Skip to content

Commit

Permalink
[Fleet][RBAC v2] Add tests for fleet API changes (#147611)
Browse files Browse the repository at this point in the history 
## Summary

Tests related to changes in /pull/145361


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
  • Loading branch information
@ashokaditya @hop-dev @kibanamachine
3 people authored Jan 3, 2023
1 parent 9111a2e commit 55f6006
Show file tree
Hide file tree
Showing 5 changed files with 255 additions and 17 deletions.
Binary file added x-pack/test/fleet_api_integration/apis/fixtures/test_packages/endpoint/endpoint-8.6.1.zip
View file
Binary file not shown.
131 changes: 120 additions & 11 deletions x-pack/test/fleet_api_integration/apis/package_policy/get.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,15 @@
import expect from '@kbn/expect';
import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
import { skipIfNoDockerRegistry } from '../../helpers';
import { testUsers } from '../test_users';

export default function (providerContext: FtrProviderContext) {
const { getService } = providerContext;
const supertest = getService('supertest');
const superTestWithoutAuth = getService('supertestWithoutAuth');
const dockerServers = getService('dockerServers');
const esArchiver = getService('esArchiver');
const kibanaServer = getService('kibanaServer');

const server = dockerServers.get('registry');
// use function () {} and not () => {} here
Expand All @@ -23,23 +27,19 @@ export default function (providerContext: FtrProviderContext) {
skipIfNoDockerRegistry(providerContext);

before(async () => {
await getService('kibanaServer').savedObjects.cleanStandardList();

await getService('esArchiver').load(
'x-pack/test/functional/es_archives/fleet/empty_fleet_server'
);
await kibanaServer.savedObjects.cleanStandardList();
await esArchiver.load('x-pack/test/functional/es_archives/fleet/empty_fleet_server');
});

after(async () => {
await getService('esArchiver').unload(
'x-pack/test/functional/es_archives/fleet/empty_fleet_server'
);
await getService('kibanaServer').savedObjects.cleanStandardList();
await esArchiver.unload('x-pack/test/functional/es_archives/fleet/empty_fleet_server');
await kibanaServer.savedObjects.cleanStandardList();
});

describe('get by id', async function () {
let agentPolicyId: string;
let packagePolicyId: string;
let endpointPackagePolicyId: string;

before(async function () {
if (!server.enabled) {
Expand Down Expand Up @@ -72,6 +72,25 @@ export default function (providerContext: FtrProviderContext) {
},
});
packagePolicyId = packagePolicyResponse.item.id;

const { body: endpointPackagePolicyResponse } = await supertest
.post(`/api/fleet/package_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'endpoint-1',
description: '',
namespace: 'default',
policy_id: agentPolicyId,
enabled: true,
inputs: [],
force: true,
package: {
name: 'endpoint',
title: 'Elastic Defend',
version: '8.6.1',
},
});
endpointPackagePolicyId = endpointPackagePolicyResponse.item.id;
});

after(async function () {
Expand All @@ -88,14 +107,48 @@ export default function (providerContext: FtrProviderContext) {
await supertest
.post(`/api/fleet/package_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ packagePolicyIds: [packagePolicyId] })
.send({ packagePolicyIds: [packagePolicyId, endpointPackagePolicyId] })
.expect(200);

// uninstall endpoint package
await supertest
.delete(`/api/fleet/epm/packages/endpoint-8.6.1`)
.set('kbn-xsrf', 'xxxx')
.send({ force: true })
.expect(200);
});

it('should succeed with a valid id', async function () {
await supertest.get(`/api/fleet/package_policies/${packagePolicyId}`).expect(200);
});

it('should succeed when requesting with policy ids that match package names allowed by package privileges', async function () {
await superTestWithoutAuth
.get(`/api/fleet/package_policies/${endpointPackagePolicyId}`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_integr_read_policy.username,
testUsers.endpoint_integr_read_policy.password
)
.expect(200);
});

it('should return 403 for requests with authenticated role but not allowed packages', async function () {
await superTestWithoutAuth
.get(`/api/fleet/package_policies/${packagePolicyId}`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_integr_read_policy.username,
testUsers.endpoint_integr_read_policy.password
)
.expect(403, {
statusCode: 403,
error: 'Forbidden',
message:
"Authorization denied to [package.name=filetest]. Allowed package.name's: endpoint",
});
});

it('should return a 404 with an invalid id', async function () {
await supertest.get(`/api/fleet/package_policies/IS_NOT_PRESENT`).expect(404);
});
Expand All @@ -104,6 +157,7 @@ export default function (providerContext: FtrProviderContext) {
describe('POST /api/fleet/package_policies/_bulk_get', async function () {
let agentPolicyId: string;
let packagePolicyId: string;
let endpointPackagePolicyId: string;

before(async function () {
if (!server.enabled) {
Expand Down Expand Up @@ -136,6 +190,25 @@ export default function (providerContext: FtrProviderContext) {
},
});
packagePolicyId = packagePolicyResponse.item.id;

const { body: endpointPackagePolicyResponse } = await supertest
.post(`/api/fleet/package_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'endpoint-1',
description: '',
namespace: 'default',
policy_id: agentPolicyId,
enabled: true,
inputs: [],
force: true,
package: {
name: 'endpoint',
title: 'Elastic Defend',
version: '8.6.1',
},
});
endpointPackagePolicyId = endpointPackagePolicyResponse.item.id;
});

after(async function () {
Expand All @@ -152,7 +225,14 @@ export default function (providerContext: FtrProviderContext) {
await supertest
.post(`/api/fleet/package_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ packagePolicyIds: [packagePolicyId] })
.send({ packagePolicyIds: [packagePolicyId, endpointPackagePolicyId] })
.expect(200);

// uninstall endpoint package
await supertest
.delete(`/api/fleet/epm/packages/endpoint-8.6.1`)
.set('kbn-xsrf', 'xxxx')
.send({ force: true })
.expect(200);
});

Expand All @@ -176,6 +256,35 @@ export default function (providerContext: FtrProviderContext) {
.expect(404);
});

it('should return 403 without allowed package names', async function () {
await superTestWithoutAuth
.post(`/api/fleet/package_policies/_bulk_get`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_integr_read_policy.username,
testUsers.endpoint_integr_read_policy.password
)
.send({ ids: [packagePolicyId] })
.expect(403, {
error: 'Forbidden',
message:
"Authorization denied to [package.name=filetest]. Allowed package.name's: endpoint",
statusCode: 403,
});
});

it('should succeed when bulk requesting with policy ids that match package names allowed by package privileges', async function () {
await superTestWithoutAuth
.post(`/api/fleet/package_policies/_bulk_get`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_integr_read_policy.username,
testUsers.endpoint_integr_read_policy.password
)
.send({ ids: [endpointPackagePolicyId] })
.expect(200);
});

it('should succeed with mixed valid ids and invalid ids and ignoreMissing flag ', async function () {
const {
body: { items },
Expand Down
109 changes: 103 additions & 6 deletions x-pack/test/fleet_api_integration/apis/package_policy/update.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,18 @@
* 2.0.
*/
import expect from '@kbn/expect';
import { policyFactory } from '@kbn/security-solution-plugin/common/endpoint/models/policy_config';
import { FtrProviderContext } from '../../../api_integration/ftr_provider_context';
import { skipIfNoDockerRegistry } from '../../helpers';
import { testUsers } from '../test_users';

export default function (providerContext: FtrProviderContext) {
const { getService } = providerContext;
const supertest = getService('supertest');
const superTestWithoutAuth = getService('supertestWithoutAuth');
const dockerServers = getService('dockerServers');
const kibanaServer = getService('kibanaServer');
const esArchiver = getService('esArchiver');

const getPackagePolicyById = async (id: string) => {
const { body } = await supertest.get(`/api/fleet/package_policies/${id}`);
Expand All @@ -31,11 +35,10 @@ export default function (providerContext: FtrProviderContext) {
let packagePolicyId: string;
let packagePolicyId2: string;
let packagePolicyId3: string;
let endpointPackagePolicyId: string;
before(async () => {
await kibanaServer.savedObjects.cleanStandardList();
await getService('esArchiver').load(
'x-pack/test/functional/es_archives/fleet/empty_fleet_server'
);
await esArchiver.load('x-pack/test/functional/es_archives/fleet/empty_fleet_server');
});

before(async function () {
Expand Down Expand Up @@ -132,19 +135,49 @@ export default function (providerContext: FtrProviderContext) {
},
});
packagePolicyId3 = packagePolicyResponse3.item.id;

const { body: endpointPackagePolicyResponse } = await supertest
.post(`/api/fleet/package_policies`)
.set('kbn-xsrf', 'xxxx')
.send({
name: 'endpoint-1',
description: '',
namespace: 'default',
policy_id: agentPolicyId,
enabled: true,
inputs: [
{
enabled: true,
streams: [],
type: 'endpoint',
},
],
force: true,
package: {
name: 'endpoint',
title: 'Elastic Defend',
version: '8.6.1',
},
});
endpointPackagePolicyId = endpointPackagePolicyResponse.item.id;
});

after(async function () {
await supertest
.post(`/api/fleet/agent_policies/delete`)
.set('kbn-xsrf', 'xxxx')
.send({ agentPolicyId });

// uninstall endpoint package
await supertest
.delete(`/api/fleet/epm/packages/endpoint-8.6.1`)
.set('kbn-xsrf', 'xxxx')
.send({ force: true })
.expect(200);
});

after(async () => {
await getService('esArchiver').unload(
'x-pack/test/functional/es_archives/fleet/empty_fleet_server'
);
await esArchiver.unload('x-pack/test/functional/es_archives/fleet/empty_fleet_server');
await kibanaServer.savedObjects.cleanStandardList();
});

Expand Down Expand Up @@ -209,6 +242,70 @@ export default function (providerContext: FtrProviderContext) {
});
});

it('should succeed when updating packages that are allowed with package privileges', async function () {
await superTestWithoutAuth
.put(`/api/fleet/package_policies/${endpointPackagePolicyId}`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_integr_write_policy.username,
testUsers.endpoint_integr_write_policy.password
)
.send({
name: 'endpoint-1',
description: '',
namespace: 'updated_namespace',
policy_id: agentPolicyId,
enabled: true,
inputs: [
{
enabled: true,
streams: [],
config: {
policy: {
value: policyFactory(),
},
},
type: 'endpoint',
},
],
force: true,
package: {
name: 'endpoint',
title: 'Elastic Defend',
version: '8.6.1',
},
})
.expect(200);
});

it('should return a 403 with package names that are not allowed', async function () {
await superTestWithoutAuth
.put(`/api/fleet/package_policies/${packagePolicyId}`)
.set('kbn-xsrf', 'xxxx')
.auth(
testUsers.endpoint_integr_write_policy.username,
testUsers.endpoint_integr_write_policy.password
)
.send({
name: 'updated_name',
description: '',
namespace: 'updated_namespace',
policy_id: agentPolicyId,
enabled: true,
inputs: [],
package: {
name: 'filetest',
title: 'For File Tests',
version: '0.1.0',
},
})
.expect(403, {
error: 'Forbidden',
message: 'Update for package name filetest is not authorized.',
statusCode: 403,
});
});

it('should return a 400 if there is another package policy with the same name', async function () {
await supertest
.put(`/api/fleet/package_policies/${packagePolicyId2}`)
Expand Down
Loading

0 comments on commit 55f6006

Please sign in to comment.