diff --git a/.eslintrc.js b/.eslintrc.js index f45088f046bd..c12cc7c1eb49 100644 --- a/.eslintrc.js +++ b/.eslintrc.js @@ -498,6 +498,7 @@ module.exports = { 'x-pack/plugins/apm/**/*.js', 'test/*/config.ts', 'test/*/config_open.ts', + 'test/*/*.config.ts', 'test/*/{tests,test_suites,apis,apps}/**/*', 'test/visual_regression/tests/**/*', 'x-pack/test/*/{tests,test_suites,apis,apps}/**/*', @@ -1596,6 +1597,7 @@ module.exports = { { files: [ 'src/plugins/interactive_setup/**/*.{js,mjs,ts,tsx}', + 'test/interactive_setup_api_integration/**/*.{js,mjs,ts,tsx}', 'x-pack/plugins/encrypted_saved_objects/**/*.{js,mjs,ts,tsx}', 'x-pack/plugins/security/**/*.{js,mjs,ts,tsx}', 'x-pack/plugins/spaces/**/*.{js,mjs,ts,tsx}', diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 1e0a8b187c77..ec03acc752d5 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -244,7 +244,6 @@ /packages/kbn-std/ @elastic/kibana-core /packages/kbn-config/ @elastic/kibana-core /packages/kbn-logging/ @elastic/kibana-core -/packages/kbn-crypto/ @elastic/kibana-core /packages/kbn-http-tools/ @elastic/kibana-core /src/plugins/saved_objects_management/ @elastic/kibana-core /src/dev/run_check_published_api_changes.ts @elastic/kibana-core @@ -285,9 +284,11 @@ /packages/kbn-i18n/ @elastic/kibana-localization @elastic/kibana-core #CC# /x-pack/plugins/translations/ @elastic/kibana-localization @elastic/kibana-core -# Security +# Kibana Platform Security +/packages/kbn-crypto/ @elastic/kibana-security /src/core/server/csp/ @elastic/kibana-security @elastic/kibana-core /src/plugins/interactive_setup/ @elastic/kibana-security +/test/interactive_setup_api_integration/ @elastic/kibana-security /x-pack/plugins/spaces/ @elastic/kibana-security /x-pack/plugins/encrypted_saved_objects/ @elastic/kibana-security /x-pack/plugins/security/ @elastic/kibana-security 
diff --git a/packages/kbn-crypto/src/__fixtures__/no_ca.p12 b/packages/kbn-crypto/src/__fixtures__/no_ca.p12 index 1e6df9a0f71c..c4beef55cf3b 100644 Binary files a/packages/kbn-crypto/src/__fixtures__/no_ca.p12 and b/packages/kbn-crypto/src/__fixtures__/no_ca.p12 differ diff --git a/packages/kbn-crypto/src/__fixtures__/no_cert.p12 b/packages/kbn-crypto/src/__fixtures__/no_cert.p12 index 8453fe878e78..40e4da49f227 100644 Binary files a/packages/kbn-crypto/src/__fixtures__/no_cert.p12 and b/packages/kbn-crypto/src/__fixtures__/no_cert.p12 differ diff --git a/packages/kbn-crypto/src/__fixtures__/no_key.p12 b/packages/kbn-crypto/src/__fixtures__/no_key.p12 index 1bffb7a301b2..7192bbc7de55 100644 Binary files a/packages/kbn-crypto/src/__fixtures__/no_key.p12 and b/packages/kbn-crypto/src/__fixtures__/no_key.p12 differ diff --git a/packages/kbn-crypto/src/__fixtures__/two_cas.p12 b/packages/kbn-crypto/src/__fixtures__/two_cas.p12 index 25784a6fb9a9..2de839be3e41 100644 Binary files a/packages/kbn-crypto/src/__fixtures__/two_cas.p12 and b/packages/kbn-crypto/src/__fixtures__/two_cas.p12 differ diff --git a/packages/kbn-crypto/src/__fixtures__/two_keys.p12 b/packages/kbn-crypto/src/__fixtures__/two_keys.p12 index c934b34901a9..784b3033ebf6 100644 Binary files a/packages/kbn-crypto/src/__fixtures__/two_keys.p12 and b/packages/kbn-crypto/src/__fixtures__/two_keys.p12 differ diff --git a/packages/kbn-dev-utils/certs/README.md b/packages/kbn-dev-utils/certs/README.md index fdf789278940..869f18ad2ed2 100644 --- a/packages/kbn-dev-utils/certs/README.md +++ b/packages/kbn-dev-utils/certs/README.md 
@@ -30,15 +30,17 @@ The password used for both of these is "storepass". Other copies are also provid [Elasticsearch cert-util](https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html) and [OpenSSL](https://www.openssl.org/) were used to generate these certificates. The following commands were used from the root directory of Elasticsearch: +__IMPORTANT:__ CA keystore (ca.p12) is not checked in intentionally, talk to @elastic/kibana-security if you need it to sign new certificates. + ``` # Generate the PKCS #12 keystore for a CA, valid for 50 years -bin/elasticsearch-certutil ca -days 18250 --pass castorepass +bin/elasticsearch-certutil ca --out ca.p12 -days 18250 --pass castorepass # Generate the PKCS #12 keystore for Elasticsearch and sign it with the CA -bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name elasticsearch --dns localhost --pass storepass +bin/elasticsearch-certutil cert --out elasticsearch.p12 -days 18250 --ca ca.p12 --ca-pass castorepass --name elasticsearch --dns localhost --pass storepass # Generate the PKCS #12 keystore for Kibana and sign it with the CA -bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name kibana --dns localhost --pass storepass +bin/elasticsearch-certutil cert --out kibana.p12 -days 18250 --ca ca.p12 --ca-pass castorepass --name kibana --dns localhost --pass storepass # Copy the PKCS #12 keystore for Elasticsearch with an empty password openssl pkcs12 -in elasticsearch.p12 -nodes -passin pass:"storepass" -passout pass:"" | openssl pkcs12 -export -out elasticsearch_emptypassword.p12 -passout pass:"" diff --git a/packages/kbn-dev-utils/certs/ca.crt b/packages/kbn-dev-utils/certs/ca.crt index 217935b8d83f..3a99c58d6b51 100644 --- a/packages/kbn-dev-utils/certs/ca.crt +++ b/packages/kbn-dev-utils/certs/ca.crt 
@@ -1,29 +1,29 @@ Bag Attributes friendlyName: elasticsearch - localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 31 39 38 30 33 37 + localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 32 31 39 33 Key Attributes: Bag Attributes friendlyName: ca 2.16.840.1.113894.746875.1.1: -subject=/CN=Elastic Certificate Tool Autogenerated CA -issuer=/CN=Elastic Certificate Tool Autogenerated CA +subject=CN = Elastic Certificate Tool Autogenerated CA +issuer=CN = Elastic Certificate Tool Autogenerated CA -----BEGIN CERTIFICATE----- -MIIDSzCCAjOgAwIBAgIUW0brhEtYK3tUBYlXnUa+AMmAX6kwDQYJKoZIhvcNAQEL -BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l -cmF0ZWQgQ0EwIBcNMTkxMjI3MTcwMjMyWhgPMjA2OTEyMTQxNzAyMzJaMDQxMjAw -BgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2VuZXJhdGVkIENB -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplO5m5Xy8xERyA0/G5SM -Nu2QXkfS+m7ZTFjSmtwqX7BI1I6ISI4Yw8QxzcIgSbEGlSqb7baeT+A/1JQj0gZN -KOnKbazl+ujVRJpsfpt5iUsnQyVPheGekcHkB+9WkZPgZ1oGRENr/4Eb1VImQf+Y -yo/FUj8X939tYW0fficAqYKv8/4NWpBUbeop8wsBtkz738QKlmPkMwC4FbuF2/bN -vNuzQuRbGMVmPeyivZJRfDAMKExoXjCCLmbShdg4dUHsUjVeWQZ6s4vbims+8qF9 -b4bseayScQNNU3hc5mkfhEhSM0KB0lDpSvoCxuXvXzb6bOk7xIdYo+O4vHUhvSkQ -mwIDAQABo1MwUTAdBgNVHQ4EFgQUGu0mDnvDRnBdNBG8DxwPdWArB0kwHwYDVR0j -BBgwFoAUGu0mDnvDRnBdNBG8DxwPdWArB0kwDwYDVR0TAQH/BAUwAwEB/zANBgkq -hkiG9w0BAQsFAAOCAQEASv/FYOwWGnQreH8ulcVupGeZj25dIjZiuKfJmslH8QN/ -pVCIzAxNZjGjCpKxbJoCu5U9USaBylbhigeBJEq4wmYTs/WPu4uYMgDj0MILuHin -RQqgEVG0uADGEgH2nnk8DeY8gQvGpJRQGlXNK8pb+pCsy6F8k/svGOeBND9osHfU -CVEo5nXjfq6JCFt6hPx7kl4h3/j3C4wNy/Dv/QINdpPsl6CnF17Q9R9d60WFv42/ -pkl7W1hszCG9foNJOJabuWfVoPkvKQjoCvPitZt/hCaFZAW49PmAVhK+DAohQ91l -TZhDmYqHoXNiRDQiUT68OS7RlfKgNpr/vMTZXDxpmw== +MIIDTDCCAjSgAwIBAgIVAJUW7Ky1rVeyYxsS1dGcF3HZpknsMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU0MVoYDzIwNzExMDAxMTAxNTQxWjA0MTIw +MAYDVQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBD 
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSQK7Q/wBblLXhD8WZc +HO0mwEOILBVRCY2wcSLaibfzxvX/EhX7mAbozrCgj0hOTFZldzoSHURZmLUntONF +vUxWyR3ulAXuCfpvxoh7+WJWWvk0m8iI5GzwYjCYoRDRgLrzPlNSRd6CuW4z5vXC +sT7MjE69iAEmXR6bdV6GvQ3kBVUJVCz23QbXLCl4gzWAWsfXuNx1+ZjJXeM/eEkH +dQbmBoG6jKJtnSlXjG/s2aSi/Jv/GoHJJT7YQXSvWFpklu3Dk9c+FacQoz95HZD1 +qbaruKq1SjIG6Leht3DNpNT7n5q1EQeZ5uhhWMAI81vRgAZYZxwGJQF19Qgz13D6 +de8CAwEAAaNTMFEwHQYDVR0OBBYEFDBMKsCOW9DGKTccGhyfU8NS6d6eMB8GA1Ud +IwQYMBaAFDBMKsCOW9DGKTccGhyfU8NS6d6eMA8GA1UdEwEB/wQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBABf0ZznDu2m9IVn7ThLPb5UJU/rZiTkRyP6cqPFFtSww +TiZ0+AS5phGFV8f/znC/scU2u57EAl8DWSalJZTXJMekboFpfXJME/BK66I6wdSi +TfL99HjYR6LYyjvkXhoIBhR1eCw1zwm8IGzRV++/zY5ksYb5GQ9smFr3TNgqgdsv +GnPJgytVc/sYXuc1l7MS8j1Q+JLhpIymDKCJ2CB+x2p2oMYqJmFstc8I0z6vZtiM +zeyy07qK71uOfD5F1HHw/rv738yrlq7NwAH9fc3/0fPueyjTHSQtKiSBfc0phEMz +TV7Px45EUVFhn9YgIHGBSKPkA5QCC3bPNb6iYGREDcU= -----END CERTIFICATE----- diff --git a/packages/kbn-dev-utils/certs/elasticsearch.crt b/packages/kbn-dev-utils/certs/elasticsearch.crt index 87ba02019903..a95b7c63ad5e 100644 --- a/packages/kbn-dev-utils/certs/elasticsearch.crt +++ b/packages/kbn-dev-utils/certs/elasticsearch.crt 
@@ -1,29 +1,29 @@ Bag Attributes friendlyName: elasticsearch - localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 31 39 38 30 33 37 + localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 32 31 39 33 Key Attributes: Bag Attributes friendlyName: elasticsearch - localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 31 39 38 30 33 37 -subject=/CN=elasticsearch -issuer=/CN=Elastic Certificate Tool Autogenerated CA + localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 32 31 39 33 +subject=CN = elasticsearch +issuer=CN = Elastic Certificate Tool Autogenerated CA -----BEGIN CERTIFICATE----- -MIIDQDCCAiigAwIBAgIVAI93OQE6tZffPyzenSg3ljE3JJBzMA0GCSqGSIb3DQEB -CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDMxN1oYDzIwNjkxMjE0MTcwMzE3WjAYMRYw -FAYDVQQDEw1lbGFzdGljc2VhcmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEA2EkPfvE3ZNMjHCAQZhpImoXBCIN6KavvJSbVHRtLzAXB4wxige+vFQWb -4umqPeEeVH7FvrsRqn24tUgGIkag9p9AOwYxfcT3vwNqcK/EztIlYFs72pmYg7Ez -s6+qLc/YSLOT3aMoHKDHE93z1jYIDGccyjGbv9NsdgCbLHD0TQuqm+7pKy1MZoJm -0qn4KYw4kXakVNWlxm5GIwr8uqU/w4phrikcOOWqRzsxByoQajypLOA4eD/uWnI2 -zGyPQy7Bkxojiy1ss0CVlrl8fJgcjC4PONpm1ibUSX3SoZ8PopPThR6gvvwoQolR -rYu4+D+rsX7q/ldA6vBOiHBD8r4QoQIDAQABo2MwYTAdBgNVHQ4EFgQUSlIMCYYd -e72A0rUqaCkjVPkGPIwwHwYDVR0jBBgwFoAUGu0mDnvDRnBdNBG8DxwPdWArB0kw -FAYDVR0RBA0wC4IJbG9jYWxob3N0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQAD -ggEBAImbzBVAEjiLRsNDLP7QAl0k7lVmfQRFz5G95ZTAUSUgbqqymDvry47yInFF -3o12TuI1GxK5zHzi+qzpJLyrnGwGK5JBR+VGxIBBKFVcFh1WNGKV6kSO/zBzO7PO -4Jw4G7By/ImWvS0RBhBUQ9XbQZN3WcVkVVV8UQw5Y7JoKtM+fzyEKXKRCTsvgH+h -3+fUBgqwal2Mz4KPH57Jrtk209dtn7tnQxHTNLo0niHyEcfrpuG3YFqTwekr+5FF -FniIcYHPGjag1WzLIdyhe88FFpuav19mlCaxBACc7t97v+euSVUWnsKpy4dLydpv -NxJiI9eWbJZ7f5VM7o64pm7U1cU= +MIIDPzCCAiegAwIBAgIUCTO1pAvYtfaJndsQwa9cS/AtoSowDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwIBcNMjExMDEzMTAxNTUyWhgPMjA3MTEwMDExMDE1NTJaMBgxFjAU +BgNVBAMTDWVsYXN0aWNzZWFyY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 
+AoIBAQCJK4KLS0kSIM+eqdMq4nO1p7nQ7ADUXIYjeRKaCycSJ7sj//1FRdj2NhLb +gdSX2VGIUZyOw4ptw6bGo0A7KyFE4yJZdG9m+VC1PFck3WaIdQHFdxgMia9deIHx +sU1ETnC4PstdkrsZZpf5+twS6O9TaIQolG6nEShst075v2b3y0NDHcxKW+BtSw27 +HEHlchhP/Uj4haVMABQahfP8gv5vlHqStuOOWeoSgwF5FngCekx+ZeoIf5wVWfE1 +SzDlU7L/JdYOrAp+kN+2g+b4qcr+WvFNCEwbhjJjd9/VIJ5z9kIjJhG9z1NilPhR +RVPG4njS6PxTufejbWN/360HfZbZAgMBAAGjYzBhMB0GA1UdDgQWBBR0kfoZtlNi +ZKxVBPhhpipoXdTQMjAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAU +BgNVHREEDTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOC +AQEAkNcEM6mBzCdECFtuor3lfxrXzmrIo3wUspbv6Rrm4+n6TwJIYp6ydf4OcruR +Uv5feevaYXwDRHBkIEGvhU5po6sGp6k7ppXS5bgrEtAhJSK8SOsLINnbJLnptmZQ +Jharcks5STEqfJFB2QBZvFSLLpvO9g/N8sMro6ZvaUXhfW9DNpd6GIUXQiMhKLex +t80Sb4zuahTRqUSi2j5Hoq8ouc7U9T/RmA3zXNmzq7YvL/gv2it67qdyKvpzoX7t +HJaT1HU0o5Xi/Ol33C/wvfRe05UrHEUil148n/XWz3EJky7El2LYbg36/++mVTHX +xUXS+FdZ1rBlGnGwOHTPHj5FMQ== -----END CERTIFICATE----- diff --git a/packages/kbn-dev-utils/certs/elasticsearch.key b/packages/kbn-dev-utils/certs/elasticsearch.key index 9ae4e314630d..4a114a0458a8 100644 --- a/packages/kbn-dev-utils/certs/elasticsearch.key +++ b/packages/kbn-dev-utils/certs/elasticsearch.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEA2EkPfvE3ZNMjHCAQZhpImoXBCIN6KavvJSbVHRtLzAXB4wxi -ge+vFQWb4umqPeEeVH7FvrsRqn24tUgGIkag9p9AOwYxfcT3vwNqcK/EztIlYFs7 -2pmYg7Ezs6+qLc/YSLOT3aMoHKDHE93z1jYIDGccyjGbv9NsdgCbLHD0TQuqm+7p -Ky1MZoJm0qn4KYw4kXakVNWlxm5GIwr8uqU/w4phrikcOOWqRzsxByoQajypLOA4 -eD/uWnI2zGyPQy7Bkxojiy1ss0CVlrl8fJgcjC4PONpm1ibUSX3SoZ8PopPThR6g -vvwoQolRrYu4+D+rsX7q/ldA6vBOiHBD8r4QoQIDAQABAoIBAB+s44YV0aUEfvnZ -gE1TwBpRSGn0x2le8tEgFMoEe19P4Itd/vdEoQGVJrVevz38wDJjtpYuU3ICo5B5 -EdznNx+nRwLd71WaCSaCW45RT6Nyh2LLOcLUB9ARnZ7NNUEsVWKgWiF1iaRXr5Ar -S1Ct7RPT7hV2mnbHgfTuNcuWZ1D5BUcqNczNoHsV6guFChiwTr7ZObnKj4qJLwdu -ioYYWno4ZLgsk4SfW6DXUCvfKROfYdDd2rGu0NQ4QxT3Q98AsXlrlUITBQbpQEgy -5GSTEh/4sRYj4NQZqncDpPgXm22kYdU7voBjt/zu66oq1W6kKQ4JwPmyc2SI0haa -/pyCMtkCgYEA/y3vs59RvrM6xpT77lf7WigSBbIBQxeKs9RGNoN0Nn/eR0MlQAUG -SmCkkEOcUGuVMnoo5Kc73IP/Q1+O4UGg7f1Gs8KeFPFQMm/wcSL7obvRWray1Bw6 -ohITJPqZYZrw3hmkOMxkLpvUydivN1Unm7BezjOa+T/+OaV3PyAYufsCgYEA2Psb -S8OQhFiVbOKlMYOebvG+AnhAzJiSVus9R9NcViv20E61PRj2rfA398pYpZ8nxaQp -cWGy+POZbkxRCprZ1GHkwWjaQysgeOCbJv8nQ2oh5C0ZCaGw6lfmi2mN097+Prmx -QE8j8OKj3wVI6bniCF7vzwfG3c5cU73elLTAWRMCgYBoA/eDRlvx2ekJbU1MGDzy -wQann6l4Ca6WIt8D9Y13caPPdIVIlUO9KauqyoR7G39TdgwZODnkZ0Gz2s3I8BGD -MQyS1a/OZZcFGC/wTgw4HvD1gydd4qvbyHZZSnUfHiM0xUr1hAsKHKceJ980NNfS -VJAwiUSQeQ9NvC7hYlnx5QKBgDxESsmZcRuBa0eKEC4Xi7rvBEK1WfI58nOX9TZs -+3mnzm7/XZGxzFp1nWYC2uptsWNQ/H3UkBxbtOMQ6XWTmytFYX9i+zSq1uMcJ5wG -RMaRxQYWjJzDP1tnvM4+LDmL93w+oX/mO2pd2PxKAH2CtshybhNH6rGS7swHsboG -FmLnAoGAYTnTcWD1qiwjbJR5ZdukAjIq39cGcf0YOVJCiaFS+5vTirbw04ARvNyM -rxU8EpVN1sKC411pgNvlm6KZJHwihRRQoY+UI2fn78bHBH991QhlrTPO6TBZx7Aw -+hzyxqAiSBX65dQo0e4C15wZysQO/bdT5Def0+UTDR8j8ZgMAQg= +MIIEowIBAAKCAQEAiSuCi0tJEiDPnqnTKuJztae50OwA1FyGI3kSmgsnEie7I//9 +RUXY9jYS24HUl9lRiFGcjsOKbcOmxqNAOyshROMiWXRvZvlQtTxXJN1miHUBxXcY +DImvXXiB8bFNRE5wuD7LXZK7GWaX+frcEujvU2iEKJRupxEobLdO+b9m98tDQx3M +SlvgbUsNuxxB5XIYT/1I+IWlTAAUGoXz/IL+b5R6krbjjlnqEoMBeRZ4AnpMfmXq 
+CH+cFVnxNUsw5VOy/yXWDqwKfpDftoPm+KnK/lrxTQhMG4YyY3ff1SCec/ZCIyYR +vc9TYpT4UUVTxuJ40uj8U7n3o21jf9+tB32W2QIDAQABAoIBAAdC/+q65hfpF8S5 +Dd5X1bNYuUwXqmWTrmBDYRo5m+xooQ4jV7eqnnVOYIoxYd1WGmxikay3KmVsNbCP +ZO+c9WptsdxVfy5O5ZhqpNxlQi/YLetTxjins1p57jsq3UHP+0StwltmULRkC4im +4K65mS3ruw9g6Ei87kxvGeW73coha0syjORYGcFUynX/DfLi5svUjtSyVUQ1KCiU +KYc0q+SzsgXd71Ngr/HZR4ncCoACW3q/pLp0AUvDY0wZMkACOav2m9D2AnRPbPrA ++/n7LlrD0+LDScZx5nwO3ToFZuTDUXt3G0UWRaQfqiAZxNs2oeOc2gKegEJnPKIo +/BLN/D8CgYEAvMmtcZyrw8vifpP32erSBx2+wftt2JA9GdtZlOxu/kbWH7DAZ75g +YUT0nkcIRrvAS5FCVpOIENZit0RIvA5gM08Brko2mBIRQAbMWmu+c7RUBIa2xVDF +kjputhlWTT7xY03VbJThqUG4oK+zJJSb/RfRM4x2dRYskb7MEwqZFzcCgYEAugFT +t/0Lj+OXR+2pcjPk5VmxjCv4xohNOaX4YZ4/rK4H+gi9iyx232zE/1Dtz5SB4+uw +6hx7Aw3r5U9h1fauT60rSrydChEpFqcfpNQca7HncbF2DDdtEX+ZBkBDZ/U3LJ6Y +pI4o0vCLmiqZYbQ/+4v2f2/5ZqrzyMKLJ3zeqm8CgYAfCHP3ag6eJ+S6c+5ZJw2R +V+Vkk8URxVwV5QXLwjXYnKJUIUTviM7lDmW7oueMYQ6SHXWvL589TVB62cGvEBnm +NUWMdeyVgNrPEI8FChMLiAgLmm1u8AEaMXrDelTCa+dYMJI1wB98KC6GU3t6NueR +ahnchGlwg82dw6ReOO7DbwKBgGe5Sbg2EfaBUeE4dN9MdP44kDu8YZREedwF44Z8 +OsHOooAZ06kCeJ+LBifiN1skU3KIAjXq/+XqI3vSUpqAXx/rT1Lz7xaoDyOkuo6u +AdNEd+38qfmSBu5VGz5TI8ObCNOG9VP+OmG25gJocvP7EhryJ9lU1d0cw6lWY0b3 +6StdAoGBAKUkfbN7qbB+jiZt/6ArYWQE4PL4pqi+B+84xSrp46e41mmocezKhnsp +DxdcuZyg9OXs1xi6AaJtCbelho9bT8jC51GZSFvf887fvGVq7j1TgxWp4mvlqiX7 +tztiggaPXwRZQiThxdJaCIadw26hxdLNOcdGOl/u2m0rudvwybab -----END RSA PRIVATE KEY----- diff --git a/packages/kbn-dev-utils/certs/elasticsearch.p12 b/packages/kbn-dev-utils/certs/elasticsearch.p12 index 02a9183cd8a5..9f88e6bd42a9 100644 Binary files a/packages/kbn-dev-utils/certs/elasticsearch.p12 and b/packages/kbn-dev-utils/certs/elasticsearch.p12 differ 
diff --git a/packages/kbn-dev-utils/certs/elasticsearch_emptypassword.p12 b/packages/kbn-dev-utils/certs/elasticsearch_emptypassword.p12 index 3162982ac635..32ba1781d059 100644 Binary files a/packages/kbn-dev-utils/certs/elasticsearch_emptypassword.p12 and b/packages/kbn-dev-utils/certs/elasticsearch_emptypassword.p12 differ diff --git a/packages/kbn-dev-utils/certs/elasticsearch_nopassword.p12 b/packages/kbn-dev-utils/certs/elasticsearch_nopassword.p12 index 3a22a58d207d..8ea7d49ab39a 100644 Binary files a/packages/kbn-dev-utils/certs/elasticsearch_nopassword.p12 and b/packages/kbn-dev-utils/certs/elasticsearch_nopassword.p12 differ diff --git a/packages/kbn-dev-utils/certs/kibana.crt b/packages/kbn-dev-utils/certs/kibana.crt index 1c83be587bff..b73885dc7a0f 100644 --- a/packages/kbn-dev-utils/certs/kibana.crt +++ b/packages/kbn-dev-utils/certs/kibana.crt 
@@ -1,29 +1,29 @@ Bag Attributes friendlyName: kibana - localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 32 32 33 30 33 39 + localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 38 38 30 33 Key Attributes: Bag Attributes friendlyName: kibana - localKeyID: 54 69 6D 65 20 31 35 37 37 34 36 36 32 32 33 30 33 39 -subject=/CN=kibana -issuer=/CN=Elastic Certificate Tool Autogenerated CA + localKeyID: 54 69 6D 65 20 31 36 33 34 31 32 30 31 35 38 38 30 33 +subject=CN = kibana +issuer=CN = Elastic Certificate Tool Autogenerated CA -----BEGIN CERTIFICATE----- -MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB +MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w -DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ -wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU -FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q -OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ -s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU -vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T -BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz -V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE -DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ -z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv -+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX -TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy -b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk -cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O -eOUsdwn1yDKHRxDHyA== +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY 
+KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N +mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW +LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY +6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i +u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp +yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj +WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS +zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR +nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo +DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD +s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5 +dzkzSBV7H6+/MD3Y8Q== -----END CERTIFICATE----- diff --git a/packages/kbn-dev-utils/certs/kibana.key b/packages/kbn-dev-utils/certs/kibana.key index 4a4e6b4cb8c3..aae299d43058 100644 --- a/packages/kbn-dev-utils/certs/kibana.key +++ b/packages/kbn-dev-utils/certs/kibana.key 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAkMGGG0LW0QSieLjWXNviIEVPuzTS9tWXm0JRCDICu4wKjjK7 -Ftm+QwE8+NRXfhkBVBVGGI8KPj0I+rCR7ITiaP4DW99h68nbzCO2D73r5LM5LhBg -n18UNw8NkUwAi4A9EDgpMB7590zH9JaJaFf3jxlmmQ2GWl4t2uQ3VovxxRaCcrIB -dCVdn+l8ioSZBmhHybPaVl9uvcx/10LxjceARIpiaWAfIeCZw2DxSIkHao/rJdm/ -pEtYR/ZC+YAQDF4xVL3DZ1/j5sk48iaxqO+ZNJLvrKQX9WzMLkLd7kpjPk0CF5Lx -Q5ktAzlREq6QORAtUwVBkc+qPyPPF8eDLne+9QIDAQABAoIBAHl9suxWYKz00te3 -alJtSZAEHDLm1tjL034/XnseXiTCGGnYMiWvgnwCIgZFUVlH61GCuV4LT3GFEHA2 -mYKE1PGBn5gQF8MpnAvtPPRhVgaQVUFQBYg86F59h8mWnC545sciG4+DsA/apUem -wJSOn/u+Odni/AwEV0ALolZFBhl+0rccSr+6paJnzJ7QNiIn6EWbgb0n9WXqkhap -TqoPclBHm0ObeBI6lNyfvBZ8HB3hyjWZInNCaAs9DnkNPh4evuttUn/KlOPOVn9r -xz2UYsmVW6E+yPXUpSYkFQN9aaPF6alOz8PIfF8Wit7pmZMmInluGcwi/us9+ZTN -8gNvpoECgYEA0KC7XEoXRsBTN4kPznkGftvj1dtgB35W/HxXNouArQQjCbLhqcsA -jqaK0f+stYzSWZXGsKl9yQU9KA7u/wCHmLep70l7WsYYUKdkhWouK0HU5MeeLwB0 -N4ekQOQuQGqelqMo7IG2hQhTYD9PB4F3G0Sz1FgdObfuGPKfvNFVjckCgYEAsaAA -IY/TpRBWeWZfyXrnkp3atOPzkdpjb6cfT8Kib9bIECXr7ULUxA5QANX05ofodhsW -3+7iW5wicyZ1VNVEsPRL0aw7YUbNpBvob8faBUZ2KEdKQr42IfVOo7TQnvVXtumR -UE+dNvWUL2PbL0wMxD1XbMSmOze/wF8X2CeyDc0CgYBQnLqol2xVBz1gaRJ1emgb -HoXzfVemrZeY6cadKdwnfkC3n6n4fJsTg6CCMiOe5vHkca4bVvJmeSK/Vr3cRG0g -gl8kOaVzVrXQfE2oC3YZes9zMvqZOLivODcsZ77DXy82D4dhk2FeF/B3cR7tTIYk -QDCoLP/l7H8QnrdAMza2mQKBgDODwuX475ncviehUEB/26+DBo4V2ms/mj0kjAk2 -2qNy+DzuspjyHADsYbmMU+WUHxA51Q2HG7ET/E3HJpo+7BgiEecye1pADZ391hCt -Nob3I4eU/W2T+uEoYvFJnIOthg3veYyAOolY+ewwmr4B4WX8oGFUOx3Lklo5ehHf -mV01AoGBAI/c6OoHdcqQsZxKlxDNLyB2bTbowAcccoZIOjkC5fkkbsmMDLfScBfW -Q4YYJsmJBdrWNvo7jCl17Mcc4Is3RlmHDrItRkaZj+ehqAN3ejrnPLdgYeW/5XDK -e7yBj7oJd4oKZc59jVytdHvo5R8K0QohAv9gQEZ/tdypX+xWe+5E +MIIEpQIBAAKCAQEAt573y9/9ug/BJC7KPrfUtJvrUiYqS7AVrNHQqXPCkSf/oow0 +ZwEOZTpjgHMbeN0jWCha9BJ7UBGcmGkcDCDPGj0dFmFv1VeaOH6tqPyZ5h6s2SUS +QsGavuVogogz7dNdjZkRmAjFMY5RMHo7nunYiwHkIWf7HzeI1Kdte2zBB64R6zQV +k8MCflJOUwUDIb4gliym7Cq35bgOgxh1q1zeKR+15mn/2cnPQGC/58cL91UB2cyA 
+Cv1P1jQoBSSd6qBWGOk1MAwzWt9Jko9euTjnbPTflZlJQwtyBYh1d6LAVrHElOBy +XekCfIbh6xSy1eMuIrutnpeO0K/v/FLd0s3iFwIDAQABAoIBAAKgqzzHI/Xdfi7l +iS5e6hPQPAytECOMza/vQV7+EZWLLtIlfdB63Y5e8107XclxJ1gpHQLAyvPz3zui +cWzOVrhc5zAn98uOmTM1bjMXXkptO52l3/4wOrsq7upt8YmgjIZXX5Q/N+HZfq7v +aNqsJQBO6B6pmBiJGROrS6/y9/Yt+3jDolgtI6fifYZcMXACoal++BAXbiHYPoff ++nG5lHrAdQoEfNACNnGFlq2O85EWmr3qxUsZV8TblOirAuaUFk5KhhDvTOfTknHY +pW8Z4ttD26+QITyUbI56flgLOfe57y0u4XsOPtWQWEteIBxBFsB9MMj4B8XYdiO/ +hma1jSUCgYEA14H/6vtzM42INgphoj0lHFVL8N0DnuUquR77vQStTO2sDvMQrVTk +BKpy5iYmokHPjY7qV7C37/tQVKdQpUz9Lr0ylwinHwX1KasJkYEJGv++Z59sKH+C +CZX9lZjfTqPpuEonGgPruc8LOXaaM/+g3Nvs7M4S339gnjCZExNzpLsCgYEA2h8z +OhHJpOWOy004HHVjpkWHKTxgZ9xfMLCKjMi1m5sCJ2PCdkd4+wTtkY+u7+iFF1cp +5CVSvZC6fS0rk11ygXix1ZP7cDJj1y4mxvbzWOtPxvZc882Xv0RDXAQBLXgHW6YE +RqvdMczfAx0mbUNke4Umwa5PngSWQAqCYkXNkFUCgYEAhEAY5wEsLyTZxCAWzlMr +pPmLQuK+yBHmZ/hlkBeAqkboYbw0Lcp8q4hWPnqHFufAEST1Fp8yIaleILUUvnxC +mx4sH5eFx3oGe22kz5AaIGF1XW3uF+Q3zt4m4lkQINhiI2AOIt7pF/vA7aCk/OgQ +tbiY6rGDz3gBuNIl/hjfzOUCgYEAy1rDO6RRxnZuhoPbiEy5Ns8jkAJGLw55gL9W +rKKDDiuZ+nc7WWKRHBYgFtFKW0kArB4LZDSXyzwfYYy3T5CTrLmFsoVgqd2Qz5Cr +flvFzGS139zYFETc8OkHk8X4AxggZAWHfwvEESXb1N9ccAmgqLgexftpJv1HxzUF +EfHaEHECgYEArtWvtUdvRQ20r/X/g+mNyUhbYOy15pAgswLK4gIi8rmQPxR08spl +uJJ/cl4fGxG95dl/OV+lNdwl4UcvjATdreEMKvG4X4Cxd+42SUf40M6pGxXoyYz+ +i4WujBaEqBBqjKmYNJVgY7EvqF+VYLBVFZYB1zQhdNPcoPgIH/97vvI= -----END RSA PRIVATE KEY----- diff --git a/packages/kbn-dev-utils/certs/kibana.p12 b/packages/kbn-dev-utils/certs/kibana.p12 index 06bbd2388129..f9e689cf33e0 100644 Binary files a/packages/kbn-dev-utils/certs/kibana.p12 and b/packages/kbn-dev-utils/certs/kibana.p12 differ diff --git a/packages/kbn-es/src/cluster.js b/packages/kbn-es/src/cluster.js index dd9c17055fb1..36616694e69a 100644 --- a/packages/kbn-es/src/cluster.js +++ b/packages/kbn-es/src/cluster.js 
@@ -257,9 +257,13 @@ exports.Cluster = class Cluster { // Add to esArgs if ssl is enabled if (this._ssl) { esArgs.push('xpack.security.http.ssl.enabled=true'); - esArgs.push(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`); - esArgs.push(`xpack.security.http.ssl.keystore.type=PKCS12`); - esArgs.push(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`); + + // Include default keystore settings only if keystore isn't configured. + if (!esArgs.some((arg) => arg.startsWith('xpack.security.http.ssl.keystore'))) { + esArgs.push(`xpack.security.http.ssl.keystore.path=${ES_P12_PATH}`); + esArgs.push(`xpack.security.http.ssl.keystore.type=PKCS12`); + esArgs.push(`xpack.security.http.ssl.keystore.password=${ES_P12_PASSWORD}`); + } } const args = parseSettings(extractConfigFiles(esArgs, installPath, { log: this._log }), { diff --git a/packages/kbn-es/src/utils/native_realm.js b/packages/kbn-es/src/utils/native_realm.js index a5051cdb0d89..c1682e0d1800 100644 --- a/packages/kbn-es/src/utils/native_realm.js +++ b/packages/kbn-es/src/utils/native_realm.js @@ -13,15 +13,12 @@ const { log: defaultLog } = require('./log'); exports.NativeRealm = class NativeRealm { constructor({ elasticPassword, port, log = defaultLog, ssl = false, caCert }) { - this._client = new Client({ - node: `${ssl ? 'https' : 'http'}://elastic:${elasticPassword}@localhost:${port}`, - ssl: ssl - ? { - ca: caCert, - rejectUnauthorized: true, - } - : undefined, - }); + const auth = { username: 'elastic', password: elasticPassword }; + this._client = new Client( + ssl + ? { node: `https://localhost:${port}`, ssl: { ca: caCert, rejectUnauthorized: true }, auth } + : { node: `http://localhost:${port}`, auth } + ); this._elasticPassword = elasticPassword; this._log = log; } diff --git a/packages/kbn-test/src/functional_tests/tasks.ts b/packages/kbn-test/src/functional_tests/tasks.ts index b220c3899a63..6dde114d3a98 100644 --- a/packages/kbn-test/src/functional_tests/tasks.ts 
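Review bot: The `esArgs.some((arg) => arg.startsWith('xpack.security.http.ssl.keystore'))` guard in `packages/kbn-es/src/cluster.js` drops all three defaults as soon as any one keystore setting is supplied, so a caller that overrides only `keystore.path` gets no keystore password or type from this block. If partial overrides are meant to work, default each key on its own; otherwise state the all-or-nothing contract in the comment, e.g. `// Callers that set any xpack.security.http.ssl.keystore.* setting must supply path and password themselves.` The prefix also has no trailing dot, so it would match any longer setting name that merely begins with `keystore`. The enclosing method starts and ends outside the hunk.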
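Review bot: The `NativeRealm` constructor in `packages/kbn-es/src/utils/native_realm.js` now passes the credentials through `auth` instead of embedding them in the node URL, but nothing in the code records why, and the two near-identical `Client` option literals make it easy to undo. A one-line comment above `const auth` would help, for example `// Pass credentials via auth so the password is never embedded in, or has to be escaped for, the node URL.` The motivation is inferred from the removed `elastic:${elasticPassword}@localhost` URL, so adjust the wording if the reason was different.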
+++ b/packages/kbn-test/src/functional_tests/tasks.ts @@ -169,7 +169,7 @@ export async function startServers({ ...options }: StartServerOptions) { ...opts, extraKbnOpts: [ ...options.extraKbnOpts, - ...(options.installDir ? [] : ['--dev', '--no-dev-config']), + ...(options.installDir ? [] : ['--dev', '--no-dev-config', '--no-dev-credentials']), ], }, }); diff --git a/packages/kbn-test/src/kbn_client/kbn_client_plugins.ts b/packages/kbn-test/src/kbn_client/kbn_client_plugins.ts index 25c3d7e156e9..744a80d14684 100644 --- a/packages/kbn-test/src/kbn_client/kbn_client_plugins.ts +++ b/packages/kbn-test/src/kbn_client/kbn_client_plugins.ts @@ -16,6 +16,7 @@ export class KbnClientPlugins { public async getEnabledIds() { const apiResp = await this.status.get(); - return Object.keys(apiResp.status.plugins); + // Status may not be available at the `preboot` stage. + return Object.keys(apiResp.status?.plugins ?? {}); } } diff --git a/scripts/functional_tests.js b/scripts/functional_tests.js index 89f20121867d..601ee3096e0b 100644 --- a/scripts/functional_tests.js +++ b/scripts/functional_tests.js @@ -12,6 +12,11 @@ const alwaysImportedTests = [ require.resolve('../test/plugin_functional/config.ts'), require.resolve('../test/ui_capabilities/newsfeed_err/config.ts'), require.resolve('../test/new_visualize_flow/config.ts'), + require.resolve('../test/interactive_setup_api_integration/enrollment_flow.config.ts'), + require.resolve('../test/interactive_setup_api_integration/manual_configuration_flow.config.ts'), + require.resolve( + '../test/interactive_setup_api_integration/manual_configuration_flow_without_tls.config.ts' + ), ]; // eslint-disable-next-line no-restricted-syntax const onlyNotInCoverageTests = [ diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js index 8b346d38cfea..b7228780a100 100644 --- a/src/cli/serve/serve.js +++ b/src/cli/serve/serve.js 
@@ -67,7 +67,7 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) { delete extraCliOptions.env; if (opts.dev) { - if (!has('elasticsearch.serviceAccountToken')) { + if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) { if (!has('elasticsearch.username')) { set('elasticsearch.username', 'kibana_system'); } @@ -191,7 +191,11 @@ export default function (program) { .option('--no-watch', 'Prevents automatic restarts of the server in --dev mode') .option('--no-optimizer', 'Disable the kbn/optimizer completely') .option('--no-cache', 'Disable the kbn/optimizer cache') - .option('--no-dev-config', 'Prevents loading the kibana.dev.yml file in --dev mode'); + .option('--no-dev-config', 'Prevents loading the kibana.dev.yml file in --dev mode') + .option( + '--no-dev-credentials', + 'Prevents setting default values for `elasticsearch.username` and `elasticsearch.password` in --dev mode' + ); } command.action(async function (opts) { diff --git a/src/plugins/interactive_setup/server/plugin.ts b/src/plugins/interactive_setup/server/plugin.ts index 2c3b517e78c5..8c1d00a25476 100644 --- a/src/plugins/interactive_setup/server/plugin.ts +++ b/src/plugins/interactive_setup/server/plugin.ts @@ -67,8 +67,13 @@ export class InteractiveSetupPlugin implements PrebootPlugin { core.elasticsearch.config.hosts.length === 1 && DEFAULT_ELASTICSEARCH_HOSTS.includes(core.elasticsearch.config.hosts[0]); if (!shouldActiveSetupMode) { + const reason = core.elasticsearch.config.credentialsSpecified + ? 'Kibana system user credentials are specified' + : core.elasticsearch.config.hosts.length > 1 + ? 'more than one Elasticsearch host is specified' + : 'non-default Elasticsearch host is used'; this.#logger.debug( - 'Interactive setup mode will not be activated since Elasticsearch connection is already configured.' + `Interactive setup mode will not be activated since Elasticsearch connection is already configured: ${reason}.` ); return; } 
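Review bot: The nested ternary that builds `reason` in `src/plugins/interactive_setup/server/plugin.ts` re-derives the conditions of `shouldActiveSetupMode`, whose definition begins above this hunk, so the log message can drift from the real check if a condition is added later. As written, a configuration with an empty `hosts` array would be reported as "non-default Elasticsearch host is used"; whether the config schema allows that is not visible here. Consider computing the reason next to the condition, or at least adding `// Keep in sync with shouldActiveSetupMode above.` before `const reason`.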
diff --git a/test/interactive_setup_api_integration/enrollment_flow.config.ts b/test/interactive_setup_api_integration/enrollment_flow.config.ts
new file mode 100644
index 000000000000..5432e8002bdd
--- /dev/null
+++ b/test/interactive_setup_api_integration/enrollment_flow.config.ts
@@ -0,0 +1,54 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import { join, resolve } from 'path';
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+import { getDataPath } from '@kbn/utils';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const manualConfigurationFlowTestsConfig = await readConfigFile(
+ require.resolve('./manual_configuration_flow.config.ts')
+ );
+
+ const tempKibanaYamlFile = join(getDataPath(), `interactive_setup_kibana_${Date.now()}.yml`);
+ await fs.writeFile(tempKibanaYamlFile, '');
+
+ const caPath = resolve(__dirname, './fixtures/elasticsearch.p12');
+
+ return {
+ ...manualConfigurationFlowTestsConfig.getAll(),
+
+ testFiles: [require.resolve('./tests/enrollment_flow')],
+
+ junit: {
+ reportName: 'Interactive Setup API Integration Tests (Enrollment flow)',
+ },
+
+ esTestCluster: {
+ ...manualConfigurationFlowTestsConfig.get('esTestCluster'),
+ serverArgs: [
+ ...manualConfigurationFlowTestsConfig.get('esTestCluster.serverArgs'),
+ 'xpack.security.enrollment.enabled=true',
+ `xpack.security.http.ssl.keystore.path=${caPath}`,
+ 'xpack.security.http.ssl.keystore.password=storepass',
+ ],
+ },
+
+ kbnTestServer: {
+ ...manualConfigurationFlowTestsConfig.get('kbnTestServer'),
+ serverArgs: [
+ ...manualConfigurationFlowTestsConfig
+ .get('kbnTestServer.serverArgs')
+ .filter((arg: string) => !arg.startsWith('--config')),
+ `--config=${tempKibanaYamlFile}`,
+ ],
+ },
+ };
+}
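Review bot: `caPath` is a misleading name: it points at `./fixtures/elasticsearch.p12`, which is passed as the node's HTTP keystore, and the fixtures README added in this commit says that keystore also holds a PrivateKeyEntry for the CA under the documented `storepass` password. That appears to conflict with the kbn-dev-utils README note in the same commit that `ca.p12` is intentionally not checked in, so confirm that nothing outside test runs trusts this CA, or sign the fixture with a dedicated throwaway CA. Rename the constant, e.g. `const esHttpKeystorePath = resolve(__dirname, './fixtures/elasticsearch.p12');`. Separately, `interactive_setup_kibana_${Date.now()}.yml` is created in the data path and never removed by this config; since interactive setup presumably writes connection settings into it, an `fs.mkdtemp`-based directory that is cleaned up after the run would be safer and would avoid name collisions between parallel runs.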
diff --git a/test/interactive_setup_api_integration/fixtures/README.md b/test/interactive_setup_api_integration/fixtures/README.md
new file mode 100644
index 000000000000..5a7238bbba75
--- /dev/null
+++ b/test/interactive_setup_api_integration/fixtures/README.md
@@ -0,0 +1,32 @@
+## Certificate generation
+
+The Elasticsearch HTTP layer keystore is supposed to mimic the PKCS12 keystore that the elasticsearch startup script will auto-generate for a node. The keystore contains:
+
+- A PrivateKeyEntry for the node's key and certificate for the HTTP layer
+- A PrivateKeyEntry for the CA's key and certificate
+- A TrustedCertificateEntry for the CA's certificate
+
+```bash
+$ES_HOME/bin/elasticsearch-certutil cert \
+ --out $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+ --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass "castorepass" --pass "storepass" \
+ --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 \
+ --dns=localhost6 --dns=localhost6.localdomain6 \
+ --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1
+```
+
+Change the alias of the TrustedCertificateEntry so that it won't clash with the CA PrivateKeyEntry
+```bash
+keytool -changealias -alias ca -destalias cacert -keystore \
+ $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+ -deststorepass "storepass"
+```
+
+Import the CA PrivateKeyEntry
+```bash
+keytool -importkeystore \
+ -srckeystore $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 \
+ -srcstorepass "castorepass" \
+ -destkeystore $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+ -deststorepass "storepass"
+```
diff --git a/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 b/test/interactive_setup_api_integration/fixtures/elasticsearch.p12
new file mode 100644
index 000000000000..964932d8ffe5
Binary files /dev/null and b/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 differ
diff --git a/test/interactive_setup_api_integration/fixtures/test_endpoints/kibana.json b/test/interactive_setup_api_integration/fixtures/test_endpoints/kibana.json
new file mode 100644
index 000000000000..f9969966456a
--- /dev/null
+++ b/test/interactive_setup_api_integration/fixtures/test_endpoints/kibana.json
@@ -0,0 +1,12 @@
+{
+ "id": "interactiveSetupTestEndpoints",
+ "owner": {
+ "name": "Platform Security",
+ "githubTeam": "kibana-security"
+ },
+ "version": "8.0.0",
+ "kibanaVersion": "kibana",
+ "type": "preboot",
+ "server": true,
+ "ui": false
+}
diff --git a/test/interactive_setup_api_integration/fixtures/test_endpoints/server/index.ts b/test/interactive_setup_api_integration/fixtures/test_endpoints/server/index.ts
new file mode 100644
index 000000000000..3373da1180d0
--- /dev/null
+++ b/test/interactive_setup_api_integration/fixtures/test_endpoints/server/index.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import path from 'path';
+
+import type { PluginInitializer, PrebootPlugin } from 'kibana/server';
+
+export const plugin: PluginInitializer = (initializerContext): PrebootPlugin => ({
+ setup: (core) => {
+ core.http.registerRoutes('', (router) => {
+ router.get(
+ {
+ path: '/test_endpoints/verification_code',
+ validate: false,
+ options: { authRequired: false },
+ },
+ async (context, request, response) => {
+ // [HACK]: On CI tests are run from the different directories than the built and running Kibana instance. That
+ // means Kibana from a Directory A is running with the test plugins from a Directory B. The problem is that
+ // the data path that interactive setup plugin uses to store verification code is determined by the
+ // `__dirname` that depends on the physical location of the file where it's used. This is the reason why we
+ // end up with different data paths in Kibana built-in and test plugins. To workaround that we use Kibana
+ // `process.cwd()` to construct data path manually.
+ const verificationCodePath = path.join(process.cwd(), 'data', 'verification_code');
+ initializerContext.logger.get().info(`Will read code from ${verificationCodePath}`);
+ return response.ok({
+ body: {
+ verificationCode: (await fs.readFile(verificationCodePath)).toString(),
+ },
+ });
+ }
+ );
+ });
+ },
+ stop: () => {},
+});
diff --git a/test/interactive_setup_api_integration/fixtures/test_endpoints/tsconfig.json b/test/interactive_setup_api_integration/fixtures/test_endpoints/tsconfig.json
new file mode 100644
index 000000000000..893665751cf3
--- /dev/null
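Review bot: The `/test_endpoints/verification_code` route is registered with `authRequired: false` and returns the contents of `data/verification_code` to any caller, so any Kibana instance that loads this plugin loses the protection the verification code gives the interactive setup endpoints, and nothing in the file says so. The `[HACK]` comment explains the path construction but not the exposure. A header comment above `plugin` would make the constraint explicit, for example `// TEST ONLY: exposes the interactive setup verification code without authentication; load it through --plugin-path in FTR configs and nowhere else.` The handler also lets a failed `fs.readFile` propagate to the framework, which is acceptable for a fixture but worth stating in the same comment.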
+++ b/test/interactive_setup_api_integration/fixtures/test_endpoints/tsconfig.json
@@ -0,0 +1,16 @@
+{
+ "extends": "../../../../tsconfig.base.json",
+ "compilerOptions": {
+ "outDir": "./target/types",
+ "emitDeclarationOnly": true,
+ "declaration": true,
+ "declarationMap": true
+ },
+ "include": [
+ "server/**/*.ts",
+ ],
+ "exclude": [],
+ "references": [
+ { "path": "../../../../src/core/tsconfig.json" },
+ ],
+}
diff --git a/test/interactive_setup_api_integration/fixtures/test_helpers.ts b/test/interactive_setup_api_integration/fixtures/test_helpers.ts
new file mode 100644
index 000000000000..f1e72785af02
--- /dev/null
+++ b/test/interactive_setup_api_integration/fixtures/test_helpers.ts
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { delay } from 'bluebird';
+
+import expect from '@kbn/expect';
+
+import type { FtrProviderContext } from '../ftr_provider_context';
+
+export async function hasKibanaBooted(context: FtrProviderContext) {
+ const supertest = context.getService('supertest');
+ const log = context.getService('log');
+
+ // Run 30 consecutive requests with 1.5s delay to check if Kibana is up and running.
+ let kibanaHasBooted = false;
+ for (const counter of [...Array(30).keys()]) {
+ await delay(1500);
+
+ try {
+ expect((await supertest.get('/api/status').expect(200)).body).to.have.keys([
+ 'version',
+ 'status',
+ ]);
+
+ log.debug(`Kibana has booted after ${(counter + 1) * 1.5}s.`);
+ kibanaHasBooted = true;
+ break;
+ } catch (err) {
+ log.debug(`Kibana is still booting after ${(counter + 1) * 1.5}s due to: ${err.message}`);
+ }
+ }
+
+ return kibanaHasBooted;
+}
diff --git a/test/interactive_setup_api_integration/fixtures/tls_tools.ts b/test/interactive_setup_api_integration/fixtures/tls_tools.ts
new file mode 100644
index 000000000000..ea6e40cbffba
--- /dev/null
+++ b/test/interactive_setup_api_integration/fixtures/tls_tools.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import tls from 'tls';
+
+export async function getElasticsearchCaCertificate(host: string, port: string) {
+ let peerCertificate = await new Promise((resolve, reject) => {
+ const socket = tls.connect({ host, port: Number(port), rejectUnauthorized: false });
+ socket.once('secureConnect', () => {
+ const cert = socket.getPeerCertificate(true);
+ socket.destroy();
+ resolve(cert);
+ });
+ socket.once('error', reject);
+ });
+
+ while (
+ peerCertificate.issuerCertificate &&
+ peerCertificate.fingerprint256 !== peerCertificate.issuerCertificate.fingerprint256
+ ) {
+ peerCertificate = peerCertificate.issuerCertificate;
+ }
+
+ return peerCertificate;
+}
diff --git a/test/interactive_setup_api_integration/ftr_provider_context.d.ts b/test/interactive_setup_api_integration/ftr_provider_context.d.ts
new file mode 100644
index 000000000000..96f5dde2df0a
--- /dev/null
+++ b/test/interactive_setup_api_integration/ftr_provider_context.d.ts
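Review bot: `rejectUnauthorized: false` in the `tls.connect` call of `getElasticsearchCaCertificate` carries no explanation, so a reader reusing the helper could take the certificate it returns as a verified one. The tests use it only to discover the root of the presented chain and then submit that value to Kibana, which is worth recording above the call: `// Chain validation is off on purpose: this only reads what the server presents so the tests can pin it; never use the result to decide trust.` Two smaller gaps sit in the same promise. `getPeerCertificate(true)` returns an empty object when no certificate was presented, which the callers would hit as a `TypeError` on `.fingerprint256`, and nothing bounds the wait if the handshake never completes; a guard such as `if (!cert.raw) return reject(new Error('no peer certificate'));` covers the first.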
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import type { GenericFtrProviderContext } from '@kbn/test';
+
+import type { services } from './services';
+
+export type FtrProviderContext = GenericFtrProviderContext;
diff --git a/test/interactive_setup_api_integration/manual_configuration_flow.config.ts b/test/interactive_setup_api_integration/manual_configuration_flow.config.ts
new file mode 100644
index 000000000000..9bb89a802975
--- /dev/null
+++ b/test/interactive_setup_api_integration/manual_configuration_flow.config.ts
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import { join } from 'path';
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+import { getDataPath } from '@kbn/utils';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const manualConfigurationFlowWithoutTlsTestsConfig = await readConfigFile(
+ require.resolve('./manual_configuration_flow_without_tls.config.ts')
+ );
+
+ const tempKibanaYamlFile = join(getDataPath(), `interactive_setup_kibana_${Date.now()}.yml`);
+ await fs.writeFile(tempKibanaYamlFile, '');
+
+ return {
+ ...manualConfigurationFlowWithoutTlsTestsConfig.getAll(),
+
+ testFiles: [require.resolve('./tests/manual_configuration_flow')],
+
+ servers: {
+ ...manualConfigurationFlowWithoutTlsTestsConfig.get('servers'),
+ elasticsearch: {
+ ...manualConfigurationFlowWithoutTlsTestsConfig.get('servers.elasticsearch'),
+ protocol: 'https',
+ },
+ },
+
+ junit: {
+ reportName: 'Interactive Setup API Integration Tests (Manual configuration flow)',
+ },
+
+ esTestCluster: {
+ ...manualConfigurationFlowWithoutTlsTestsConfig.get('esTestCluster'),
+ ssl: true,
+ },
+
+ kbnTestServer: {
+ ...manualConfigurationFlowWithoutTlsTestsConfig.get('kbnTestServer'),
+ serverArgs: [
+ ...manualConfigurationFlowWithoutTlsTestsConfig
+ .get('kbnTestServer.serverArgs')
+ .filter((arg: string) => !arg.startsWith('--config')),
+ `--config=${tempKibanaYamlFile}`,
+ ],
+ },
+ };
+}
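Review bot: The `interactive_setup_kibana_${Date.now()}.yml` file created by `fs.writeFile` under `getDataPath()` is never removed, and loading this config creates two of them: `readConfigFile` on `manual_configuration_flow_without_tls.config.ts` runs the same two lines, and the `--config` argument it produced is then filtered out here. The file is handed to Kibana as `--config`, so after a successful configure test it presumably holds the Elasticsearch connection settings the test submitted, and it stays in the data directory of whatever machine ran the suite. Keeping the inherited `--config` argument (dropping the second `writeFile` and the `.filter(...)`) would avoid the unused copy, and removing the file in a teardown step, if the FTR lifecycle offers one at this level, would avoid the rest. The hunk for `manual_configuration_flow_without_tls.config.ts` has the same leftover.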
diff --git a/test/interactive_setup_api_integration/manual_configuration_flow_without_tls.config.ts b/test/interactive_setup_api_integration/manual_configuration_flow_without_tls.config.ts
new file mode 100644
index 000000000000..5317026a1d8d
--- /dev/null
+++ b/test/interactive_setup_api_integration/manual_configuration_flow_without_tls.config.ts
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import fs from 'fs/promises';
+import { join, resolve } from 'path';
+
+import type { FtrConfigProviderContext } from '@kbn/test';
+import { getDataPath } from '@kbn/utils';
+
+import { services } from './services';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config'));
+
+ const testEndpointsPlugin = resolve(__dirname, './fixtures/test_endpoints');
+
+ const tempKibanaYamlFile = join(getDataPath(), `interactive_setup_kibana_${Date.now()}.yml`);
+ await fs.writeFile(tempKibanaYamlFile, '');
+
+ return {
+ testFiles: [require.resolve('./tests/manual_configuration_flow_without_tls')],
+ servers: xPackAPITestsConfig.get('servers'),
+ services,
+ junit: {
+ reportName: 'Interactive Setup API Integration Tests (Manual configuration flow without TLS)',
+ },
+
+ esTestCluster: {
+ ...xPackAPITestsConfig.get('esTestCluster'),
+ serverArgs: [
+ ...xPackAPITestsConfig.get('esTestCluster.serverArgs'),
+ 'xpack.security.enabled=true',
+ ],
+ },
+
+ kbnTestServer: {
+ ...xPackAPITestsConfig.get('kbnTestServer'),
+ serverArgs: [
+ ...xPackAPITestsConfig
+ .get('kbnTestServer.serverArgs')
+ .filter((arg: string) => !arg.startsWith('--elasticsearch.')),
+ `--plugin-path=${testEndpointsPlugin}`,
+ `--config=${tempKibanaYamlFile}`,
+ '--interactiveSetup.enabled=true',
+ ],
+ runOptions: {
+ ...xPackAPITestsConfig.get('kbnTestServer.runOptions'),
+ wait: /Kibana has not been configured/,
+ },
+ },
+ };
+}
diff --git a/test/interactive_setup_api_integration/services.ts b/test/interactive_setup_api_integration/services.ts
new file mode 100644
index 000000000000..b0385a7a0b9c
--- /dev/null
+++ b/test/interactive_setup_api_integration/services.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { services as apiIntegrationServices } from '../api_integration/services';
+
+export const services = {
+ ...apiIntegrationServices,
+};
diff --git a/test/interactive_setup_api_integration/tests/enrollment_flow.ts b/test/interactive_setup_api_integration/tests/enrollment_flow.ts
new file mode 100644
index 000000000000..9f61529cc343
--- /dev/null
+++ b/test/interactive_setup_api_integration/tests/enrollment_flow.ts
@@ -0,0 +1,151 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import expect from '@kbn/expect'; +import { getUrl } from '@kbn/test'; + +import { hasKibanaBooted } from '../fixtures/test_helpers'; +import { getElasticsearchCaCertificate } from '../fixtures/tls_tools'; +import type { FtrProviderContext } from '../ftr_provider_context'; + +export default function (context: FtrProviderContext) { + const supertest = context.getService('supertest'); + const es = context.getService('es'); + const log = context.getService('log'); + const config = context.getService('config'); + + describe('Interactive setup APIs - Enrollment flow', function () { + this.tags(['skipCloud', 'ciGroup2']); + + let kibanaVerificationCode: string; + let elasticsearchCaFingerprint: string; + before(async () => { + const esServerConfig = config.get('servers.elasticsearch'); + elasticsearchCaFingerprint = ( + await getElasticsearchCaCertificate(esServerConfig.host, esServerConfig.port) + ).fingerprint256.replace(/:/g, ''); + + kibanaVerificationCode = ( + await supertest.get('/test_endpoints/verification_code').expect(200) + ).body.verificationCode; + }); + + let enrollmentAPIKey: string; + beforeEach(async () => { + const apiResponse = await es.security.createApiKey({ body: { name: 'enrollment_api_key' } }); + enrollmentAPIKey = Buffer.from(`${apiResponse.body.id}:${apiResponse.body.api_key}`).toString( + 'base64' + ); + }); + + afterEach(async () => { + await es.security.invalidateApiKey({ body: { name: 'enrollment_api_key' } }); + }); + + it('fails to enroll with invalid authentication code', async () => { + const esHost = getUrl.baseUrl(config.get('servers.elasticsearch')); + const 
enrollPayload = { + apiKey: enrollmentAPIKey, + code: '000000', + caFingerprint: elasticsearchCaFingerprint, + hosts: [esHost], + }; + + log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`); + + await supertest + .post('/internal/interactive_setup/enroll') + .set('kbn-xsrf', 'xxx') + .send(enrollPayload) + .expect(403, { statusCode: 403, error: 'Forbidden', message: 'Forbidden' }); + }); + + it('fails to enroll with invalid CA fingerprint', async () => { + const esHost = getUrl.baseUrl(config.get('servers.elasticsearch')); + const enrollPayload = { + apiKey: enrollmentAPIKey, + code: kibanaVerificationCode, + caFingerprint: '3FDAEE71A3604070E6AE6B01412D19772DE5AE129F69C413F0453B293D9BE65D', + hosts: [esHost], + }; + + log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`); + + await supertest + .post('/internal/interactive_setup/enroll') + .set('kbn-xsrf', 'xxx') + .send(enrollPayload) + .expect(500, { + statusCode: 500, + error: 'Internal Server Error', + message: 'Failed to enroll.', + attributes: { type: 'enroll_failure' }, + }); + }); + + it('fails to enroll with invalid api key', async function () { + const esServerConfig = config.get('servers.elasticsearch'); + const enrollPayload = { + apiKey: enrollmentAPIKey, + code: kibanaVerificationCode, + caFingerprint: elasticsearchCaFingerprint, + hosts: [getUrl.baseUrl(esServerConfig)], + }; + + log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`); + + // Invalidate API key. 
+ await es.security.invalidateApiKey({ body: { name: 'enrollment_api_key' } }); + + await supertest + .post('/internal/interactive_setup/enroll') + .set('kbn-xsrf', 'xxx') + .send(enrollPayload) + .expect(500, { + statusCode: 500, + error: 'Internal Server Error', + message: 'Failed to enroll.', + attributes: { type: 'enroll_failure' }, + }); + }); + + it('should be able to enroll with valid authentication code', async function () { + this.timeout(60000); + + const esServerConfig = config.get('servers.elasticsearch'); + const enrollPayload = { + apiKey: enrollmentAPIKey, + code: kibanaVerificationCode, + caFingerprint: elasticsearchCaFingerprint, + hosts: [getUrl.baseUrl(esServerConfig)], + }; + + log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`); + + await supertest + .post('/internal/interactive_setup/enroll') + .set('kbn-xsrf', 'xxx') + .send(enrollPayload) + .expect(204, {}); + + // Enroll should no longer accept requests. + await supertest + .post('/internal/interactive_setup/enroll') + .set('kbn-xsrf', 'xxx') + .send(enrollPayload) + .expect(400, { + error: 'Bad Request', + message: 'Cannot process request outside of preboot stage.', + statusCode: 400, + attributes: { type: 'outside_preboot_stage' }, + }); + + expect(await hasKibanaBooted(context)).to.be(true); + }); + }); +} diff --git a/test/interactive_setup_api_integration/tests/manual_configuration_flow.ts b/test/interactive_setup_api_integration/tests/manual_configuration_flow.ts new file mode 100644 index 000000000000..2db59dd446fc --- /dev/null +++ b/test/interactive_setup_api_integration/tests/manual_configuration_flow.ts 
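Review bot: Every test in this file writes the full request body to the log with `log.debug(`Enroll payload ${JSON.stringify(enrollPayload)}`)`, which includes `apiKey` and the verification `code`. The configure tests in `manual_configuration_flow.ts` and `manual_configuration_flow_without_tls.ts` do the same with the spread `kibanaServerTestUser` fields, presumably including its password. These are fixture credentials, but CI logs tend to outlive the test cluster and be readable by more people, and the pattern is easy to copy into suites that run against longer-lived deployments. Logging a redacted copy keeps the debugging value: `log.debug(`Enroll payload ${JSON.stringify({ ...enrollPayload, apiKey: '[redacted]', code: '[redacted]' })}`)`.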
@@ -0,0 +1,136 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import expect from '@kbn/expect'; +import { getUrl, kibanaServerTestUser } from '@kbn/test'; + +import { hasKibanaBooted } from '../fixtures/test_helpers'; +import { getElasticsearchCaCertificate } from '../fixtures/tls_tools'; +import type { FtrProviderContext } from '../ftr_provider_context'; + +export default function (context: FtrProviderContext) { + const supertest = context.getService('supertest'); + const log = context.getService('log'); + const config = context.getService('config'); + + describe('Interactive setup APIs - Manual configuration flow', function () { + this.tags(['skipCloud', 'ciGroup2']); + + let kibanaVerificationCode: string; + let elasticsearchCaCertificate: string; + before(async () => { + const esServerConfig = config.get('servers.elasticsearch'); + elasticsearchCaCertificate = ( + await getElasticsearchCaCertificate(esServerConfig.host, esServerConfig.port) + ).raw.toString('base64'); + + kibanaVerificationCode = ( + await supertest.get('/test_endpoints/verification_code').expect(200) + ).body.verificationCode; + }); + + it('fails to configure with invalid authentication code', async () => { + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: '000000', + caCert: elasticsearchCaCertificate, + ...kibanaServerTestUser, + }; + + log.debug(`Configure payload ${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(403, { statusCode: 403, error: 'Forbidden', message: 
'Forbidden' }); + }); + + it('fails to configure with invalid CA certificate', async () => { + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: kibanaVerificationCode, + caCert: elasticsearchCaCertificate.split('').reverse().join(''), + ...kibanaServerTestUser, + }; + + log.debug(`Configure payload ${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(500, { + statusCode: 500, + error: 'Internal Server Error', + message: 'Failed to configure.', + attributes: { type: 'configure_failure' }, + }); + }); + + it('fails to configure with invalid credentials', async function () { + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: kibanaVerificationCode, + caCert: elasticsearchCaCertificate, + ...kibanaServerTestUser, + password: 'no-way', + }; + + log.debug(`Configure payload ${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(500, { + statusCode: 500, + error: 'Internal Server Error', + message: 'Failed to configure.', + attributes: { type: 'configure_failure' }, + }); + }); + + it('should be able to configure with valid authentication code', async function () { + this.timeout(60000); + + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: kibanaVerificationCode, + caCert: elasticsearchCaCertificate, + ...kibanaServerTestUser, + }; + + log.debug(`Configure payload ${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(204, {}); + + // Configure should no longer accept 
requests. + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(400, { + error: 'Bad Request', + message: 'Cannot process request outside of preboot stage.', + statusCode: 400, + attributes: { type: 'outside_preboot_stage' }, + }); + + expect(await hasKibanaBooted(context)).to.be(true); + }); + }); +} diff --git a/test/interactive_setup_api_integration/tests/manual_configuration_flow_without_tls.ts b/test/interactive_setup_api_integration/tests/manual_configuration_flow_without_tls.ts new file mode 100644 index 000000000000..97a3e490e965 --- /dev/null +++ b/test/interactive_setup_api_integration/tests/manual_configuration_flow_without_tls.ts 
@@ -0,0 +1,103 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import expect from '@kbn/expect'; +import { getUrl, kibanaServerTestUser } from '@kbn/test'; + +import { hasKibanaBooted } from '../fixtures/test_helpers'; +import type { FtrProviderContext } from '../ftr_provider_context'; + +export default function (context: FtrProviderContext) { + const supertest = context.getService('supertest'); + const log = context.getService('log'); + const config = context.getService('config'); + + describe('Interactive setup APIs - Manual configuration flow without TLS', function () { + this.tags(['skipCloud', 'ciGroup2']); + + let kibanaVerificationCode: string; + before(async () => { + kibanaVerificationCode = ( + await supertest.get('/test_endpoints/verification_code').expect(200) + ).body.verificationCode; + }); + + it('fails to configure with invalid authentication code', async () => { + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: '000000', + ...kibanaServerTestUser, + }; + + log.debug(`Configure payload ${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(403, { statusCode: 403, error: 'Forbidden', message: 'Forbidden' }); + }); + + it('fails to configure with invalid credentials', async function () { + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: kibanaVerificationCode, + ...kibanaServerTestUser, + password: 'no-way', + }; + + log.debug(`Configure payload 
${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(500, { + statusCode: 500, + error: 'Internal Server Error', + message: 'Failed to configure.', + attributes: { type: 'configure_failure' }, + }); + }); + + it('should be able to configure with valid authentication code', async function () { + this.timeout(60000); + + const esServerConfig = config.get('servers.elasticsearch'); + const configurePayload = { + host: getUrl.baseUrl(esServerConfig), + code: kibanaVerificationCode, + ...kibanaServerTestUser, + }; + + log.debug(`Configure payload ${JSON.stringify(configurePayload)}`); + + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(204, {}); + + // Configure should no longer accept requests. + await supertest + .post('/internal/interactive_setup/configure') + .set('kbn-xsrf', 'xxx') + .send(configurePayload) + .expect(400, { + error: 'Bad Request', + message: 'Cannot process request outside of preboot stage.', + statusCode: 400, + attributes: { type: 'outside_preboot_stage' }, + }); + + expect(await hasKibanaBooted(context)).to.be(true); + }); + }); +} diff --git a/test/tsconfig.json b/test/tsconfig.json index 660850ffeb6c..288d152bf4bc 100644 --- a/test/tsconfig.json +++ b/test/tsconfig.json @@ -53,6 +53,7 @@ { "path": "../src/plugins/usage_collection/tsconfig.json" }, { "path": "../src/plugins/index_pattern_management/tsconfig.json" }, { "path": "../src/plugins/visualize/tsconfig.json" }, + { "path": "interactive_setup_api_integration/fixtures/test_endpoints/tsconfig.json" }, { "path": "plugin_functional/plugins/core_app_status/tsconfig.json" }, { "path": "plugin_functional/plugins/core_provider_plugin/tsconfig.json" }, { "path": "server_integration/__fixtures__/plugins/status_plugin_a/tsconfig.json" }, 
diff --git a/x-pack/test/cloud_integration/fixtures/saml/saml_provider/metadata.xml b/x-pack/test/cloud_integration/fixtures/saml/saml_provider/metadata.xml index 19a6c1326414..8cb33193f56c 100644 --- a/x-pack/test/cloud_integration/fixtures/saml/saml_provider/metadata.xml +++ b/x-pack/test/cloud_integration/fixtures/saml/saml_provider/metadata.xml 
@@ -7,25 +7,24 @@ - MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB + MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w -DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ -wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU -FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q -OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ -s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU -vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T -BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz -V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE -DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ -z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv -+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX -TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy -b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk -cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O -eOUsdwn1yDKHRxDHyA== - +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY +KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N +mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW +LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY +6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i +u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp +yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj +WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS 
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR +nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo +DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD +s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5 +dzkzSBV7H6+/MD3Y8Q== diff --git a/x-pack/test/security_api_integration/fixtures/pki/README.md b/x-pack/test/security_api_integration/fixtures/pki/README.md index ac2be482c6e3..ae8623ab6411 100644 --- a/x-pack/test/security_api_integration/fixtures/pki/README.md +++ b/x-pack/test/security_api_integration/fixtures/pki/README.md @@ -9,8 +9,8 @@ The `first_client.p12` and `second_client.p12` files were generated the same tim following commands: ``` -bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name first_client --pass "" -bin/elasticsearch-certutil cert -days 18250 --ca elastic-stack-ca.p12 --ca-pass castorepass --name second_client --pass "" +bin/elasticsearch-certutil cert -days 18250 --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass castorepass --name first_client --pass "" +bin/elasticsearch-certutil cert -days 18250 --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass castorepass --name second_client --pass "" ``` If that CA is ever changed, these two files must be regenerated. diff --git a/x-pack/test/security_api_integration/fixtures/pki/first_client.p12 b/x-pack/test/security_api_integration/fixtures/pki/first_client.p12 index 9d838199e839..9c2aa4401d1c 100644 Binary files a/x-pack/test/security_api_integration/fixtures/pki/first_client.p12 and b/x-pack/test/security_api_integration/fixtures/pki/first_client.p12 differ 
diff --git a/x-pack/test/security_api_integration/fixtures/pki/second_client.p12 b/x-pack/test/security_api_integration/fixtures/pki/second_client.p12 index f41c0e030ba7..a06e6947f75d 100644 Binary files a/x-pack/test/security_api_integration/fixtures/pki/second_client.p12 and b/x-pack/test/security_api_integration/fixtures/pki/second_client.p12 differ diff --git a/x-pack/test/security_api_integration/fixtures/saml/idp_metadata.xml b/x-pack/test/security_api_integration/fixtures/saml/idp_metadata.xml index 57b9e824c9d5..207148665c29 100644 --- a/x-pack/test/security_api_integration/fixtures/saml/idp_metadata.xml +++ b/x-pack/test/security_api_integration/fixtures/saml/idp_metadata.xml 
@@ -7,25 +7,24 @@ - MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB + MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w -DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ -wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU -FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q -OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ -s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU -vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T -BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz -V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE -DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ -z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv -+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX -TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy -b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk -cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O -eOUsdwn1yDKHRxDHyA== - +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY +KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N +mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW +LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY +6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i +u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp +yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj +WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS 
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR +nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo +DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD +s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5 +dzkzSBV7H6+/MD3Y8Q== diff --git a/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_2.xml b/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_2.xml index ff67779d7732..ff1f6eccaf6d 100644 --- a/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_2.xml +++ b/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_2.xml 
@@ -7,25 +7,24 @@ - MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB + MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w -DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ -wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU -FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q -OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ -s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU -vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T -BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz -V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE -DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ -z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv -+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX -TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy -b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk -cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O -eOUsdwn1yDKHRxDHyA== - +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY +KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N +mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW +LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY +6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i +u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp +yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj +WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS 
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR +nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo +DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD +s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5 +dzkzSBV7H6+/MD3Y8Q== diff --git a/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_never_login.xml b/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_never_login.xml index 44b2ede5060f..6ab5e1aeb708 100644 --- a/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_never_login.xml +++ b/x-pack/test/security_api_integration/fixtures/saml/idp_metadata_never_login.xml 
@@ -7,25 +7,24 @@ - MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB + MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w -DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ -wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU -FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q -OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ -s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU -vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T -BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz -V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE -DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ -z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv -+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX -TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy -b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk -cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O -eOUsdwn1yDKHRxDHyA== - +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY +KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N +mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW +LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY +6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i +u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp +yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj +WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS 
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR +nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo +DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD +s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5 +dzkzSBV7H6+/MD3Y8Q== diff --git a/x-pack/test/security_api_integration/fixtures/saml/saml_provider/metadata.xml b/x-pack/test/security_api_integration/fixtures/saml/saml_provider/metadata.xml index 19a6c1326414..8cb33193f56c 100644 --- a/x-pack/test/security_api_integration/fixtures/saml/saml_provider/metadata.xml +++ b/x-pack/test/security_api_integration/fixtures/saml/saml_provider/metadata.xml 
@@ -7,25 +7,24 @@ - MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB + MIIDOTCCAiGgAwIBAgIVAN0GVNLw3IaUBuG7t6CeW8w2wyymMA0GCSqGSIb3DQEB CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu -ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w -DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ -wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU -FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q -OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ -s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU -vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T -BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz -V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE -DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ -z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv -+frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX -TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy -b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk -cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O -eOUsdwn1yDKHRxDHyA== - +ZXJhdGVkIENBMCAXDTIxMTAxMzEwMTU1OFoYDzIwNzExMDAxMTAxNTU4WjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3 +nvfL3/26D8EkLso+t9S0m+tSJipLsBWs0dCpc8KRJ/+ijDRnAQ5lOmOAcxt43SNY +KFr0EntQEZyYaRwMIM8aPR0WYW/VV5o4fq2o/JnmHqzZJRJCwZq+5WiCiDPt012N +mRGYCMUxjlEwejue6diLAeQhZ/sfN4jUp217bMEHrhHrNBWTwwJ+Uk5TBQMhviCW +LKbsKrfluA6DGHWrXN4pH7Xmaf/Zyc9AYL/nxwv3VQHZzIAK/U/WNCgFJJ3qoFYY +6TUwDDNa30mSj165OOds9N+VmUlDC3IFiHV3osBWscSU4HJd6QJ8huHrFLLV4y4i +u62el47Qr+/8Ut3SzeIXAgMBAAGjYzBhMB0GA1UdDgQWBBQli5f2bYL9jKUA5Uxp +yRRHeCoPJzAfBgNVHSMEGDAWgBQwTCrAjlvQxik3HBocn1PDUunenjAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEATFNj +WkTBPfgflGYZD4OsYvfT/rVjFKbJP/u1a0rkzNamA2QKNzI9JTOzONPTyRhe9yVS 
+zeO8X2rtN63l38dtgMjFQ15Xxnp7GFT7GkXfa1JR+tGSGTgVld8nLUzig+mNmBoR +nE4cNc0JJ1PsXPzfPgJ6WMp2WOoNUrQf2cm42i36Jk+7KGcosfyFMPQILZE34Geo +DAgCVpNWPgST4HYBUCHMC7S14LHLVdUXPsfGZPEqU5Zf9Hvy61rQC/RdNjnMI6JD +s57l9oHASNeEg55NQm01aOmwq/z1DXs3UP2nRmp6XCCfE61ghofO5dtV1j3cZ3f5 +dzkzSBV7H6+/MD3Y8Q==