[Osquery] Add Scout API tests for saved queries, packs, and response actions #258534
csr merged 31 commits into elastic:main
This FTR API test suite is replaced by the new Scout API tests saved_queries_admin.spec.ts and saved_queries_editor.spec.ts.
What's new:
- We now organize test suites by role (`admin` and `editor`). We test the endpoints with minimal permissions. The FTR test suite was using `supertest` admin user privileges for all test cases.
- We now define an Osquery API service in the plugin that test cases can elegantly call. We separate helpers from the test cases themselves.
| ) => { | ||
| const extendedApiServices = apiServices as OsqueryApiServicesFixture; | ||
| extendedApiServices.osquery = getOsqueryApiService({ kbnClient, log }); | ||
| await use(extendedApiServices); |
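Review bot: The `as OsqueryApiServicesFixture` cast on the first line of the body claims `osquery` is present before the next line assigns it, and that assignment mutates the `apiServices` object handed in by the base fixture. If `apiServices` is a plain object, consider passing a new value to `use`, for example `await use({ ...apiServices, osquery: getOsqueryApiService({ kbnClient, log }) })`, so the type holds without a cast and the shared fixture value is left untouched.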
We extend the apiServices fixture in the Osquery plugin so tests can access the Osquery API service via apiServices.osquery.
| responseType: 'json', | ||
| } | ||
| ); | ||
| expect(response).toHaveStatusCode(403); |
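Review bot: `expect(response).toHaveStatusCode(403)` is the only assertion visible for the denied request, so the test would still pass if the server answered 403 after performing the write. Unless a later line already covers it, follow the denied call with a read through a privileged client (for instance the `apiServices.osquery` service) and assert the resource is absent or unchanged.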
New coverage: packs_viewer.spec.ts and saved_queries_viewer.spec.ts check for 403 unauthorized permission boundaries by attempting to send the request with a user with the viewer role.
| - navigation | ||
| - observability | ||
| - observability_onboarding | ||
| - osquery |
This first batch of tests can run in the CI without any Scout custom servers config setup.
x-pack/platform/plugins/shared/osquery/test/scout/api/tests/packs_editor.spec.ts
| } | ||
| }); | ||
|
|
||
| apiTest('creates a rule with a single Osquery query action', async ({ apiClient }) => { |
The Cypress UI test alerts_response_actions_form.cy.ts intercepts the request. Here we test the endpoint directly. Here we also do a GET roundtrip to ensure the data is actually saved correctly on the server.
| } | ||
| ); | ||
|
|
||
| apiTest('creates a rule with pack-based Osquery action', async ({ apiClient }) => { |
Similar behavior here - the Cypress UI test intercepts the API request, here we create the rule with a pack-based action and assert the response.
Starting backport for target branches: 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/23547253963
💛 Build succeeded, but was flaky
cc @csr
💔 All backports failed
Skipping backporting as I don't see these FTR API tests exist in earlier branches (such as 9.3). They were introduced early this year via #249338 (this PR skips backporting, too).
…for "not found" errors (elastic#258883)

I noticed while working on Scout API tests (elastic#258534) that the GET endpoints for packs and saved queries return a `500` Internal Server Error when the resource doesn't exist, rather than the usual `404`. This PR fixes it. Worth mentioning that the issue occurs in all surfaces (stateful deployment, ECH, MKI). Some FTR API integration tests were added to ensure coverage.

(cherry picked from commit 4301849)

# Conflicts:
# x-pack/platform/plugins/shared/osquery/server/routes/pack/delete_pack_route.ts
# x-pack/platform/plugins/shared/osquery/server/routes/pack/update_pack_route.ts
# x-pack/platform/plugins/shared/osquery/server/routes/saved_query/update_saved_query_route.ts
# x-pack/platform/test/api_integration/apis/osquery/saved_queries.ts
…lastic#258866)

I'm working on adding Scout API tests (elastic#258534) and noticed that `created_by_profile_uid` and `updated_by_profile_uid` fields are absent from all Osquery API responses on ECH (Elastic Cloud Hosted), even though the authenticated user clearly has a `profile_uid` available.

## Test it yourself on ECH (dev console)

Confirm the user has a `profile_uid`:

```bash
GET kbn:/internal/security/me
```

This returns `{ "profile_uid": "u_..." }`.

Now create a saved query and check the response keys:

```bash
POST kbn:/api/osquery/saved_queries
{"id":"profile-uid-test","query":"select 1;","interval":"3600"}
```

The `created_by_profile_uid` and `updated_by_profile_uid` fields are missing from the response on ECH. On local stateful they appear just fine.

## Hypothesis (LLM-assisted)

`getUserInfo()` has two code paths for resolving user identity:

1. **Primary**: `userProfiles.getCurrent()` — returns `profile_uid` from the user profile service
2. **Fallback**: `authc.getCurrentUser()` — used when the primary fails or returns `null`

The fallback hardcodes `profile_uid: null` instead of reading `user.profile_uid` from the `AuthenticatedUser` object (available since 2022, PR elastic#141092).

On ECH (Elastic Cloud Hosted), `userProfiles.getCurrent()` returns `null`, so the fallback is always used. The hardcoded `null` then cascades through route handlers:

- Converted to `undefined` via `?? undefined`
- Stripped by `JSON.stringify` (packs) or `pickBy` (saved queries)

## Why didn't we spot this sooner and why Scout comes to the rescue

The existing FTR API tests [[1](https://github.com/elastic/kibana/blob/main/x-pack/platform/test/api_integration/apis/osquery/saved_queries.ts#L90-L126)] [[2](https://github.com/elastic/kibana/blob/main/x-pack/platform/test/api_integration/apis/osquery/packs.ts#L191-L251)] covering this ground aren't run on ECH. Scout is designed to be [deployment-agnostic](https://www.elastic.co/docs/extend/kibana/scout/best-practices#design-tests-with-a-cloud-first-mindset), so we're easily able to run the same set of tests on different testing surfaces :-)
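The fallback path hypothesised in the commit message above, modelled as an added TypeScript example (it is not Kibana's code and not part of the PR). `IdentitySources`, `buildBody`, `viaPickDefined`, `runScenario` and the sample user are constructed, synchronous stand-ins; only the names `getUserInfo`, `profile_uid` and the two response fields come from the page.

```typescript
// Added illustration with simplified stand-ins. Not Kibana source code.

interface AuthenticatedUser {
  username: string;
  profile_uid?: string;
}

interface UserInfo {
  username: string;
  profile_uid: string | null;
}

// Hypothetical wrapper around the two identity sources the commit message names.
interface IdentitySources {
  getCurrentProfile: () => { uid: string; username: string } | null; // userProfiles.getCurrent()
  getCurrentUser: () => AuthenticatedUser | null; // authc.getCurrentUser()
}

// Fallback as described before the fix: profile_uid is hardcoded to null.
function getUserInfoBefore(src: IdentitySources): UserInfo | null {
  const profile = src.getCurrentProfile();
  if (profile) return { username: profile.username, profile_uid: profile.uid };
  const user = src.getCurrentUser();
  return user ? { username: user.username, profile_uid: null } : null;
}

// Fallback reading the value the authenticated user already carries.
function getUserInfoAfter(src: IdentitySources): UserInfo | null {
  const profile = src.getCurrentProfile();
  if (profile) return { username: profile.username, profile_uid: profile.uid };
  const user = src.getCurrentUser();
  return user ? { username: user.username, profile_uid: user.profile_uid ?? null } : null;
}

// Route-handler step: a null profile_uid becomes undefined via `?? undefined`.
function buildBody(id: string, user: UserInfo | null): Record<string, unknown> {
  return {
    id,
    created_by_profile_uid: user?.profile_uid ?? undefined,
    updated_by_profile_uid: user?.profile_uid ?? undefined,
  };
}

// Packs path: JSON.stringify omits keys whose value is undefined.
function viaJsonStringify(body: Record<string, unknown>): Record<string, unknown> {
  return JSON.parse(JSON.stringify(body));
}

// Saved-queries path: local stand-in for the `pickBy` step, dropping undefined values.
function viaPickDefined(body: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(body)) {
    if (body[key] !== undefined) out[key] = body[key];
  }
  return out;
}

const PROFILE_UID_FIELDS = ['created_by_profile_uid', 'updated_by_profile_uid'];

// The check a deployment-agnostic API test makes on the response keys.
function missingProfileUidFields(response: Record<string, unknown>): string[] {
  return PROFILE_UID_FIELDS.filter((field) => !(field in response));
}

// Constructed sample user and two constructed deployments.
const sampleUser: AuthenticatedUser = { username: 'constructed-admin', profile_uid: 'u_constructed_1' };
const localStateful: IdentitySources = {
  getCurrentProfile: () => ({ uid: 'u_constructed_1', username: sampleUser.username }),
  getCurrentUser: () => sampleUser,
};
const ech: IdentitySources = {
  getCurrentProfile: () => null, // primary path yields nothing, so the fallback runs
  getCurrentUser: () => sampleUser,
};

function runScenario(
  getUserInfo: (src: IdentitySources) => UserInfo | null,
  src: IdentitySources
): { pack: string[]; savedQuery: string[] } {
  const body = buildBody('profile-uid-test', getUserInfo(src));
  return {
    pack: missingProfileUidFields(viaJsonStringify(body)),
    savedQuery: missingProfileUidFields(viaPickDefined(body)),
  };
}

console.log('local stateful, before fix:', runScenario(getUserInfoBefore, localStateful));
console.log('ECH-like, before fix:', runScenario(getUserInfoBefore, ech));
console.log('ECH-like, after fix:', runScenario(getUserInfoAfter, ech));
```

A test that only ever runs against the first deployment never exercises the fallback branch, which is why the same assertion has to run on each surface.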
…actions (elastic#258534)

This PR adds initial Scout API tests for the Osquery platform plugin. This is a very early step towards breaking down the wonderful work started by PR elastic#252216 in multiple easy-to-review pieces, while still ensuring the tests follow Scout's [best practices](https://www.elastic.co/docs/extend/kibana/scout/best-practices). Note that some of the Cypress tests intercept API calls, which we usually don't recommend doing (a dedicated Scout API test ensures an isolated + clear testing environment).

These API tests cover saved queries, packs, and detection rule response actions with RBAC permission boundaries so UI tests don't have to intercept these calls or verify this data correctness behavior.

These are 7 new Scout API tests. Exact breakdown details available below.

### Coverage Parity Report

| Scout spec | Focus | Migrated from FTR? |
|---|---|---|
| `packs_admin.spec.ts` | Profile UID on create/find | Yes (from `packs.ts`) |
| `packs_editor.spec.ts` | Packs CRUD, multi-query, search/filter | Yes (from `packs.ts`) |
| `packs_viewer.spec.ts` | RBAC: read allowed, write denied | **New** |
| `saved_queries_admin.spec.ts` | Profile UID on create/read/find | Yes (from `saved_queries.ts`) |
| `saved_queries_editor.spec.ts` | Saved queries CRUD, search/filter | Yes (from `saved_queries.ts`) |
| `saved_queries_viewer.spec.ts` | RBAC: read allowed, write denied | **New** |
| `response_actions_rules.spec.ts` | Detection rules with osquery actions | **New** |

### FTR tests still remaining (6 files) -- NOT migrated

| FTR file | Tests | API type | Migration notes |
|---|---|---|---|
| `packs.ts` (2 remaining) | Fleet config multi-line/single-line query format | Internal + Fleet | Requires Fleet agent/package policy setup; consider migrating if Scout supports Fleet fixtures |
| `assets.ts` | Prebuilt pack assets status, install/update | Internal (`/internal/osquery/assets`) | Good candidate for Scout migration |
| `fleet_wrapper.ts` | 7 Fleet wrapper endpoints (agents, policies, package policies) | Internal (`/internal/osquery/fleet_wrapper/*`) | Requires Fleet agent enrollment; depends on `fleetAndAgents` FTR service |
| `privileges_check.ts` | Superuser privileges check | Internal (`/internal/osquery/privileges_check`) | Simple test, easy to migrate |
| `status.ts` | Osquery installation status | Internal (`/internal/osquery/status`) | Requires osquery package install; moderate to migrate |
| `live_queries.ts` | Live query details and results | Public (`/api/osquery/live_queries`) | Uses ES directly to seed action docs; moderate to migrate |
| `history_tags.ts` | 17 tag CRUD tests + aggregation + validation | Public + Internal (`/api/osquery/history`, `/internal/osquery/history/tags`) | Large test suite; uses ES directly for action/response docs; good candidate but substantial effort |

### Follow-ups

Further PRs will focus on migrating some of the Cypress tests. This initial PR is a way for me / the team to get acquainted with Osquery / ensure we have some very early (though for now limited) Scout coverage. Feedback welcome!

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…f 404 for "not found" errors (#258883) (#259703)

# Backport

This will backport the following commits from `main` to `9.2`:

- [[Osquery] Fix pack and saved query APIs returning 500 instead of 404 for "not found" errors (#258883)](#258883)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…of 404 for "not found" errors (#258883) (#259704)

# Backport

This will backport the following commits from `main` to `8.19`:

- [[Osquery] Fix pack and saved query APIs returning 500 instead of 404 for "not found" errors (#258883)](#258883)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…f 404 for "not found" errors (#258883) (#259702)

# Backport

This will backport the following commits from `main` to `9.3`:

- [[Osquery] Fix pack and saved query APIs returning 500 instead of 404 for "not found" errors (#258883)](#258883)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…back (#258866) (#259258)

# Backport

This will backport the following commits from `main` to `9.3`:

- [[Osquery] Fix `profile_uid` dropped in `getUserInfo` authc fallback (#258866)](#258866)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)