[FTR] add service to test user roles on serverless

.gitignore

@@ -141,4 +141,7 @@ fleet-server.yml
 **/.journeys/
 x-pack/test/security_api_integration/plugins/audit_log/audit.log
 
+# ignore FTR temp directory
+.ftr
+role_users.json
 

packages/kbn-es/src/utils/docker.test.ts

@@ -462,9 +462,9 @@ describe('resolveEsArgs()', () => {
         "--env",
         "xpack.security.authc.realms.saml.mock-idp.attributes.groups=http://saml.elastic-cloud.com/attributes/roles",
         "--env",
-        "xpack.security.authc.realms.saml.mock-idp.attributes.name=http://saml.elastic-cloud.com/attributes/email",
+        "xpack.security.authc.realms.saml.mock-idp.attributes.name=http://saml.elastic-cloud.com/attributes/name",
         "--env",
-        "xpack.security.authc.realms.saml.mock-idp.attributes.mail=http://saml.elastic-cloud.com/attributes/name",
+        "xpack.security.authc.realms.saml.mock-idp.attributes.mail=http://saml.elastic-cloud.com/attributes/email",
       ]
     `);
   });

packages/kbn-es/src/utils/docker.ts

@@ -508,11 +508,11 @@ export function resolveEsArgs(
     );
     esArgs.set(
       `xpack.security.authc.realms.saml.${MOCK_IDP_REALM_NAME}.attributes.name`,
-      MOCK_IDP_ATTRIBUTE_EMAIL
+      MOCK_IDP_ATTRIBUTE_NAME
     );
     esArgs.set(
       `xpack.security.authc.realms.saml.${MOCK_IDP_REALM_NAME}.attributes.mail`,
-      MOCK_IDP_ATTRIBUTE_NAME
+      MOCK_IDP_ATTRIBUTE_EMAIL
     );
   }
 

test/functional/services/common/browser.ts

@@ -246,6 +246,18 @@ class BrowserService extends FtrService {
     return await this.driver.get(url);
   }
 
+  /**
+   * Adds a cookie to the current browsing context. You need to be on the domain that the cookie will be valid for.
+   * https://www.selenium.dev/documentation/webdriver/interactions/cookies/#add-cookie
+   *
+   * @param {string} name
+   * @param {string} value
+   * @return {Promise<void>}
+   */
+  public async setCookie(name: string, value: string) {
+    await this.driver.manage().addCookie({ name, value });
+  }
+
   /**
    * Retrieves the cookie with the given name. Returns null if there is no such cookie. The cookie will be returned as
    * a JSON object as described by the WebDriver wire protocol.

x-pack/test_serverless/api_integration/test_suites/common/platform_security/index.ts

@@ -22,6 +22,7 @@ export default function ({ loadTestFile }: FtrProviderContext) {
     loadTestFile(require.resolve('./role_mappings'));
     loadTestFile(require.resolve('./sessions'));
     loadTestFile(require.resolve('./users'));
+    loadTestFile(require.resolve('./request_as_viewer'));
     loadTestFile(require.resolve('./user_profiles'));
     loadTestFile(require.resolve('./views'));
   });

x-pack/test_serverless/api_integration/test_suites/common/platform_security/request_as_viewer.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import type { FtrProviderContext } from '../../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  describe('security/request as viewer', () => {
+    const svlUserManager = getService('svlUserManager');
+    const supertestWithoutAuth = getService('supertestWithoutAuth');
+    let credentials: { Cookie: string };
+
+    before(async () => {
+      // get auth header for Viewer role
+      credentials = await svlUserManager.getApiCredentialsForRole('viewer');
+    });
+
+    it('returns full status payload for authenticated request', async () => {
+      const { body } = await supertestWithoutAuth
+        .get('/api/status')
+        .set(credentials)
+        .set('kbn-xsrf', 'kibana');
+
+      expect(body.name).to.be.a('string');
+      expect(body.uuid).to.be.a('string');
+      expect(body.version.number).to.be.a('string');
+    });
+  });
+}

x-pack/test_serverless/functional/page_objects/svl_common_page.ts

@@ -15,20 +15,33 @@ export function SvlCommonPageProvider({ getService, getPageObjects }: FtrProvide
   const deployment = getService('deployment');
   const log = getService('log');
   const browser = getService('browser');
+  const svlUserManager = getService('svlUserManager');
 
   const delay = (ms: number) =>
     new Promise((resolve) => {
       setTimeout(resolve, ms);
     });
 
   return {
+    async loginWithRole(role: string) {
+      log.debug(`Logging in by setting browser cookie for '${role}' role`);
+      const sidCookie = await svlUserManager.getSessionCookieForRole(role);
+      // Loading bootstrap.js in order to be on the domain that the cookie will be set for.
+      await browser.get(deployment.getHostPort() + '/bootstrap.js');
+      await browser.setCookie('sid', sidCookie);
+      // Cookie should be already set in the browsing context, navigating to the Home page
+      await browser.get(deployment.getHostPort());
+      // Verifying that we are logged in
+      if (await testSubjects.exists('userMenuButton', { timeout: 10_000 })) {
+        log.debug('userMenuButton found, login passed');
+      } else {
+        throw new Error(`Failed to login with cookie for '${role}' role`);
+      }
+    },
+
     async navigateToLoginForm() {
       const url = deployment.getHostPort() + '/login';
       await browser.get(url);
-      // ensure welcome screen won't be shown. This is relevant for environments which don't allow
-      // to use the yml setting, e.g. cloud
-      await browser.setLocalStorageItem('home:welcome:show', 'false');
-
       log.debug('Waiting for Login Form to appear.');
       await retry.waitForWithTimeout('login form', 10_000, async () => {
         return await pageObjects.security.isLoginFormVisible();

x-pack/test_serverless/functional/test_suites/common/platform_security/index.ts

@@ -9,6 +9,7 @@ import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ loadTestFile }: FtrProviderContext) {
   describe('Serverless Common UI - Platform Security', function () {
+    loadTestFile(require.resolve('./viewer_role_login'));
     loadTestFile(require.resolve('./api_keys'));
     loadTestFile(require.resolve('./navigation/avatar_menu'));
     loadTestFile(require.resolve('./user_profiles/user_profiles'));

x-pack/test_serverless/functional/test_suites/common/platform_security/viewer_role_login.ts

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../../ftr_provider_context';
+
+const VIEWER_ROLE = 'viewer';
+
+export default function ({ getPageObject, getService }: FtrProviderContext) {
+  describe(`Login as ${VIEWER_ROLE}`, function () {
+    const svlCommonPage = getPageObject('svlCommonPage');
+    const testSubjects = getService('testSubjects');
+    const svlUserManager = getService('svlUserManager');
+
+    before(async () => {
+      await svlCommonPage.loginWithRole(VIEWER_ROLE);
+    });
+
+    it('should be able to see correct profile', async () => {
+      await svlCommonPage.assertProjectHeaderExists();
+      await svlCommonPage.assertUserAvatarExists();
+      await svlCommonPage.clickUserAvatar();
+      await svlCommonPage.assertUserMenuExists();
+      const actualFullname = await testSubjects.getVisibleText('contextMenuPanelTitle');
+      const userData = await svlUserManager.getUserData(VIEWER_ROLE);
+      expect(actualFullname).to.be(userData.fullname);
+    });
+  });
+}

x-pack/test_serverless/shared/services/index.ts

@@ -8,10 +8,12 @@
 import { SvlReportingServiceProvider } from './svl_reporting';
 import { SupertestProvider, SupertestWithoutAuthProvider } from './supertest';
 import { SvlCommonApiServiceProvider } from './svl_common_api';
+import { SvlUserManagerProvider } from './user_manager/svl_user_manager';
 
 export const services = {
   supertest: SupertestProvider,
   supertestWithoutAuth: SupertestWithoutAuthProvider,
   svlCommonApi: SvlCommonApiServiceProvider,
   svlReportingApi: SvlReportingServiceProvider,
+  svlUserManager: SvlUserManagerProvider,
 };

x-pack/test_serverless/shared/services/supertest.ts

@@ -9,21 +9,29 @@ import { format as formatUrl } from 'url';
 import supertest from 'supertest';
 import { FtrProviderContext } from '../../functional/ftr_provider_context';
 
+/**
+ * Returns supertest.SuperTest<supertest.Test> instance that will not persist cookie between API requests.
+ */
 export function SupertestProvider({ getService }: FtrProviderContext) {
   const config = getService('config');
   const kbnUrl = formatUrl(config.get('servers.kibana'));
-  const ca = config.get('servers.kibana').certificateAuthorities;
 
-  return supertest.agent(kbnUrl, { ca });
+  return supertest(kbnUrl);
 }
 
+/**
+ * Returns supertest.SuperTest<supertest.Test> instance that will not persist cookie between API requests.
+ * If you need to pass certificate, do the following:
+ * await supertestWithoutAuth
+ *   .get('/abc')
+ *   .ca(CA_CERT)
+ */
 export function SupertestWithoutAuthProvider({ getService }: FtrProviderContext) {
   const config = getService('config');
   const kbnUrl = formatUrl({
     ...config.get('servers.kibana'),
     auth: false,
   });
-  const ca = config.get('servers.kibana').certificateAuthorities;
 
-  return supertest.agent(kbnUrl, { ca });
+  return supertest(kbnUrl);
 }