
[Security] Quality Gate multi Organization for projects #181027

Merged: dkirchan merged 42 commits into main from sec-quality-gate-multi-org, Apr 25, 2024

Conversation

@dkirchan (Contributor) commented Apr 17, 2024

Summary

In order to run the tests concurrently we needed the ability to handle more than one organization and rotation of API keys in order to create a project.

This effort is covered by the job done for the cloud-handler (@elastic/security-engineering-productivity). The cloud-handler is a Python FastAPI service connected to a Postgres database, which handles the multiple organizations for the needs of the Security Kibana Quality Gate Testing - including the periodic pipeline and the future efforts to be able to run the tests from Devs against a real MKI.

Description

All the logic is pretty much handled in the parallel_serverless.ts script.
At this point we are getting the combination of PROXY_URL, PROXY_CLIENT_ID and PROXY_SECRET. All three should be defined, as the first defines the URL of the proxy service and the latter two define the authentication with the service.

If all three of the above mentioned variables are available, plus if the healthcheck for the service to be up and running is successful (runs in this line), then the script starts creating environments through the proxy handler. Otherwise it goes back to the default single org execution (with the problems we have faced and are tackling with this effort).

If the flow proceeds with the proxy service then it creates the environment (the create environment request body is not changed at all so no change needs to be done in the test codebase) and then a response is returned indicating in the response body the organization-name that is being used.
e.g.:

```json
{
    "alias": "local-gizmo-tests-e2ebcd",
    "cloud_id": "local-gizmo-tests:ZXUtd2VzdC0xLmF3cy5xYS5lbGFzdGljLmNsb3VkJGUyZWJjZGZmMzY0YTRmYjliMjRmOGVkMGM0MjI2NThlLmVzJGUyZWJjZGZmMzY0YTRmYjliMjRmOGVkMGM0MjI2NThlLmti",
    "project_id": "e2ebcdff364a4fb9b24f8ed0c422658e",
    "name": "local-gizmo-tests",
    "region_id": "aws-eu-west-1",
    "project_type": "security",
    "admin_features_package": "standard",
    "creds_password": "f6RoNM84wQ4tBml3p13069uJ",
    "creds_username": "admin",
    "elasticsearch_endpoint": "https://local-gizmo-tests-e2ebcd.es.eu-west-1.aws.qa.elastic.cloud",
    "kibana_endpoint": "https://local-gizmo-tests-e2ebcd.kb.eu-west-1.aws.qa.elastic.cloud",
    "created_at": "2024-04-22T15:05:28.970745",
    "id": 1856,
    "organization_id": 16,
    "organization_name": "sec-sol-auto-01"
}
```

Then this organization name is used to define the file with the roles which the SAML authentication will be using in order to authenticate the users. This change is implemented in the following parts:

Relevant successful executions:
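
The handler selection described in the PR above, as an added TypeScript example that is not code from the PR or from parallel_serverless.ts: it reads the three PROXY_* variables, treats a partial set as a misconfiguration to report rather than something to silently fall back from, runs the health check through an injected probe (the real script makes an HTTP request), extracts organization_name from the create-environment response, and adds the one step a practitioner would want around that response, which carries creds_password: redact secret-looking fields before the body reaches CI logs. Every name here (ProxyConfig, selectProjectHandler, redactEnvironmentResponse, the sample response and its placeholder password) is an assumption for illustration.

```typescript
// Added example, not code from the PR or from parallel_serverless.ts.
// Type and function names are assumptions chosen for illustration.

type ProxyConfig = { url: string; clientId: string; secret: string };

type HandlerChoice =
  | { kind: 'proxy'; config: ProxyConfig }
  | { kind: 'single-org'; reason: string };

const REQUIRED_VARS = ['PROXY_URL', 'PROXY_CLIENT_ID', 'PROXY_SECRET'] as const;

// All three variables or none: a URL without credentials (or the reverse) is a
// misconfiguration worth reporting, not a reason to quietly use one organization.
function readProxyConfig(env: Record<string, string | undefined>): ProxyConfig | string {
  const missing = REQUIRED_VARS.filter((name) => {
    const value = env[name];
    return value === undefined || value.trim() === '';
  });
  if (missing.length === REQUIRED_VARS.length) return 'proxy not configured';
  if (missing.length > 0) return `incomplete proxy configuration, missing ${missing.join(', ')}`;
  return {
    url: env.PROXY_URL as string,
    clientId: env.PROXY_CLIENT_ID as string,
    secret: env.PROXY_SECRET as string,
  };
}

// `probe` stands in for the health check; the real script would GET the service's
// health endpoint and treat a non-2xx status or a thrown error as "down".
function selectProjectHandler(
  env: Record<string, string | undefined>,
  probe: (url: string) => boolean
): HandlerChoice {
  const config = readProxyConfig(env);
  if (typeof config === 'string') return { kind: 'single-org', reason: config };
  let healthy = false;
  try {
    healthy = probe(config.url);
  } catch {
    healthy = false;
  }
  if (!healthy) return { kind: 'single-org', reason: `health check failed for ${config.url}` };
  return { kind: 'proxy', config };
}

// Constructed sample shaped like the create-environment response shown in the PR;
// the password is a placeholder, not a real credential.
const SAMPLE_RESPONSE: Record<string, unknown> = {
  alias: 'local-gizmo-tests-e2ebcd',
  project_type: 'security',
  creds_username: 'admin',
  creds_password: 'placeholder-not-a-real-password',
  kibana_endpoint: 'https://local-gizmo-tests-e2ebcd.kb.eu-west-1.aws.qa.elastic.cloud',
  organization_id: 16,
  organization_name: 'sec-sol-auto-01',
};

// Downstream the runner only needs organization_name (it becomes PROXY_ORG).
function organizationFromResponse(body: Record<string, unknown>): string {
  const org = body.organization_name;
  if (typeof org !== 'string' || org === '') {
    throw new Error('proxy response did not name an organization');
  }
  return org;
}

// The response carries the project's admin password; scrub secret-looking fields
// on a copy so the original body stays usable for the test run.
function redactEnvironmentResponse(body: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = { ...body };
  for (const key of Object.keys(out)) {
    if (/password|secret|token/i.test(key)) out[key] = '[REDACTED]';
  }
  return out;
}
```

Falling back on an incomplete variable set keeps the behaviour the PR describes (single-org execution when the proxy is unavailable) while still surfacing which variable was forgotten in the returned reason.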

@ghost commented Apr 17, 2024

🤖 GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

dkirchan force-pushed the sec-quality-gate-multi-org branch from 2eac833 to 82a8d2f, April 24, 2024 10:52
dkirchan requested review from a team, maximpn, oatkiller and patrykkopycinski, April 24, 2024 13:18

@banderror (Contributor)

Files by Code Owner

MadameSheema

  • x-pack/plugins/security_solution/scripts/run_cypress/parallel_serverless.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/cloud_project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/proxy_project_handler.ts

banderror

  • x-pack/plugins/security_solution/scripts/run_cypress/parallel_serverless.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/cloud_project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/proxy_project_handler.ts

elastic/appex-qa

  • packages/kbn-test/src/auth/session_manager.ts

elastic/kibana-operations

  • .buildkite/pipelines/security_solution/api_integration.yml
  • .buildkite/pipelines/security_solution/api_integration_serverless_release.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_defend_workflows.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_detection_engine.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_entity_analytics.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_explore.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_gen_ai.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_investigations.yml
  • .buildkite/pipelines/security_solution_quality_gate/mki_security_solution_rule_management.yml
  • .buildkite/scripts/pipelines/security_solution_quality_gate/api_integration/api-integration-tests.sh
  • .buildkite/scripts/pipelines/security_solution_quality_gate/prepare_vault_entries.sh
  • .buildkite/scripts/pipelines/security_solution_quality_gate/security_solution_cypress/mki_security_solution_cypress.sh
  • .buildkite/scripts/pipelines/security_solution_quality_gate/upload_image_metadata.sh
  • packages/kbn-test/src/auth/session_manager.ts

elastic/security-detections-response

  • x-pack/test/security_solution_cypress/cypress/support/saml_auth.ts

elastic/security-engineering-productivity

  • x-pack/test/security_solution_cypress/cypress/support/saml_auth.ts

elastic/security-solution

  • x-pack/plugins/security_solution/scripts/run_cypress/parallel_serverless.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/cloud_project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/proxy_project_handler.ts

elastic/security-threat-hunting

  • x-pack/test/security_solution_cypress/cypress/support/saml_auth.ts

maximpn

  • x-pack/plugins/security_solution/scripts/run_cypress/parallel_serverless.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/cloud_project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/proxy_project_handler.ts

oatkiller

  • x-pack/plugins/security_solution/scripts/run_cypress/parallel_serverless.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/cloud_project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/proxy_project_handler.ts

patrykkopycinski

  • x-pack/plugins/security_solution/scripts/run_cypress/parallel_serverless.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/cloud_project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/project_handler.ts
  • x-pack/plugins/security_solution/scripts/run_cypress/project_handler/proxy_project_handler.ts

@logeekal (Contributor) left a comment

Security Solution changes look good. But since there is so much TS code, it must have accompanying unit tests.

Could you please add those unit tests in current or follow up PR? Thanks.

@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #5 / Dataset Quality Dataset quality flyout goes to log explorer for degraded docs when show all is clicked

Metrics

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/test | 264 | 265 | +1 |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/test | 312 | 313 | +1 |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dkirchan

dkirchan merged commit 34c4449 into main Apr 25, 2024
dkirchan deleted the sec-quality-gate-multi-org branch April 25, 2024 12:50
kpatticha pushed a commit to kpatticha/kibana that referenced this pull request Apr 26, 2024
## Summary

In order to run the tests concurrently we needed the ability to handle more than one organization and rotation of API keys in order to create a project.

This effort is covered by the job done for the cloud-handler (@elastic/security-engineering-productivity). The cloud-handler is a Python FastAPI service connected to a Postgres database, which handles the multiple organizations for the needs of the Security Kibana Quality Gate Testing - including the periodic pipeline and the future efforts to be able to run the tests from Devs against a real MKI.

## Description 
All the logic is pretty much handled in the `parallel_serverless.ts` script.
[At this point](https://github.com/elastic/kibana/pull/181027/files#diff-a05c7d7d8448c53e20bbd60881deb4786bfffa3cdf654447732aed02e12b3867R223) we are getting the combination of PROXY_URL, PROXY_CLIENT_ID and PROXY_SECRET. All three should be defined, as the first defines the URL of the proxy service and the latter two define the authentication with the service.

If all three of the above mentioned variables are available, plus if the healthcheck for the service to be up and running is successful ([runs in this line](https://github.com/elastic/kibana/pull/181027/files#diff-a05c7d7d8448c53e20bbd60881deb4786bfffa3cdf654447732aed02e12b3867R255)), then the script starts creating environments through the proxy handler. Otherwise it goes back to the default single org execution (with the problems we have faced and are tackling with this effort).

If the flow proceeds with the proxy service then it creates the environment (the create environment request body is not changed at all so no change needs to be done in the test codebase) and then a response is returned indicating in the response body the organization-name that is being used.
e.g.:
```json
{
    "alias": "local-gizmo-tests-e2ebcd",
    "cloud_id": "local-gizmo-tests:ZXUtd2VzdC0xLmF3cy5xYS5lbGFzdGljLmNsb3VkJGUyZWJjZGZmMzY0YTRmYjliMjRmOGVkMGM0MjI2NThlLmVzJGUyZWJjZGZmMzY0YTRmYjliMjRmOGVkMGM0MjI2NThlLmti",
    "project_id": "e2ebcdff364a4fb9b24f8ed0c422658e",
    "name": "local-gizmo-tests",
    "region_id": "aws-eu-west-1",
    "project_type": "security",
    "admin_features_package": "standard",
    "creds_password": "f6RoNM84wQ4tBml3p13069uJ",
    "creds_username": "admin",
    "elasticsearch_endpoint": "https://local-gizmo-tests-e2ebcd.es.eu-west-1.aws.qa.elastic.cloud",
    "kibana_endpoint": "https://local-gizmo-tests-e2ebcd.kb.eu-west-1.aws.qa.elastic.cloud",
    "created_at": "2024-04-22T15:05:28.970745",
    "id": 1856,
    "organization_id": 16,
    "organization_name": "sec-sol-auto-01"
}
```

Then this organization name is used to define the file with the roles which the SAML authentication will be using in order to authenticate the users. This change is implemented in the following parts:
- [The PROXY_ORG Cypress env var](https://github.com/elastic/kibana/pull/181027/files#diff-a05c7d7d8448c53e20bbd60881deb4786bfffa3cdf654447732aed02e12b3867R475) is defined.
- [A roles filename is created](https://github.com/elastic/kibana/pull/181027/files#diff-5537ddd27eb2b8d7a4809e1bd9a28a4e6c23f3caa6a9b504b9c94ee037070315R34) only if the PROXY_ORG is defined, and handed over to the SamlSessionManager.
- [If the roles filename is provided,](https://github.com/elastic/kibana/pull/181027/files#diff-f63bfdabc35b838460de6b7e758d1bc168b54ba6ff418a8ad936d716c88af964R51) then it respects it, otherwise it uses the default `role_users.json`.


## Relevant successful executions:
- https://buildkite.com/elastic/security-serverless-quality-gate-kibana-periodic/builds/202
- https://buildkite.com/elastic/security-serverless-quality-gate-kibana-periodic/builds/203

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Gloria Hornero <gloria.hornero@elastic.co>
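
The roles-file selection the commit message lists in its three steps (PROXY_ORG is set from the proxy response, a per-organization roles filename is built only when PROXY_ORG is defined, and an explicitly provided filename wins over the default `role_users.json`), as an added TypeScript example that is not code from the PR, from `saml_auth.ts` or from `SamlSessionManager`. The `role_users_<org>.json` naming, the `RoleUsersFile` shape and the constructed sample files are assumptions; the PR does not state the naming scheme. Because the organization name arrives in an HTTP response and ends up in a filename, the example also restricts it to the character set such names actually use before building the path.

```typescript
// Added example, not code from the PR, saml_auth.ts or SamlSessionManager.
// The role_users_<org>.json naming and the RoleUsersFile shape are assumptions.

const DEFAULT_ROLES_FILE = 'role_users.json';

// organization_name comes from the proxy service's response and is used to name a
// file, so accept only the shape seen in the PR ("sec-sol-auto-01") and reject
// separators or dots that could point outside the roles directory.
const ORG_NAME = /^[a-z0-9][a-z0-9-]{0,62}$/;

function rolesFileForOrg(org: string): string {
  if (!ORG_NAME.test(org)) {
    throw new Error(`refusing to build a roles filename from organization ${JSON.stringify(org)}`);
  }
  return `role_users_${org}.json`;
}

// The two decisions from the commit message: build the per-org filename only when
// PROXY_ORG is set, and let an explicitly provided filename take precedence.
function resolveRolesFile(env: Record<string, string | undefined>, provided?: string): string {
  if (provided !== undefined && provided.trim() !== '') return provided;
  const org = env.PROXY_ORG;
  if (org !== undefined && org.trim() !== '') return rolesFileForOrg(org.trim());
  return DEFAULT_ROLES_FILE;
}

type RoleUser = { username: string; password: string };
type RoleUsersFile = Record<string, RoleUser>;

// Constructed sample roles files, keyed by filename, standing in for the files on
// disk; passwords are placeholders.
const SAMPLE_ROLE_USERS: Record<string, string> = {
  'role_users.json': JSON.stringify({
    admin: { username: 'admin', password: 'placeholder-not-a-real-password' },
  }),
  'role_users_sec-sol-auto-01.json': JSON.stringify({
    admin: { username: 'admin_sec_sol_auto_01', password: 'placeholder-not-a-real-password' },
    t1_analyst: { username: 't1_analyst_sec_sol_auto_01', password: 'placeholder-not-a-real-password' },
  }),
};

// Parse and validate a roles file so a malformed entry fails here, with the
// filename in the message, rather than as an opaque SAML login failure later.
function loadRoleUsers(filename: string, files: Record<string, string> = SAMPLE_ROLE_USERS): RoleUsersFile {
  const raw = files[filename];
  if (raw === undefined) throw new Error(`roles file ${filename} not found`);
  const parsed = JSON.parse(raw) as RoleUsersFile;
  for (const role of Object.keys(parsed)) {
    const user = parsed[role];
    if (!user || typeof user.username !== 'string' || typeof user.password !== 'string') {
      throw new Error(`roles file ${filename}: entry for ${role} lacks username/password`);
    }
  }
  return parsed;
}

// End to end: pick the file for this run, load it, and return the user for a role.
function credentialsForRole(
  role: string,
  env: Record<string, string | undefined>,
  provided?: string
): RoleUser {
  const file = resolveRolesFile(env, provided);
  const users = loadRoleUsers(file);
  const user = users[role];
  if (!user) throw new Error(`role ${role} is not defined in ${file}`);
  return user;
}
```

With PROXY_ORG unset the runner ends up on `role_users.json` exactly as before this change, so single-org executions are unaffected by the per-organization path.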

Labels

  • backport:skip (This PR does not require backporting)
  • release_note:skip (Skip the PR/issue when compiling release notes)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • v8.14.0
  • v8.15.0

9 participants