[Backport 2.x] Run cypress tests with security (#1202) (#1204)

* Run cypress tests with security

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Switch to upload-artifact v4

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Add cypress.config.js

Signed-off-by: Craig Perkins <cwperx@amazon.com>

* Remove readCertAndKey

Signed-off-by: Craig Perkins <cwperx@amazon.com>

---------

Signed-off-by: Craig Perkins <cwperx@amazon.com>

.github/actions/run-cypress-tests/action.yaml

@@ -0,0 +1,152 @@
+name: 'Runs the cypress test suite'
+description: 'Re-usable workflow to run cypress tests against a cluster with or without security'
+
+inputs:
+  with-security:
+    description: 'Whether security should be installed on the cluster the tests are run with'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up JDK
+      uses: actions/setup-java@v1
+      with:
+        # TODO: Parse this from index management plugin
+        java-version: 21
+    - name: Checkout index management
+      uses: actions/checkout@v2
+      with:
+        path: index-management
+        repository: opensearch-project/index-management
+        ref: '2.x'
+    - name: Run opensearch with plugin
+      shell: bash
+      if: ${{ inputs.with-security == 'false' }}
+      run: |
+        cd index-management
+        ./gradlew run &
+        sleep 300
+      # timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:9200)" != "200" ]]; do sleep 5; done'
+    - name: Run opensearch with plugin
+      shell: bash
+      if: ${{ inputs.with-security == 'true' }}
+      run: |
+        cd index-management
+        ./gradlew run -Dsecurity=true -Dhttps=true &
+        sleep 300
+      # timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:9200)" != "200" ]]; do sleep 5; done'
+    - name: Checkout Index Management Dashboards plugin
+      uses: actions/checkout@v2
+      with:
+        path: index-management-dashboards-plugin
+    - name: Checkout Security Dashboards plugin
+      uses: actions/checkout@v2
+      with:
+        repository: opensearch-project/security-dashboards-plugin
+        path: security-dashboards-plugin
+        ref: ${{ env.OPENSEARCH_DASHBOARDS_VERSION }}
+    - name: Checkout OpenSearch-Dashboards
+      uses: actions/checkout@v2
+      with:
+        repository: opensearch-project/OpenSearch-Dashboards
+        path: OpenSearch-Dashboards
+        ref: ${{ env.OPENSEARCH_DASHBOARDS_VERSION }}
+    - name: Setup Node
+      uses: actions/setup-node@v3
+      with:
+        node-version-file: './OpenSearch-Dashboards/.nvmrc'
+        registry-url: 'https://registry.npmjs.org'
+    - name: Install Yarn
+      # Need to use bash to avoid having a windows/linux specific step
+      shell: bash
+      run: |
+        YARN_VERSION=$(node -p "require('./OpenSearch-Dashboards/package.json').engines.yarn")
+        echo "Installing yarn@$YARN_VERSION"
+        npm i -g yarn@$YARN_VERSION
+    - run: node -v
+      shell: bash
+    - run: yarn -v
+      shell: bash
+    - name: Configure OpenSearch Dashboards for cypress
+      shell: bash
+      if: ${{ inputs.with-security == 'true' }}
+      run: |
+        cat << 'EOT' > ./OpenSearch-Dashboards/config/opensearch_dashboards.yml
+        server.host: "0.0.0.0"
+        opensearch.hosts: ["https://localhost:9200"]
+        opensearch.ssl.verificationMode: none
+        opensearch.username: "kibanaserver"
+        opensearch.password: "kibanaserver"
+        opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+        opensearch_security.multitenancy.enabled: true
+        opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
+        opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+        opensearch_security.cookie.secure: false
+        EOT
+    - name: Print Dashboards Config
+      shell: bash
+      if: ${{ inputs.with-security == 'true' }}
+      run: |
+        cat ./OpenSearch-Dashboards/config/opensearch_dashboards.yml
+    - name: Bootstrap plugin/OpenSearch-Dashboards
+      shell: bash
+      if: ${{ inputs.with-security == 'false' }}
+      run: |
+        mkdir -p OpenSearch-Dashboards/plugins
+        mv index-management-dashboards-plugin OpenSearch-Dashboards/plugins
+    - name: Bootstrap plugin/OpenSearch-Dashboards
+      shell: bash
+      if: ${{ inputs.with-security == 'true' }}
+      run: |
+        mkdir -p OpenSearch-Dashboards/plugins
+        mv index-management-dashboards-plugin OpenSearch-Dashboards/plugins
+        mv security-dashboards-plugin OpenSearch-Dashboards/plugins
+    - name: Bootstrap the OpenSearch Dashboard
+      uses: nick-fields/retry@v2
+      with:
+        timeout_minutes: 20
+        max_attempts: 2
+        command: yarn --cwd OpenSearch-Dashboards osd bootstrap --oss --single-version=loose
+    - name: Compile OpenSearch Dashboards
+      shell: bash
+      run: |
+        cd OpenSearch-Dashboards
+        node scripts/build_opensearch_dashboards_platform_plugins --no-examples --workers=10 --verbose
+    - name: Run OpenSearch-Dashboards server
+      shell: bash
+      run: |
+        cd OpenSearch-Dashboards
+        yarn start --no-base-path --no-watch --server.host="0.0.0.0" &
+        sleep 30
+      # in main branch, OSD server requires more time to bundle and bootstrap
+      # timeout 300 bash -c 'while [[ "$(curl -s localhost:5601/api/status | jq -r '.status.overall.state')" != "green" ]]; do sleep 5; done'
+    # for now just chrome, use matrix to do all browsers later
+    - name: Cypress tests
+      uses: cypress-io/github-action@v2
+      if: ${{ inputs.with-security == 'false' }}
+      with:
+        working-directory: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin
+        command: yarn run cypress run
+        wait-on: 'http://localhost:5601'
+        browser: chrome
+    - name: Cypress tests
+      uses: cypress-io/github-action@v2
+      if: ${{ inputs.with-security == 'true' }}
+      with:
+        working-directory: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin
+        command: yarn run cypress run --env SECURITY_ENABLED=true,openSearchUrl=https://localhost:9200,WAIT_FOR_LOADER_BUFFER_MS=500
+        wait-on: 'http://localhost:5601'
+        browser: chrome
+    # Screenshots are only captured on failure, will change this once we do visual regression tests
+    - uses: actions/upload-artifact@v4
+      if: failure()
+      with:
+        name: cypress-screenshots
+        path: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin/cypress/screenshots
+    # Test run video was always captured, so this action uses "always()" condition
+    - uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: cypress-videos
+        path: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin/cypress/videos

.github/workflows/cypress-with-security-workflow.yml

@@ -0,0 +1,26 @@
+name: E2E tests workflow
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - "*"
+env:
+  OPENSEARCH_DASHBOARDS_VERSION: '2.x'
+jobs:
+  tests:
+    name: Run Cypress E2E tests with security
+    runs-on: ubuntu-latest
+    env:
+      # prevents extra Cypress installation progress messages
+      CI: 1
+      # avoid warnings like "tput: No value for $TERM and no -T specified"
+      TERM: xterm
+    steps:
+      - name: Checkout Branch
+        uses: actions/checkout@v3
+      - id: run-cypress-tests
+        uses: ./.github/actions/run-cypress-tests
+        with:
+          with-security: true

.github/workflows/cypress-workflow.yml

@@ -18,76 +18,9 @@ jobs:
       # avoid warnings like "tput: No value for $TERM and no -T specified"
       TERM: xterm
     steps:
-      - name: Set up JDK
-        uses: actions/setup-java@v1
+      - name: Checkout Branch
+        uses: actions/checkout@v3
+      - id: run-cypress-tests
+        uses: ./.github/actions/run-cypress-tests
         with:
-          # TODO: Parse this from index management plugin
-          java-version: 21
-      - name: Checkout index management
-        uses: actions/checkout@v2
-        with:
-          path: index-management
-          repository: opensearch-project/index-management
-          ref: '2.x'
-      - name: Run opensearch with plugin
-        run: |
-          cd index-management
-          ./gradlew run &
-          sleep 300
-        # timeout 300 bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' localhost:9200)" != "200" ]]; do sleep 5; done'
-      - name: Checkout Index Management Dashboards plugin
-        uses: actions/checkout@v2
-        with:
-          path: index-management-dashboards-plugin
-      - name: Checkout OpenSearch-Dashboards
-        uses: actions/checkout@v2
-        with:
-          repository: opensearch-project/OpenSearch-Dashboards
-          path: OpenSearch-Dashboards
-          ref: ${{ env.OPENSEARCH_DASHBOARDS_VERSION }}
-      - name: Setup Node
-        uses: actions/setup-node@v3
-        with:
-          node-version-file: './OpenSearch-Dashboards/.nvmrc'
-          registry-url: 'https://registry.npmjs.org'
-      - name: Install Yarn
-        # Need to use bash to avoid having a windows/linux specific step
-        shell: bash
-        run: |
-          YARN_VERSION=$(node -p "require('./OpenSearch-Dashboards/package.json').engines.yarn")
-          echo "Installing yarn@$YARN_VERSION"
-          npm i -g yarn@$YARN_VERSION
-      - run: node -v
-      - run: yarn -v
-      - name: Bootstrap plugin/OpenSearch-Dashboards
-        run: |
-          mkdir -p OpenSearch-Dashboards/plugins
-          mv index-management-dashboards-plugin OpenSearch-Dashboards/plugins
-          cd OpenSearch-Dashboards/plugins/index-management-dashboards-plugin
-          yarn osd bootstrap
-      - name: Run OpenSearch-Dashboards server
-        run: |
-          cd OpenSearch-Dashboards
-          yarn start --no-base-path --no-watch --server.host="0.0.0.0" &
-          sleep 300
-        # timeout 300 bash -c 'while [[ "$(curl -s localhost:5601/api/status | jq -r '.status.overall.state')" != "green" ]]; do sleep 5; done'
-      # for now just chrome, use matrix to do all browsers later
-      - name: Cypress tests
-        uses: cypress-io/github-action@v2
-        with:
-          working-directory: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin
-          command: yarn run cypress run
-          wait-on: 'http://localhost:5601'
-          browser: chrome
-      # Screenshots are only captured on failure, will change this once we do visual regression tests
-      - uses: actions/upload-artifact@v4
-        if: failure()
-        with:
-          name: cypress-screenshots
-          path: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin/cypress/screenshots
-      # Test run video was always captured, so this action uses "always()" condition
-      - uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: cypress-videos
-          path: OpenSearch-Dashboards/plugins/index-management-dashboards-plugin/cypress/videos
+          with-security: false

cypress.config.js

@@ -1,6 +1,4 @@
 const { defineConfig } = require("cypress");
-const fs = require("fs");
-const path = require("path");
 
 module.exports = defineConfig({
   e2e: {
@@ -17,16 +15,33 @@ module.exports = defineConfig({
       username: "admin",
       password: "admin",
     },
+    clientCertificates: [
+      {
+        url: "https://localhost:9200/.opendistro-ism*",
+        ca: ["cypress/resources/root-ca.pem"],
+        certs: [
+          {
+            cert: "cypress/resources/kirk.pem",
+            key: "cypress/resources/kirk-key.pem",
+            passphrase: "",
+          },
+        ],
+      },
+      {
+        url: "https://localhost:9200/.opendistro-ism-config/_update_by_query/",
+        ca: ["cypress/resources/root-ca.pem"],
+        certs: [
+          {
+            cert: "cypress/resources/kirk.pem",
+            key: "cypress/resources/kirk-key.pem",
+            passphrase: "",
+          },
+        ],
+      },
+    ],
     setupNodeEvents(on, config) {
-      on("task", {
-        readCertAndKey() {
-          const cert = fs.readFileSync(path.resolve(__dirname, "cypress/resources/kirk.pem"));
-          const key = fs.readFileSync(path.resolve(__dirname, "cypress/resources/kirk-key.pem"));
-          return { cert, key };
-        },
-      });
       // implement node event listeners here
       return config;
     },
   },
-});
+});

cypress/resources/root-ca.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIExjCCA66gAwIBAgIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcNAQEL
+BQAwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdleGFt
+cGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYDVQQLDBhFeGFtcGxl
+IENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUgQ29tIEluYy4gUm9v
+dCBDQTAeFw0yNDAyMjAxNzAwMzZaFw0zNDAyMTcxNzAwMzZaMIGPMRMwEQYKCZIm
+iZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTEZMBcGA1UECgwQ
+RXhhbXBsZSBDb20gSW5jLjEhMB8GA1UECwwYRXhhbXBsZSBDb20gSW5jLiBSb290
+IENBMSEwHwYDVQQDDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEPyN7J9VGPyJcQmCBl5TGwfSzvVdWwoQU
+j9aEsdfFJ6pBCDQSsj8Lv4RqL0dZra7h7SpZLLX/YZcnjikrYC+rP5OwsI9xEE/4
+U98CsTBPhIMgqFK6SzNE5494BsAk4cL72dOOc8tX19oDS/PvBULbNkthQ0aAF1dg
+vbrHvu7hq7LisB5ZRGHVE1k/AbCs2PaaKkn2jCw/b+U0Ml9qPuuEgz2mAqJDGYoA
+WSR4YXrOcrmPuRqbws464YZbJW898/0Pn/U300ed+4YHiNYLLJp51AMkR4YEw969
+VRPbWIvLrd0PQBooC/eLrL6rvud/GpYhdQEUx8qcNCKd4bz3OaQ5AgMBAAGjggEW
+MIIBEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQU
+F4ffoFrrZhKn1dD4uhJFPLcrAJwwgc8GA1UdIwSBxzCBxIAUF4ffoFrrZhKn1dD4
+uhJFPLcrAJyhgZWkgZIwgY8xEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJ
+k/IsZAEZFgdleGFtcGxlMRkwFwYDVQQKDBBFeGFtcGxlIENvbSBJbmMuMSEwHwYD
+VQQLDBhFeGFtcGxlIENvbSBJbmMuIFJvb3QgQ0ExITAfBgNVBAMMGEV4YW1wbGUg
+Q29tIEluYy4gUm9vdCBDQYIUDWQJmWZ9xBTsQUeOt9F5YSPpqOIwDQYJKoZIhvcN
+AQELBQADggEBAL3Q3AHUhMiLUy6OlLSt8wX9I2oNGDKbBu0atpUNDztk/0s3YLQC
+YuXgN4KrIcMXQIuAXCx407c+pIlT/T1FNn+VQXwi56PYzxQKtlpoKUL3oPQE1d0V
+6EoiNk+6UodvyZqpdQu7fXVentRMk1QX7D9otmiiNuX+GSxJhJC2Lyzw65O9EUgG
+1yVJon6RkUGtqBqKIuLksKwEr//ELnjmXit4LQKSnqKr0FTCB7seIrKJNyb35Qnq
+qy9a/Unhokrmdda1tr6MbqU8l7HmxLuSd/Ky+L0eDNtYv6YfMewtjg0TtAnFyQov
+rdXmeq1dy9HLo3Ds4AFz3Gx9076TxcRS/iI=
+-----END CERTIFICATE-----

cypress/utils/commands.js

@@ -99,17 +99,7 @@ Cypress.Commands.add("login", () => {
 Cypress.Commands.add("deleteAllIndices", () => {
   cy.log("Deleting all indexes");
   cy.request("DELETE", `${Cypress.env("openSearchUrl")}/test_index_*,index*,sample*,opensearch_dashboards*`);
-  cy.task("readCertAndKey").then(({ cert, key }) => {
-    cy.request({
-      method: "DELETE",
-      url: `${Cypress.env("openSearchUrl")}/.opendistro-ism*?expand_wildcards=all`,
-      headers: {},
-      agentOptions: {
-        cert,
-        key,
-      },
-    });
-  });
+  cy.request("DELETE", `${Cypress.env("openSearchUrl")}/.opendistro-ism*?expand_wildcards=all`);
 });
 
 Cypress.Commands.add("deleteADSystemIndices", () => {

cypress/utils/plugins/index-management-dashboards-plugin/commands.js

@@ -44,7 +44,7 @@ Cypress.Commands.add("updateManagedIndexConfigStartTime", (index) => {
         source: `ctx._source['managed_index']['schedule']['interval']['start_time'] = ${startTime}L`,
       },
     };
-    cy.request("POST", `${Cypress.env("openSearchUrl")}/${IM_CONFIG_INDEX.OPENDISTRO_ISM_CONFIG}/_update_by_query`, body);
+    cy.request("POST", `${Cypress.env("openSearchUrl")}/${IM_CONFIG_INDEX.OPENDISTRO_ISM_CONFIG}/_update_by_query/`, body);
   });
 });