From 23515b1a5c0866c5d3d5ebf5115526b28deb8ebe Mon Sep 17 00:00:00 2001 From: kobelb Date: Mon, 10 Sep 2018 06:57:58 -0400 Subject: [PATCH] Adding more users to the spaces tests --- .../common/suites/create.ts | 54 +++-- .../common/suites/delete.ts | 10 +- .../common/suites/get.ts | 13 +- .../common/suites/get_all.ts | 9 + .../common/suites/select.ts | 13 +- .../common/suites/update.ts | 47 ++-- .../security_and_spaces/apis/create.ts | 184 +++++----------- .../security_and_spaces/apis/delete.ts | 75 ++++++- .../security_and_spaces/apis/get.ts | 41 +++- .../security_and_spaces/apis/get_all.ts | 37 +++- .../security_and_spaces/apis/select.ts | 43 +++- .../security_and_spaces/apis/update.ts | 207 ++++++------------ .../spaces_only/apis/create.ts | 37 +--- 13 files changed, 413 insertions(+), 357 deletions(-) diff --git a/x-pack/test/spaces_api_integration/common/suites/create.ts b/x-pack/test/spaces_api_integration/common/suites/create.ts index d4de96db8ed71..51a71b43271b3 100644 --- a/x-pack/test/spaces_api_integration/common/suites/create.ts +++ b/x-pack/test/spaces_api_integration/common/suites/create.ts @@ -9,21 +9,15 @@ import { SuperTest } from 'supertest'; import { getUrlPrefix } from '../lib/space_test_utils'; import { DescribeFn, TestDefinitionAuthentication } from '../lib/types'; -interface CreateTestWithoutSpace { +interface CreateTest { statusCode: number; response: (resp: any) => void; } -interface CreateTestWithSpace { - statusCode: number; - space: any; - response: (resp: any) => void; -} - interface CreateTests { - newSpace: CreateTestWithSpace; - alreadyExists: CreateTestWithoutSpace; - reservedSpecified: CreateTestWithSpace; + newSpace: CreateTest; + alreadyExists: CreateTest; + reservedSpecified: CreateTest; } interface CreateTestDefinition { 
@@ -45,7 +39,12 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { - expect(resp.body).to.eql(expectedResult); - }; - const expectConflictResponse = (resp: any) => { const spaceId = 'space_1'; expect(resp.body).to.only.have.keys(['error', 'message', 'statusCode']); @@ -111,9 +112,28 @@ export function createTestSuiteFactory(esArchiver: any, supertest: SuperTest { + expect(resp.body).to.eql({ + name: 'marketing', + id: 'marketing', + description: 'a description', + color: '#5c5959', + }); + }; + + const expectReservedSpecifiedResult = (resp: any) => { + expect(resp.body).to.eql({ + name: 'reserved space', + id: 'reserved', + description: 'a description', + color: '#5c5959', + }); + }; + return { createTest, - createExpectResult, + expectNewSpaceResult, + expectReservedSpecifiedResult, expectConflictResponse, expectRbacForbiddenResponse, createExpectLegacyForbiddenResponse, diff --git a/x-pack/test/spaces_api_integration/common/suites/delete.ts b/x-pack/test/spaces_api_integration/common/suites/delete.ts index 5e2c66794826b..edc6c2b35dd96 100644 --- a/x-pack/test/spaces_api_integration/common/suites/delete.ts +++ b/x-pack/test/spaces_api_integration/common/suites/delete.ts @@ -90,7 +90,7 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest { + const expectRbacForbidden = (resp: any) => { expect(resp.body).to.eql({ statusCode: 403, error: 'Forbidden', 
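Review bot: `expectReservedSpecifiedResult` shows only that `_reserved` is missing from the create response, not that the stored space is unreserved. `to.eql` on the echoed body would still pass if the server kept the client-supplied flag and merely left it out of the reply. The same applies to `expectAlreadyExistsResult` in common/suites/update.ts, whose request visibly sends `_reserved: true`. Since the delete suite already has a separate expectation for reserved spaces (`expectReservedSpaceResult`), a follow-up step that deletes the `reserved` space as a privileged user and expects success would confirm the flag was dropped server-side. The request body for this case is not readable in this hunk, so this assumes it still carries `_reserved: true` as the removed `space` fixtures did.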
@@ -98,19 +98,19 @@ export function deleteTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { + const createExpectLegacyForbidden = (username: string, action: string) => (resp: any) => { expect(resp.body).to.eql({ statusCode: 403, error: 'Forbidden', - message: `action [indices:data/write/delete] is unauthorized for user [${username}]: [security_exception] action [indices:data/write/delete] is unauthorized for user [${username}]`, + message: `action [indices:data/${action}] is unauthorized for user [${username}]: [security_exception] action [indices:data/${action}] is unauthorized for user [${username}]`, }); }; return { deleteTest, - createExpectLegacyForbiddenResult, + createExpectLegacyForbidden, createExpectResult, - expectRbacForbiddenResult, + expectRbacForbidden, expectEmptyResult, expectNotFoundResult, expectReservedSpaceResult, diff --git a/x-pack/test/spaces_api_integration/common/suites/get.ts b/x-pack/test/spaces_api_integration/common/suites/get.ts index e2b5f1558c545..35c9187592229 100644 --- a/x-pack/test/spaces_api_integration/common/suites/get.ts +++ b/x-pack/test/spaces_api_integration/common/suites/get.ts @@ -81,7 +81,7 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent) }); }; - const createExpectForbiddenResult = (spaceId: string) => (resp: any) => { + const createExpectRbacForbidden = (spaceId: string) => (resp: any) => { expect(resp.body).to.eql({ statusCode: 403, error: 'Forbidden', 
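Review bot: The new `action: string` parameter of `createExpectLegacyForbidden` accepts any text, and it is spliced twice into the expected message after `indices:data/`. The callers in this patch pass only `'read/get'` and `'write/delete'`, so the signature could say so: `(username: string, action: 'read/get' | 'write/delete') => (resp: any) => {`. The helpers of the same name added in get.ts, get_all.ts and select.ts take only `username` and fix the action, so a one-line comment here on why the delete suite needs the extra argument would help readers who know the other suites.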
@@ -89,12 +89,21 @@ export function getTestSuiteFactory(esArchiver: any, supertest: SuperAgent) }); }; + const createExpectLegacyForbidden = (username: string) => (resp: any) => { + expect(resp.body).to.eql({ + statusCode: 403, + error: 'Forbidden', + message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`, + }); + }; + return { getTest, nonExistantSpaceId, createExpectResults, - createExpectForbiddenResult, + createExpectRbacForbidden, createExpectEmptyResult, createExpectNotFoundResult, + createExpectLegacyForbidden, }; } diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.ts index e378197e150a1..69702fba7dc6c 100644 --- a/x-pack/test/spaces_api_integration/common/suites/get_all.ts +++ b/x-pack/test/spaces_api_integration/common/suites/get_all.ts @@ -70,9 +70,18 @@ export function getAllTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { + expect(resp.body).to.eql({ + statusCode: 403, + error: 'Forbidden', + message: `action [indices:data/read/search] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/search] is unauthorized for user [${username}]`, + }); + }; + return { getAllTest, createExpectResults, + createExpectLegacyForbidden, expectEmptyResult, }; } diff --git a/x-pack/test/spaces_api_integration/common/suites/select.ts b/x-pack/test/spaces_api_integration/common/suites/select.ts index 62232717074c9..e5fb91cbc4061 100644 --- a/x-pack/test/spaces_api_integration/common/suites/select.ts +++ b/x-pack/test/spaces_api_integration/common/suites/select.ts @@ -84,7 +84,7 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { + const createExpectRbacForbidden = (spaceId: any) => (resp: any) => { expect(resp.body).to.eql({ statusCode: 403, error: 'Forbidden', 
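Review bot: `createExpectLegacyForbidden` pins the complete Elasticsearch `security_exception` text, so the test now requires the API to relay the backend's index action and the username to a caller that was just denied. If that passthrough is intended, a comment would stop it being read as an accident, e.g. `// legacy fallback relays the Elasticsearch error verbatim; update if the API starts masking it`. If the wording is not a contract, asserting `statusCode` and `error` exactly and only checking that `message` names the user would keep the test from cementing it. The same template is repeated in the get_all.ts and select.ts hunks that follow.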
@@ -108,14 +108,23 @@ export function selectTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { + expect(resp.body).to.eql({ + statusCode: 403, + error: 'Forbidden', + message: `action [indices:data/read/get] is unauthorized for user [${username}]: [security_exception] action [indices:data/read/get] is unauthorized for user [${username}]`, + }); + }; + return { selectTest, nonExistantSpaceId, expectDefaultSpaceResponse, createExpectSpaceResponse, createExpectResults, - createExpectForbiddenResult, + createExpectRbacForbidden, createExpectEmptyResult, createExpectNotFoundResult, + createExpectLegacyForbidden, }; } diff --git a/x-pack/test/spaces_api_integration/common/suites/update.ts b/x-pack/test/spaces_api_integration/common/suites/update.ts index 55e43f9ac43af..95bcb14a287de 100644 --- a/x-pack/test/spaces_api_integration/common/suites/update.ts +++ b/x-pack/test/spaces_api_integration/common/suites/update.ts @@ -10,7 +10,6 @@ import { DescribeFn, TestDefinitionAuthentication } from '../lib/types'; interface UpdateTest { statusCode: number; - space: any; response: (resp: any) => void; } @@ -36,9 +35,15 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest { return supertest - .put(`${getUrlPrefix(spaceId)}/api/spaces/v1/space/${tests.alreadyExists.space.id}`) + .put(`${getUrlPrefix(spaceId)}/api/spaces/v1/space/space_1`) .auth(auth.username, auth.password) - .send(tests.alreadyExists.space) + .send({ + name: 'space 1', + id: 'space_1', + description: 'a description', + color: '#5c5959', + _reserved: true, + }) .expect(tests.alreadyExists.statusCode) .then(tests.alreadyExists.response); }); 
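Review bot: In the update.ts hunk at -36, the path segment `space_1` and the body field `id: 'space_1'` are now two independent literals, where the old code derived both from `tests.alreadyExists.space`. A typo in either would silently turn this into a path/body mismatch test; the next hunk does the same with `marketing`. Hoisting the payload, e.g. `const existingSpace = { name: 'space 1', id: 'space_1', description: 'a description', color: '#5c5959', _reserved: true };`, and building the URL from `existingSpace.id` keeps the two tied together. The enclosing `updateTest` body starts outside this hunk.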
@@ -46,9 +51,14 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest { it(`should return ${tests.newSpace.statusCode}`, async () => { return supertest - .put(`${getUrlPrefix(spaceId)}/api/spaces/v1/space/${tests.newSpace.space.id}`) + .put(`${getUrlPrefix(spaceId)}/api/spaces/v1/space/marketing`) .auth(auth.username, auth.password) - .send(tests.newSpace.space) + .send({ + name: 'marketing', + id: 'marketing', + description: 'a description', + color: '#5c5959', + }) .expect(tests.newSpace.statusCode) .then(tests.newSpace.response); }); @@ -58,10 +68,6 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { - expect(resp.body).to.eql(expectedResult); - }; - const createExpectNotFoundResult = (spaceId: string) => (resp: any) => { expect(resp.body).to.eql({ error: 'Not Found', @@ -70,7 +76,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest { + const expectRbacForbidden = (resp: any) => { expect(resp.body).to.eql({ statusCode: 403, error: 'Forbidden', @@ -78,7 +84,7 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest (resp: any) => { + const createExpectLegacyForbidden = (username: string) => (resp: any) => { expect(resp.body).to.eql({ statusCode: 403, error: 'Forbidden', @@ -86,11 +92,22 @@ export function updateTestSuiteFactory(esArchiver: any, supertest: SuperTest { + expect(resp.body).to.eql({ + name: 'space 1', + id: 'space_1', + description: 'a description', + color: '#5c5959', + }); + }; + return { updateTest, - createExpectResult, - createExpectNotFoundResult, - expectRbacForbiddenResult, - createExpectLegacyForbiddenResult, + expectNewSpaceNotFound, + expectRbacForbidden, + createExpectLegacyForbidden, + expectAlreadyExistsResult, }; } diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts index 131eda9fec751..4084e777e2c70 100644 
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/create.ts @@ -16,7 +16,8 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { const { createTest, - createExpectResult, + expectReservedSpecifiedResult, + expectNewSpaceResult, expectConflictResponse, expectRbacForbiddenResponse, createExpectLegacyForbiddenResponse, @@ -26,6 +27,8 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { [ { spaceId: SPACES.DEFAULT.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER, @@ -36,6 +39,8 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, { spaceId: SPACES.SPACE_1.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, 
@@ -45,6 +50,50 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER, }, ].forEach(scenario => { + createTest(`${scenario.notAKibanaUser.USERNAME} within the ${scenario.spaceId} space`, { + spaceId: scenario.spaceId, + auth: { + username: scenario.notAKibanaUser.USERNAME, + password: scenario.notAKibanaUser.PASSWORD, + }, + tests: { + newSpace: { + statusCode: 403, + response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME), + }, + alreadyExists: { + statusCode: 403, + response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME), + }, + reservedSpecified: { + statusCode: 403, + response: createExpectLegacyForbiddenResponse(scenario.notAKibanaUser.USERNAME), + }, + }, + }); + + createTest(`${scenario.superuser.USERNAME} within the ${scenario.spaceId} space`, { + spaceId: scenario.spaceId, + auth: { + username: scenario.superuser.USERNAME, + password: scenario.superuser.PASSWORD, + }, + tests: { + newSpace: { + statusCode: 200, + response: expectNewSpaceResult, + }, + alreadyExists: { + statusCode: 409, + response: expectConflictResponse, + }, + reservedSpecified: { + statusCode: 200, + response: expectReservedSpecifiedResult, + }, + }, + }); + createTest(`${scenario.userWithAllGlobally.USERNAME} within the ${scenario.spaceId} space`, { spaceId: scenario.spaceId, auth: { 
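Review bot: The three `notAKibanaUser` cases assert only the 403 status and body, which leaves open whether a denied request still wrote something. For an authorization test, a follow-up read of `marketing` and `reserved` as `scenario.superuser` that expects not-found would show the rejection happened before any write; whether `createTest` already does this cannot be seen from this hunk. The same gap applies to the denied `deleteTest` cases added in security_and_spaces/apis/delete.ts, where the check would be that the target space still exists afterwards.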
@@ -53,39 +102,16 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 200, - response: createExpectResult({ - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }), + response: expectNewSpaceResult, }, alreadyExists: { statusCode: 409, response: expectConflictResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - }), + response: expectReservedSpecifiedResult, }, }, }); @@ -98,39 +124,16 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 200, - response: createExpectResult({ - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }), + response: expectNewSpaceResult, }, alreadyExists: { statusCode: 409, response: expectConflictResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - }), + response: expectReservedSpecifiedResult, }, }, }); 
@@ -143,39 +146,16 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 200, - response: createExpectResult({ - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }), + response: expectNewSpaceResult, }, alreadyExists: { statusCode: 409, response: expectConflictResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - }), + response: expectReservedSpecifiedResult, }, }, }); @@ -188,12 +168,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, response: expectRbacForbiddenResponse, }, @@ -202,13 +176,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { response: expectRbacForbiddenResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, response: expectRbacForbiddenResponse, }, @@ -223,12 +190,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, response: expectRbacForbiddenResponse, }, 
@@ -237,13 +198,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { response: expectRbacForbiddenResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, response: expectRbacForbiddenResponse, }, @@ -258,12 +212,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME), }, @@ -272,13 +220,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME), }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, response: createExpectLegacyForbiddenResponse(scenario.userWithLegacyRead.USERNAME), }, @@ -293,12 +234,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { }, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, response: expectRbacForbiddenResponse, }, @@ -307,13 +242,6 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { response: expectRbacForbiddenResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, response: expectRbacForbiddenResponse, }, diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts index 31bc64d2aac3a..93a04d8bc51e0 100644 
--- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/delete.ts @@ -19,14 +19,16 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { expectEmptyResult, expectReservedSpaceResult, expectNotFoundResult, - expectRbacForbiddenResult, - createExpectLegacyForbiddenResult, + expectRbacForbidden, + createExpectLegacyForbidden, } = deleteTestSuiteFactory(esArchiver, supertestWithoutAuth); describe('delete', () => { [ { spaceId: SPACES.DEFAULT.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER, @@ -37,6 +39,8 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { }, { spaceId: SPACES.SPACE_1.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, 
@@ -46,6 +50,50 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER, }, ].forEach(scenario => { + deleteTest(`${scenario.notAKibanaUser.USERNAME} from the ${scenario.spaceId} space`, { + spaceId: scenario.spaceId, + auth: { + username: scenario.notAKibanaUser.USERNAME, + password: scenario.notAKibanaUser.PASSWORD, + }, + tests: { + exists: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'), + }, + reservedSpace: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'), + }, + doesntExist: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME, 'read/get'), + }, + }, + }); + + deleteTest(`${scenario.superuser.USERNAME} from the ${scenario.spaceId} space`, { + spaceId: scenario.spaceId, + auth: { + username: scenario.superuser.USERNAME, + password: scenario.superuser.PASSWORD, + }, + tests: { + exists: { + statusCode: 204, + response: expectEmptyResult, + }, + reservedSpace: { + statusCode: 400, + response: expectReservedSpaceResult, + }, + doesntExist: { + statusCode: 404, + response: expectNotFoundResult, + }, + }, + }); + deleteTest(`${scenario.userWithAllGlobally.USERNAME} from the ${scenario.spaceId} space`, { spaceId: scenario.spaceId, auth: { @@ -121,15 +169,15 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { tests: { exists: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, reservedSpace: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, doesntExist: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, }); 
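Review bot: The `notAKibanaUser` cases expect the denied action `read/get` on a delete request, while `userWithLegacyRead` (hunk at -165) expects `write/delete`, and nothing in the test says why. Presumably the handler looks the space up before deleting it, so a user with no index access fails one step earlier; that is worth stating next to the first case, e.g. `// denied on the lookup that precedes the delete, hence read/get`. The same reasoning would explain why `reservedSpace` is 403 here but 400 for the legacy read user. With the comment in place, a later change to the lookup order tells the reader which expectation to update.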
@@ -143,15 +191,15 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { tests: { exists: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, reservedSpace: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, doesntExist: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, }); @@ -165,7 +213,10 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { tests: { exists: { statusCode: 403, - response: createExpectLegacyForbiddenResult(scenario.userWithLegacyRead.USERNAME), + response: createExpectLegacyForbidden( + scenario.userWithLegacyRead.USERNAME, + 'write/delete' + ), }, reservedSpace: { statusCode: 400, @@ -187,15 +238,15 @@ export default function deleteSpaceTestSuite({ getService }: TestInvoker) { tests: { exists: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, reservedSpace: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, doesntExist: { statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, }); diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts index 7aec52d7ce2f5..852c3c986728b 100644 --- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get.ts @@ -18,7 +18,8 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) { getTest, createExpectResults, createExpectNotFoundResult, - createExpectForbiddenResult, + createExpectLegacyForbidden, + createExpectRbacForbidden, nonExistantSpaceId, } = getTestSuiteFactory(esArchiver, supertestWithoutAuth); 
@@ -28,6 +29,8 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) { { spaceId: SPACES.DEFAULT.spaceId, otherSpaceId: SPACES.SPACE_1.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER, @@ -41,6 +44,8 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) { { spaceId: SPACES.SPACE_1.spaceId, otherSpaceId: SPACES.DEFAULT.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, @@ -52,6 +57,36 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) { userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER, }, ].forEach(scenario => { + getTest(`${scenario.notAKibanaUser.USERNAME}`, { + currentSpaceId: scenario.spaceId, + spaceId: scenario.spaceId, + auth: { + username: scenario.notAKibanaUser.USERNAME, + password: scenario.notAKibanaUser.PASSWORD, + }, + tests: { + default: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME), + }, + }, + }); + + getTest(`${scenario.superuser.USERNAME}`, { + currentSpaceId: scenario.spaceId, + spaceId: scenario.spaceId, + auth: { + username: scenario.superuser.USERNAME, + password: scenario.superuser.PASSWORD, + }, + tests: { + default: { + statusCode: 200, + response: createExpectResults(scenario.spaceId), + }, + }, + }); + getTest(`${scenario.userWithAllGlobally.USERNAME}`, { currentSpaceId: scenario.spaceId, spaceId: scenario.spaceId, 
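Review bot: The new `notAKibanaUser` case requests only `scenario.spaceId`, so it never shows that an unprivileged caller gets the same 403 for a space that does not exist. `nonExistantSpaceId` is already destructured from the factory in this file; a second `getTest` with `spaceId: nonExistantSpaceId` and, presumably, the same `createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME)` expectation would confirm the response cannot be used to tell existing spaces from missing ones. The `selectTest` block added in select.ts has the same shape, covering only `scenario.otherSpaceId`.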
@@ -167,7 +202,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectForbiddenResult(scenario.spaceId), + response: createExpectRbacForbidden(scenario.spaceId), }, }, }); @@ -287,7 +322,7 @@ export default function getSpaceTestSuite({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectForbiddenResult(scenario.otherSpaceId), + response: createExpectRbacForbidden(scenario.otherSpaceId), }, }, }); diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts index 56d98fca7c0a8..9410103cb25d7 100644 --- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/get_all.ts @@ -14,7 +14,7 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) { const supertestWithoutAuth = getService('supertestWithoutAuth'); const esArchiver = getService('esArchiver'); - const { getAllTest, createExpectResults } = getAllTestSuiteFactory( + const { getAllTest, createExpectResults, createExpectLegacyForbidden } = getAllTestSuiteFactory( esArchiver, supertestWithoutAuth ); @@ -23,6 +23,8 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) { [ { spaceId: SPACES.DEFAULT.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, 
@@ -36,6 +38,8 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) { }, { spaceId: SPACES.SPACE_1.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace_1: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, @@ -48,6 +52,37 @@ export default function getAllSpacesTestSuite({ getService }: TestInvoker) { userwithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER, }, ].forEach(scenario => { + getAllTest( + `${scenario.notAKibanaUser.USERNAME} can't access any spaces from ${scenario.spaceId}`, + { + spaceId: scenario.spaceId, + auth: { + username: scenario.notAKibanaUser.USERNAME, + password: scenario.notAKibanaUser.PASSWORD, + }, + tests: { + exists: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME), + }, + }, + } + ); + + getAllTest(`${scenario.superuser.USERNAME} can access all spaces from ${scenario.spaceId}`, { + spaceId: scenario.spaceId, + auth: { + username: scenario.superuser.USERNAME, + password: scenario.superuser.PASSWORD, + }, + tests: { + exists: { + statusCode: 200, + response: createExpectResults('default', 'space_1', 'space_2'), + }, + }, + }); + getAllTest( `${scenario.userWithAllGlobally.USERNAME} can access all spaces from ${scenario.spaceId}`, { diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts index ab6f086544dce..afe824b98abfa 100644 --- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/select.ts 
@@ -17,9 +17,10 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { const { selectTest, createExpectSpaceResponse, - createExpectForbiddenResult, + createExpectRbacForbidden, createExpectNotFoundResult, nonExistantSpaceId, + createExpectLegacyForbidden, } = selectTestSuiteFactory(esArchiver, supertestWithoutAuth); describe('select', () => { @@ -28,6 +29,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { { spaceId: SPACES.DEFAULT.spaceId, otherSpaceId: SPACES.SPACE_1.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER, @@ -38,6 +41,8 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { { spaceId: SPACES.SPACE_1.spaceId, otherSpaceId: SPACES.DEFAULT.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithLegacyAll: AUTHENTICATION.KIBANA_LEGACY_USER, 
@@ -46,6 +51,36 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER, }, ].forEach(scenario => { + selectTest(`${scenario.notAKibanaUser.USERNAME} selects ${scenario.otherSpaceId}`, { + currentSpaceId: scenario.spaceId, + spaceId: scenario.otherSpaceId, + auth: { + username: scenario.notAKibanaUser.USERNAME, + password: scenario.notAKibanaUser.PASSWORD, + }, + tests: { + default: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME), + }, + }, + }); + + selectTest(`${scenario.superuser.USERNAME} selects ${scenario.otherSpaceId}`, { + currentSpaceId: scenario.spaceId, + spaceId: scenario.otherSpaceId, + auth: { + username: scenario.superuser.USERNAME, + password: scenario.superuser.PASSWORD, + }, + tests: { + default: { + statusCode: 200, + response: createExpectSpaceResponse(scenario.otherSpaceId), + }, + }, + }); + selectTest(`${scenario.userWithAllGlobally.USERNAME} selects ${scenario.otherSpaceId}`, { currentSpaceId: scenario.spaceId, spaceId: scenario.otherSpaceId, @@ -215,7 +250,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectForbiddenResult(scenario.spaceId), + response: createExpectRbacForbidden(scenario.spaceId), }, }, } @@ -264,7 +299,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectForbiddenResult(scenario.spaceId), + response: createExpectRbacForbidden(scenario.spaceId), }, }, } @@ -311,7 +346,7 @@ export default function selectSpaceTestSuite({ getService }: TestInvoker) { tests: { default: { statusCode: 403, - response: createExpectForbiddenResult(nonExistantSpaceId), + response: createExpectRbacForbidden(nonExistantSpaceId), }, }, }); 
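Review bot: The two added `selectTest` cases only select `scenario.otherSpaceId`, so neither new user is exercised against `nonExistantSpaceId`. A later hunk in this file pins `403` with `createExpectRbacForbidden(nonExistantSpaceId)` for an existing user, which suggests the suite deliberately checks that an unauthorized caller cannot distinguish a missing space from a forbidden one. I would add the equivalent case for `notAKibanaUser`, sketched below, and a matching `superuser` case expecting the not-found result. The expected status is inferred from that later hunk and should be confirmed by running the suite, and the `forEach` callback continues outside this hunk.

```typescript
// … unchanged: the two added selectTest cases for scenario.otherSpaceId …
selectTest(`${scenario.notAKibanaUser.USERNAME} cannot select non-existent space`, {
  currentSpaceId: scenario.spaceId,
  spaceId: nonExistantSpaceId,
  auth: {
    username: scenario.notAKibanaUser.USERNAME,
    password: scenario.notAKibanaUser.PASSWORD,
  },
  tests: {
    default: {
      statusCode: 403,
      response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME),
    },
  },
});
```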
diff --git a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts index a92772c079749..718e06a13d328 100644 --- a/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts +++ b/x-pack/test/spaces_api_integration/security_and_spaces/apis/update.ts @@ -16,16 +16,18 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { const { updateTest, - createExpectResult, - createExpectNotFoundResult, - expectRbacForbiddenResult, - createExpectLegacyForbiddenResult, + expectNewSpaceNotFound, + expectAlreadyExistsResult, + expectRbacForbidden, + createExpectLegacyForbidden, } = updateTestSuiteFactory(esArchiver, supertestWithoutAuth); describe('update', () => { [ { spaceId: SPACES.DEFAULT.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, @@ -37,6 +39,8 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, { spaceId: SPACES.SPACE_1.spaceId, + notAKibanaUser: AUTHENTICATION.NOT_A_KIBANA_USER, + superuser: AUTHENTICATION.SUPERUSER, userWithAllGlobally: AUTHENTICATION.KIBANA_RBAC_USER, userWithReadGlobally: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER, userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, 
@@ -47,6 +51,50 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { userWithDualRead: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER, }, ].forEach(scenario => { + updateTest( + `${scenario.notAKibanaUser.USERNAME} can't update space_1 from + the ${scenario.spaceId} space`, + { + spaceId: scenario.spaceId, + auth: { + username: scenario.notAKibanaUser.USERNAME, + password: scenario.notAKibanaUser.PASSWORD, + }, + tests: { + alreadyExists: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME), + }, + newSpace: { + statusCode: 403, + response: createExpectLegacyForbidden(scenario.notAKibanaUser.USERNAME), + }, + }, + } + ); + + updateTest( + `${scenario.superuser.USERNAME} can update space_1 from + the ${scenario.spaceId} space`, + { + spaceId: scenario.spaceId, + auth: { + username: scenario.superuser.USERNAME, + password: scenario.superuser.PASSWORD, + }, + tests: { + alreadyExists: { + statusCode: 200, + response: expectAlreadyExistsResult, + }, + newSpace: { + statusCode: 404, + response: expectNewSpaceNotFound, + }, + }, + } + ); + updateTest( `${scenario.userWithAllGlobally.USERNAME} can update space_1 from the ${scenario.spaceId} space`, @@ -58,30 +106,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - }), + response: expectAlreadyExistsResult, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 404, - response: createExpectNotFoundResult('marketing'), + response: expectNewSpaceNotFound, }, }, } 
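Review bot: Both added `updateTest` titles are template literals that break across two source lines, so each test name contains a newline followed by the indentation of the second line. That makes the names awkward to grep and to read in reporter output; the neighbouring existing titles appear to have the same shape, which is probably where it was copied from. Keeping each title on one line avoids it, e.g. `${scenario.superuser.USERNAME} can update space_1 from the ${scenario.spaceId} space` written as a single-line template literal, and likewise for the `notAKibanaUser` title.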
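Review bot: Removing the `space` payload from `alreadyExists` takes away the only place in this file that showed the update request carrying `_reserved: true` while the expected response omits it. If `updateTestSuiteFactory` now sends that body itself (its changes are not visible here), `expectAlreadyExistsResult` deserves a comment such as `// request sets _reserved: true; the API must ignore it, so it must not appear in the response`. If the factory no longer sends `_reserved`, the suite has quietly stopped covering a caller who tries to mark a space as reserved. The same removal repeats in the later update.ts hunks (-98, -138, -178, -213, -248, -280, -311) and in the `reservedSpecified` case of spaces_only/apis/create.ts.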
@@ -98,30 +128,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - }), + response: expectAlreadyExistsResult, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 404, - response: createExpectNotFoundResult('marketing'), + response: expectNewSpaceNotFound, }, }, } @@ -138,30 +150,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - }), + response: expectAlreadyExistsResult, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 404, - response: createExpectNotFoundResult('marketing'), + response: expectNewSpaceNotFound, }, }, } @@ -178,25 +172,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, } 
@@ -213,25 +194,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, } @@ -248,25 +216,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, - response: createExpectLegacyForbiddenResult(scenario.userWithLegacyRead.USERNAME), + response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME), }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, - response: createExpectLegacyForbiddenResult(scenario.userWithLegacyRead.USERNAME), + response: createExpectLegacyForbidden(scenario.userWithLegacyRead.USERNAME), }, }, } @@ -280,25 +235,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, }); 
@@ -311,25 +253,12 @@ export default function updateSpaceTestSuite({ getService }: TestInvoker) { }, tests: { alreadyExists: { - space: { - name: 'space 1', - id: 'space_1', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 403, - response: expectRbacForbiddenResult, + response: expectRbacForbidden, }, }, }); diff --git a/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts b/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts index 8a770ca5028ab..fb01fd18527c2 100644 --- a/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts +++ b/x-pack/test/spaces_api_integration/spaces_only/apis/create.ts @@ -13,10 +13,12 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { const supertestWithoutAuth = getService('supertestWithoutAuth'); const esArchiver = getService('esArchiver'); - const { createTest, createExpectResult, expectConflictResponse } = createTestSuiteFactory( - esArchiver, - supertestWithoutAuth - ); + const { + createTest, + expectNewSpaceResult, + expectConflictResponse, + expectReservedSpecifiedResult, + } = createTestSuiteFactory(esArchiver, supertestWithoutAuth); describe('create', () => { [ 
@@ -31,39 +33,16 @@ export default function createSpacesOnlySuite({ getService }: TestInvoker) { spaceId: scenario.spaceId, tests: { newSpace: { - space: { - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }, statusCode: 200, - response: createExpectResult({ - name: 'marketing', - id: 'marketing', - description: 'a description', - color: '#5c5959', - }), + response: expectNewSpaceResult, }, alreadyExists: { statusCode: 409, response: expectConflictResponse, }, reservedSpecified: { - space: { - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - _reserved: true, - }, statusCode: 200, - response: createExpectResult({ - name: 'reserved space', - id: 'reserved', - description: 'a description', - color: '#5c5959', - }), + response: expectReservedSpecifiedResult, }, }, });