From 1607f807fd4ca9c40b621317b46f6c1e0c36d19c Mon Sep 17 00:00:00 2001 From: kobelb Date: Wed, 5 Sep 2018 11:47:19 -0400 Subject: [PATCH] Dynamically supplying users so we reduce some duplication --- .../common/lib/authentication.js | 16 +- .../common/lib/create_users_and_roles.js | 54 ++++- .../apis/saved_objects/create.js | 219 +++--------------- .../apis/saved_objects/create.js | 56 ++++- 4 files changed, 139 insertions(+), 206 deletions(-) diff --git a/x-pack/test/saved_object_api_integration/common/lib/authentication.js b/x-pack/test/saved_object_api_integration/common/lib/authentication.js index 1e8c10daf2a6b5..af32ecdce466ea 100644 --- a/x-pack/test/saved_object_api_integration/common/lib/authentication.js +++ b/x-pack/test/saved_object_api_integration/common/lib/authentication.js @@ -37,12 +37,20 @@ export const AUTHENTICATION = { USERNAME: 'a_kibana_rbac_dashboard_only_user', PASSWORD: 'password' }, - KIBANA_RBAC_DEFAULT_SPACE_USER: { - USERNAME: 'a_kibana_rbac_default_space_user', + KIBANA_RBAC_DEFAULT_SPACE_ALL_USER: { + USERNAME: 'a_kibana_rbac_default_space_all_user', PASSWORD: 'password' }, - KIBANA_RBAC_SPACE_1_READONLY_USER: { - USERNAME: 'a_kibana_rbac_space_1_readonly_user', + KIBANA_RBAC_DEFAULT_SPACE_READ_USER: { + USERNAME: 'a_kibana_rbac_default_space_read_user', + PASSWORD: 'password' + }, + KIBANA_RBAC_SPACE_1_ALL_USER: { + USERNAME: 'a_kibana_rbac_space_1_all_user', + PASSWORD: 'password' + }, + KIBANA_RBAC_SPACE_1_READ_USER: { + USERNAME: 'a_kibana_rbac_space_1_read_user', PASSWORD: 'password' }, }; diff --git a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.js b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.js index 86b7646e375bb1..1074ae12cb4967 100644 --- a/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.js +++ b/x-pack/test/saved_object_api_integration/common/lib/create_users_and_roles.js 
@@ -66,7 +66,7 @@ export const createUsersAndRoles = async (es, supertest) => { } }); - await supertest.put('/api/security/role/kibana_rbac_default_space_user') + await supertest.put('/api/security/role/kibana_rbac_default_space_all_user') .send({ kibana: { space: { @@ -75,6 +75,24 @@ export const createUsersAndRoles = async (es, supertest) => { } }); + await supertest.put('/api/security/role/kibana_rbac_default_space_read_user') + .send({ + kibana: { + space: { + default: ['read'] + } + } + }); + + await supertest.put('/api/security/role/kibana_rbac_space_1_all_user') + .send({ + kibana: { + space: { + space_1: ['all'] + } + } + }); + await supertest.put('/api/security/role/kibana_rbac_space_1_read_user') .send({ kibana: { 
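Review bot: None of the added `supertest.put('/api/security/role/...')` calls asserts a response status, so as far as these lines show a rejected role definition would go unnoticed during setup. That matters for an authorization suite, because a user whose role was never created has no privileges and every 403 expectation for that user would pass for the wrong reason. Chain a status assertion after each `.send({...})`, for example `.expect(204)` if that is what this endpoint returns on success. This applies to both hunks of this file that add or rename role requests; `createUsersAndRoles` starts and ends outside them.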
@@ -155,19 +173,39 @@ export const createUsersAndRoles = async (es, supertest) => { }); await es.shield.putUser({ - username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.USERNAME, + username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME, + body: { + password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD, + roles: ['kibana_rbac_default_space_all_user'], + full_name: 'a kibana default space all user', + email: 'a_kibana_rbac_default_space_all_user@elastic.co', + } + }); + + await es.shield.putUser({ + username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME, + body: { + password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD, + roles: ['kibana_rbac_default_space_read_user'], + full_name: 'a kibana default space read-only user', + email: 'a_kibana_rbac_default_space_read_user@elastic.co', + } + }); + + await es.shield.putUser({ + username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME, body: { - password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.PASSWORD, - roles: ['kibana_rbac_default_space_user'], - full_name: 'a kibana default space user', - email: 'a_kibana_rbac_default_space_user@elastic.co', + password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD, + roles: ['kibana_rbac_space_1_all_user'], + full_name: 'a kibana rbac space 1 all user', + email: 'a_kibana_rbac_space_1_all_user@elastic.co', } }); await es.shield.putUser({ - username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.USERNAME, + username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME, body: { - password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.PASSWORD, + password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD, roles: ['kibana_rbac_space_1_read_user'], full_name: 'a kibana rbac space 1 read-only user', email: 'a_kibana_rbac_space_1_readonly_user@elastic.co', 
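Review bot: The last `putUser` call in this hunk now reads `KIBANA_RBAC_SPACE_1_READ_USER`, whose username is `a_kibana_rbac_space_1_read_user`, but its unchanged `email` is still `'a_kibana_rbac_space_1_readonly_user@elastic.co'`. Every other user here has an email matching its username, so this line should become `email: 'a_kibana_rbac_space_1_read_user@elastic.co',`. The same leftover shows in the security_only `create.js` hunk (`@@ -176,40 +176,78 @@`), where the title `kibana rbac space 1 readonly user` is kept while the neighbouring titles use the `all user` / `read user` form. The closing lines of this call fall outside the hunk.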
diff --git a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/saved_objects/create.js b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/saved_objects/create.js index 613ab7f605db53..8eb503d56c6647 100644 --- a/x-pack/test/saved_object_api_integration/security_and_spaces/apis/saved_objects/create.js +++ b/x-pack/test/saved_object_api_integration/security_and_spaces/apis/saved_objects/create.js @@ -41,9 +41,23 @@ export default function ({ getService }) { }); }; - describe(`${SPACES.DEFAULT.spaceId} space`, () => { - const spaceId = SPACES.DEFAULT.spaceId; - createTest(`not a kibana user`, { + [{ + spaceId: SPACES.DEFAULT.spaceId, + userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER, + userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER, + userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, + }, { + spaceId: SPACES.DEFAULT.spaceId, + userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER, + userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER, + userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER, + }].forEach(({ + spaceId, + userWithAllAtSpace, + userWithReadAtSpace, + userWithAllAtOtherSpace + }) => { + createTest(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME, { auth: { username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME, password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD, @@ -61,7 +75,7 @@ export default function ({ getService }) { } }); - createTest(`superuser`, { + createTest(AUTHENTICATION.SUPERUSER.USERNAME, { auth: { username: AUTHENTICATION.SUPERUSER.USERNAME, password: AUTHENTICATION.SUPERUSER.PASSWORD, @@ -79,7 +93,7 @@ export default function ({ getService }) { } }); - createTest(`kibana legacy user`, { + createTest(AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME, { auth: { username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME, password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD, 
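Review bot: Both entries of the new scenario array use `spaceId: SPACES.DEFAULT.spaceId` with the same three users, so the default-space cases run twice and nothing exercises `SPACES.SPACE_1` any more, even though the `@@ -220,178 +234,12 @@` hunk deletes the old space_1 `describe` block. That drops the cross-space authorization checks, such as a default-space user being refused in space_1, and the two passes appear to register identical test names. The second entry presumably should describe space_1, with the default-space all user as `userWithAllAtOtherSpace`. The removed space_1 block also passed `spaceId,` into each `createTest` options object while none of the visible new calls do, so confirm that the destructured `spaceId` actually reaches `createTest`. The `forEach` callback continues outside this hunk.

```javascript
// … unchanged: first entry (default space) …
}, {
  spaceId: SPACES.SPACE_1.spaceId,
  userWithAllAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER,
  userWithReadAtSpace: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER,
  userWithAllAtOtherSpace: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER,
}].forEach(({
// … unchanged: destructured parameters and createTest calls …
```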
@@ -97,7 +111,7 @@ export default function ({ getService }) { } }); - createTest(`kibana legacy dashboard only user`, { + createTest(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME, { auth: { username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME, password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD, @@ -115,7 +129,7 @@ export default function ({ getService }) { } }); - createTest(`kibana dual-privileges user`, { + createTest(AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME, { auth: { username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME, password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD, @@ -133,7 +147,7 @@ export default function ({ getService }) { } }); - createTest(`kibana dual-privileges dashboard only user`, { + createTest(AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME, { auth: { username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME, password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD, @@ -151,7 +165,7 @@ export default function ({ getService }) { } }); - createTest(`kibana rbac user`, { + createTest(AUTHENTICATION.KIBANA_RBAC_USER.USERNAME, { auth: { username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME, password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD, @@ -169,7 +183,7 @@ export default function ({ getService }) { } }); - createTest(`kibana rbac dashboard only user`, { + createTest(AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME, { auth: { username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME, password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD, 
@@ -187,10 +201,10 @@ export default function ({ getService }) { } }); - createTest(`kibana rbac default space user`, { + createTest(userWithAllAtSpace.USERNAME, { auth: { - username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.PASSWORD, + username: userWithAllAtSpace.USERNAME, + password: userWithAllAtSpace.PASSWORD, }, tests: { spaceAware: { @@ -204,10 +218,10 @@ export default function ({ getService }) { } }); - createTest(`kibana rbac space 1 readonly user`, { + createTest(userWithReadAtSpace.USERNAME, { auth: { - username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.PASSWORD, + username: userWithReadAtSpace.USERNAME, + password: userWithReadAtSpace.PASSWORD, }, tests: { spaceAware: { 
@@ -220,178 +234,12 @@ export default function ({ getService }) { }, } }); - }); - - describe(`${SPACES.SPACE_1.spaceId} space`, () => { - const spaceId = SPACES.SPACE_1.spaceId; - createTest(`not a kibana user`, { - auth: { - username: AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME, - password: AUTHENTICATION.NOT_A_KIBANA_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 403, - response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME), - }, - notSpaceAware: { - statusCode: 403, - response: createExpectLegacyForbidden(AUTHENTICATION.NOT_A_KIBANA_USER.USERNAME), - }, - } - }); - - createTest(`superuser`, { - auth: { - username: AUTHENTICATION.SUPERUSER.USERNAME, - password: AUTHENTICATION.SUPERUSER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 200, - response: createExpectSpaceAwareResults(spaceId), - }, - notSpaceAware: { - statusCode: 200, - response: expectNotSpaceAwareResults(), - }, - } - }); - - createTest(`kibana legacy user`, { - auth: { - username: AUTHENTICATION.KIBANA_LEGACY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_LEGACY_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 200, - response: createExpectSpaceAwareResults(spaceId), - }, - notSpaceAware: { - statusCode: 200, - response: expectNotSpaceAwareResults, - }, - } - }); - - createTest(`kibana legacy dashboard only user`, { - auth: { - username: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 403, - response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME), - }, - notSpaceAware: { - statusCode: 403, - response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_LEGACY_DASHBOARD_ONLY_USER.USERNAME), - }, - } - }); - - createTest(`kibana dual-privileges user`, { - auth: { - username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.USERNAME, - 
password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 200, - response: createExpectSpaceAwareResults(spaceId), - }, - notSpaceAware: { - statusCode: 200, - response: expectNotSpaceAwareResults, - }, - } - }); - createTest(`kibana dual-privileges dashboard only user`, { + createTest(userWithAllAtOtherSpace.USERNAME, { auth: { - username: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_DUAL_PRIVILEGES_DASHBOARD_ONLY_USER.PASSWORD, + username: userWithAllAtOtherSpace.USERNAME, + password: userWithAllAtOtherSpace.PASSWORD, }, - spaceId, - tests: { - spaceAware: { - statusCode: 403, - response: createExpectRbacForbidden(spaceAwareType), - }, - notSpaceAware: { - statusCode: 403, - response: createExpectRbacForbidden(notSpaceAwareType), - }, - } - }); - - createTest(`kibana rbac user`, { - auth: { - username: AUTHENTICATION.KIBANA_RBAC_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 200, - response: createExpectSpaceAwareResults(spaceId), - }, - notSpaceAware: { - statusCode: 200, - response: expectNotSpaceAwareResults, - }, - } - }); - - createTest(`kibana rbac dashboard only user`, { - auth: { - username: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_DASHBOARD_ONLY_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 403, - response: createExpectRbacForbidden(spaceAwareType), - }, - notSpaceAware: { - statusCode: 403, - response: createExpectRbacForbidden(notSpaceAwareType), - }, - } - }); - - createTest(`kibana rbac default space user`, { - auth: { - username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.PASSWORD, - }, - spaceId, - tests: { - spaceAware: { - statusCode: 403, - response: createExpectRbacForbidden(spaceAwareType), - }, - 
notSpaceAware: { - statusCode: 403, - response: createExpectRbacForbidden(notSpaceAwareType), - }, - } - }); - - createTest(`kibana rbac space 1 readonly user`, { - auth: { - username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.PASSWORD, - }, - spaceId, tests: { spaceAware: { statusCode: 403, @@ -404,5 +252,6 @@ export default function ({ getService }) { } }); }); + }); } diff --git a/x-pack/test/saved_object_api_integration/security_only/apis/saved_objects/create.js b/x-pack/test/saved_object_api_integration/security_only/apis/saved_objects/create.js index 12709a3686107c..c7a0b0e4e71d2a 100644 --- a/x-pack/test/saved_object_api_integration/security_only/apis/saved_objects/create.js +++ b/x-pack/test/saved_object_api_integration/security_only/apis/saved_objects/create.js 
@@ -176,40 +176,78 @@ export default function ({ getService }) { } }); - createTest(`kibana rbac default space user`, { + createTest(`kibana rbac default space all user`, { auth: { - username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.PASSWORD, + username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME, + password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.PASSWORD, }, tests: { spaceAware: { statusCode: 403, // this will change to RBAC once the ES PR for checking all app privileges merges - response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.USERNAME), + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME), }, notSpaceAware: { statusCode: 403, // this will change to RBAC once the ES PR for checking all app privileges merges - response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_USER.USERNAME), + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_ALL_USER.USERNAME), + }, + } + }); + + createTest(`kibana rbac default space read user`, { + auth: { + username: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME, + password: AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.PASSWORD, + }, + tests: { + spaceAware: { + statusCode: 403, + // this will change to RBAC once the ES PR for checking all app privileges merges + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME), + }, + notSpaceAware: { + statusCode: 403, + // this will change to RBAC once the ES PR for checking all app privileges merges + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_DEFAULT_SPACE_READ_USER.USERNAME), + }, + } + }); + + createTest(`kibana rbac space 1 all user`, { + auth: { + username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME, + password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.PASSWORD, 
+ }, + tests: { + spaceAware: { + statusCode: 403, + // this will change to RBAC once the ES PR for checking all app privileges merges + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME), + }, + notSpaceAware: { + statusCode: 403, + // this will change to RBAC once the ES PR for checking all app privileges merges + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_SPACE_1_ALL_USER.USERNAME), }, } }); createTest(`kibana rbac space 1 readonly user`, { auth: { - username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.USERNAME, - password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.PASSWORD, + username: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME, + password: AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.PASSWORD, }, tests: { spaceAware: { statusCode: 403, // this will change to RBAC once the ES PR for checking all app privileges merges - response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.USERNAME), + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME), }, notSpaceAware: { statusCode: 403, // this will change to RBAC once the ES PR for checking all app privileges merges - response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_SPACE_1_READONLY_USER.USERNAME), + response: createExpectLegacyForbidden(AUTHENTICATION.KIBANA_RBAC_SPACE_1_READ_USER.USERNAME), }, } });