diff --git a/x-pack/plugins/security/server/authorization/authorization_service.test.ts b/x-pack/plugins/security/server/authorization/authorization_service.test.ts index 01a3a60355019..95de8f90ce2aa 100644 --- a/x-pack/plugins/security/server/authorization/authorization_service.test.ts +++ b/x-pack/plugins/security/server/authorization/authorization_service.test.ts @@ -55,7 +55,7 @@ afterEach(() => { }); it(`#setup returns exposed services`, () => { - const mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient(); + const mockClusterClient = elasticsearchServiceMock.createClusterClient(); const mockGetSpacesService = jest .fn() .mockReturnValue({ getSpaceId: jest.fn(), namespaceToSpaceId: jest.fn() }); @@ -64,10 +64,11 @@ it(`#setup returns exposed services`, () => { const mockCoreSetup = coreMock.createSetup(); const authorizationService = new AuthorizationService(); + const getClusterClient = () => Promise.resolve(mockClusterClient); const authz = authorizationService.setup({ http: mockCoreSetup.http, capabilities: mockCoreSetup.capabilities, - clusterClient: mockClusterClient, + getClusterClient, license: mockLicense, loggers: loggingSystemMock.create(), kibanaIndexName, @@ -84,7 +85,7 @@ it(`#setup returns exposed services`, () => { expect(authz.checkPrivilegesWithRequest).toBe(mockCheckPrivilegesWithRequest); expect(checkPrivilegesWithRequestFactory).toHaveBeenCalledWith( authz.actions, - mockClusterClient, + getClusterClient, authz.applicationName ); 
@@ -119,14 +120,14 @@ describe('#start', () => { beforeEach(() => { statusSubject = new Subject(); - const mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient(); + const mockClusterClient = elasticsearchServiceMock.createClusterClient(); const mockCoreSetup = coreMock.createSetup(); const authorizationService = new AuthorizationService(); authorizationService.setup({ http: mockCoreSetup.http, capabilities: mockCoreSetup.capabilities, - clusterClient: mockClusterClient, + getClusterClient: () => Promise.resolve(mockClusterClient), license: licenseMock.create(), loggers: loggingSystemMock.create(), kibanaIndexName, @@ -190,7 +191,7 @@ describe('#start', () => { }); it('#stop unsubscribes from license and ES updates.', async () => { - const mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient(); + const mockClusterClient = elasticsearchServiceMock.createClusterClient(); const statusSubject = new Subject(); const mockCoreSetup = coreMock.createSetup(); @@ -198,7 +199,7 @@ it('#stop unsubscribes from license and ES updates.', async () => { authorizationService.setup({ http: mockCoreSetup.http, capabilities: mockCoreSetup.capabilities, - clusterClient: mockClusterClient, + getClusterClient: () => Promise.resolve(mockClusterClient), license: licenseMock.create(), loggers: loggingSystemMock.create(), kibanaIndexName, diff --git a/x-pack/plugins/security/server/authorization/authorization_service.tsx b/x-pack/plugins/security/server/authorization/authorization_service.tsx index a45bca90d8b56..b4640c1112eef 100644 --- a/x-pack/plugins/security/server/authorization/authorization_service.tsx +++ b/x-pack/plugins/security/server/authorization/authorization_service.tsx @@ -16,10 +16,10 @@ import type { Capabilities as UICapabilities } from '../../../../../src/core/typ import { LoggerFactory, KibanaRequest, - ILegacyClusterClient, Logger, HttpServiceSetup, CapabilitiesSetup, + IClusterClient, } from '../../../../../src/core/server'; import { 
@@ -63,7 +63,7 @@ interface AuthorizationServiceSetupParams { buildNumber: number; http: HttpServiceSetup; capabilities: CapabilitiesSetup; - clusterClient: ILegacyClusterClient; + getClusterClient: () => Promise; license: SecurityLicense; loggers: LoggerFactory; features: FeaturesPluginSetup; @@ -74,7 +74,7 @@ interface AuthorizationServiceSetupParams { interface AuthorizationServiceStartParams { features: FeaturesPluginStart; - clusterClient: ILegacyClusterClient; + clusterClient: IClusterClient; online$: Observable; } @@ -100,7 +100,7 @@ export class AuthorizationService { capabilities, packageVersion, buildNumber, - clusterClient, + getClusterClient, license, loggers, features, @@ -117,7 +117,7 @@ export class AuthorizationService { const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory( actions, - clusterClient, + getClusterClient, this.applicationName ); diff --git a/x-pack/plugins/security/server/authorization/check_privileges.test.ts b/x-pack/plugins/security/server/authorization/check_privileges.test.ts index 4151ff645005d..69f32dedfcd8a 100644 --- a/x-pack/plugins/security/server/authorization/check_privileges.test.ts +++ b/x-pack/plugins/security/server/authorization/check_privileges.test.ts 
@@ -21,10 +21,12 @@ const mockActions = { const savedObjectTypes = ['foo-type', 'bar-type']; const createMockClusterClient = (response: any) => { - const mockScopedClusterClient = elasticsearchServiceMock.createLegacyScopedClusterClient(); - mockScopedClusterClient.callAsCurrentUser.mockResolvedValue(response); + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.asCurrentUser.security.hasPrivileges.mockResolvedValue({ + body: response, + } as any); - const mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient(); + const mockClusterClient = elasticsearchServiceMock.createClusterClient(); mockClusterClient.asScoped.mockReturnValue(mockScopedClusterClient); return { mockClusterClient, mockScopedClusterClient }; @@ -45,7 +47,7 @@ describe('#atSpace', () => { ); const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory( mockActions, - mockClusterClient, + () => Promise.resolve(mockClusterClient), application ); const request = httpServerMock.createKibanaRequest(); @@ -70,7 +72,7 @@ describe('#atSpace', () => { })); expect(mockClusterClient.asScoped).toHaveBeenCalledWith(request); - expect(mockScopedClusterClient.callAsCurrentUser).toHaveBeenCalledWith('shield.hasPrivileges', { + expect(mockScopedClusterClient.asCurrentUser.security.hasPrivileges).toHaveBeenCalledWith({ body: { cluster: options.elasticsearchPrivileges?.cluster, index: expectedIndexPrivilegePayload, @@ -891,7 +893,7 @@ describe('#atSpaces', () => { ); const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory( mockActions, - mockClusterClient, + () => Promise.resolve(mockClusterClient), application ); const request = httpServerMock.createKibanaRequest(); 
@@ -916,7 +918,7 @@ describe('#atSpaces', () => { })); expect(mockClusterClient.asScoped).toHaveBeenCalledWith(request); - expect(mockScopedClusterClient.callAsCurrentUser).toHaveBeenCalledWith('shield.hasPrivileges', { + expect(mockScopedClusterClient.asCurrentUser.security.hasPrivileges).toHaveBeenCalledWith({ body: { cluster: options.elasticsearchPrivileges?.cluster, index: expectedIndexPrivilegePayload, @@ -2095,7 +2097,7 @@ describe('#globally', () => { ); const checkPrivilegesWithRequest = checkPrivilegesWithRequestFactory( mockActions, - mockClusterClient, + () => Promise.resolve(mockClusterClient), application ); const request = httpServerMock.createKibanaRequest(); @@ -2120,7 +2122,7 @@ describe('#globally', () => { })); expect(mockClusterClient.asScoped).toHaveBeenCalledWith(request); - expect(mockScopedClusterClient.callAsCurrentUser).toHaveBeenCalledWith('shield.hasPrivileges', { + expect(mockScopedClusterClient.asCurrentUser.security.hasPrivileges).toHaveBeenCalledWith({ body: { cluster: options.elasticsearchPrivileges?.cluster, index: expectedIndexPrivilegePayload, diff --git a/x-pack/plugins/security/server/authorization/check_privileges.ts b/x-pack/plugins/security/server/authorization/check_privileges.ts index 27e1802b4e5c2..06973bc796733 100644 --- a/x-pack/plugins/security/server/authorization/check_privileges.ts +++ b/x-pack/plugins/security/server/authorization/check_privileges.ts @@ -5,7 +5,7 @@ */ import { pick, transform, uniq } from 'lodash'; -import { ILegacyClusterClient, KibanaRequest } from '../../../../../src/core/server'; +import { IClusterClient, KibanaRequest } from '../../../../../src/core/server'; import { GLOBAL_RESOURCE } from '../../common/constants'; import { ResourceSerializer } from './resource_serializer'; import { 
@@ -24,7 +24,7 @@ interface CheckPrivilegesActions { export function checkPrivilegesWithRequestFactory( actions: CheckPrivilegesActions, - clusterClient: ILegacyClusterClient, + getClusterClient: () => Promise, applicationName: string ) { const hasIncompatibleVersion = ( @@ -47,9 +47,10 @@ export function checkPrivilegesWithRequestFactory( : []; const allApplicationPrivileges = uniq([actions.version, actions.login, ...kibanaPrivileges]); - const hasPrivilegesResponse = (await clusterClient + const clusterClient = await getClusterClient(); + const { body: hasPrivilegesResponse } = await clusterClient .asScoped(request) - .callAsCurrentUser('shield.hasPrivileges', { + .asCurrentUser.security.hasPrivileges({ body: { cluster: privileges.elasticsearch?.cluster, index: Object.entries(privileges.elasticsearch?.index ?? {}).map( @@ -62,7 +63,7 @@ export function checkPrivilegesWithRequestFactory( { application: applicationName, resources, privileges: allApplicationPrivileges }, ], }, - })) as HasPrivilegesResponse; + }); validateEsPrivilegeResponse( hasPrivilegesResponse, diff --git a/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.test.ts b/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.test.ts index fef3ee78ed1bc..3087a62b1a83a 100644 --- a/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.test.ts +++ b/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.test.ts @@ -5,7 +5,7 @@ */ /* eslint-disable @typescript-eslint/naming-convention */ -import { ILegacyClusterClient, Logger } from 'kibana/server'; +import { Logger } from 'kibana/server'; import { RawKibanaPrivileges } from '../../common/model'; import { registerPrivilegesWithCluster } from './register_privileges_with_cluster'; 
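Review bot: The `await getClusterClient()` added in the hunk at -47 puts the start-services promise on the path of every privilege check, but nothing visible documents or tests what happens when that getter rejects. The visible lines show no catch around it, so a rejection should propagate and the check should fail closed; the enclosing function starts and ends outside the hunk, so this needs confirming. I would state the contract on the parameter, e.g. `// getClusterClient: resolved per check; a rejection must propagate so the check never reports success without asking Elasticsearch`. I would also add a case to check_privileges.test.ts that passes `() => Promise.reject(new Error('unavailable'))` and expects the check to reject, since every updated test passes only a resolving getter.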
@@ -33,29 +33,33 @@ const registerPrivilegesWithClusterTest = ( } ) => { const createExpectUpdatedPrivileges = ( - mockClusterClient: jest.Mocked, + mockClusterClient: ReturnType, mockLogger: jest.Mocked, error: Error ) => { return (postPrivilegesBody: any, deletedPrivileges: string[] = []) => { expect(error).toBeUndefined(); - expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledTimes( - 2 + deletedPrivileges.length - ); - expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.getPrivilege', { - privilege: application, + expect(mockClusterClient.asInternalUser.security.getPrivileges).toHaveBeenCalledTimes(1); + expect(mockClusterClient.asInternalUser.security.getPrivileges).toHaveBeenCalledWith({ + application, }); - expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith('shield.postPrivileges', { + + expect(mockClusterClient.asInternalUser.security.putPrivileges).toHaveBeenCalledTimes(1); + expect(mockClusterClient.asInternalUser.security.putPrivileges).toHaveBeenCalledWith({ body: postPrivilegesBody, }); + + expect(mockClusterClient.asInternalUser.security.deletePrivileges).toHaveBeenCalledTimes( + deletedPrivileges.length + ); for (const deletedPrivilege of deletedPrivileges) { expect(mockLogger.debug).toHaveBeenCalledWith( `Deleting Kibana Privilege ${deletedPrivilege} from Elasticsearch for ${application}` ); - expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledWith( - 'shield.deletePrivilege', - { application, privilege: deletedPrivilege } - ); + expect(mockClusterClient.asInternalUser.security.deletePrivileges).toHaveBeenCalledWith({ + application, + name: deletedPrivilege, + }); } expect(mockLogger.debug).toHaveBeenCalledWith( 
@@ -68,15 +72,15 @@ const registerPrivilegesWithClusterTest = ( }; const createExpectDidntUpdatePrivileges = ( - mockClusterClient: jest.Mocked, + mockClusterClient: ReturnType, mockLogger: Logger, error: Error ) => { return () => { expect(error).toBeUndefined(); - expect(mockClusterClient.callAsInternalUser).toHaveBeenCalledTimes(1); - expect(mockClusterClient.callAsInternalUser).toHaveBeenLastCalledWith('shield.getPrivilege', { - privilege: application, + expect(mockClusterClient.asInternalUser.security.getPrivileges).toHaveBeenCalledTimes(1); + expect(mockClusterClient.asInternalUser.security.getPrivileges).toHaveBeenLastCalledWith({ + application, }); expect(mockLogger.debug).toHaveBeenCalledWith( 
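Review bot: `createExpectDidntUpdatePrivileges` no longer proves that nothing was written. The old `callAsInternalUser` count of 1 covered every API on the shared mock, while the new assertions only count `getPrivileges`, so a regression that re-registers or deletes privileges when they are already equal would pass. Add `expect(mockClusterClient.asInternalUser.security.putPrivileges).not.toHaveBeenCalled();` and the same for `deletePrivileges`. The hunk at -101 has a related gap: the removed `default: expect(true).toBe(false)` branch used to fail the test on any unexpected internal-user call, and the per-method mocks have no equivalent. The helper's body continues outside this hunk.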
@@ -101,36 +105,25 @@ const registerPrivilegesWithClusterTest = ( }; test(description, async () => { - const mockClusterClient = elasticsearchServiceMock.createLegacyClusterClient(); - mockClusterClient.callAsInternalUser.mockImplementation(async (api) => { - switch (api) { - case 'shield.getPrivilege': { - if (throwErrorWhenGettingPrivileges) { - throw throwErrorWhenGettingPrivileges; - } - - // ES returns an empty object if we don't have any privileges - if (!existingPrivileges) { - return {}; - } + const mockClusterClient = elasticsearchServiceMock.createClusterClient(); + mockClusterClient.asInternalUser.security.getPrivileges.mockImplementation((async () => { + if (throwErrorWhenGettingPrivileges) { + throw throwErrorWhenGettingPrivileges; + } - return existingPrivileges; - } - case 'shield.deletePrivilege': { - break; - } - case 'shield.postPrivileges': { - if (throwErrorWhenPuttingPrivileges) { - throw throwErrorWhenPuttingPrivileges; - } + // ES returns an empty object if we don't have any privileges + if (!existingPrivileges) { + return { body: {} }; + } - return; - } - default: { - expect(true).toBe(false); - } + return { body: existingPrivileges }; + }) as any); + mockClusterClient.asInternalUser.security.putPrivileges.mockImplementation((async () => { + if (throwErrorWhenPuttingPrivileges) { + throw throwErrorWhenPuttingPrivileges; } - }); + }) as any); + const mockLogger = loggingSystemMock.create().get() as jest.Mocked; let error; diff --git a/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.ts b/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.ts index 8b5c119d59494..b46d673357fba 100644 --- a/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.ts +++ b/x-pack/plugins/security/server/authorization/register_privileges_with_cluster.ts 
@@ -5,7 +5,7 @@ */ import { isEqual, isEqualWith, difference } from 'lodash'; -import { ILegacyClusterClient, Logger } from '../../../../../src/core/server'; +import { IClusterClient, Logger } from '../../../../../src/core/server'; import { serializePrivileges } from './privileges_serializer'; import { PrivilegesService } from './privileges'; @@ -14,7 +14,7 @@ export async function registerPrivilegesWithCluster( logger: Logger, privileges: PrivilegesService, application: string, - clusterClient: ILegacyClusterClient + clusterClient: IClusterClient ) { const arePrivilegesEqual = ( existingPrivileges: Record, @@ -57,9 +57,9 @@ export async function registerPrivilegesWithCluster( try { // we only want to post the privileges when they're going to change as Elasticsearch has // to clear the role cache to get these changes reflected in the _has_privileges API - const existingPrivileges = await clusterClient.callAsInternalUser('shield.getPrivilege', { - privilege: application, - }); + const { body: existingPrivileges } = await clusterClient.asInternalUser.security.getPrivileges< + Record + >({ application }); if (arePrivilegesEqual(existingPrivileges, expectedPrivileges)) { logger.debug(`Kibana Privileges already registered with Elasticsearch for ${application}`); return; @@ -71,9 +71,9 @@ export async function registerPrivilegesWithCluster( `Deleting Kibana Privilege ${privilegeToDelete} from Elasticsearch for ${application}` ); try { - await clusterClient.callAsInternalUser('shield.deletePrivilege', { + await clusterClient.asInternalUser.security.deletePrivileges({ application, - privilege: privilegeToDelete, + name: privilegeToDelete, }); } catch (err) { logger.error(`Error deleting Kibana Privilege ${privilegeToDelete}`); 
@@ -81,7 +81,7 @@ export async function registerPrivilegesWithCluster( } } - await clusterClient.callAsInternalUser('shield.postPrivileges', { body: expectedPrivileges }); + await clusterClient.asInternalUser.security.putPrivileges({ body: expectedPrivileges }); logger.debug(`Updated Kibana Privileges with Elasticsearch for ${application}`); } catch (err) { logger.error( diff --git a/x-pack/plugins/security/server/elasticsearch/elasticsearch_client_plugin.ts b/x-pack/plugins/security/server/elasticsearch/elasticsearch_client_plugin.ts index 0a43d8dd6973a..7823e8b401190 100644 --- a/x-pack/plugins/security/server/elasticsearch/elasticsearch_client_plugin.ts +++ b/x-pack/plugins/security/server/elasticsearch/elasticsearch_client_plugin.ts 
@@ -22,82 +22,6 @@ export function elasticsearchClientPlugin(Client: any, config: unknown, componen }, }); - /** - * Perform a [shield.getRole](Retrieve one or more roles from the native shield realm) request - * - * @param {Object} params - An object with parameters used to carry out this action - * @param {String} params.name - Role name - */ - shield.getRole = ca({ - params: {}, - urls: [ - { - fmt: '/_security/role/<%=name%>', - req: { - name: { - type: 'string', - required: false, - }, - }, - }, - { - fmt: '/_security/role', - }, - ], - }); - - /** - * Perform a [shield.putRole](Update or create a role for the native shield realm) request - * - * @param {Object} params - An object with parameters used to carry out this action - * @param {Boolean} params.refresh - Refresh the index after performing the operation - * @param {String} params.name - Role name - */ - shield.putRole = ca({ - params: { - refresh: { - type: 'boolean', - }, - }, - url: { - fmt: '/_security/role/<%=name%>', - req: { - name: { - type: 'string', - required: true, - }, - }, - }, - needBody: true, - method: 'PUT', - }); - - /** - * Perform a [shield.putUser](Update or create a user for the native shield realm) request - * - * @param {Object} params - An object with parameters used to carry out this action - * @param {Boolean} params.refresh - Refresh the index after performing the operation - * @param {String} params.username - The username of the User - */ - shield.putUser = ca({ - params: { - refresh: { - type: 'boolean', - }, - }, - url: { - fmt: '/_security/user/<%=username%>', - req: { - username: { - type: 'string', - required: true, - }, - }, - }, - needBody: true, - method: 'PUT', - }); - /** * Asks Elasticsearch to prepare SAML authentication request to be sent to * the 3rd-party SAML identity provider. 
@@ -272,59 +196,6 @@ export function elasticsearchClientPlugin(Client: any, config: unknown, componen }, }); - shield.getPrivilege = ca({ - method: 'GET', - urls: [ - { - fmt: '/_security/privilege/<%=privilege%>', - req: { - privilege: { - type: 'string', - required: false, - }, - }, - }, - { - fmt: '/_security/privilege', - }, - ], - }); - - shield.deletePrivilege = ca({ - method: 'DELETE', - urls: [ - { - fmt: '/_security/privilege/<%=application%>/<%=privilege%>', - req: { - application: { - type: 'string', - required: true, - }, - privilege: { - type: 'string', - required: true, - }, - }, - }, - ], - }); - - shield.postPrivileges = ca({ - method: 'POST', - needBody: true, - url: { - fmt: '/_security/privilege', - }, - }); - - shield.hasPrivileges = ca({ - method: 'POST', - needBody: true, - url: { - fmt: '/_security/user/_has_privileges', - }, - }); - /** * Creates an API key in Elasticsearch for the current user. * diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index d6fe1356ce145..15d25971800f8 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -141,6 +141,12 @@ export class Plugin { .pipe(first()) .toPromise(); + // A subset of `start` services we need during `setup`. + const startServicesPromise = core.getStartServices().then(([coreServices, depsServices]) => ({ + elasticsearch: coreServices.elasticsearch, + features: depsServices.features, + })); + this.securityLicenseService = new SecurityLicenseService(); const { license } = this.securityLicenseService.setup({ license$: licensing.license$, @@ -200,7 +206,8 @@ export class Plugin { const authz = this.authorizationService.setup({ http: core.http, capabilities: core.capabilities, - clusterClient, + getClusterClient: () => + startServicesPromise.then(({ elasticsearch }) => elasticsearch.client), license, loggers: this.initializerContext.logger, kibanaIndexName: legacyConfig.kibana.index, 
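Review bot: `startServicesPromise` (hunk at -141) is created eagerly during `setup` with no rejection handler in the visible lines. If `core.getStartServices()` can reject, the failure would first surface as an unhandled rejection rather than through the plugin's logger. Its consumers, `getClusterClient` in the hunk at -200 and `getFeatures` in the later hunk at -236, only attach handlers when they are first called. Since authorization checks now wait on this promise, the existing comment could say so: `// Resolves only once start has run; privilege checks issued earlier wait on it instead of using a setup-time client.` Both hunks sit inside a method whose start and end are outside the hunk.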
@@ -236,9 +243,7 @@ export class Plugin { license, session, getFeatures: () => - core - .getStartServices() - .then(([, { features: featuresStart }]) => featuresStart.getKibanaFeatures()), + startServicesPromise.then((services) => services.features.getKibanaFeatures()), getFeatureUsageService: this.getFeatureUsageService, }); @@ -276,10 +281,14 @@ export class Plugin { featureUsage: licensing.featureUsage, }); - const { clusterClient, watchOnlineStatus$ } = this.elasticsearchService.start(); + const { watchOnlineStatus$ } = this.elasticsearchService.start(); this.sessionManagementService.start({ online$: watchOnlineStatus$(), taskManager }); - this.authorizationService.start({ features, clusterClient, online$: watchOnlineStatus$() }); + this.authorizationService.start({ + features, + clusterClient: core.elasticsearch.client, + online$: watchOnlineStatus$(), + }); } public stop() { diff --git a/x-pack/test/api_integration/apis/es/has_privileges.js b/x-pack/test/api_integration/apis/es/has_privileges.ts similarity index 87% rename from x-pack/test/api_integration/apis/es/has_privileges.js rename to x-pack/test/api_integration/apis/es/has_privileges.ts index 88b166b60865b..7addba8476aa7 100644 --- a/x-pack/test/api_integration/apis/es/has_privileges.js +++ b/x-pack/test/api_integration/apis/es/has_privileges.ts @@ -4,15 +4,16 @@ * you may not use this file except in compliance with the Elastic License. */ import expect from '@kbn/expect'; +import { FtrProviderContext } from '../../ftr_provider_context'; const application = 'has_privileges_test'; -export default function ({ getService }) { +export default function ({ getService }: FtrProviderContext) { describe('has_privileges', () => { before(async () => { - const es = getService('legacyEs'); + const es = getService('es'); - await es.shield.postPrivileges({ + await es.security.putPrivileges({ body: { [application]: { read: { 
@@ -25,7 +26,7 @@ export default function ({ getService }) { }, }); - await es.shield.putRole({ + await es.security.putRole({ name: 'hp_read_user', body: { cluster: [], @@ -40,7 +41,7 @@ export default function ({ getService }) { }, }); - await es.shield.putUser({ + await es.security.putUser({ username: 'testuser', body: { password: 'testpassword', @@ -51,7 +52,9 @@ export default function ({ getService }) { }); }); - function createHasPrivilegesRequest(privileges) { + function createHasPrivilegesRequest( + privileges: string[] + ): Promise<{ body: Record }> { const supertest = getService('esSupertestWithoutAuth'); return supertest .post(`/_security/user/_has_privileges`) @@ -105,8 +108,8 @@ export default function ({ getService }) { }); // Create privilege - const es = getService('legacyEs'); - await es.shield.postPrivileges({ + const es = getService('es'); + await es.security.putPrivileges({ body: { [application]: { read: { diff --git a/x-pack/test/api_integration/apis/es/index.js b/x-pack/test/api_integration/apis/es/index.ts similarity index 74% rename from x-pack/test/api_integration/apis/es/index.js rename to x-pack/test/api_integration/apis/es/index.ts index 6317d6b93878f..1869a23d2facf 100644 --- a/x-pack/test/api_integration/apis/es/index.js +++ b/x-pack/test/api_integration/apis/es/index.ts @@ -4,7 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ -export default function ({ loadTestFile }) { +import { FtrProviderContext } from '../../ftr_provider_context'; + +export default function ({ loadTestFile }: FtrProviderContext) { describe('rbac es', () => { loadTestFile(require.resolve('./has_privileges')); loadTestFile(require.resolve('./post_privileges')); 
diff --git a/x-pack/test/api_integration/apis/es/post_privileges.js b/x-pack/test/api_integration/apis/es/post_privileges.ts similarity index 83% rename from x-pack/test/api_integration/apis/es/post_privileges.js rename to x-pack/test/api_integration/apis/es/post_privileges.ts index d1a4365e770ae..e8428ab4925ef 100644 --- a/x-pack/test/api_integration/apis/es/post_privileges.js +++ b/x-pack/test/api_integration/apis/es/post_privileges.ts @@ -4,13 +4,14 @@ * you may not use this file except in compliance with the Elastic License. */ import expect from '@kbn/expect'; +import { FtrProviderContext } from '../../ftr_provider_context'; -export default function ({ getService }) { +export default function ({ getService }: FtrProviderContext) { describe('post_privileges', () => { it('should allow privileges to be updated', async () => { - const es = getService('legacyEs'); + const es = getService('es'); const application = 'foo'; - const response = await es.shield.postPrivileges({ + const response = await es.security.putPrivileges({ body: { [application]: { all: { @@ -29,7 +30,7 @@ export default function ({ getService }) { }, }); - expect(response).to.eql({ + expect(response.body).to.eql({ foo: { all: { created: true }, read: { created: true }, @@ -40,7 +41,7 @@ export default function ({ getService }) { // 1. Not specifying the "all" privilege that we created above // 2. Specifying a different collection of "read" actions // 3. Adding a new "other" privilege - const updateResponse = await es.shield.postPrivileges({ + const updateResponse = await es.security.putPrivileges({ body: { [application]: { read: { 
@@ -59,15 +60,15 @@ export default function ({ getService }) { }, }); - expect(updateResponse).to.eql({ + expect(updateResponse.body).to.eql({ foo: { other: { created: true }, read: { created: false }, }, }); - const retrievedPrivilege = await es.shield.getPrivilege({ privilege: application }); - expect(retrievedPrivilege).to.eql({ + const retrievedPrivilege = await es.security.getPrivileges({ application }); + expect(retrievedPrivilege.body).to.eql({ foo: { // "all" is maintained even though the subsequent update did not specify this privilege all: { diff --git a/x-pack/test/api_integration/apis/index.js b/x-pack/test/api_integration/apis/index.ts similarity index 91% rename from x-pack/test/api_integration/apis/index.js rename to x-pack/test/api_integration/apis/index.ts index a1bcaa13cc52b..062382cd70ff2 100644 --- a/x-pack/test/api_integration/apis/index.js +++ b/x-pack/test/api_integration/apis/index.ts @@ -4,7 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ -export default function ({ loadTestFile }) { +import { FtrProviderContext } from '../ftr_provider_context'; + +export default function ({ loadTestFile }: FtrProviderContext) { describe('apis', function () { this.tags('ciGroup6'); diff --git a/x-pack/test/api_integration/apis/security/index.js b/x-pack/test/api_integration/apis/security/index.ts similarity index 86% rename from x-pack/test/api_integration/apis/security/index.js rename to x-pack/test/api_integration/apis/security/index.ts index 19eddb311b451..2d112215f4fc1 100644 --- a/x-pack/test/api_integration/apis/security/index.js +++ b/x-pack/test/api_integration/apis/security/index.ts @@ -4,7 +4,9 @@ * you may not use this file except in compliance with the Elastic License. */ -export default function ({ loadTestFile }) { +import { FtrProviderContext } from '../../ftr_provider_context'; + +export default function ({ loadTestFile }: FtrProviderContext) { describe('security', function () { this.tags('ciGroup6'); 
diff --git a/x-pack/test/api_integration/apis/security/roles.js b/x-pack/test/api_integration/apis/security/roles.ts similarity index 89% rename from x-pack/test/api_integration/apis/security/roles.js rename to x-pack/test/api_integration/apis/security/roles.ts index 38b878d25693b..e39a95498b4c2 100644 --- a/x-pack/test/api_integration/apis/security/roles.js +++ b/x-pack/test/api_integration/apis/security/roles.ts @@ -5,9 +5,10 @@ */ import expect from '@kbn/expect'; +import { FtrProviderContext } from '../../ftr_provider_context'; -export default function ({ getService }) { - const es = getService('legacyEs'); +export default function ({ getService }: FtrProviderContext) { + const es = getService('es'); const supertest = getService('supertest'); const config = getService('config'); const basic = config.get('esTestCluster.license') === 'basic'; @@ -56,7 +57,7 @@ export default function ({ getService }) { }) .expect(204); - const role = await es.shield.getRole({ name: 'role_with_privileges' }); + const { body: role } = await es.security.getRole({ name: 'role_with_privileges' }); expect(role).to.eql({ role_with_privileges: { cluster: ['manage'], @@ -121,7 +122,7 @@ export default function ({ getService }) { describe('Update Role', () => { it('should update a role with elasticsearch, kibana and other applications privileges', async () => { - await es.shield.putRole({ + await es.security.putRole({ name: 'role_to_update', body: { cluster: ['monitor'], @@ -184,7 +185,7 @@ export default function ({ getService }) { }) .expect(204); - const role = await es.shield.getRole({ name: 'role_to_update' }); + const { body: role } = await es.security.getRole({ name: 'role_to_update' }); expect(role).to.eql({ role_to_update: { cluster: ['manage'], 
@@ -225,7 +226,7 @@ export default function ({ getService }) { it(`should ${basic ? 'not' : ''} update a role adding DLS and TLS priviledges when using ${basic ? 'basic' : 'trial'} license`, async () => { - await es.shield.putRole({ + await es.security.putRole({ name: 'role_to_update_with_dls_fls', body: { cluster: ['monitor'], @@ -261,7 +262,7 @@ export default function ({ getService }) { }) .expect(basic ? 403 : 204); - const role = await es.shield.getRole({ name: 'role_to_update_with_dls_fls' }); + const { body: role } = await es.security.getRole({ name: 'role_to_update_with_dls_fls' }); expect(role.role_to_update_with_dls_fls.cluster).to.eql(basic ? ['monitor'] : ['manage']); expect(role.role_to_update_with_dls_fls.run_as).to.eql( @@ -278,7 +279,7 @@ export default function ({ getService }) { describe('Get Role', () => { it('should get roles', async () => { - await es.shield.putRole({ + await es.security.putRole({ name: 'role_to_get', body: { cluster: ['manage'], 
@@ -378,24 +379,30 @@ export default function ({ getService }) { .set('kbn-xsrf', 'xxx') .expect(204); - const emptyRole = await es.shield.getRole({ name: 'empty_role', ignore: [404] }); + const { body: emptyRole } = await es.security.getRole( + { name: 'empty_role' }, + { ignore: [404] } + ); expect(emptyRole).to.eql({}); - const roleWithPrivileges = await es.shield.getRole({ - name: 'role_with_privileges', - ignore: [404], - }); + const { body: roleWithPrivileges } = await es.security.getRole( + { name: 'role_with_privileges' }, + { ignore: [404] } + ); expect(roleWithPrivileges).to.eql({}); - const roleWithPriviledgesDlsFls = await es.shield.getRole({ - name: 'role_with_privileges_dls_fls', - ignore: [404], - }); - expect(roleWithPriviledgesDlsFls).to.eql({}); - const roleToUpdate = await es.shield.getRole({ name: 'role_to_update', ignore: [404] }); + const { body: roleWithPrivilegesDlsFls } = await es.security.getRole( + { name: 'role_with_privileges_dls_fls' }, + { ignore: [404] } + ); + expect(roleWithPrivilegesDlsFls).to.eql({}); + const { body: roleToUpdate } = await es.security.getRole( + { name: 'role_to_update' }, + { ignore: [404] } + ); expect(roleToUpdate).to.eql({}); - const roleToUpdateWithDlsFls = await es.shield.getRole({ - name: 'role_to_update_with_dls_fls', - ignore: [404], - }); + const { body: roleToUpdateWithDlsFls } = await es.security.getRole( + { name: 'role_to_update_with_dls_fls' }, + { ignore: [404] } + ); expect(roleToUpdateWithDlsFls).to.eql({}); }); }); diff --git a/x-pack/test/api_integration/services/legacy_es.js b/x-pack/test/api_integration/services/legacy_es.js index c184a87365977..46de852b16a46 100644 --- a/x-pack/test/api_integration/services/legacy_es.js +++ b/x-pack/test/api_integration/services/legacy_es.js 
@@ -8,7 +8,6 @@ import { format as formatUrl } from 'url'; import * as legacyElasticsearch from 'elasticsearch'; -import { elasticsearchClientPlugin as securityEsClientPlugin } from '../../../plugins/security/server/elasticsearch/elasticsearch_client_plugin'; import { elasticsearchJsPlugin as indexManagementEsClientPlugin } from '../../../plugins/index_management/server/client/elasticsearch'; import { elasticsearchJsPlugin as snapshotRestoreEsClientPlugin } from '../../../plugins/snapshot_restore/server/client/elasticsearch_sr'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths @@ -21,6 +20,6 @@ export function LegacyEsProvider({ getService }) { apiVersion: DEFAULT_API_VERSION, host: formatUrl(config.get('servers.elasticsearch')), requestTimeout: config.get('timeouts.esRequestTimeout'), - plugins: [securityEsClientPlugin, indexManagementEsClientPlugin, snapshotRestoreEsClientPlugin], + plugins: [indexManagementEsClientPlugin, snapshotRestoreEsClientPlugin], }); } diff --git a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts index 730e974de43c7..86a90c8adfad7 100644 --- a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts +++ b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.ts @@ -4,9 +4,10 @@ * you may not use this file except in compliance with the Elastic License. */ import { SuperTest } from 'supertest'; +import { Client } from '@elastic/elasticsearch'; import { AUTHENTICATION } from './authentication'; -export const createUsersAndRoles = async (es: any, supertest: SuperTest) => { +export const createUsersAndRoles = async (es: Client, supertest: SuperTest) => { await supertest .put('/api/security/role/kibana_legacy_user') .send({ 
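Review bot: In x-pack/test/api_integration/services/legacy_es.js the `plugins` array no longer registers the security client plugin, so `legacyEs.shield` will be undefined for any suite that still calls it. Because this is a plain JS service, nothing catches that before the test runs. Callers outside this diff are not visible here, so a repo-wide search for `.shield.` is worth doing before merging. A short comment above the `plugins` line would help the next author, e.g. `// Security APIs are not registered on the legacy client; use the 'es' service (es.security.*) instead.` The body of LegacyEsProvider starts outside the hunk.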
@@ -130,7 +131,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }) .expect(204); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.NOT_A_KIBANA_USER.username, body: { password: AUTHENTICATION.NOT_A_KIBANA_USER.password, @@ -140,7 +141,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_LEGACY_USER.username, body: { password: AUTHENTICATION.KIBANA_LEGACY_USER.password, @@ -150,7 +151,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.username, body: { password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.password, @@ -160,7 +161,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.username, body: { password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.password, @@ -170,7 +171,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_USER.password, @@ -180,7 +181,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.password, 
@@ -190,7 +191,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.password, @@ -200,7 +201,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.password, @@ -210,7 +211,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.password, @@ -220,7 +221,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.password, diff --git a/x-pack/test/saved_object_api_integration/common/services/index.ts b/x-pack/test/saved_object_api_integration/common/services/index.ts index 273a976209bd1..0e5de12730267 100644 --- a/x-pack/test/saved_object_api_integration/common/services/index.ts +++ b/x-pack/test/saved_object_api_integration/common/services/index.ts @@ -4,9 +4,6 @@ * you may not use this file except in compliance with the Elastic License. */ -// @ts-ignore not ts yet -import { LegacyEsProvider } from './legacy_es'; - import { services as commonServices } from '../../../common/services'; import { services as apiIntegrationServices } from '../../../api_integration/services'; import { services as kibanaApiIntegrationServices } from '../../../../../test/api_integration/services'; 
@@ -14,7 +11,6 @@ import { services as kibanaFunctionalServices } from '../../../../../test/functi export const services = { ...commonServices, - legacyEs: LegacyEsProvider, esSupertestWithoutAuth: apiIntegrationServices.esSupertestWithoutAuth, supertest: kibanaApiIntegrationServices.supertest, supertestWithoutAuth: apiIntegrationServices.supertestWithoutAuth, diff --git a/x-pack/test/saved_object_api_integration/common/services/legacy_es.js b/x-pack/test/saved_object_api_integration/common/services/legacy_es.js deleted file mode 100644 index c8bf1810daafe..0000000000000 --- a/x-pack/test/saved_object_api_integration/common/services/legacy_es.js +++ /dev/null @@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { format as formatUrl } from 'url'; - -import * as legacyElasticsearch from 'elasticsearch'; - -import { elasticsearchClientPlugin } from '../../../../plugins/security/server/elasticsearch/elasticsearch_client_plugin'; - -export function LegacyEsProvider({ getService }) { - const config = getService('config'); - - return new legacyElasticsearch.Client({ - host: formatUrl(config.get('servers.elasticsearch')), - requestTimeout: config.get('timeouts.esRequestTimeout'), - plugins: [elasticsearchClientPlugin], - }); -} diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts index ed501b235a457..3cc6b85cb97c0 100644 --- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts +++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/index.ts 
@@ -8,7 +8,7 @@ import { createUsersAndRoles } from '../../common/lib/create_users_and_roles'; import { FtrProviderContext } from '../../common/ftr_provider_context'; export default function ({ getService, loadTestFile }: FtrProviderContext) { - const es = getService('legacyEs'); + const es = getService('es'); const supertest = getService('supertest'); describe('saved objects security and spaces enabled', function () { diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/index.ts b/x-pack/test/saved_object_api_integration/security_only/apis/index.ts index 997dbef49360f..c52ba3f595711 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/index.ts +++ b/x-pack/test/saved_object_api_integration/security_only/apis/index.ts @@ -8,7 +8,7 @@ import { createUsersAndRoles } from '../../common/lib/create_users_and_roles'; import { FtrProviderContext } from '../../common/ftr_provider_context'; export default function ({ getService, loadTestFile }: FtrProviderContext) { - const es = getService('legacyEs'); + const es = getService('es'); const supertest = getService('supertest'); describe('saved objects security only enabled', function () { diff --git a/x-pack/test/security_api_integration/saml.config.ts b/x-pack/test/security_api_integration/saml.config.ts index 133e52d68d87e..3e00256981a7a 100644 --- a/x-pack/test/security_api_integration/saml.config.ts +++ b/x-pack/test/security_api_integration/saml.config.ts @@ -6,11 +6,9 @@ import { resolve } from 'path'; import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; +import { services } from './services'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { - const kibanaAPITestsConfig = await readConfigFile( - require.resolve('../../../test/api_integration/config.js') - ); const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.ts')); const kibanaPort = xPackAPITestsConfig.get('servers.kibana.port'); 
@@ -20,11 +18,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('./tests/saml')], servers: xPackAPITestsConfig.get('servers'), security: { disableTestUser: true }, - services: { - randomness: kibanaAPITestsConfig.get('services.randomness'), - legacyEs: kibanaAPITestsConfig.get('services.legacyEs'), - supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'), - }, + services, junit: { reportName: 'X-Pack Security API Integration Tests (SAML)', }, diff --git a/x-pack/test/security_api_integration/session_idle.config.ts b/x-pack/test/security_api_integration/session_idle.config.ts index b8f9141c0a29e..7eba1b02a0e1f 100644 --- a/x-pack/test/security_api_integration/session_idle.config.ts +++ b/x-pack/test/security_api_integration/session_idle.config.ts @@ -6,13 +6,11 @@ import { resolve } from 'path'; import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; +import { services } from './services'; // the default export of config files must be a config provider // that returns an object with the projects config values export default async function ({ readConfigFile }: FtrConfigProviderContext) { - const kibanaAPITestsConfig = await readConfigFile( - require.resolve('../../../test/api_integration/config.js') - ); const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.ts')); const kibanaPort = xPackAPITestsConfig.get('servers.kibana.port'); 
@@ -20,15 +18,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { return { testFiles: [resolve(__dirname, './tests/session_idle')], - - services: { - randomness: kibanaAPITestsConfig.get('services.randomness'), - legacyEs: kibanaAPITestsConfig.get('services.legacyEs'), - supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'), - }, - + services, servers: xPackAPITestsConfig.get('servers'), - esTestCluster: { ...xPackAPITestsConfig.get('esTestCluster'), serverArgs: [ diff --git a/x-pack/test/security_api_integration/session_lifespan.config.ts b/x-pack/test/security_api_integration/session_lifespan.config.ts index 4001a963bfae8..47c02cec19280 100644 --- a/x-pack/test/security_api_integration/session_lifespan.config.ts +++ b/x-pack/test/security_api_integration/session_lifespan.config.ts @@ -6,13 +6,11 @@ import { resolve } from 'path'; import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; +import { services } from './services'; // the default export of config files must be a config provider // that returns an object with the projects config values export default async function ({ readConfigFile }: FtrConfigProviderContext) { - const kibanaAPITestsConfig = await readConfigFile( - require.resolve('../../../test/api_integration/config.js') - ); const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.ts')); const kibanaPort = xPackAPITestsConfig.get('servers.kibana.port'); 
@@ -20,15 +18,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { return { testFiles: [resolve(__dirname, './tests/session_lifespan')], - - services: { - randomness: kibanaAPITestsConfig.get('services.randomness'), - legacyEs: kibanaAPITestsConfig.get('services.legacyEs'), - supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'), - }, - + services, servers: xPackAPITestsConfig.get('servers'), - esTestCluster: { ...xPackAPITestsConfig.get('esTestCluster'), serverArgs: [ diff --git a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts index 26edc36563e1c..7e2e6647d7234 100644 --- a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts +++ b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts @@ -383,12 +383,12 @@ export default function ({ getService }: FtrProviderContext) { // Let's delete tokens from `.security-tokens` index directly to simulate the case when // Elasticsearch automatically removes access/refresh token document from the index after // some period of time. - const esResponse = await getService('legacyEs').deleteByQuery({ + const esResponse = await getService('es').deleteByQuery({ index: '.security-tokens', - q: 'doc_type:token', + body: { query: { match: { doc_type: 'token' } } }, refresh: true, }); - expect(esResponse).to.have.property('deleted').greaterThan(0); + expect(esResponse.body).to.have.property('deleted').greaterThan(0); }); it('AJAX call should initiate SPNEGO and clear existing cookie', async function () { diff --git a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts index aac41374734b2..ff7c211d38de2 100644 --- a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts 
+++ b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts @@ -603,12 +603,12 @@ export default function ({ getService }: FtrProviderContext) { // Let's delete tokens from `.security-tokens` index directly to simulate the case when // Elasticsearch automatically removes access/refresh token document from the index // after some period of time. - const esResponse = await getService('legacyEs').deleteByQuery({ + const esResponse = await getService('es').deleteByQuery({ index: '.security-tokens', - q: 'doc_type:token', + body: { query: { match: { doc_type: 'token' } } }, refresh: true, }); - expect(esResponse).to.have.property('deleted').greaterThan(0); + expect(esResponse.body).to.have.property('deleted').greaterThan(0); const handshakeResponse = await supertest .post('/internal/security/login') diff --git a/x-pack/test/security_api_integration/tests/saml/saml_login.ts b/x-pack/test/security_api_integration/tests/saml/saml_login.ts index 030c6f91d2aed..c76b39a1ea772 100644 --- a/x-pack/test/security_api_integration/tests/saml/saml_login.ts +++ b/x-pack/test/security_api_integration/tests/saml/saml_login.ts @@ -582,12 +582,12 @@ export default function ({ getService }: FtrProviderContext) { // Let's delete tokens from `.security` index directly to simulate the case when // Elasticsearch automatically removes access/refresh token document from the index // after some period of time. - const esResponse = await getService('legacyEs').deleteByQuery({ + const esResponse = await getService('es').deleteByQuery({ index: '.security-tokens', - q: 'doc_type:token', + body: { query: { match: { doc_type: 'token' } } }, refresh: true, }); - expect(esResponse).to.have.property('deleted').greaterThan(0); + expect(esResponse.body).to.have.property('deleted').greaterThan(0); }); it('should redirect user to a page that would capture URL fragment', async () => { 
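Review bot: The comment above the deleteByQuery call in tests/saml/saml_login.ts still says the tokens are deleted from the .security index, while the request right below it targets `index: '.security-tokens'`. The Kerberos and OIDC hunks already name the correct index. Since these lines are being touched anyway, the comment should read `// Let's delete tokens from the .security-tokens index directly to simulate the case when`. The same stale wording appears in the tests/token/session.ts hunk further down. The enclosing test setup starts outside the hunk.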
@@ -666,12 +666,12 @@ export default function ({ getService }: FtrProviderContext) { [ 'when access token document is missing', async () => { - const esResponse = await getService('legacyEs').deleteByQuery({ + const esResponse = await getService('es').deleteByQuery({ index: '.security-tokens', - q: 'doc_type:token', + body: { query: { match: { doc_type: 'token' } } }, refresh: true, }); - expect(esResponse).to.have.property('deleted').greaterThan(0); + expect(esResponse.body).to.have.property('deleted').greaterThan(0); }, ], ]; diff --git a/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts b/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts index 8251ca3419ac8..876aaa6a70b7a 100644 --- a/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts +++ b/x-pack/test/security_api_integration/tests/session_idle/cleanup.ts @@ -13,7 +13,7 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertestWithoutAuth'); - const es = getService('legacyEs'); + const es = getService('es'); const config = getService('config'); const log = getService('log'); const randomness = getService('randomness'); @@ -40,9 +40,8 @@ export default function ({ getService }: FtrProviderContext) { } async function getNumberOfSessionDocuments() { - return (((await es.search({ index: '.kibana_security_session*' })).hits.total as unknown) as { - value: number; - }).value; + return (await es.search({ index: '.kibana_security_session*' })).body.hits.total + .value as number; } async function loginWithSAML(providerName: string) { 
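Review bot: getNumberOfSessionDocuments in tests/session_idle/cleanup.ts runs a full search and reads `body.hits.total.value`, with `as number` as the only guard on what looks like a loosely typed response body. If the response shape ever differs (for instance a numeric `hits.total`), the helper would return undefined and the later comparisons would fail with an unhelpful message. The count API states the intent directly and avoids fetching hits: `const { body } = await es.count({ index: '.kibana_security_session*' });` followed by `return body.count as number;`. The identical helper in tests/session_lifespan/cleanup.ts should change the same way.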
@@ -72,11 +71,8 @@ export default function ({ getService }: FtrProviderContext) { describe('Session Idle cleanup', () => { beforeEach(async () => { - await es.cluster.health({ index: '.kibana_security_session*', waitForStatus: 'green' }); - await es.indices.delete({ - index: '.kibana_security_session*', - ignore: [404], - }); + await es.cluster.health({ index: '.kibana_security_session*', wait_for_status: 'green' }); + await es.indices.delete({ index: '.kibana_security_session*' }, { ignore: [404] }); }); it('should properly clean up session expired because of idle timeout', async function () { diff --git a/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts b/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts index 134c9e9b1ad82..328e17307a05f 100644 --- a/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts +++ b/x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts @@ -13,7 +13,7 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertestWithoutAuth'); - const es = getService('legacyEs'); + const es = getService('es'); const config = getService('config'); const randomness = getService('randomness'); const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':'); @@ -35,9 +35,8 @@ export default function ({ getService }: FtrProviderContext) { } async function getNumberOfSessionDocuments() { - return (((await es.search({ index: '.kibana_security_session*' })).hits.total as unknown) as { - value: number; - }).value; + return (await es.search({ index: '.kibana_security_session*' })).body.hits.total + .value as number; } async function loginWithSAML(providerName: string) { 
@@ -67,11 +66,8 @@ export default function ({ getService }: FtrProviderContext) { describe('Session Lifespan cleanup', () => { beforeEach(async () => { - await es.cluster.health({ index: '.kibana_security_session*', waitForStatus: 'green' }); - await es.indices.delete({ - index: '.kibana_security_session*', - ignore: [404], - }); + await es.cluster.health({ index: '.kibana_security_session*', wait_for_status: 'green' }); + await es.indices.delete({ index: '.kibana_security_session*' }, { ignore: [404] }); }); it('should properly clean up session expired because of lifespan', async function () { diff --git a/x-pack/test/security_api_integration/tests/token/header.ts b/x-pack/test/security_api_integration/tests/token/header.ts index 53b50286cc6cc..9338e81e534d7 100644 --- a/x-pack/test/security_api_integration/tests/token/header.ts +++ b/x-pack/test/security_api_integration/tests/token/header.ts @@ -8,10 +8,12 @@ import { FtrProviderContext } from '../../ftr_provider_context'; export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertestWithoutAuth'); - const es = getService('legacyEs'); + const es = getService('es'); async function createToken() { - const { access_token: accessToken } = await (es as any).shield.getAccessToken({ + const { + body: { access_token: accessToken }, + } = await es.security.getToken({ body: { grant_type: 'password', username: 'elastic', diff --git a/x-pack/test/security_api_integration/tests/token/session.ts b/x-pack/test/security_api_integration/tests/token/session.ts index daee8264bd0bd..c8dc01628a248 100644 --- a/x-pack/test/security_api_integration/tests/token/session.ts +++ b/x-pack/test/security_api_integration/tests/token/session.ts 
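Review bot: createToken in tests/token/header.ts requests a token with a hard-coded `username: 'elastic'` (the matching password line is outside the hunk). In this same change, tests/session_lifespan/cleanup.ts reads the credentials from `config.get('servers.elasticsearch.auth')`. Reading them from config here too keeps test credentials in one place and lets the suite run against a cluster configured differently: `const [username, password] = getService('config').get('servers.elasticsearch.auth').split(':');`. The body of createToken continues past the end of the hunk.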
@@ -140,12 +140,12 @@ export default function ({ getService }: FtrProviderContext) { // Let's delete tokens from `.security` index directly to simulate the case when // Elasticsearch automatically removes access/refresh token document from the index // after some period of time. - const esResponse = await getService('legacyEs').deleteByQuery({ + const esResponse = await getService('es').deleteByQuery({ index: '.security-tokens', - q: 'doc_type:token', + body: { query: { match: { doc_type: 'token' } } }, refresh: true, }); - expect(esResponse).to.have.property('deleted').greaterThan(0); + expect(esResponse.body).to.have.property('deleted').greaterThan(0); const response = await supertest .get('/abc/xyz/') diff --git a/x-pack/test/security_api_integration/token.config.ts b/x-pack/test/security_api_integration/token.config.ts index c7afa51edba5e..4c1612efedae1 100644 --- a/x-pack/test/security_api_integration/token.config.ts +++ b/x-pack/test/security_api_integration/token.config.ts @@ -5,6 +5,7 @@ */ import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; +import { services } from './services'; export default async function ({ readConfigFile }: FtrConfigProviderContext) { const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.ts')); @@ -13,10 +14,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { testFiles: [require.resolve('./tests/token')], servers: xPackAPITestsConfig.get('servers'), security: { disableTestUser: true }, - services: { - legacyEs: xPackAPITestsConfig.get('services.legacyEs'), - supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'), - }, + services, junit: { reportName: 'X-Pack Security API Integration Tests (Token)', }, diff --git a/x-pack/test/spaces_api_integration/common/config.ts b/x-pack/test/spaces_api_integration/common/config.ts index b1da9931f3c9b..3ea8afa732f4e 100644 --- a/x-pack/test/spaces_api_integration/common/config.ts 
+++ b/x-pack/test/spaces_api_integration/common/config.ts @@ -9,8 +9,6 @@ import path from 'path'; import { REPO_ROOT } from '@kbn/utils'; import { TestInvoker } from './lib/types'; -// @ts-ignore -import { LegacyEsProvider } from './services/legacy_es'; interface CreateTestConfigOptions { license: string; @@ -35,7 +33,8 @@ export function createTestConfig(name: string, options: CreateTestConfigOptions) testFiles: [require.resolve(`../${name}/apis/`)], servers: config.xpack.api.get('servers'), services: { - legacyEs: LegacyEsProvider, + es: config.kibana.api.get('services.es'), + legacyEs: config.kibana.api.get('services.legacyEs'), esSupertestWithoutAuth: config.xpack.api.get('services.esSupertestWithoutAuth'), supertest: config.kibana.api.get('services.supertest'), supertestWithoutAuth: config.xpack.api.get('services.supertestWithoutAuth'), diff --git a/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts b/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts index 494c8d9c9e449..07a7d289f16d7 100644 --- a/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts +++ b/x-pack/test/spaces_api_integration/common/lib/create_users_and_roles.ts @@ -3,10 +3,12 @@ * or more contributor license agreements. Licensed under the Elastic License; * you may not use this file except in compliance with the Elastic License. */ + +import { Client } from '@elastic/elasticsearch'; import { SuperTest } from 'supertest'; import { AUTHENTICATION } from './authentication'; -export const createUsersAndRoles = async (es: any, supertest: SuperTest) => { +export const createUsersAndRoles = async (es: Client, supertest: SuperTest) => { await supertest .put('/api/security/role/kibana_legacy_user') .send({ 
@@ -241,7 +243,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }) .expect(204); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.NOT_A_KIBANA_USER.username, body: { password: AUTHENTICATION.NOT_A_KIBANA_USER.password, @@ -251,7 +253,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_LEGACY_USER.username, body: { password: AUTHENTICATION.KIBANA_LEGACY_USER.password, @@ -261,7 +263,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.username, body: { password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.password, @@ -271,7 +273,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.username, body: { password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.password, @@ -281,7 +283,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_USER.password, @@ -291,7 +293,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.password, 
@@ -301,7 +303,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.password, @@ -311,7 +313,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.password, @@ -321,7 +323,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.password, @@ -331,7 +333,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.password, @@ -341,7 +343,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_ALL_USER.password, @@ -351,7 +353,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_2_READ_USER.password, 
@@ -361,7 +363,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_ALL_USER.password, @@ -371,7 +373,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_2_READ_USER.password, @@ -381,7 +383,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_SAVED_OBJECTS_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_SAVED_OBJECTS_ALL_USER.password, @@ -391,7 +393,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_SAVED_OBJECTS_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_SAVED_OBJECTS_READ_USER.password, @@ -401,7 +403,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_SAVED_OBJECTS_ALL_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_SAVED_OBJECTS_ALL_USER.password, @@ -411,7 +413,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_SAVED_OBJECTS_READ_USER.username, body: { password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_SAVED_OBJECTS_READ_USER.password, 
@@ -421,7 +423,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.APM_USER.username, body: { password: AUTHENTICATION.APM_USER.password, @@ -431,7 +433,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.MACHINE_LEARING_ADMIN.username, body: { password: AUTHENTICATION.MACHINE_LEARING_ADMIN.password, @@ -441,7 +443,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.MACHINE_LEARNING_USER.username, body: { password: AUTHENTICATION.MACHINE_LEARNING_USER.password, @@ -451,7 +453,7 @@ export const createUsersAndRoles = async (es: any, supertest: SuperTest) => }, }); - await es.shield.putUser({ + await es.security.putUser({ username: AUTHENTICATION.MONITORING_USER.username, body: { password: AUTHENTICATION.MONITORING_USER.password, diff --git a/x-pack/test/spaces_api_integration/common/services/legacy_es.js b/x-pack/test/spaces_api_integration/common/services/legacy_es.js deleted file mode 100644 index c8bf1810daafe..0000000000000 --- a/x-pack/test/spaces_api_integration/common/services/legacy_es.js +++ /dev/null 
@@ -1,21 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { format as formatUrl } from 'url'; - -import * as legacyElasticsearch from 'elasticsearch'; - -import { elasticsearchClientPlugin } from '../../../../plugins/security/server/elasticsearch/elasticsearch_client_plugin'; - -export function LegacyEsProvider({ getService }) { - const config = getService('config'); - - return new legacyElasticsearch.Client({ - host: formatUrl(config.get('servers.elasticsearch')), - requestTimeout: config.get('timeouts.esRequestTimeout'), - plugins: [elasticsearchClientPlugin], - }); -} diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts index 2d2eac6c9ad83..ce3f551043ba0 100644 --- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/index.ts @@ -9,7 +9,7 @@ import { TestInvoker } from '../../common/lib/types'; // eslint-disable-next-line import/no-default-export export default function ({ loadTestFile, getService }: TestInvoker) { - const es = getService('legacyEs'); + const es = getService('es'); const supertest = getService('supertest'); describe('spaces api with security', function () {