From 5f60a54967b557b600aeb72baac3313e99d6097d Mon Sep 17 00:00:00 2001
From: Paul Tavares
Date: Thu, 9 Mar 2023 16:35:17 -0500
Subject: [PATCH 1/4] initial test file structure for validating RBAC entries in the Roles page
---
 .../e2e/mocked_data/endpoint_role_rbac.cy.ts | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
new file mode 100644
index 0000000000000..f92d380319367
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { login } from '../../tasks/login';
+
+describe('When defining a kibana role for Endpoint security access', () => {
+ const privilegesChecks: ReadonlyArray<{
+ label: string;
+ testSubj: string[];
+ }> = [
+ {
+ label: 'Endpoint List',
+ testSubj: ['endpoint_list_all', 'endpoint_list_read'],
+ },
+ {
+ label: 'Trusted Applications',
+ testSubj: ['trusted_applications_all', 'trusted_applications_read'],
+ },
+ {
+ label: 'Host Isolation Exceptions',
+ testSubj: ['host_isolation_exceptions_all', 'host_isolation_exceptions_read'],
+ },
+ {
+ label: 'Blocklist',
+ testSubj: ['blocklist_all', 'blocklist_read'],
+ },
+ {
+ label: 'Event Filters',
+ testSubj: ['event_filters_all', 'event_filters_read'],
+ },
+ {
+ label: 'Policy Management',
+ testSubj: ['policy_management_all', 'policy_management_read'],
+ },
+ {
+ label: 'Response Actions History',
+ testSubj: ['actions_log_management_all', 'actions_log_management_read'],
+ },
+ {
+ label: 'Host Isolation',
+ testSubj: ['host_isolation_all'],
+ },
+ {
+ label: 'Process Operations',
+ testSubj: ['process_operations_all'],
+ },
+ {
+ label: 'File Operations',
+ testSubj: ['file_operations_all'],
+ },
+ {
+ label: 'Execute Operations',
+ testSubj: ['execute_operations_all'],
+ },
+ ];
+
+ beforeEach(() => {
+ login();
+ cy.visit('/app/management/security/roles/edit');
+ cy.getByTestSubj('addSpacePrivilegeButton').click();
+ cy.get('button[aria-controls="featureCategory_securitySolution"]');
+ cy.get('button[aria-controls="featurePrivilegeControls_siem"]');
+ });
+
+ it.todo('should displays the expected number of RBAC entries');
+
+ it.todo('should display all RBAC entries set to None by default');
+
+ for (const privilegesCheck of privilegesChecks) {
+ //
+ }
+});
From 6dab2b3d9a9c10d74bb68da8aabef4139068ab93 Mon Sep 17 00:00:00 2001
From: Paul Tavares
Date: Thu, 9 Mar 2023 17:43:06 -0500
Subject: [PATCH 2/4] Tests for validating RBAC in Role kibana privileges panel
---
 .../e2e/mocked_data/endpoint_role_rbac.cy.ts | 98 ++++++++-----------
 1 file changed, 42 insertions(+), 56 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
index f92d380319367..9fa8a66ee9f57 100644
--- a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
+++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
@@ -5,72 +5,58 @@
 * 2.0.
 */
+import { closeAllToasts } from '../../tasks/close_all_toasts';
 import { login } from '../../tasks/login';
 describe('When defining a kibana role for Endpoint security access', () => {
- const privilegesChecks: ReadonlyArray<{
- label: string;
- testSubj: string[];
- }> = [
- {
- label: 'Endpoint List',
- testSubj: ['endpoint_list_all', 'endpoint_list_read'],
- },
- {
- label: 'Trusted Applications',
- testSubj: ['trusted_applications_all', 'trusted_applications_read'],
- },
- {
- label: 'Host Isolation Exceptions',
- testSubj: ['host_isolation_exceptions_all', 'host_isolation_exceptions_read'],
- },
- {
- label: 'Blocklist',
- testSubj: ['blocklist_all', 'blocklist_read'],
- },
- {
- label: 'Event Filters',
- testSubj: ['event_filters_all', 'event_filters_read'],
- },
- {
- label: 'Policy Management',
- testSubj: ['policy_management_all', 'policy_management_read'],
- },
- {
- label: 'Response Actions History',
- testSubj: ['actions_log_management_all', 'actions_log_management_read'],
- },
- {
- label: 'Host Isolation',
- testSubj: ['host_isolation_all'],
- },
- {
- label: 'Process Operations',
- testSubj: ['process_operations_all'],
- },
- {
- label: 'File Operations',
- testSubj: ['file_operations_all'],
- },
- {
- label: 'Execute Operations',
- testSubj: ['execute_operations_all'],
- },
- ];
+ const getAllSubFeatureRows = (): Cypress.Chainable> => {
+ return cy
+ .get('#featurePrivilegeControls_siem')
+ .findByTestSubj('mutexSubFeaturePrivilegeControl')
+ .closest('.euiFlexGroup');
+ };
 beforeEach(() => {
 login();
 cy.visit('/app/management/security/roles/edit');
+ closeAllToasts();
 cy.getByTestSubj('addSpacePrivilegeButton').click();
- cy.get('button[aria-controls="featureCategory_securitySolution"]');
- cy.get('button[aria-controls="featurePrivilegeControls_siem"]');
+ cy.getByTestSubj('featureCategoryButton_securitySolution').closest('button').click();
+ cy.get('.featurePrivilegeName:contains("Security")').closest('button').click();
 });
- it.todo('should displays the expected number of RBAC entries');
+ it('should display the expected number of RBAC entries', () => {
+ getAllSubFeatureRows().should('have.length', 11);
+ });
+
+ it('should display RBAC entries with expected controls', () => {
+ getAllSubFeatureRows()
+ .then(($subFeatures) => {
+ const featureRows: string[] = [];
+ $subFeatures.each((_, $subFeature) => {
+ featureRows.push($subFeature.textContent ?? '');
+ });
- it.todo('should display all RBAC entries set to None by default');
+ return featureRows;
+ })
+ .should('deep.equal', [
+ 'Endpoint List Displays all hosts running Elastic Defend and their relevant integration details.Endpoint List sub-feature privilegeAllReadNone',
+ 'Trusted Applications Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.Trusted Applications sub-feature privilegeAllReadNone',
+ 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone',
+ 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone',
+ 'Event Filters Filter out endpoint events that you do not need or want stored in Elasticsearch.Event Filters sub-feature privilegeAllReadNone',
+ 'Elastic Defend Policy Management Access the Elastic Defend integration policy to configure protections, event collection, and advanced policy features.Elastic Defend Policy Management sub-feature privilegeAllReadNone',
+ 'Response Actions History Access the history of response actions performed on endpoints.Response Actions History sub-feature privilegeAllReadNone',
+ 'Host Isolation Perform the "isolate" and "release" response actions.Host Isolation sub-feature privilegeAllNone',
+ 'Process Operations Perform process-related response actions in the response console.Process Operations sub-feature privilegeAllNone',
+ 'File Operations Perform file-related response actions in the response console.File Operations sub-feature privilegeAllNone',
+ 'Execute Operations Perform script execution on the endpoint.Execute Operations sub-feature privilegeAllNone',
+ ]);
+ });
- for (const privilegesCheck of privilegesChecks) {
- //
- }
+ it('should display all RBAC entries set to None by default', () => {
+ getAllSubFeatureRows()
+ .findByTestSubj('none')
+ .should('have.class', 'euiButtonGroupButton-isSelected');
+ });
 });
From 9fdd06d1cd9480455544a2a2a2f17d0f37c3ff3e Mon Sep 17 00:00:00 2001
From: Paul Tavares
Date: Thu, 9 Mar 2023 17:46:58 -0500
Subject: [PATCH 3/4] Remove redundant test + comment out line item for Execute operations
---
 .../cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
index 9fa8a66ee9f57..201819e3be7bf 100644
--- a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
+++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
@@ -25,12 +25,9 @@ describe('When defining a kibana role for Endpoint security access', () => {
 cy.get('.featurePrivilegeName:contains("Security")').closest('button').click();
 });
- it('should display the expected number of RBAC entries', () => {
- getAllSubFeatureRows().should('have.length', 11);
- });
-
 it('should display RBAC entries with expected controls', () => {
 getAllSubFeatureRows()
+ .should('have.length', 11)
 .then(($subFeatures) => {
 const featureRows: string[] = [];
 $subFeatures.each((_, $subFeature) => {
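Review bot: In the 'should display all RBAC entries set to None by default' test that closes the patch 2/4 hunk, `.should('have.class', 'euiButtonGroupButton-isSelected')` is applied to the whole set of `none` buttons, and the chai-jquery class check follows jQuery `hasClass`, which as far as I know is true as soon as one element in the set carries the class. The test would therefore still pass if one sub-feature defaulted to None while another defaulted to Read or All, so it does not pin the least-privilege default that its title promises. Asserting per element closes the gap: `getAllSubFeatureRows().findByTestSubj('none').each(($btn) => { expect($btn).to.have.class('euiButtonGroupButton-isSelected'); });`. Comparing the number of selected `none` buttons with the number of rows would additionally catch a row that renders without the control.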
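Review bot: The `.should('have.length', 11)` added to the chain in the first hunk of patch 3/4 disagrees with the expected list in the second hunk of the same patch, which is left with ten rows once the Execute Operations entry is commented out, so either the length check or the deep-equal has to fail whatever the UI renders. Keeping the guard at the count that matches the list, `.should('have.length', 10)`, also keeps a retried assertion ahead of `.then()`, whose callback Cypress runs once against whatever rows are in the DOM at that moment. Patch 4/4 removes the guard instead, which leaves the deep-equal comparison working from an unretried snapshot of the privilege rows. The test body continues past the end of this hunk.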
@@ -50,7 +47,8 @@ describe('When defining a kibana role for Endpoint security access', () => {
 'Host Isolation Perform the "isolate" and "release" response actions.Host Isolation sub-feature privilegeAllNone',
 'Process Operations Perform process-related response actions in the response console.Process Operations sub-feature privilegeAllNone',
 'File Operations Perform file-related response actions in the response console.File Operations sub-feature privilegeAllNone',
- 'Execute Operations Perform script execution on the endpoint.Execute Operations sub-feature privilegeAllNone',
+ // TODO: uncomment item below once Execute response action FF is enabled
+ // 'Execute Operations Perform script execution on the endpoint.Execute Operations sub-feature privilegeAllNone',
 ]);
 });
From 3bf82ccfc351b1e51e207080534ef972f08aede3 Mon Sep 17 00:00:00 2001
From: Paul Tavares
Date: Thu, 9 Mar 2023 20:07:19 -0500
Subject: [PATCH 4/4] correct test
---
 .../management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
index 201819e3be7bf..eb17a74df8f8d 100644
--- a/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
+++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/mocked_data/endpoint_role_rbac.cy.ts
@@ -27,7 +27,6 @@ describe('When defining a kibana role for Endpoint security access', () => {
 it('should display RBAC entries with expected controls', () => {
 getAllSubFeatureRows()
- .should('have.length', 11)
 .then(($subFeatures) => {
 const featureRows: string[] = [];
 $subFeatures.each((_, $subFeature) => {