From d2feac06d421db8f5214770653d277742248fc0a Mon Sep 17 00:00:00 2001 From: Robert Oskamp Date: Thu, 21 Sep 2023 10:57:37 +0200 Subject: [PATCH] FTR - adjust auth for esSupertest in serverless (#166745) ## Summary This PR removes the `systemIndicesSuperuser` auth in the `esSupertest` service for serverless test runs, adds `certificateAuthorities` to the Elasticsearch server config in serverless and adds a tiny test to verify functionality of this fix. ### Details Issues before this PR when using the `esSupertest` service in serverless tests (can be reproduced by running the added `elasticsearch_api` test without the supertest and config changes): 1. Running against a local `functional_tests_server`, `esSupertest` produces an error: `Error: self-signed certificate in certificate chain` 2. Running against an MKI project produces an error: `unable to authenticate user [system_indices_superuser] for REST request [/]`, because the `system_indices_superuser` doesn't exist in MKI. How this PR addresses the issues: 1. Add `certificateAuthorities` to `servers.elasticsearch` in `x-pack/test_serverless/shared/config.base.ts` in the same way we already have it for `servers.kibana` 2. Modify the `esSUpertest` service to not override the default ES auth when running in serverless, instead go with the default auth (regular superuser), which is the best we can get. ### Additional information It has been considered to add a serverless specific version of `esSupertest` in order to avoid the `config.get('serverless') ?` code. The fact that a number of stateful services are planned to be re-used in serverless and rely on `esSupertest` in combination with the very small change in a central service made it seem worth to make an exception here. Note that service methods or tests that use `esSupertest` can still run into issues on serverless if they actually try to modify system indices. This should be avoided anyways and particularly for serverless tests. --- test/api_integration/services/supertest.ts | 8 ++++++-- .../test_suites/common/elasticsearch_api.ts | 20 +++++++++++++++++++ .../test_suites/common/index.ts | 1 + x-pack/test_serverless/shared/config.base.ts | 6 +++++- 4 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 x-pack/test_serverless/api_integration/test_suites/common/elasticsearch_api.ts diff --git a/test/api_integration/services/supertest.ts b/test/api_integration/services/supertest.ts index 6680c7b203bd5..baf42703c64a0 100644 --- a/test/api_integration/services/supertest.ts +++ b/test/api_integration/services/supertest.ts @@ -22,10 +22,14 @@ export function KibanaSupertestProvider({ getService }: FtrProviderContext) { export function ElasticsearchSupertestProvider({ getService }: FtrProviderContext) { const config = getService('config'); const esServerConfig = config.get('servers.elasticsearch'); + + // For stateful tests, use system indices user so tests can write to system indices + // For serverless tests, we don't have a system indices user, so we're using the default superuser const elasticSearchServerUrl = formatUrl({ ...esServerConfig, - // Use system indices user so tests can write to system indices - auth: `${systemIndicesSuperuser.username}:${systemIndicesSuperuser.password}`, + ...(config.get('serverless') + ? [] + : { auth: `${systemIndicesSuperuser.username}:${systemIndicesSuperuser.password}` }), }); let agentOptions = {}; diff --git a/x-pack/test_serverless/api_integration/test_suites/common/elasticsearch_api.ts b/x-pack/test_serverless/api_integration/test_suites/common/elasticsearch_api.ts new file mode 100644 index 0000000000000..b55f36cab29aa --- /dev/null +++ b/x-pack/test_serverless/api_integration/test_suites/common/elasticsearch_api.ts @@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { FtrProviderContext } from '../../ftr_provider_context'; + +export default function ({ getService }: FtrProviderContext) { + const esSupertest = getService('esSupertest'); + const svlCommonApi = getService('svlCommonApi'); + + describe('Elasticsearch API', function () { + it('can request /', async () => { + const { body, status } = await esSupertest.get('/'); + svlCommonApi.assertResponseStatusCode(200, status, body); + }); + }); +} diff --git a/x-pack/test_serverless/api_integration/test_suites/common/index.ts b/x-pack/test_serverless/api_integration/test_suites/common/index.ts index ae68f7ec7670c..fffe386b7c2ba 100644 --- a/x-pack/test_serverless/api_integration/test_suites/common/index.ts +++ b/x-pack/test_serverless/api_integration/test_suites/common/index.ts @@ -34,5 +34,6 @@ export default function ({ loadTestFile }: FtrProviderContext) { loadTestFile(require.resolve('./scripts_tests')); loadTestFile(require.resolve('./search_oss')); loadTestFile(require.resolve('./search_xpack')); + loadTestFile(require.resolve('./elasticsearch_api')); }); } diff --git a/x-pack/test_serverless/shared/config.base.ts b/x-pack/test_serverless/shared/config.base.ts index a15405cd0f231..5ea4a5eddf14f 100644 --- a/x-pack/test_serverless/shared/config.base.ts +++ b/x-pack/test_serverless/shared/config.base.ts @@ -27,7 +27,11 @@ export default async () => { protocol: 'https', certificateAuthorities: process.env.TEST_CLOUD ? undefined : [Fs.readFileSync(CA_CERT_PATH)], }, - elasticsearch: { ...esTestConfig.getUrlParts(), protocol: 'https' }, + elasticsearch: { + ...esTestConfig.getUrlParts(), + protocol: 'https', + certificateAuthorities: process.env.TEST_CLOUD ? undefined : [Fs.readFileSync(CA_CERT_PATH)], + }, }; // "Fake" SAML provider