Merge branch 'master' into convertTestsReportingViz

packages/kbn-securitysolution-list-utils/src/helpers/index.ts

@@ -95,6 +95,10 @@ export const filterExceptionItems = (
         }
       }, []);
 
+      if (entries.length === 0) {
+        return acc;
+      }
+
       const item = { ...exception, entries };
 
       if (exceptionListItemSchema.is(item)) {

packages/kbn-test/src/functional_tests/lib/run_elasticsearch.ts

@@ -12,8 +12,6 @@ import { KIBANA_ROOT } from './paths';
 import type { Config } from '../../functional_test_runner/';
 import { createTestEsCluster } from '../../es';
 
-import { setupUsers, DEFAULT_SUPERUSER_PASS } from './auth';
-
 interface RunElasticsearchOptions {
   log: ToolingLog;
   esFrom: string;
@@ -34,9 +32,7 @@ export async function runElasticsearch({
 
   const cluster = createTestEsCluster({
     port: config.get('servers.elasticsearch.port'),
-    password: isSecurityEnabled
-      ? DEFAULT_SUPERUSER_PASS
-      : config.get('servers.elasticsearch.password'),
+    password: isSecurityEnabled ? 'changeme' : config.get('servers.elasticsearch.password'),
     license,
     log,
     basePath: resolve(KIBANA_ROOT, '.es'),
@@ -49,22 +45,5 @@ export async function runElasticsearch({
 
   await cluster.start();
 
-  if (isSecurityEnabled) {
-    await setupUsers({
-      log,
-      esPort: config.get('servers.elasticsearch.port'),
-      updates: [config.get('servers.elasticsearch'), config.get('servers.kibana')],
-      protocol: config.get('servers.elasticsearch').protocol,
-      caPath: getRelativeCertificateAuthorityPath(config.get('kbnTestServer.serverArgs')),
-    });
-  }
-
   return cluster;
 }
-
-function getRelativeCertificateAuthorityPath(esConfig: string[] = []) {
-  const caConfig = esConfig.find(
-    (config) => config.indexOf('--elasticsearch.ssl.certificateAuthorities') === 0
-  );
-  return caConfig ? caConfig.split('=')[1] : undefined;
-}

packages/kbn-test/src/index.ts

@@ -29,8 +29,6 @@ export { esTestConfig, createTestEsCluster } from './es';
 
 export { kbnTestConfig, kibanaServerTestUser, kibanaTestUser, adminTestUser } from './kbn';
 
-export { setupUsers, DEFAULT_SUPERUSER_PASS } from './functional_tests/lib/auth';
-
 export { readConfigFile } from './functional_test_runner/lib/config/read_config_file';
 
 export { runFtrCli } from './functional_test_runner/cli';

src/core/test_helpers/kbn_server.ts

@@ -7,15 +7,7 @@
  */
 
 import { ToolingLog, REPO_ROOT } from '@kbn/dev-utils';
-import {
-  createTestEsCluster,
-  DEFAULT_SUPERUSER_PASS,
-  esTestConfig,
-  kbnTestConfig,
-  kibanaServerTestUser,
-  kibanaTestUser,
-  setupUsers,
-} from '@kbn/test';
+import { createTestEsCluster, esTestConfig, kibanaServerTestUser, kibanaTestUser } from '@kbn/test';
 import { defaultsDeep } from 'lodash';
 import { resolve } from 'path';
 import { BehaviorSubject } from 'rxjs';
@@ -208,7 +200,6 @@ export function createTestServers({
     defaultsDeep({}, settings.es ?? {}, {
       log,
       license,
-      password: license === 'trial' ? DEFAULT_SUPERUSER_PASS : undefined,
     })
   );
 
@@ -224,19 +215,7 @@ export function createTestServers({
       await es.start();
 
       if (['gold', 'trial'].includes(license)) {
-        await setupUsers({
-          log,
-          esPort: esTestConfig.getUrlParts().port,
-          updates: [
-            ...usersToBeAdded,
-            // user elastic
-            esTestConfig.getUrlParts() as { username: string; password: string },
-            // user kibana
-            kbnTestConfig.getUrlParts() as { username: string; password: string },
-          ],
-        });
-
-        // Override provided configs, we know what the elastic user is now
+        // Override provided configs
         kbnSettings.elasticsearch = {
           hosts: [esTestConfig.getUrl()],
           username: kibanaServerTestUser.username,

x-pack/plugins/fleet/server/services/epm/elasticsearch/ingest_pipeline/final_pipeline.ts

@@ -59,25 +59,26 @@ processors:
         }
 
         String verified(def ctx, def params) {
-          // Agents only use API keys.
-          if (ctx?._security?.authentication_type == null || ctx._security.authentication_type != 'API_KEY') {
-            return "no_api_key";
+          // No agent.id field to validate.
+          if (ctx?.agent?.id == null) {
+            return "missing";
           }
 
-          // Verify the API key owner before trusting any metadata it contains.
-          if (!is_user_trusted(ctx, params.trusted_users)) {
-            return "untrusted_user";
-          }
-
-          // API keys created by Fleet include metadata about the agent they were issued to.
-          if (ctx?._security?.api_key?.metadata?.agent_id == null || ctx?.agent?.id == null) {
-            return "missing_metadata";
+          // Check auth metadata from API key.
+          if (ctx?._security?.authentication_type == null
+              // Agents only use API keys.
+              || ctx._security.authentication_type != 'API_KEY'
+              // Verify the API key owner before trusting any metadata it contains.
+              || !is_user_trusted(ctx, params.trusted_users)
+              // Verify the API key has metadata indicating the assigned agent ID.
+              || ctx?._security?.api_key?.metadata?.agent_id == null) {
+            return "auth_metadata_missing";
           }
 
           // The API key can only be used represent the agent.id it was issued to.
           if (ctx._security.api_key.metadata.agent_id != ctx.agent.id) {
             // Potential masquerade attempt.
-            return "agent_id_mismatch";
+            return "mismatch";
           }
 
           return "verified";

x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts

@@ -1697,9 +1697,9 @@ describe('Exception builder helpers', () => {
         namespaceType: 'single',
         ruleName: 'rule name',
       });
-      const exceptions = filterExceptionItems([{ ...rest, meta }]);
+      const exceptions = filterExceptionItems([{ ...rest, entries: [getEntryMatchMock()], meta }]);
 
-      expect(exceptions).toEqual([{ ...rest, entries: [], meta: undefined }]);
+      expect(exceptions).toEqual([{ ...rest, entries: [getEntryMatchMock()], meta: undefined }]);
     });
   });
 

x-pack/test/fleet_api_integration/apis/epm/final_pipeline.ts

@@ -112,14 +112,14 @@ export default function (providerContext: FtrProviderContext) {
       // @ts-expect-error
       const event = doc._source.event;
 
-      expect(event.agent_id_status).to.be('no_api_key');
+      expect(event.agent_id_status).to.be('auth_metadata_missing');
       expect(event).to.have.property('ingested');
     });
 
     const scenarios = [
       {
         name: 'API key without metadata',
-        expectedStatus: 'missing_metadata',
+        expectedStatus: 'auth_metadata_missing',
         event: { agent: { id: 'agent1' } },
       },
       {
@@ -134,7 +134,7 @@ export default function (providerContext: FtrProviderContext) {
       },
       {
         name: 'API key with agent id metadata and no agent id in event',
-        expectedStatus: 'missing_metadata',
+        expectedStatus: 'missing',
         apiKey: {
           metadata: {
             agent_id: 'agent1',
@@ -143,7 +143,7 @@ export default function (providerContext: FtrProviderContext) {
       },
       {
         name: 'API key with agent id metadata and tampered agent id in event',
-        expectedStatus: 'agent_id_mismatch',
+        expectedStatus: 'mismatch',
         apiKey: {
           metadata: {
             agent_id: 'agent2',