
[9.3] [Osquery] Fix profile_uid dropped in getUserInfo authc fallback (#258866)#259258

Merged
csr merged 5 commits into elastic:9.3 from csr:backport/9.3/pr-258866
Apr 1, 2026
@csr csr commented Mar 24, 2026

Backport

This will backport the following commits from main to 9.3:

Questions ?

Please refer to the Backport tool documentation

…lastic#258866)

I'm working on adding Scout API tests
(elastic#258534) and noticed that
`created_by_profile_uid` and `updated_by_profile_uid` fields are absent
from all Osquery API responses on ECH (Elastic Cloud Hosted), even
though the authenticated user clearly has a `profile_uid` available.

## Test it yourself on ECH (dev console)

Confirm the user has a `profile_uid`:

```bash
GET kbn:/internal/security/me
```

This returns `{ "profile_uid": "u_..." }`.

Now create a saved query and check the response keys:

```bash
POST kbn:/api/osquery/saved_queries
{"id":"profile-uid-test","query":"select 1;","interval":"3600"}
```

The `created_by_profile_uid` and `updated_by_profile_uid` fields are
missing from the response on ECH. On local stateful they appear just
fine.

## Hypothesis (LLM-assisted)

`getUserInfo()` has two code paths for resolving user identity:

1. **Primary**: `userProfiles.getCurrent()` — returns `profile_uid` from
the user profile service
2. **Fallback**: `authc.getCurrentUser()` — used when the primary fails
or returns `null`

The fallback hardcodes `profile_uid: null` instead of reading
`user.profile_uid` from the `AuthenticatedUser` object (available since
2022, PR elastic#141092).

On ECH (Elastic Cloud Hosted), `userProfiles.getCurrent()` returns
`null`, so the fallback is always used. The hardcoded `null` then
cascades through route handlers:
- Converted to `undefined` via `?? undefined`
- Stripped by `JSON.stringify` (packs) or `pickBy` (saved queries)

## Why didn't we spot this sooner and why Scout comes to the rescue

The existing FTR API tests
[[1](https://github.com/elastic/kibana/blob/main/x-pack/platform/test/api_integration/apis/osquery/saved_queries.ts#L90-L126)]
[[2](https://github.com/elastic/kibana/blob/main/x-pack/platform/test/api_integration/apis/osquery/packs.ts#L191-L251)]
covering this ground aren't run on ECH. Scout is designed to be
[deployment-agnostic](https://www.elastic.co/docs/extend/kibana/scout/best-practices#design-tests-with-a-cloud-first-mindset),
so we're easily able to run the same set of tests on different testing
surfaces :-)

(cherry picked from commit fe7e247)

# Conflicts:
#	x-pack/platform/plugins/shared/osquery/server/lib/get_user_info.test.ts
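
The cascade described in the PR description above, as an added TypeScript example that is not code from the PR or the Osquery plugin. The interfaces, the `fixed` switch, `dropUndefined` (a stand-in for `pickBy`) and the sample uid are assumptions made for illustration; the last function is a deployment-agnostic check that flags responses missing the attribution fields.

```typescript
// Simplified model of the bug in the PR description. All shapes and names are
// constructed for illustration; none are copied from the Osquery plugin.
interface AuthUser { username: string; profile_uid?: string }
interface UserInfo { username: string; profile_uid: string | null }
interface Sources {
  getCurrentProfile(): { uid: string; username: string } | null; // stands in for userProfiles.getCurrent()
  getCurrentUser(): AuthUser | null; // stands in for authc.getCurrentUser()
}

function getUserInfo(src: Sources, fixed: boolean): UserInfo | null {
  const profile = src.getCurrentProfile();
  if (profile) return { username: profile.username, profile_uid: profile.uid };
  const user = src.getCurrentUser();
  if (!user) return null;
  // fixed=false: fallback hardcodes null. fixed=true: read the uid from the user object.
  return { username: user.username, profile_uid: fixed ? (user.profile_uid ?? null) : null };
}

// Assumed stand-in for pickBy(obj, (v) => v !== undefined) on the saved-queries path.
function dropUndefined(obj: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(obj)) if (obj[key] !== undefined) out[key] = obj[key];
  return out;
}

function buildResponse(info: UserInfo | null, kind: 'pack' | 'saved_query'): Record<string, unknown> {
  const body: Record<string, unknown> = {
    id: 'profile-uid-test',
    created_by: info?.username,
    created_by_profile_uid: info?.profile_uid ?? undefined, // null becomes undefined here
    updated_by_profile_uid: info?.profile_uid ?? undefined,
  };
  // Both serialization paths silently drop undefined values.
  return kind === 'pack' ? JSON.parse(JSON.stringify(body)) : dropUndefined(body);
}

// Deployment-agnostic check: when the session has a profile_uid, both attribution
// fields must carry it. Returns the names of the fields that do not.
function attributionGaps(response: Record<string, unknown>, sessionUid: string): string[] {
  return ['created_by_profile_uid', 'updated_by_profile_uid'].filter((k) => response[k] !== sessionUid);
}

// Constructed ECH-like case: the profile service returns null, authc knows the uid.
const ech: Sources = {
  getCurrentProfile: () => null,
  getCurrentUser: () => ({ username: 'analyst', profile_uid: 'u_constructed_0' }),
};
console.log(attributionGaps(buildResponse(getUserInfo(ech, false), 'saved_query'), 'u_constructed_0'));
console.log(attributionGaps(buildResponse(getUserInfo(ech, true), 'pack'), 'u_constructed_0'));
```
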
@csr csr requested a review from kibanamachine as a code owner March 24, 2026 08:36
@csr csr added the backport This PR is a backport of another PR label Mar 24, 2026
@csr csr enabled auto-merge (squash) March 24, 2026 08:36
@@ -0,0 +1,97 @@
/*
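
Review bot: `@@ -0,0 +1,97 @@` creates a 97-line file that does not yet exist on the target branch, so this part of the change is more than a conflict resolution of the cherry-pick. State that in the PR description, naming the file and the PR it originates from, so reviewers of the 9.3 branch can tell the newly introduced file apart from the backported fix.
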
@csr csr Mar 24, 2026

This test file was introduced in #249173 and doesn't exist on 9.3 (the PR wasn't backported). Is it OK if we introduce it in this backport PR? It adds coverage related to the change.

@csr csr requested review from a team, ashokaditya and parkiino and removed request for a team March 24, 2026 08:40
@csr csr added the ci:skip-cypress-osquery Skips osquery cypress checks label Mar 31, 2026
csr commented Mar 31, 2026

Osquery Serverless tests were failing but were recently disabled by #259898. Rebasing

@csr csr removed the ci:skip-cypress-osquery Skips osquery cypress checks label Mar 31, 2026
@elasticmachine
💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

@csr csr requested a review from szwarckonrad March 31, 2026 12:06
@csr csr merged commit bf7be75 into elastic:9.3 Apr 1, 2026
14 checks passed
@csr csr deleted the backport/9.3/pr-258866 branch April 1, 2026 15:19