[EDR Workflows][Device Control] Trusted Devices cypress coverage#232269
szwarckonrad merged 165 commits into elastic:main from
…/kibana into device-control-rbac
Prerequisite #231167
Followup #232269

This PR implements server-side validation for trusted devices in Kibana by extending the existing list plugin extension points system. The implementation follows established patterns from trusted apps but supports trusted device-specific requirements, including allowing both Windows and Mac OS types (unlike other artifact types that only support single OS per entry) and validating the 5 supported device fields (`username`, `host`, `device ID`, `manufacturer`, `product ID`). The changes include a new `TrustedDeviceValidator` class, integration across all 9 exception list handlers, and comprehensive API integration tests to ensure proper validation and authorization.

Key changes:
- New `TrustedDeviceValidator` class extending BaseValidator with full space awareness
- Updated all 9 list plugin extension point handlers to include trusted device validation
- Added comprehensive integration tests covering unique trusted device validation requirements
- Maintains consistency with existing artifact validation patterns while supporting device-specific schema

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
tomsonpl
left a comment
Nice! I haven't written cypress tests in a while, so even more happy to see you doing it :) LGTM
gergoabraham
left a comment
nice work on the tests! 🚀
my only issue is the discrepancy between role definitions, would be great to sort those out
...ty_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
...s/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts
| - feature_siemV3.endpoint_list_all | ||
| - feature_siemV3.global_artifact_management_all | ||
| - feature_siemV3.trusted_applications_all | ||
| - feature_siemV3.trusted_devices_all |
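Review bot: the `feature_siemV3.trusted_devices_all` entry on the last line grants the full `_all` level of the new privilege to this role, next to the existing `_all` grants for the endpoint list, global artifact management and trusted applications, with nothing in the hunk saying which tests rely on it. A short comment beside the entry naming the test suites that need it would let anyone reconciling copies of this role later tell whether the grant is intended for the role itself or only for test coverage.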
It looks like this change is not present in the elasticsearch-controller (yet?). We usually try to keep the role definitions in sync. Otherwise, any testing that relies on this extra privilege might pass locally but fail in MKI runs. What are your plans around this here?
This feature targets 9.2 and we will most likely add this privilege before the feature freeze. I'm okay with reverting this change and revisiting once we merged controller. CC @gergoabraham
@pheyos, as we do not have custom roles for serverless in our test suites at the moment, I think there must be a discrepancy somewhere to be able to use the new privileges in cy/ftr tests. the discrepancy is either between elasticsearch-controller and kibana (as the current PR introduces it), or between (elasticsearch-controller + kibana's kbn-es resource) and (kibana's test resource).
do you think one is better than the other? i think updating elasticsearch-controller later should be fine, as this allows us to locally test the new roles, and have CI tests in place for the new features, while these tests are skipped in MKI. but i guess we can go the other way around as well - keeping the new privileges out of kbn-es resource
Started MKI run based off last commit of this PR - https://buildkite.com/elastic/kibana-serverless-security-solution-quality-gate-defend-workflows/builds/3331
Passed ✅
@gergoabraham @szwarckonrad it's true that we can't always be in perfect sync and there's risk in every version of discrepancy.
> CI tests in place for the new features, while these tests are skipped in MKI
In this case, I think it makes sense to go this route. If any FTR tests start failing in MKI due to this role definition change (unlikely unless we explicitly add specific tests for it - the tests seem to be mostly in Cypress), then we would have to skip these tests for MKI runs until the role definition in elasticsearch-controller has caught up. With that, I'm going to approve this PR from the AppEx QA point of view.
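The role-definition discrepancy discussed in this thread, as an added example that is not part of the PR or of Kibana's code: a small JavaScript check that diffs two copies of a role's privilege list and names the tests that depend on a privilege present in only one copy. The role name, test names and the second copy are constructed; the privilege strings are the ones quoted in the review.

```javascript
// Added example: detect privilege drift between two copies of a role definition.
// Role name, test names and the "deployed" copy are constructed for illustration;
// the privilege strings are the ones shown in the diff above.
const localRoles = {
  example_role: [
    'feature_siemV3.endpoint_list_all',
    'feature_siemV3.global_artifact_management_all',
    'feature_siemV3.trusted_applications_all',
    'feature_siemV3.trusted_devices_all',
  ],
};
const deployedRoles = {
  example_role: [
    'feature_siemV3.endpoint_list_all',
    'feature_siemV3.global_artifact_management_all',
    'feature_siemV3.trusted_applications_all',
  ],
};
// Hypothetical map of test suite -> privileges it needs on the role.
const testNeeds = {
  trusted_devices_rbac: ['feature_siemV3.trusted_devices_all'],
  trusted_apps_rbac: ['feature_siemV3.trusted_applications_all'],
};

// Returns { role: { onlyLocal, onlyDeployed } } for every role whose copies differ.
function diffRoles(local, deployed) {
  const drift = {};
  for (const role of new Set([...Object.keys(local), ...Object.keys(deployed)])) {
    const a = new Set(local[role] ?? []);
    const b = new Set(deployed[role] ?? []);
    const onlyLocal = [...a].filter((p) => !b.has(p)).sort();
    const onlyDeployed = [...b].filter((p) => !a.has(p)).sort();
    if (onlyLocal.length || onlyDeployed.length) drift[role] = { onlyLocal, onlyDeployed };
  }
  return drift;
}

// Tests that need a privilege found only in the local copy: these can pass
// locally and fail when run against the deployed definition.
function testsAtRisk(drift, needs) {
  const localOnly = new Set(Object.values(drift).flatMap((d) => d.onlyLocal));
  return Object.keys(needs).filter((t) => needs[t].some((p) => localOnly.has(p))).sort();
}

const drift = diffRoles(localRoles, deployedRoles);
console.log(JSON.stringify(drift, null, 2));
console.log('at risk:', testsAtRisk(drift, testNeeds));
```

Run in CI against both copies, a non-empty result gives the list of suites to skip or fix before the definitions are reconciled.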
gergoabraham
left a comment
thanks for the tests and the changes! 🚀
…stic#232269)

Prerequisite elastic#231888
Followup elastic#232374

This PR brings comprehensive Cypress test coverage to Trusted Devices, mirroring the established Trusted Apps testing patterns. We implemented full CRUD operations testing, RBAC permissions validation, and serverless PLI/tier access controls.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

)

Prerequisite #232269
Enabled on `9.2` with #237302

This PR allows us to:
1. Verify that enabling the feature doesn't introduce regressions
2. Ensure all Device Control-related tests pass with flag turned on
3. Prepare for seamless cloud deployments with unified configuration

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>

…tic#232374)

Prerequisite elastic#232269
Enabled on `9.2` with elastic#237302

This PR allows us to:
1. Verify that enabling the feature doesn't introduce regressions
2. Ensure all Device Control-related tests pass with flag turned on
3. Prepare for seamless cloud deployments with unified configuration

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>
Prerequisite #231888
Followup #232374
This PR brings comprehensive Cypress test coverage to Trusted Devices, mirroring the established Trusted Apps testing patterns. We implemented full CRUD operations testing, RBAC permissions validation, and serverless PLI/tier access controls.