[7.x] Do not embedd credentials into ES URL and enable anonymous tests. (#88005)

test/common/config.js

@@ -44,7 +44,14 @@ export default function () {
         '--logging.json=false',
         `--server.port=${kbnTestConfig.getPort()}`,
         '--status.allowAnonymous=true',
-        `--elasticsearch.hosts=${formatUrl(servers.elasticsearch)}`,
+        // We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should
+        // either include `kibanaServerTestUser` credentials, or credentials provided by the test
+        // user, or none at all in case anonymous access is used.
+        `--elasticsearch.hosts=${formatUrl(
+          Object.fromEntries(
+            Object.entries(servers.elasticsearch).filter(([key]) => key.toLowerCase() !== 'auth')
+          )
+        )}`,
         `--elasticsearch.username=${kibanaServerTestUser.username}`,
         `--elasticsearch.password=${kibanaServerTestUser.password}`,
         `--home.disableWelcomeScreen=true`,

x-pack/scripts/functional_tests.js

@@ -45,6 +45,7 @@ require('@kbn/test').runTestsCli([
   require.resolve('../test/security_api_integration/oidc_implicit_flow.config.ts'),
   require.resolve('../test/security_api_integration/token.config.ts'),
   require.resolve('../test/security_api_integration/anonymous.config.ts'),
+  require.resolve('../test/security_api_integration/anonymous_es_anonymous.config.ts'),
   require.resolve('../test/observability_api_integration/basic/config.ts'),
   require.resolve('../test/observability_api_integration/trial/config.ts'),
   require.resolve('../test/encrypted_saved_objects_api_integration/config'),

x-pack/test/functional/page_objects/security_page.ts

@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../ftr_provider_context';
 import { AuthenticatedUser, Role } from '../../../plugins/security/common/model';
 
@@ -122,9 +123,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
       await browser.setLocalStorageItem('home:welcome:show', 'false');
       await waitForLoginForm();
 
-      const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
-      await testSubjects.setValue('loginUsername', username || superUsername);
-      await testSubjects.setValue('loginPassword', password || superPassword);
+      await testSubjects.setValue('loginUsername', username || adminTestUser.username);
+      await testSubjects.setValue('loginPassword', password || adminTestUser.password);
       await testSubjects.click('loginSubmit');
 
       await waitForLoginResult(
@@ -162,9 +162,8 @@ export function SecurityPageProvider({ getService, getPageObjects }: FtrProvider
       if (providerType === 'basic' || providerType === 'token') {
         await waitForLoginForm();
 
-        const [superUsername, superPassword] = config.get('servers.elasticsearch.auth').split(':');
-        await testSubjects.setValue('loginUsername', options?.username ?? superUsername);
-        await testSubjects.setValue('loginPassword', options?.password ?? superPassword);
+        await testSubjects.setValue('loginUsername', options?.username ?? adminTestUser.username);
+        await testSubjects.setValue('loginPassword', options?.password ?? adminTestUser.password);
         await testSubjects.click('loginSubmit');
       }
 

x-pack/test/security_api_integration/tests/anonymous/login.ts

@@ -6,6 +6,7 @@
 
 import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -55,7 +56,6 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     it('does not prevent basic login', async () => {
-      const [username, password] = config.get('servers.elasticsearch.auth').split(':');
       const response = await supertest
         .post('/internal/security/login')
         .set('kbn-xsrf', 'xxx')
@@ -63,7 +63,7 @@ export default function ({ getService }: FtrProviderContext) {
           providerType: 'basic',
           providerName: 'basic1',
           currentURL: '/',
-          params: { username, password },
+          params: { username: adminTestUser.username, password: adminTestUser.password },
         })
         .expect(200);
 
@@ -79,7 +79,7 @@ export default function ({ getService }: FtrProviderContext) {
         .set('Cookie', cookie.cookieString())
         .expect(200);
 
-      expect(user.username).to.eql(username);
+      expect(user.username).to.eql(adminTestUser.username);
       expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic1' });
       expect(user.authentication_type).to.eql('realm');
       // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud

x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts

@@ -7,6 +7,7 @@
 import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
 import { delay } from 'bluebird';
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 import {
   getMutualAuthenticationResponseToken,
@@ -54,7 +55,6 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     it('does not prevent basic login', async () => {
-      const [username, password] = config.get('servers.elasticsearch.auth').split(':');
       const response = await supertest
         .post('/internal/security/login')
         .set('kbn-xsrf', 'xxx')
@@ -62,7 +62,7 @@ export default function ({ getService }: FtrProviderContext) {
           providerType: 'basic',
           providerName: 'basic',
           currentURL: '/',
-          params: { username, password },
+          params: { username: adminTestUser.username, password: adminTestUser.password },
         })
         .expect(200);
 
@@ -78,7 +78,7 @@ export default function ({ getService }: FtrProviderContext) {
         .set('Cookie', cookie.cookieString())
         .expect(200);
 
-      expect(user.username).to.eql(username);
+      expect(user.username).to.eql(adminTestUser.username);
       expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
       expect(user.authentication_type).to.eql('realm');
       // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud

x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts

@@ -8,12 +8,12 @@ import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
 import url from 'url';
 import { delay } from 'bluebird';
+import { adminTestUser } from '@kbn/test';
 import { getStateAndNonce } from '../../../fixtures/oidc/oidc_tools';
 import { FtrProviderContext } from '../../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertestWithoutAuth');
-  const config = getService('config');
 
   describe('OpenID Connect authentication', () => {
     it('should reject API requests if client is not authenticated', async () => {
@@ -21,7 +21,6 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     it('does not prevent basic login', async () => {
-      const [username, password] = config.get('servers.elasticsearch.auth').split(':');
       const response = await supertest
         .post('/internal/security/login')
         .set('kbn-xsrf', 'xxx')
@@ -29,7 +28,7 @@ export default function ({ getService }: FtrProviderContext) {
           providerType: 'basic',
           providerName: 'basic',
           currentURL: '/',
-          params: { username, password },
+          params: { username: adminTestUser.username, password: adminTestUser.password },
         })
         .expect(200);
 
@@ -42,10 +41,10 @@ export default function ({ getService }: FtrProviderContext) {
         .set('Cookie', request.cookie(cookies[0])!.cookieString())
         .expect(200);
 
-      expect(user.username).to.eql(username);
+      expect(user.username).to.eql(adminTestUser.username);
       expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
       expect(user.authentication_type).to.be('realm');
-      // Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud
+      // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
     });
 
     describe('initiating handshake', () => {

x-pack/test/security_api_integration/tests/pki/pki_auth.ts

@@ -10,6 +10,7 @@ import { delay } from 'bluebird';
 import { readFileSync } from 'fs';
 import { resolve } from 'path';
 import { CA_CERT_PATH } from '@kbn/dev-utils';
+import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 const CA_CERT = readFileSync(CA_CERT_PATH);
@@ -21,7 +22,6 @@ const UNTRUSTED_CLIENT_CERT = readFileSync(
 
 export default function ({ getService }: FtrProviderContext) {
   const supertest = getService('supertestWithoutAuth');
-  const config = getService('config');
 
   function checkCookieIsSet(cookie: Cookie) {
     expect(cookie.value).to.not.be.empty();
@@ -64,7 +64,6 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     it('does not prevent basic login', async () => {
-      const [username, password] = config.get('servers.elasticsearch.auth').split(':');
       const response = await supertest
         .post('/internal/security/login')
         .ca(CA_CERT)
@@ -74,7 +73,7 @@ export default function ({ getService }: FtrProviderContext) {
           providerType: 'basic',
           providerName: 'basic',
           currentURL: '/',
-          params: { username, password },
+          params: { username: adminTestUser.username, password: adminTestUser.password },
         })
         .expect(200);
 
@@ -92,7 +91,7 @@ export default function ({ getService }: FtrProviderContext) {
         .set('Cookie', cookie.cookieString())
         .expect(200);
 
-      expect(user.username).to.eql(username);
+      expect(user.username).to.eql(adminTestUser.username);
       expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
       // Do not assert on the `authentication_realm`, as the value differs for on-prem vs cloud
     });

x-pack/test/security_api_integration/tests/saml/saml_login.ts

@@ -9,6 +9,7 @@ import url from 'url';
 import { delay } from 'bluebird';
 import expect from '@kbn/expect';
 import request, { Cookie } from 'request';
+import { adminTestUser } from '@kbn/test';
 import {
   getLogoutRequest,
   getSAMLRequestId,
@@ -75,7 +76,6 @@ export default function ({ getService }: FtrProviderContext) {
     });
 
     it('does not prevent basic login', async () => {
-      const [username, password] = config.get('servers.elasticsearch.auth').split(':');
       const response = await supertest
         .post('/internal/security/login')
         .set('kbn-xsrf', 'xxx')
@@ -83,7 +83,7 @@ export default function ({ getService }: FtrProviderContext) {
           providerType: 'basic',
           providerName: 'basic',
           currentURL: '/',
-          params: { username, password },
+          params: { username: adminTestUser.username, password: adminTestUser.password },
         })
         .expect(200);
 
@@ -96,7 +96,7 @@ export default function ({ getService }: FtrProviderContext) {
         .set('Cookie', request.cookie(cookies[0])!.cookieString())
         .expect(200);
 
-      expect(user.username).to.eql(username);
+      expect(user.username).to.eql(adminTestUser.username);
       expect(user.authentication_provider).to.eql({ type: 'basic', name: 'basic' });
       expect(user.authentication_type).to.be('realm');
       // Do not assert on the `authentication_realm`, as the value differes for on-prem vs cloud

x-pack/test/security_api_integration/tests/session_idle/cleanup.ts

@@ -7,6 +7,7 @@
 import request, { Cookie } from 'request';
 import { delay } from 'bluebird';
 import expect from '@kbn/expect';
+import { adminTestUser } from '@kbn/test';
 import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
 import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
 import { FtrProviderContext } from '../../ftr_provider_context';
@@ -17,7 +18,7 @@ export default function ({ getService }: FtrProviderContext) {
   const config = getService('config');
   const log = getService('log');
   const randomness = getService('randomness');
-  const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':');
+  const { username: basicUsername, password: basicPassword } = adminTestUser;
   const kibanaServerConfig = config.get('servers.kibana');
 
   async function checkSessionCookie(

x-pack/test/security_api_integration/tests/session_lifespan/cleanup.ts

@@ -7,6 +7,7 @@
 import request, { Cookie } from 'request';
 import { delay } from 'bluebird';
 import expect from '@kbn/expect';
+import { adminTestUser } from '@kbn/test';
 import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
 import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
 import { FtrProviderContext } from '../../ftr_provider_context';
@@ -16,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) {
   const es = getService('es');
   const config = getService('config');
   const randomness = getService('randomness');
-  const [basicUsername, basicPassword] = config.get('servers.elasticsearch.auth').split(':');
+  const { username: basicUsername, password: basicPassword } = adminTestUser;
   const kibanaServerConfig = config.get('servers.kibana');
 
   async function checkSessionCookie(