[Security Solutions][Detection Engine] Unskips tests after ES promotion and adds deleteUserRole utility #90533
Conversation
FrankHassanabad
added
the
release_note:skip
FrankHassanabad
added
v8.0.0
v7.12.0
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
|
||
| export const createUserAndRole = async ( | ||
| securityService: ReturnType<FtrProviderContext['getService']>, | ||
| securityService: ProvidedType<typeof services['security']>, |
There was a problem hiding this comment.
Nit: I don't see ProvidedType being used much externally, if at all; it seems more common to pass getService: FtrProviderContext['getService'] to helper functions like this.
There was a problem hiding this comment.
The trick for this and why I can't use that is because we want the return type from it and it's function overloaded which does not work well for type script.
There was a problem hiding this comment.
Yeah I see what you're saying though. Most people are passing the service directly and then calling the getService('security') against that and then using it.
I can change this to use that and remove the ProvidedType. Might be better for us to stick with the existing patterns here and not look odd ball for maintainers.
| beforeEach(async () => { | ||
| await createUserAndRole(security, role); | ||
| }); | ||
|
|
||
| afterEach(async () => { |
There was a problem hiding this comment.
These have got me thinking generally about how we can guarantee these kinds of hooks to be symmetric. My first thought is helper functions that generate these hooks, e.g.
const withUserRole = (role, security) => { beforeEach(); afterEach(); }but maybe that's too much abstraction? Just a thought.
There was a problem hiding this comment.
I think this is a neat idea 👍
There was a problem hiding this comment.
Not tracking all the way on this. How do you use those functions like you have above. I can't call beforeEach and then afterEach like that. I might be dense here though.
| ) => { | ||
| await securityService.role.delete(roleName); | ||
| await securityService.user.delete(roleName); | ||
| }; |
There was a problem hiding this comment.
Nit: I would ask we switch the ordering of these delete calls such that we delete the user first and then the role. This would better reflect the setup of posting the role first and then the user.
There was a problem hiding this comment.
Yeah, it does seem wrong if I deleted a role first and the user had a dangling role. I am curious how it allowed me to do that in first place but you are correct this would be better for future proofing things and is the way it should operate.
| @@ -88,7 +91,7 @@ export default ({ getService }: FtrProviderContext) => { | |||
| .expect(403); | |||
| expect(body).to.eql({ | |||
| message: | |||
| 'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [t1_analyst], this action is granted by the privileges [read_ilm,manage_ilm,manage,all]', | |||
| 'security_exception: action [cluster:admin/ilm/get] is unauthorized for user [t1_analyst], this action is granted by the cluster privileges [read_ilm,manage_ilm,manage,all]', | |||
There was a problem hiding this comment.
are messages a defined part of the ES API spec? we've been burned a few times by wording changes in these messages causing tests to fail and get skipped. I could imagine a new privilege being added that grants [cluster:admin/ilm/get] and the array [read_ilm,manage_ilm,manage,all] would then include the new privilege. I don't think that would be considered a breaking change in ES but it would break this test.
Perhaps we can verify part of the message, such as that it begins with security_exception instead of asserting the whole string?
There was a problem hiding this comment.
It shouldn't change often from talking to others about this one when ES was promoted. If it were to change again it could be at either the start, end, or middle of the string. For example they could change the wording of security_exception: to something else at the start of it.
From my understanding, during the promotions of elastic search and when people skip tests they don't view the string failures like this one as something to necessarily minimize but rather as a way for Kibana core members and us to double check the wording and the elastic tickets to ensure these changes in the strings are intentful from the elastic team and make sense when it bubbles up to the UI.
Kibana core skips the tests as we're the best to fix them but if we see something such as a misspellings or worse something that looks wrong such as the ending string array of [read_ilm,manage_ilm,manage,all] missing in one of the properties, then the diff in the failure is useful for everyone.
We have previously rejected the promotion and asked downstream elastic to issue a fix before the promotion is allowed to move forward in some failure cases rather than do a skip.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…romotion and adds deleteUserRole utility (#90533) (#90847) * [Security Solutions][Detection Engine] Unskips tests after ES promotion and adds deleteUserRole utility (#90533) ## Summary Unskips tests after a ES promotion and adds a delete user role utility. Ref: #90229 #88302 Removes one `any` from the utils by switching to using `ProvidedType` Before: <img width="558" alt="Screen Shot 2021-02-05 at 2 45 37 PM" src="https://user-images.githubusercontent.com/1151048/107098890-8dce5b80-67cd-11eb-8f6e-51f83eef4647.png"> After: <img width="513" alt="Screen Shot 2021-02-05 at 4 13 23 PM" src="https://user-images.githubusercontent.com/1151048/107098898-9161e280-67cd-11eb-8085-a5220938834e.png"> Turns out that return types on overloaded functions aren't easy fwiw and will fall on the bottom one which in this case looked to be `any` which we don't want: microsoft/TypeScript#24275 (comment) ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios # Conflicts: # x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_index.ts # x-pack/test/detection_engine_api_integration/security_and_spaces/tests/delete_signals_migrations.ts * Fixes test failure as the permissions are true for 7.x -> 7.12 compared to false for 7.11
Summary
Unskips tests after a ES promotion and adds a delete user role utility.
Ref:
#90229
#88302
Removes one
anyfrom the utils by switching to usingProvidedTypeBefore:
After:
Turns out that return types on overloaded functions aren't easy fwiw and will fall on the bottom one which in this case looked to be
anywhich we don't want:microsoft/TypeScript#24275 (comment)
Checklist