new role migration FTR added for global artifact management

2025-06-27 18:51:07 -04:00 · 2025-06-19 15:21:58 +02:00 · 2025-06-19 15:21:58 +02:00 · b8d90d085f
commit b8d90d085f
parent ea215212dd
5 changed files with 281 additions and 0 deletions
--- a/.buildkite/ftr_security_stateful_configs.yml
+++ b/.buildkite/ftr_security_stateful_configs.yml
@ -101,6 +101,8 @@ enabled:
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/policy/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/response_actions/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_api_integration/test_suites/siem_migrations/rules/trial_license_complete_tier/configs/ess.config.ts
  - x-pack/test/security_solution_endpoint/configs/endpoint.config.ts
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts
@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/ess/config.base.edr_workflows.trial')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('..')],
+    junit: {
+      reportName: 'EDR Workflows - Role Migration Tests - ESS Env - Trial License',
+    },
+  };
+}
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+  const functionalConfig = await readConfigFile(
+    require.resolve('../../../../../config/serverless/config.base.edr_workflows')
+  );
+
+  return {
+    ...functionalConfig.getAll(),
+    testFiles: [require.resolve('..')],
+    junit: {
+      reportName: 'EDR Workflows API - Role Migration Tests - Serverless Env - Complete',
+    },
+  };
+}
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { getRegistryUrl as getRegistryUrlFromIngest } from '@kbn/fleet-plugin/server';
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+import { ROLE } from '../../../../config/services/security_solution_edr_workflows_roles_users';
+
+export default function endpointAPIIntegrationTests(providerContext: FtrProviderContext) {
+  const { loadTestFile, getService } = providerContext;
+
+  describe('Endpoint related user role migrations', function () {
+    const ingestManager = getService('ingestManager');
+    const rolesUsersProvider = getService('rolesUsersProvider');
+    const kbnClient = getService('kibanaServer');
+    const log = getService('log');
+    const endpointRegistryHelpers = getService('endpointRegistryHelpers');
+    const endpointTestResources = getService('endpointTestResources');
+
+    const roles = Object.values(ROLE);
+    before(async () => {
+      if (!endpointRegistryHelpers.isRegistryEnabled()) {
+        log.warning('These tests are being run with an external package registry');
+      }
+
+      const registryUrl =
+        endpointRegistryHelpers.getRegistryUrlFromTestEnv() ?? getRegistryUrlFromIngest();
+      log.info(`Package registry URL for tests: ${registryUrl}`);
+
+      try {
+        await ingestManager.setup();
+      } catch (err) {
+        log.warning(`Error setting up ingestManager: ${err}`);
+      }
+    });
+
+    loadTestFile(require.resolve('./siem_v3_global_artifact_management'));
+  });
+}
--- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts
@ -0,0 +1,194 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common';
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+
+  const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2'];
+
+  // these artifact privileges are shared between ESS and Serverless, while Endpoint Exceptions privilege exists only on Serverless
+  const ARTIFACTS = [
+    'trusted_applications',
+    'event_filters',
+    'blocklist',
+    'host_isolation_exceptions',
+  ];
+
+  const ROLE_NAME = 'siem_v3_test_role';
+
+  const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) =>
+    supertest
+      .put(`/api/security/role/${ROLE_NAME}`)
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .send({
+        elasticsearch: { cluster: [], indices: [], run_as: [] },
+        kibana: [
+          {
+            base: [],
+            feature: {
+              [feature]: privileges,
+            },
+            spaces: ['*'],
+          },
+        ],
+      })
+      .expect(204);
+
+  const getMigratedSiemFeaturesFromRole = async (): Promise<FeaturesPrivileges[string]> => {
+    const response = await supertest
+      .get(`/api/security/role/${ROLE_NAME}`)
+      .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration
+      .set('kbn-xsrf', 'true')
+      .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+      .expect(200);
+
+    const role = response.body as Role;
+    expect(role._transform_error).to.have.length(
+      0,
+      `Role migration encountered an error, probably a non-existing privilege is added.
+      Transform error: ${JSON.stringify(role._transform_error)}`
+    );
+
+    // migrating from `siem` adds timeline and notes, but in this test it is irrelevant
+    return role.kibana[0].feature.siemV3;
+  };
+
+  describe('@ess @serverless @skipInServerlessMKI Role migrations towards siemV3', () => {
+    afterEach(async () => {
+      await supertest
+        .delete(`/api/security/role/${ROLE_NAME}`)
+        .set('kbn-xsrf', 'true')
+        .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+        .expect([204, 404]);
+    });
+
+    for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) {
+      describe(`from ${deprecatedSiem}`, () => {
+        const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem);
+
+        describe(`${deprecatedSiem}:READ`, () => {
+          it('should keep READ privilege', async () => {
+            await putDeprecatedSiemPrivilegesInRole(['read']);
+
+            expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']);
+          });
+        });
+
+        describe(`${deprecatedSiem}:MINIMAL_READ`, () => {
+          for (const artifact of ARTIFACTS) {
+            it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => {
+              await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]);
+
+              expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+                'minimal_read',
+                `${artifact}_read`,
+              ]);
+            });
+          }
+
+          // Endpoint Exception privilege only exists on Serverless
+          it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => {
+            await putDeprecatedSiemPrivilegesInRole(['minimal_read', `endpoint_exceptions_read`]);
+
+            expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+              'minimal_read',
+              `endpoint_exceptions_read`,
+            ]);
+          });
+
+          // adding Global Artifact Management to any artifact:WRITE privilege
+          for (const artifact of ARTIFACTS) {
+            it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => {
+              await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]);
+
+              expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+                'minimal_read',
+                `${artifact}_all`,
+                'global_artifact_management_all',
+              ]);
+            });
+          }
+
+          // Endpoint Exception privilege only exists on Serverless
+          it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => {
+            await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_all']);
+
+            expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+              'minimal_read',
+              'endpoint_exceptions_all',
+              'global_artifact_management_all',
+            ]);
+          });
+        });
+
+        describe(`${deprecatedSiem}:ALL`, () => {
+          // siem:ALL includes Endpoint Exceptions both on ESS and Serverless
+          it('should add global_artifact_management:ALL', async () => {
+            await putDeprecatedSiemPrivilegesInRole(['all']);
+
+            expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+              // sub-features toggle enabled to show Global Artifact Management
+              'minimal_all',
+              // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all
+              'global_artifact_management_all',
+            ]);
+          });
+        });
+
+        describe(`${deprecatedSiem}:MINIMAL_ALL`, () => {
+          // on ESS, siem:MINIMAL_ALL includes Endpoint Exceptions ALL
+          describe('@skipInServerless ESS', () => {
+            it('should add global_artifact_management:ALL', async () => {
+              await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+              expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+                'minimal_all',
+                'global_artifact_management_all',
+              ]);
+            });
+          });
+
+          // on Serverless, siem:MINIMAL_ALL means that Endpoint Exceptions is controlled by sub-feature privilege, it can be NONE
+          describe('@skipInEss on Serverless', () => {
+            it('@skipInEss should NOT add global_artifact_management:ALL', async () => {
+              await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+              expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']);
+            });
+
+            for (const artifact of [...ARTIFACTS, 'endpoint_exceptions']) {
+              it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => {
+                await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]);
+
+                expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+                  'minimal_read',
+                  `${artifact}_read`,
+                ]);
+              });
+
+              it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => {
+                await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]);
+
+                expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+                  'minimal_read',
+                  `${artifact}_all`,
+                  'global_artifact_management_all',
+                ]);
+              });
+            }
+          });
+        });
+      });
+    }
+  });
+}