73,7 @@ export default function ({ getService }: FtrProviderContext) {
  providerType: 'basic',
  providerName: 'basic',
  currentURL: '/',
- params: { username, password },
+ params: { username: adminTestUser.username, password: adminTestUser.password },
  })
  .expect(200);
 
@@ -92,7 +91,7 @@ export default function ({ getService }: FtrProviderContext) {
  .set('Cookie', cookie.cookieString())
  .expect(200);
 
- expect(user.username).to.eql(username);
+ expect(user.username).to.eql(adminTestUser.username);
  expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
  // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
  });

diff --git a/x-pack/test/security_api_integration/tests/saml/saml_login.ts b/x-pack/test/security_api_integration/tests/saml/saml_login.ts
@@ -9,6 +9,7 @@ import url from 'url';
 import { delay } from 'bluebird';
 import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
+import { adminTestUser } from '@kbn/test';
 import {
  getLogoutRequest,
  getSAMLRequestId,
@@ -75,15 +76,14 @@ export default function ({ getService }: FtrProviderContext) {
  });
 
  it('does not prevent basic login', async () => {
- const [username, password] = config.get('servers.elasticsearch.auth').split(':');
  const response = await supertest
  .post('/internal/security/login')
  .set('kbn-xsrf', 'xxx')
  .send({
  providerType: 'basic',
  providerName: 'basic',
  currentURL: '/',
- params: { username, password },
+ params: { username: adminTestUser.username, password: adminTestUser.password },
  })
  .expect(200);
 
@@ -96,7 +96,7 @@ export default function ({ getService }: FtrProviderContext) {
  .set('Cookie', request.cookie(cookies[0])!.cookieString())
  .expect(200);
 
- expect(user.username).to.eql(username);
+ expect(user.username).to.eql(adminTestUser.username);
  expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
  expect(user.authentication_type).to.be('realm');
  // Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud

diff --git a/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts b/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts
@@ -7,6 +7,7 @@
 import request, { Cookie } from 'request';
 import { delay } from 'bluebird';
 import expect from '@kbn/expect';
+import { adminTestUser } from '@kbn/test';
 import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
 import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
 import { FtrProviderContext } from '../../ftr_provider_context';
@@ -17,7 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
  const config = getService('config');
  const log = getService('log');
  const randomness = getService('randomness');
- const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':');
+ const { username: basicUsername, password: basicPassword } = adminTestUser;
  const kibanaServerConfig = config.get('servers.kibana');
 
  async function checkSessionCookie(

diff --git a/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts b/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts
@@ -7,6 +7,7 @@
 import request, { Cookie } from 'request';
 import { delay } from 'bluebird';
 import expect from '@kbn/expect';
+import { adminTestUser } from '@kbn/test';
 import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
 import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
 import { FtrProviderContext } from '../../ftr_provider_context';
@@ -16,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) {
  const es = getService('es');
  const config = getService('config');
  const randomness = getService('randomness');
- const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':');
+ const { username: basicUsername, password: basicPassword } = adminTestUser;
  const kibanaServerConfig = config.get('servers.kibana');
 
  async function checkSessionCookie(