[8.x] [FTR] support custom native roles in serverless tests (elastic#194677) (elastic#196351)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[FTR] support custom native roles in serverless tests
(elastic#194677)](elastic#194677)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Dzmitry
Lemechko","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-11T15:11:23Z","message":"[FTR]
support custom native roles in serverless tests (elastic#194677)\n\n##
Summary\r\n\r\nThis PR updates FTR services to support authentication
with custom\r\nnative role. Few notes:\r\n- for compatibility with MKI
we reserve **\"customRole\"** as a custom\r\nrole name used in
tests\r\n- test user is **automatically assigned** to this role, but
before login\r\nin browser/ generating cookie header or API key in each
test suite\r\n**role privileges must me updated according test
scenario**\r\n\r\nHow to test:\r\nI added a new test file for Search
project:\r\n`x-pack/test_serverless/functional/test_suites/search/custom_role_access.ts`\r\n\r\nIt
can be run locally with:\r\n```\r\n node scripts/functional_tests
--config=x-pack/test_serverless/functional/test_suites/search/config.ts
--grep \"With custom role\"\r\n```\r\n\r\nFTR UI test
example:\r\n\r\n```ts\r\n// First set privileges for custom
role\r\nawait samlAuth.setCustomRole({\r\n elasticsearch: {\r\n indices:
[{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata']
}],\r\n },\r\n kibana: [\r\n {\r\n feature: {\r\n discover:
['read'],\r\n },\r\n spaces: ['*'],\r\n },\r\n ],\r\n });\r\n
});\r\n\r\n// Then you can login in browser as a user with newly defined
privileges\r\nawait
pageObjects.svlCommonPage.loginWithCustomRole();\r\n```\r\n\r\nFTR
api_integration test example:\r\n\r\n```ts\r\n// First set privileges
for custom role\r\nawait samlAuth.setCustomRole({\r\n elasticsearch:
{\r\n indices: [{ names: ['logstash-*'], privileges: ['read',
'view_index_metadata'] }],\r\n },\r\n kibana: [\r\n {\r\n feature: {\r\n
discover: ['read'],\r\n },\r\n spaces: ['*'],\r\n },\r\n ],\r\n });\r\n
});\r\n// Then you can generate an API key with newly defined
privileges\r\nconst roleAuthc = await
samlAuth.createM2mApiKeyWithRoleScope('customRole');\r\n// Don't forget
to invalidate the API key in the end\r\nawait
samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);\r\n```","sha":"f00ac7a8a21463e6bb4a2784c3a3884f36c62900","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","FTR","v8.16.0","backport:version"],"number":194677,"url":"https://github.com/elastic/kibana/pull/194677","mergeCommit":{"message":"[FTR]
support custom native roles in serverless tests (elastic#194677)\n\n##
Summary\r\n\r\nThis PR updates FTR services to support authentication
with custom\r\nnative role. Few notes:\r\n- for compatibility with MKI
we reserve **\"customRole\"** as a custom\r\nrole name used in
tests\r\n- test user is **automatically assigned** to this role, but
before login\r\nin browser/ generating cookie header or API key in each
test suite\r\n**role privileges must me updated according test
scenario**\r\n\r\nHow to test:\r\nI added a new test file for Search
project:\r\n`x-pack/test_serverless/functional/test_suites/search/custom_role_access.ts`\r\n\r\nIt
can be run locally with:\r\n```\r\n node scripts/functional_tests
--config=x-pack/test_serverless/functional/test_suites/search/config.ts
--grep \"With custom role\"\r\n```\r\n\r\nFTR UI test
example:\r\n\r\n```ts\r\n// First set privileges for custom
role\r\nawait samlAuth.setCustomRole({\r\n elasticsearch: {\r\n indices:
[{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata']
}],\r\n },\r\n kibana: [\r\n {\r\n feature: {\r\n discover:
['read'],\r\n },\r\n spaces: ['*'],\r\n },\r\n ],\r\n });\r\n
});\r\n\r\n// Then you can login in browser as a user with newly defined
privileges\r\nawait
pageObjects.svlCommonPage.loginWithCustomRole();\r\n```\r\n\r\nFTR
api_integration test example:\r\n\r\n```ts\r\n// First set privileges
for custom role\r\nawait samlAuth.setCustomRole({\r\n elasticsearch:
{\r\n indices: [{ names: ['logstash-*'], privileges: ['read',
'view_index_metadata'] }],\r\n },\r\n kibana: [\r\n {\r\n feature: {\r\n
discover: ['read'],\r\n },\r\n spaces: ['*'],\r\n },\r\n ],\r\n });\r\n
});\r\n// Then you can generate an API key with newly defined
privileges\r\nconst roleAuthc = await
samlAuth.createM2mApiKeyWithRoleScope('customRole');\r\n// Don't forget
to invalidate the API key in the end\r\nawait
samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);\r\n```","sha":"f00ac7a8a21463e6bb4a2784c3a3884f36c62900"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194677","number":194677,"mergeCommit":{"message":"[FTR]
support custom native roles in serverless tests (elastic#194677)\n\n##
Summary\r\n\r\nThis PR updates FTR services to support authentication
with custom\r\nnative role. Few notes:\r\n- for compatibility with MKI
we reserve **\"customRole\"** as a custom\r\nrole name used in
tests\r\n- test user is **automatically assigned** to this role, but
before login\r\nin browser/ generating cookie header or API key in each
test suite\r\n**role privileges must me updated according test
scenario**\r\n\r\nHow to test:\r\nI added a new test file for Search
project:\r\n`x-pack/test_serverless/functional/test_suites/search/custom_role_access.ts`\r\n\r\nIt
can be run locally with:\r\n```\r\n node scripts/functional_tests
--config=x-pack/test_serverless/functional/test_suites/search/config.ts
--grep \"With custom role\"\r\n```\r\n\r\nFTR UI test
example:\r\n\r\n```ts\r\n// First set privileges for custom
role\r\nawait samlAuth.setCustomRole({\r\n elasticsearch: {\r\n indices:
[{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata']
}],\r\n },\r\n kibana: [\r\n {\r\n feature: {\r\n discover:
['read'],\r\n },\r\n spaces: ['*'],\r\n },\r\n ],\r\n });\r\n
});\r\n\r\n// Then you can login in browser as a user with newly defined
privileges\r\nawait
pageObjects.svlCommonPage.loginWithCustomRole();\r\n```\r\n\r\nFTR
api_integration test example:\r\n\r\n```ts\r\n// First set privileges
for custom role\r\nawait samlAuth.setCustomRole({\r\n elasticsearch:
{\r\n indices: [{ names: ['logstash-*'], privileges: ['read',
'view_index_metadata'] }],\r\n },\r\n kibana: [\r\n {\r\n feature: {\r\n
discover: ['read'],\r\n },\r\n spaces: ['*'],\r\n },\r\n ],\r\n });\r\n
});\r\n// Then you can generate an API key with newly defined
privileges\r\nconst roleAuthc = await
samlAuth.createM2mApiKeyWithRoleScope('customRole');\r\n// Don't forget
to invalidate the API key in the end\r\nawait
samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);\r\n```","sha":"f00ac7a8a21463e6bb4a2784c3a3884f36c62900"}},{"branch":"8.x","label":"v8.16.0","labelRegex":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Author: dmlemeshko

packages/kbn-ftr-common-functional-services/index.ts

@@ -30,6 +30,7 @@ export type {
   InternalRequestHeader,
   RoleCredentials,
   CookieCredentials,
+  KibanaRoleDescriptors,
 } from './services/saml_auth';
 
 import { SamlAuthProvider } from './services/saml_auth/saml_auth_provider';

packages/kbn-ftr-common-functional-services/services/saml_auth/get_auth_provider.ts

@@ -12,8 +12,10 @@ import { ServerlessAuthProvider } from './serverless/auth_provider';
 import { StatefulAuthProvider } from './stateful/auth_provider';
 
 export interface AuthProvider {
-  getSupportedRoleDescriptors(): Record<string, unknown>;
+  getSupportedRoleDescriptors(): Map<string, any>;
   getDefaultRole(): string;
+  isCustomRoleEnabled(): boolean;
+  getCustomRole(): string;
   getRolesDefinitionPath(): string;
   getCommonRequestHeader(): { [key: string]: string };
   getInternalRequestHeader(): { [key: string]: string };

packages/kbn-ftr-common-functional-services/services/saml_auth/index.ts

@@ -8,5 +8,9 @@
  */
 
 export { SamlAuthProvider } from './saml_auth_provider';
-export type { RoleCredentials, CookieCredentials } from './saml_auth_provider';
+export type {
+  RoleCredentials,
+  CookieCredentials,
+  KibanaRoleDescriptors,
+} from './saml_auth_provider';
 export type { InternalRequestHeader } from './default_request_headers';

packages/kbn-ftr-common-functional-services/services/saml_auth/saml_auth_provider.ts

@@ -27,6 +27,19 @@ export interface CookieCredentials {
   [header: string]: string;
 }
 
+export interface KibanaRoleDescriptors {
+  kibana: any;
+  elasticsearch?: any;
+}
+
+const throwIfRoleNotSet = (role: string, customRole: string, roleDescriptors: Map<string, any>) => {
+  if (role === customRole && !roleDescriptors.has(customRole)) {
+    throw new Error(
+      `Set privileges for '${customRole}' using 'samlAuth.setCustomRole' before authentication.`
+    );
+  }
+};
+
 export function SamlAuthProvider({ getService }: FtrProviderContext) {
   const config = getService('config');
   const log = getService('log');
@@ -35,9 +48,8 @@ export function SamlAuthProvider({ getService }: FtrProviderContext) {
 
   const authRoleProvider = getAuthProvider({ config });
   const supportedRoleDescriptors = authRoleProvider.getSupportedRoleDescriptors();
-  const supportedRoles = Object.keys(supportedRoleDescriptors);
-
-  const customRolesFileName: string | undefined = process.env.ROLES_FILENAME_OVERRIDE;
+  const supportedRoles = Array.from(supportedRoleDescriptors.keys());
+  const customRolesFileName = process.env.ROLES_FILENAME_OVERRIDE;
   const cloudUsersFilePath = resolve(REPO_ROOT, '.ftr', customRolesFileName ?? 'role_users.json');
 
   // Sharing the instance within FTR config run means cookies are persistent for each role between tests.
@@ -61,55 +73,78 @@ export function SamlAuthProvider({ getService }: FtrProviderContext) {
   const DEFAULT_ROLE = authRoleProvider.getDefaultRole();
   const COMMON_REQUEST_HEADERS = authRoleProvider.getCommonRequestHeader();
   const INTERNAL_REQUEST_HEADERS = authRoleProvider.getInternalRequestHeader();
+  const CUSTOM_ROLE = authRoleProvider.getCustomRole();
+  const isCustomRoleEnabled = authRoleProvider.isCustomRoleEnabled();
+
+  const getAdminCredentials = async () => {
+    return await sessionManager.getApiCredentialsForRole('admin');
+  };
+
+  const createApiKeyPayload = (role: string, roleDescriptors: any) => {
+    return {
+      name: `myTestApiKey_${role}`,
+      metadata: {},
+      ...(role === CUSTOM_ROLE
+        ? { kibana_role_descriptors: roleDescriptors }
+        : { role_descriptors: roleDescriptors }),
+    };
+  };
 
   return {
     async getInteractiveUserSessionCookieWithRoleScope(role: string) {
+      // Custom role has no descriptors by default, check if it was added before authentication
+      throwIfRoleNotSet(role, CUSTOM_ROLE, supportedRoleDescriptors);
       return sessionManager.getInteractiveUserSessionCookieWithRoleScope(role);
     },
+
     async getM2MApiCookieCredentialsWithRoleScope(role: string): Promise<CookieCredentials> {
+      // Custom role has no descriptors by default, check if it was added before authentication
+      throwIfRoleNotSet(role, CUSTOM_ROLE, supportedRoleDescriptors);
       return sessionManager.getApiCredentialsForRole(role);
     },
+
     async getEmail(role: string) {
       return sessionManager.getEmail(role);
     },
 
     async getUserData(role: string) {
       return sessionManager.getUserData(role);
     },
+
     async createM2mApiKeyWithDefaultRoleScope() {
-      log.debug(`Creating api key for default role: [${this.DEFAULT_ROLE}]`);
-      return this.createM2mApiKeyWithRoleScope(this.DEFAULT_ROLE);
+      log.debug(`Creating API key for default role: [${DEFAULT_ROLE}]`);
+      return this.createM2mApiKeyWithRoleScope(DEFAULT_ROLE);
     },
+
     async createM2mApiKeyWithRoleScope(role: string): Promise<RoleCredentials> {
       // Get admin credentials in order to create the API key
-      const adminCookieHeader = await this.getM2MApiCookieCredentialsWithRoleScope('admin');
-
-      // Get the role descrtiptor for the role
+      const adminCookieHeader = await getAdminCredentials();
       let roleDescriptors = {};
+
       if (role !== 'admin') {
-        const roleDescriptor = supportedRoleDescriptors[role];
+        if (role === CUSTOM_ROLE && !isCustomRoleEnabled) {
+          throw new Error(`Custom roles are not supported for the current deployment`);
+        }
+        const roleDescriptor = supportedRoleDescriptors.get(role);
         if (!roleDescriptor) {
-          throw new Error(`Cannot create API key for non-existent role "${role}"`);
+          throw new Error(
+            role === CUSTOM_ROLE
+              ? `Before creating API key for '${CUSTOM_ROLE}', use 'samlAuth.setCustomRole' to set the role privileges`
+              : `Cannot create API key for non-existent role "${role}"`
+          );
         }
         log.debug(
-          `Creating api key for ${role} role with the following privileges ${JSON.stringify(
-            roleDescriptor
-          )}`
+          `Creating API key for ${role} with privileges: ${JSON.stringify(roleDescriptor)}`
         );
-        roleDescriptors = {
-          [role]: roleDescriptor,
-        };
+        roleDescriptors = { [role]: roleDescriptor };
       }
 
+      const payload = createApiKeyPayload(role, roleDescriptors);
       const response = await supertestWithoutAuth
         .post('/internal/security/api_key')
         .set(INTERNAL_REQUEST_HEADERS)
         .set(adminCookieHeader)
-        .send({
-          name: 'myTestApiKey',
-          metadata: {},
-          role_descriptors: roleDescriptors,
-        });
+        .send(payload);
 
       if (response.status !== 200) {
         throw new Error(
@@ -120,38 +155,59 @@ export function SamlAuthProvider({ getService }: FtrProviderContext) {
       const apiKey = response.body;
       const apiKeyHeader = { Authorization: 'ApiKey ' + apiKey.encoded };
 
-      log.debug(`Created api key for role: [${role}]`);
+      log.debug(`Created API key for role: [${role}]`);
       return { apiKey, apiKeyHeader };
     },
+
     async invalidateM2mApiKeyWithRoleScope(roleCredentials: RoleCredentials) {
       // Get admin credentials in order to invalidate the API key
-      const adminCookieHeader = await this.getM2MApiCookieCredentialsWithRoleScope('admin');
-
-      const requestBody = {
-        apiKeys: [
-          {
-            id: roleCredentials.apiKey.id,
-            name: roleCredentials.apiKey.name,
-          },
-        ],
-        isAdmin: true,
-      };
+      const adminCookieHeader = await getAdminCredentials();
 
       const { status } = await supertestWithoutAuth
         .post('/internal/security/api_key/invalidate')
         .set(INTERNAL_REQUEST_HEADERS)
         .set(adminCookieHeader)
-        .send(requestBody);
+        .send({
+          apiKeys: [{ id: roleCredentials.apiKey.id, name: roleCredentials.apiKey.name }],
+          isAdmin: true,
+        });
 
       expect(status).to.be(200);
     },
+
+    async setCustomRole(descriptors: KibanaRoleDescriptors) {
+      if (!isCustomRoleEnabled) {
+        throw new Error(`Custom roles are not supported for the current deployment`);
+      }
+      log.debug(`Updating role ${CUSTOM_ROLE}`);
+      const adminCookieHeader = await getAdminCredentials();
+
+      const customRoleDescriptors = {
+        kibana: descriptors.kibana,
+        elasticsearch: descriptors.elasticsearch ?? [],
+      };
+
+      const { status } = await supertestWithoutAuth
+        .put(`/api/security/role/${CUSTOM_ROLE}`)
+        .set(INTERNAL_REQUEST_HEADERS)
+        .set(adminCookieHeader)
+        .send(customRoleDescriptors);
+
+      expect(status).to.be(204);
+
+      // Update descriptors for custome role, it will be used to create API key
+      supportedRoleDescriptors.set(CUSTOM_ROLE, customRoleDescriptors);
+    },
+
     getCommonRequestHeader() {
       return COMMON_REQUEST_HEADERS;
     },
 
     getInternalRequestHeader(): InternalRequestHeader {
       return INTERNAL_REQUEST_HEADERS;
     },
+
     DEFAULT_ROLE,
+    CUSTOM_ROLE,
   };
 }

packages/kbn-ftr-common-functional-services/services/saml_auth/serverless/auth_provider.ts

@@ -24,6 +24,8 @@ const projectDefaultRoles = new Map<string, Role>([
   ['oblt', 'editor'],
 ]);
 
+const projectTypesWithCustomRolesEnabled = ['es', 'security'];
+
 const getDefaultServerlessRole = (projectType: string) => {
   if (projectDefaultRoles.has(projectType)) {
     return projectDefaultRoles.get(projectType)!;
@@ -50,18 +52,39 @@ export class ServerlessAuthProvider implements AuthProvider {
     this.rolesDefinitionPath = resolve(SERVERLESS_ROLES_ROOT_PATH, this.projectType, 'roles.yml');
   }
 
-  getSupportedRoleDescriptors(): Record<string, unknown> {
-    return readRolesDescriptorsFromResource(this.rolesDefinitionPath);
+  getSupportedRoleDescriptors() {
+    const roleDescriptors = new Map<string, any>(
+      Object.entries(
+        readRolesDescriptorsFromResource(this.rolesDefinitionPath) as Record<string, unknown>
+      )
+    );
+    // Adding custom role to the map without privileges, so it can be later updated and used in the tests
+    if (this.isCustomRoleEnabled()) {
+      roleDescriptors.set(this.getCustomRole(), null);
+    }
+    return roleDescriptors;
   }
+
   getDefaultRole(): string {
     return getDefaultServerlessRole(this.projectType);
   }
+
+  isCustomRoleEnabled() {
+    return projectTypesWithCustomRolesEnabled.includes(this.projectType);
+  }
+
+  getCustomRole() {
+    return 'customRole';
+  }
+
   getRolesDefinitionPath(): string {
     return this.rolesDefinitionPath;
   }
+
   getCommonRequestHeader() {
     return COMMON_REQUEST_HEADERS;
   }
+
   getInternalRequestHeader() {
     return getServerlessInternalRequestHeaders();
   }

packages/kbn-ftr-common-functional-services/services/saml_auth/stateful/auth_provider.ts

@@ -18,12 +18,31 @@ import {
 
 export class StatefulAuthProvider implements AuthProvider {
   private readonly rolesDefinitionPath = resolve(REPO_ROOT, STATEFUL_ROLES_ROOT_PATH, 'roles.yml');
-  getSupportedRoleDescriptors(): Record<string, unknown> {
-    return readRolesDescriptorsFromResource(this.rolesDefinitionPath);
+
+  getSupportedRoleDescriptors() {
+    const roleDescriptors = new Map<string, any>(
+      Object.entries(
+        readRolesDescriptorsFromResource(this.rolesDefinitionPath) as Record<string, unknown>
+      )
+    );
+    // no privileges set by default
+    roleDescriptors.set(this.getCustomRole(), null);
+
+    return roleDescriptors;
   }
+
   getDefaultRole() {
     return 'editor';
   }
+
+  isCustomRoleEnabled() {
+    return true;
+  }
+
+  getCustomRole() {
+    return 'customRole';
+  }
+
   getRolesDefinitionPath() {
     return this.rolesDefinitionPath;
   }

x-pack/test/api_integration/deployment_agnostic/default_configs/serverless.config.base.ts

@@ -100,6 +100,10 @@ export function createServerlessTestConfig<T extends DeploymentAgnosticCommonSer
         ...svlSharedConfig.get('esTestCluster'),
         serverArgs: [
           ...svlSharedConfig.get('esTestCluster.serverArgs'),
+          // custom native roles are enabled only for search and security projects
+          ...(options.serverlessProject !== 'oblt'
+            ? ['xpack.security.authc.native_roles.enabled=true']
+            : []),
           ...esServerArgsFromController[options.serverlessProject],
         ],
       },
@@ -109,6 +113,10 @@ export function createServerlessTestConfig<T extends DeploymentAgnosticCommonSer
           ...svlSharedConfig.get('kbnTestServer.serverArgs'),
           ...kbnServerArgsFromController[options.serverlessProject],
           `--serverless=${options.serverlessProject}`,
+          // custom native roles are enabled only for search and security projects
+          ...(options.serverlessProject !== 'oblt'
+            ? ['--xpack.security.roleManagementEnabled=true']
+            : []),
         ],
       },
       testFiles: options.testFiles,

x-pack/test_serverless/README.md

@@ -202,6 +202,59 @@ describe("my internal APIs test suite", async function() {
 });
 ```
 
+#### Testing with custom roles
+
+With custom native roles now enabled for the Security and Search projects on MKI, the FTR supports
+defining and authenticating with custom roles in both UI functional tests and API integration tests.
+
+For compatibility with MKI, the role name `customRole` is reserved for use in tests. The test user is automatically assigned to this role, but before logging in via the browser, generating a cookie header, or creating an API key in each test suite, the role’s privileges must be updated.
+
+Note: We are still working on a solution to run these tests against MKI. In the meantime, please tag the suite with `skipMKI`.
+
+FTR UI test example:
+```
+// First, set privileges for the custom role
+await samlAuth.setCustomRole({
+  elasticsearch: {
+    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
+  },
+  kibana: [
+    {
+      feature: {
+        discover: ['read'],
+      },
+      spaces: ['*'],
+    },
+  ],
+});
+// Then, log in via the browser as a user with the newly defined privileges
+await pageObjects.svlCommonPage.loginWithCustomRole();
+```
+
+FTR api_integration test example:
+```
+// First, set privileges for the custom role
+await samlAuth.setCustomRole({
+  elasticsearch: {
+    indices: [{ names: ['logstash-*'], privileges: ['read', 'view_index_metadata'] }],
+  },
+  kibana: [
+    {
+      feature: {
+        discover: ['read'],
+      },
+      spaces: ['*'],
+    },
+  ],
+});
+
+// Then, generate an API key with the newly defined privileges
+const roleAuthc = await samlAuth.createM2mApiKeyWithRoleScope('customRole');
+
+// Remember to invalidate the API key after use
+await samlAuth.invalidateM2mApiKeyWithRoleScope(roleAuthc);
+```
+
 ### Testing with feature flags
 
 **tl;dr:** Tests specific to functionality behind a feature flag need special