Turn on internal API restriction for serverless tests (#162636)

## Summary Since we already have some E2E tests running for serverless, this PR turns on the internal API restriction flag to test whether our UI functions _as such_ under these tests. An alternative could be to have a specific smoke test for this, but it seems this is thoroughly covered by piggy-backing off the existing set of tests. Blocks: https://github.com/elastic/kibana/pull/162149
2025-04-24 09:48:58 -04:00 · 2023-08-01 10:19:57 +02:00 · 2023-08-01 10:19:57 +02:00 · 87ff936b34
commit 87ff936b34
parent 8c7c621205
17 changed files with 65 additions and 19 deletions
--- a/packages/kbn-test/src/kbn_client/kbn_client_requester.ts
+++ b/packages/kbn-test/src/kbn_client/kbn_client_requester.ts
@ -131,6 +131,7 @@ export class KbnClientRequester {
          headers: {
            ...options.headers,
            'kbn-xsrf': 'kbn-client',
+            'x-elastic-internal-origin': 'kbn-client',
          },
          httpsAgent: this.httpsAgent,
          responseType: options.responseType,
--- a/x-pack/test/api_integration/services/usage_api.ts
+++ b/x-pack/test/api_integration/services/usage_api.ts
@ -31,6 +31,7 @@ export function UsageAPIProvider({ getService }: FtrProviderContext) {
    const { body } = await supertest
      .post('/api/telemetry/v2/clusters/_stats')
      .set('kbn-xsrf', 'xxx')
+      .set('x-elastic-internal-origin', 'xxx')
      .send({ refreshCache: true, ...payload })
      .expect(200);
    return body;
--- a/x-pack/test/apm_api_integration/common/apm_api_supertest.ts
+++ b/x-pack/test/apm_api_integration/common/apm_api_supertest.ts
@ -29,7 +29,10 @@ export function createApmApiClient(st: supertest.SuperTest<supertest.Test>) {
    const { method, pathname, version } = formatRequest(endpoint, params.path);
    const url = format({ pathname, query: params?.query });

-    const headers: Record<string, string> = { 'kbn-xsrf': 'foo' };
+    const headers: Record<string, string> = {
+      'kbn-xsrf': 'foo',
+      'x-elastic-internal-origin': 'foo',
+    };

    if (version) {
      headers['Elastic-Api-Version'] = version;
--- a/x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/security_response_headers.ts
@ -41,7 +41,7 @@ export default function ({ getService }: FtrProviderContext) {
    it('redirect endpoint response contains default security headers', async () => {
      const { header } = await supertest
        .get(`/logout`)
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
        .expect(200);

      expect(header).toBeDefined();
--- a/x-pack/test_serverless/api_integration/test_suites/common/security_users.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/security_users.ts
@ -17,7 +17,7 @@ export default function ({ getService }: FtrProviderContext) {
    it('rejects request to create user', async () => {
      const { body, status } = await supertest
        .post(`/internal/security/users/some_testuser`)
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
        .send({ username: 'some_testuser', password: 'testpassword', roles: [] });

      // in a non-serverless environment this would succeed with a 200
--- a/x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/apm_api_integration/common/apm_api_supertest.ts
@ -34,7 +34,10 @@ export function createApmApiClient(st: supertest.SuperTest<supertest.Test>) {
    const { method, pathname, version } = formatRequest(endpoint, params.path);
    const url = format({ pathname, query: params?.query });

-    const headers: Record<string, string> = { 'kbn-xsrf': 'foo' };
+    const headers: Record<string, string> = {
+      'kbn-xsrf': 'foo',
+      'x-elastic-internal-origin': 'foo',
+    };

    if (version) {
      headers['Elastic-Api-Version'] = version;
--- a/x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/fleet.ts
@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) {
    it('rejects request to create a new fleet server hosts', async () => {
      const { body, status } = await supertest
        .post('/api/fleet/fleet_server_hosts')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
        .send({
          name: 'test',
          host_urls: ['https://localhost:8220'],
@ -34,7 +34,7 @@ export default function ({ getService }: FtrProviderContext) {
    it('rejects request to create a new proxy', async () => {
      const { body, status } = await supertest
        .post('/api/fleet/proxies')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
        .send({
          name: 'test',
          url: 'https://localhost:8220',
--- a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_api_helper.ts
@ -21,6 +21,7 @@ export async function createIndexConnector({
  const { body } = await supertest
    .post(`/api/actions/connector`)
    .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
    .send({
      name,
      config: {
@ -54,6 +55,7 @@ export async function createRule({
  const { body } = await supertest
    .post(`/api/alerting/rule`)
    .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
    .send({
      params,
      consumer,
--- a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/alerting_wait_for_helpers.ts
@ -25,7 +25,10 @@ export async function waitForRuleStatus({
 }): Promise<Record<string, any>> {
  return pRetry(
    async () => {
-      const response = await supertest.get(`/api/alerting/rule/${id}`);
+      const response = await supertest
+        .get(`/api/alerting/rule/${id}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
      const { execution_status: executionStatus } = response.body || {};
      const { status } = executionStatus || {};
      if (status !== expectedStatus) {
--- a/x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/helpers/data_view.ts
@ -21,6 +21,7 @@ export const createDataView = async ({
  const { body } = await supertest
    .post(`/api/content_management/rpc/create`)
    .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
    .send({
      contentTypeId: 'index-pattern',
      data: {
@ -49,6 +50,7 @@ export const deleteDataView = async ({
  const { body } = await supertest
    .post(`/api/content_management/rpc/delete`)
    .set('kbn-xsrf', 'foo')
+    .set('x-elastic-internal-origin', 'foo')
    .send({
      contentTypeId: 'index-pattern',
      id,
--- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_fired.ts
@ -40,8 +40,14 @@ export default function ({ getService }: FtrProviderContext) {
    });

    after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
      await esClient.deleteByQuery({
        index: THRESHOLD_RULE_ALERT_INDEX,
        query: { term: { 'kibana.alert.rule.uuid': ruleId } },
--- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/avg_pct_no_data.ts
@ -35,8 +35,14 @@ export default function ({ getService }: FtrProviderContext) {
    });

    after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
      await esClient.deleteByQuery({
        index: THRESHOLD_RULE_ALERT_INDEX,
        query: { term: { 'kibana.alert.rule.uuid': ruleId } },
--- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/custom_eq_avg_bytes_fired.ts
@ -46,8 +46,14 @@ export default function ({ getService }: FtrProviderContext) {
    });

    after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
      await esClient.deleteByQuery({
        index: THRESHOLD_RULE_ALERT_INDEX,
        query: { term: { 'kibana.alert.rule.uuid': ruleId } },
--- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/documents_count_fired.ts
@ -40,8 +40,14 @@ export default function ({ getService }: FtrProviderContext) {
    });

    after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
      await esClient.deleteByQuery({
        index: THRESHOLD_RULE_ALERT_INDEX,
        query: { term: { 'kibana.alert.rule.uuid': ruleId } },
--- a/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/observability/threshold_rule/group_by_fired.ts
@ -53,8 +53,14 @@ export default function ({ getService }: FtrProviderContext) {
    });

    after(async () => {
-      await supertest.delete(`/api/alerting/rule/${ruleId}`).set('kbn-xsrf', 'foo');
-      await supertest.delete(`/api/actions/connector/${actionId}`).set('kbn-xsrf', 'foo');
+      await supertest
+        .delete(`/api/alerting/rule/${ruleId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
+      await supertest
+        .delete(`/api/actions/connector/${actionId}`)
+        .set('kbn-xsrf', 'foo')
+        .set('x-elastic-internal-origin', 'foo');
      await esClient.deleteByQuery({
        index: THRESHOLD_RULE_ALERT_INDEX,
        query: { term: { 'kibana.alert.rule.uuid': ruleId } },
--- a/x-pack/test_serverless/api_integration/test_suites/security/fleet.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/security/fleet.ts
@ -16,7 +16,7 @@ export default function ({ getService }: FtrProviderContext) {
    it('rejects request to create a new fleet server hosts', async () => {
      const { body, status } = await supertest
        .post('/api/fleet/fleet_server_hosts')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
        .send({
          name: 'test',
          host_urls: ['https://localhost:8220'],
@ -34,7 +34,7 @@ export default function ({ getService }: FtrProviderContext) {
    it('rejects request to create a new proxy', async () => {
      const { body, status } = await supertest
        .post('/api/fleet/proxies')
-        .set(svlCommonApi.getCommonRequestHeader())
+        .set(svlCommonApi.getInternalRequestHeader())
        .send({
          name: 'test',
          url: 'https://localhost:8220',
--- a/x-pack/test_serverless/shared/config.base.ts
+++ b/x-pack/test_serverless/shared/config.base.ts
@ -33,6 +33,7 @@ export default async () => {
      },
      sourceArgs: ['--no-base-path', '--env.name=development'],
      serverArgs: [
+        `--server.restrictInternalApis=true`,
        `--server.port=${kbnTestConfig.getPort()}`,
        '--status.allowAnonymous=true',
        // We shouldn't embed credentials into the URL since Kibana requests to Elasticsearch should