Add functional tests

elastic · Mar 4, 2022 · b50da6b · b50da6b
1 parent 8639532
commit b50da6b
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 4 deletions.
diff --git a/x-pack/test/api_integration/apis/telemetry/telemetry.ts b/x-pack/test/api_integration/apis/telemetry/telemetry.ts
@@ -10,6 +10,7 @@ import moment from 'moment';
 import type SuperTest from 'supertest';
 import deepmerge from 'deepmerge';
 import type { FtrProviderContext } from '../../ftr_provider_context';
+import type { SecurityService } from '../../../../../test/common/services/security/security';
 
 import multiClusterFixture from './fixtures/multicluster.json';
 import basicClusterFixture from './fixtures/basiccluster.json';
@@ -90,10 +91,31 @@ function updateMonitoringDates(
   ]);
 }
 
+async function createUserWithRole(
+  security: SecurityService,
+  userName: string,
+  roleName: string,
+  role: unknown
+) {
+  await security.role.create(roleName, role);
+
+  await security.user.create(userName, {
+    password: password(userName),
+    roles: [roleName],
+    full_name: `User ${userName}`,
+  });
+}
+
+function password(userName: string) {
+  return `${userName}-password`;
+}
+
 export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertest');
+  const supertestWithoutAuth = getService('supertestWithoutAuth'); // We need this because `.auth` in the already authed one does not work as expected
   const esArchiver = getService('esArchiver');
   const esSupertest = getService('esSupertest');
+  const security = getService('security');
 
   describe('/api/telemetry/v2/clusters/_stats', () => {
     const timestamp = new Date().toISOString();
@@ -236,5 +258,114 @@ export default function ({ getService }: FtrProviderContext) {
         expect(new Date(fetchedAt).getTime()).to.be.greaterThan(now);
       });
     });
+
+    describe('Only global read+ users can fetch unencrypted telemetry', () => {
+      describe('superadmin user', () => {
+        it('should return unencrypted telemetry for the admin user', async () => {
+          await supertest
+            .post('/api/telemetry/v2/clusters/_stats')
+            .set('kbn-xsrf', 'xxx')
+            .send({ unencrypted: true })
+            .expect(200);
+        });
+
+        it('should return encrypted telemetry for the admin user', async () => {
+          await supertest
+            .post('/api/telemetry/v2/clusters/_stats')
+            .set('kbn-xsrf', 'xxx')
+            .send({ unencrypted: false })
+            .expect(200);
+        });
+      });
+
+      describe('global-read user', () => {
+        const globalReadOnlyUser = 'telemetry-global-read-only-user';
+        const globalReadOnlyRole = 'telemetry-global-read-only-role';
+
+        before('create user', async () => {
+          await createUserWithRole(security, globalReadOnlyUser, globalReadOnlyRole, {
+            kibana: [
+              {
+                spaces: ['*'],
+                base: ['read'],
+                feature: {},
+              },
+            ],
+          });
+        });
+
+        after(async () => {
+          await security.user.delete(globalReadOnlyUser);
+          await security.role.delete(globalReadOnlyRole);
+        });
+
+        it('should return encrypted telemetry for the global-read user', async () => {
+          await supertestWithoutAuth
+            .post('/api/telemetry/v2/clusters/_stats')
+            .auth(globalReadOnlyUser, password(globalReadOnlyUser))
+            .set('kbn-xsrf', 'xxx')
+            .send({ unencrypted: false })
+            .expect(200);
+        });
+
+        it('should return unencrypted telemetry for the global-read user', async () => {
+          await supertestWithoutAuth
+            .post('/api/telemetry/v2/clusters/_stats')
+            .auth(globalReadOnlyUser, password(globalReadOnlyUser))
+            .set('kbn-xsrf', 'xxx')
+            .send({ unencrypted: true })
+            .expect(200);
+        });
+      });
+
+      describe('non global-read user', () => {
+        const noGlobalUser = 'telemetry-no-global-user';
+        const noGlobalRole = 'telemetry-no-global-role';
+
+        before('create user', async () => {
+          await createUserWithRole(security, noGlobalUser, noGlobalRole, {
+            kibana: [
+              {
+                spaces: ['*'],
+                base: [],
+                feature: {
+                  // It has access to many features specified individually but not a global one
+                  discover: ['all'],
+                  dashboard: ['all'],
+                  canvas: ['all'],
+                  maps: ['all'],
+                  ml: ['all'],
+                  visualize: ['all'],
+                  dev_tools: ['all'],
+                },
+              },
+            ],
+          });
+        });
+
+        after(async () => {
+          await security.user.delete(noGlobalUser);
+          await security.role.delete(noGlobalRole);
+        });
+
+        it('should return encrypted telemetry for the read-only user', async () => {
+          await supertestWithoutAuth
+            .post('/api/telemetry/v2/clusters/_stats')
+            .auth(noGlobalUser, password(noGlobalUser))
+            .set('kbn-xsrf', 'xxx')
+            .send({ unencrypted: false })
+            .expect(200);
+        });
+
+        it('should return 403 when the read-only user requests unencrypted telemetry', async () => {
+          await supertestWithoutAuth
+            .post('/api/telemetry/v2/clusters/_stats')
+            .auth(noGlobalUser, password(noGlobalUser))
+            .set('kbn-xsrf', 'xxx')
+            .send({ unencrypted: true })
+            .expect(403);
+        });
+      });
+    });
   });
 }
diff --git a/...ion/services/es_supertest_without_auth.js → ...ion/services/es_supertest_without_auth.ts b/...ion/services/es_supertest_without_auth.js → ...ion/services/es_supertest_without_auth.ts
@@ -8,12 +8,13 @@
 import { format as formatUrl } from 'url';
 
 import supertest from 'supertest';
+import type { FtrProviderContext } from '../ftr_provider_context';
 
 /**
  * Supertest provider that doesn't include user credentials into base URL that is passed
  * to the supertest.
  */
-export function EsSupertestWithoutAuthProvider({ getService }) {
+export function EsSupertestWithoutAuthProvider({ getService }: FtrProviderContext) {
   const config = getService('config');
   const elasticsearchServerConfig = config.get('servers.elasticsearch');
 

diff --git a/x-pack/test/api_integration/services/index.ts b/x-pack/test/api_integration/services/index.ts
@@ -8,9 +8,7 @@
 import { services as kibanaApiIntegrationServices } from '../../../../test/api_integration/services';
 import { services as commonServices } from '../../common/services';
 
-// @ts-ignore not ts yet
 import { EsSupertestWithoutAuthProvider } from './es_supertest_without_auth';
-// @ts-ignore not ts yet
 import { SupertestWithoutAuthProvider } from './supertest_without_auth';
 
 import { UsageAPIProvider } from './usage_api';

diff --git a/...ration/services/supertest_without_auth.js → ...ration/services/supertest_without_auth.ts b/...ration/services/supertest_without_auth.js → ...ration/services/supertest_without_auth.ts
@@ -8,12 +8,13 @@
 import { format as formatUrl } from 'url';
 
 import supertest from 'supertest';
+import type { FtrProviderContext } from '../ftr_provider_context';
 
 /**
  * supertest provider that doesn't include user credentials into base URL that is passed
  * to the supertest. It's used to test API behaviour for not yet authenticated user.
  */
-export function SupertestWithoutAuthProvider({ getService }) {
+export function SupertestWithoutAuthProvider({ getService }: FtrProviderContext) {
   const config = getService('config');
   const kibanaServerConfig = config.get('servers.kibana');