elastic
diff --git a/‎src/cli/serve/serve.js‎
Lines changed: 4 additions & 4 deletions b/‎src/cli/serve/serve.js‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/cli/serve/serve.test.js‎
Lines changed: 21 additions & 21 deletions b/‎src/cli/serve/serve.test.js‎
Lines changed: 21 additions & 21 deletions
diff --git a/‎src/platform/packages/private/kbn-mock-idp-utils/src/utils.ts‎
Lines changed: 7 additions & 2 deletions b/‎src/platform/packages/private/kbn-mock-idp-utils/src/utils.ts‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎src/platform/packages/shared/kbn-es/src/cli_commands/serverless.ts‎
Lines changed: 2 additions & 1 deletion b/‎src/platform/packages/shared/kbn-es/src/cli_commands/serverless.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/platform/packages/shared/kbn-es/src/utils/docker_uiam.test.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/platform/packages/shared/kbn-es/src/utils/docker_uiam.test.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/platform/packages/shared/kbn-es/src/utils/docker_uiam.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/platform/packages/shared/kbn-es/src/utils/docker_uiam.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/automatic_import_v2/serverless/security_complete.serverless.config.ts‎
Lines changed: 0 additions & 1 deletion b/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/automatic_import_v2/serverless/security_complete.serverless.config.ts‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/default/serverless/serverless.base.config.ts‎
Lines changed: 22 additions & 2 deletions b/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/default/serverless/serverless.base.config.ts‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/uiam_local/serverless/observability_complete.serverless.config.ts‎
Lines changed: 11 additions & 16 deletions b/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/uiam_local/serverless/observability_complete.serverless.config.ts‎
Lines changed: 11 additions & 16 deletions
diff --git a/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/uiam_local/serverless/observability_logs_essentials.serverless.config.ts‎
Lines changed: 29 additions & 0 deletions b/‎src/platform/packages/shared/kbn-scout/src/servers/configs/config_sets/uiam_local/serverless/observability_logs_essentials.serverless.config.ts‎
Lines changed: 29 additions & 0 deletions
@@ -279,8 +279,8 @@ export default function (program) {
         'Collect more complete stack traces. See src/cli/dev.js for explanation.'
       )
       .option(
-        '--uiam',
-        'Configure Kibana with Universal Identity and Access Management (UIAM) support when running in serverless project mode.'
+        '--no-uiam',
+        'Prevents configuring Kibana with Universal Identity and Access Management (UIAM) support when running in serverless project mode.'
       );
   }
 
@@ -323,7 +323,7 @@ export default function (program) {
       cache: !!opts.cache,
       dist: !!opts.dist,
       serverless: isServerlessMode,
-      uiam: isServerlessSamlSupported && !!opts.uiam,
+      uiam: isServerlessSamlSupported && opts.uiam !== false,
     };
 
     // In development mode, the main process uses the @kbn/dev-cli-mode
@@ -442,7 +442,7 @@ function tryConfigureServerlessSamlProvider(rawConfig, opts, extraCliOptions) {
     });
   }
 
-  if (opts.uiam && DEV_UTILS_SUPPORTED) {
+  if (opts.uiam !== false && DEV_UTILS_SUPPORTED) {
     // Ensure the key/cert pair is loaded dynamically to exclude it from the production build.
     // eslint-disable-next-line import/no-dynamic-require
     const { KBN_CERT_PATH, KBN_KEY_PATH } = require(DEV_UTILS_PATH);
 
@@ -83,15 +83,22 @@ describe('applyConfigOverrides', () => {
     });
   });
 
-  it('alters config to enable SAML Mock IdP in serverless dev mode', () => {
-    expect(applyConfigOverrides({}, { dev: true, serverless: true }, {}, {})).toEqual({
+  it('alters config to enable SAML Mock IdP and UIAM in serverless dev mode', () => {
+    expect(applyConfigOverrides({}, { dev: true, serverless: true, uiam: true }, {}, {})).toEqual({
       elasticsearch: {
         hosts: ['https://localhost:9200'],
         serviceAccountToken: kibanaDevServiceAccount.token,
         ssl: { certificateAuthorities: expect.stringContaining('ca.crt') },
       },
+      mockIdpPlugin: { uiam: { enabled: true } },
       plugins: { paths: [] },
       xpack: {
+        cloud: {
+          id: 'local-dev:ZG9ja2VyLmludGVybmFsOjkyMDAkaG9zdDo5MjAwJGtpYmFuYTo5MjAw',
+          organization_id: 'org1234567890',
+          projects_url: '',
+          serverless: { project_id: 'abcdef12345678901234567890123456' },
+        },
         security: {
           authc: {
             providers: {
@@ -108,27 +115,30 @@ describe('applyConfigOverrides', () => {
             },
             selector: { enabled: false },
           },
+          uiam: {
+            enabled: true,
+            sharedSecret: 'Dw7eRt5yU2iO9pL3aS4dF6gH8jK0lZ1xC2vB3nM4qW5=',
+            url: 'https://localhost:8443',
+            ssl: {
+              certificate: KBN_CERT_PATH,
+              key: KBN_KEY_PATH,
+              verificationMode: 'none',
+            },
+          },
         },
       },
     });
   });
 
-  it('alters config to enable UIAM if `--uiam` flag is passed in serverless dev mode', () => {
-    expect(applyConfigOverrides({}, { dev: true, serverless: true, uiam: true }, {}, {})).toEqual({
+  it('omits UIAM config if `--no-uiam` flag is passed in serverless dev mode', () => {
+    expect(applyConfigOverrides({}, { dev: true, serverless: true, uiam: false }, {}, {})).toEqual({
       elasticsearch: {
         hosts: ['https://localhost:9200'],
         serviceAccountToken: kibanaDevServiceAccount.token,
         ssl: { certificateAuthorities: expect.stringContaining('ca.crt') },
       },
-      mockIdpPlugin: { uiam: { enabled: true } },
       plugins: { paths: [] },
       xpack: {
-        cloud: {
-          id: 'local-dev:ZG9ja2VyLmludGVybmFsOjkyMDAkaG9zdDo5MjAwJGtpYmFuYTo5MjAw',
-          organization_id: 'org1234567890',
-          projects_url: '',
-          serverless: { project_id: 'abcdef12345678901234567890123456' },
-        },
         security: {
           authc: {
             providers: {
@@ -145,16 +155,6 @@ describe('applyConfigOverrides', () => {
             },
             selector: { enabled: false },
           },
-          uiam: {
-            enabled: true,
-            sharedSecret: 'Dw7eRt5yU2iO9pL3aS4dF6gH8jK0lZ1xC2vB3nM4qW5=',
-            url: 'https://localhost:8443',
-            ssl: {
-              certificate: KBN_CERT_PATH,
-              key: KBN_KEY_PATH,
-              verificationMode: 'none',
-            },
-          },
         },
       },
     });
 
@@ -318,11 +318,16 @@ export async function createUiamSessionTokens({
   const givenName = fullName ? fullName.split(' ')[0] : 'Test';
   const familyName = fullName ? fullName.split(' ').slice(1).join(' ') : 'User';
 
+  // UIAM expects project types to be in a specific format, so we need to convert the project type
+  // if it's one of the known types.
+  const uiamProjectType =
+    projectType === 'oblt' ? 'observability' : projectType === 'es' ? 'elasticsearch' : projectType;
+
   const userSeedResult = await seedTestUser({
     userId: username,
     organizationId,
     roleId: 'cloud-role-id',
-    projectType,
+    projectType: uiamProjectType,
     applicationRoles: roles,
     email,
     firstName: givenName,
@@ -358,7 +363,7 @@ export async function createUiamSessionTokens({
           {
             role_id: 'cloud-role-id',
             organization_id: organizationId,
-            project_type: projectType,
+            project_type: uiamProjectType,
             application_roles: roles,
             project_scope: { scope: 'all' },
           },
 
@@ -64,7 +64,7 @@ export const serverless: Command = {
                           ${SERVERLESS_RESOURCES_PATHS.map((filePath) => basename(filePath)).join(
                             ' | '
                           )}
-      --uiam              Configure ES serverless with Universal Identity and Access Management (UIAM) support.
+      --uiam              Configure ES serverless with Universal Identity and Access Management (UIAM) support [default: true].
 
       -E                  Additional key=value settings to pass to ES
       -F                  Absolute paths for files to mount into containers
@@ -118,6 +118,7 @@ export const serverless: Command = {
         kibanaUrl: 'http://localhost:5601/',
         dataPath: 'stateless',
         ssl: true,
+        uiam: true,
       },
     }) as unknown as ServerlessOptions;
 
 
@@ -190,6 +190,8 @@ describe(`#runUiamContainer()`, () => {
             "--env",
             "quarkus.log.category.\\"co.elastic.cloud.uiam\\".level=DEBUG",
             "--env",
+            "quarkus.log.category.\\"co.elastic.cloud.uiam.app.authentication.ClientCertificateExtractor\\".level=INFO",
+            "--env",
             "quarkus.log.console.json.enabled=false",
             "--env",
             "quarkus.log.level=INFO",
 
@@ -154,6 +154,8 @@ export const UIAM_CONTAINERS = [
       '--env',
       `quarkus.log.category."co.elastic.cloud.uiam".level=${env.UIAM_APP_LOGGING_LEVEL}`,
       '--env',
+      `quarkus.log.category."co.elastic.cloud.uiam.app.authentication.ClientCertificateExtractor".level=${env.UIAM_LOGGING_LEVEL}`,
+      '--env',
       'quarkus.log.console.json.enabled=false',
       '--env',
       `quarkus.log.level=${env.UIAM_LOGGING_LEVEL}`,
 
@@ -12,7 +12,6 @@ import type { ScoutServerConfig } from '../../../../../types';
 
 export const servers: ScoutServerConfig = {
   ...defaultConfig,
-  esServerlessOptions: { uiam: true },
   kbnTestServer: {
     ...defaultConfig.kbnTestServer,
     serverArgs: [
 
@@ -11,7 +11,7 @@ import { resolve, join } from 'path';
 import { format as formatUrl } from 'url';
 import Fs from 'fs';
 
-import { CA_CERT_PATH, kibanaDevServiceAccount } from '@kbn/dev-utils';
+import { CA_CERT_PATH, KBN_CERT_PATH, KBN_KEY_PATH, kibanaDevServiceAccount } from '@kbn/dev-utils';
 import {
   fleetPackageRegistryDockerImage,
   defineDockerServersConfig,
@@ -21,6 +21,8 @@ import {
   MOCK_IDP_REALM_NAME,
   MOCK_IDP_UIAM_ORGANIZATION_ID,
   MOCK_IDP_UIAM_PROJECT_ID,
+  MOCK_IDP_UIAM_SERVICE_URL,
+  MOCK_IDP_UIAM_SHARED_SECRET,
 } from '@kbn/mock-idp-utils';
 import { REPO_ROOT } from '@kbn/repo-info';
 import type { ScoutServerConfig } from '../../../../../types';
@@ -37,6 +39,9 @@ const dockerArgs: string[] = ['-v', `${packageRegistryConfig}:/package-registry/
  */
 const dockerRegistryPort: string | undefined = process.env.FLEET_PACKAGE_REGISTRY_PORT;
 
+// Indicates whether the config is used on CI or locally.
+const isRunOnCI = process.env.CI;
+
 const servers = {
   elasticsearch: {
     protocol: 'https',
@@ -94,6 +99,7 @@ export const defaultConfig: ScoutServerConfig = {
     ],
     ssl: true, // SSL is required for SAML realm
   },
+  esServerlessOptions: { uiam: true },
   kbnTestServer: {
     buildArgs: [],
     env: {
@@ -150,7 +156,14 @@ export const defaultConfig: ScoutServerConfig = {
       '--xpack.cloud.base_url=https://fake-cloud.elastic.co',
       '--xpack.cloud.billing_url=/billing/overview/',
       '--xpack.cloud.deployments_url=/deployments',
-      '--xpack.cloud.id=ftr_fake_cloud_id',
+      // cloud.id is decoded by the security plugin to obtain the ES endpoint for UIAM API key conversion.
+      // CI:    decodes to https://es01:9220 (ES listens on port 9220 inside the Docker network)
+      // Local: decodes to https://host.docker.internal:9220 (ES is on the host, reached via Docker bridge)
+      `--xpack.cloud.id=${
+        isRunOnCI
+          ? 'ci:ZXMwMTo5MjIwJDo5MjIwJGtpYmFuYTo5MjIw'
+          : 'local-dev:ZG9ja2VyLmludGVybmFsOjkyMjAkaG9zdDo5MjIwJGtpYmFuYTo5MjIw'
+      }`,
       `--xpack.cloud.organization_id=${MOCK_IDP_UIAM_ORGANIZATION_ID}`,
       '--xpack.cloud.organization_url=/account/',
       '--xpack.cloud.profile_url=/user/settings/',
@@ -194,6 +207,13 @@ export const defaultConfig: ScoutServerConfig = {
           ],
         },
       ])}`,
+      ...(isRunOnCI ? [] : ['--mockIdpPlugin.uiam.enabled=true']),
+      `--xpack.security.uiam.enabled=true`,
+      `--xpack.security.uiam.url=${MOCK_IDP_UIAM_SERVICE_URL}`,
+      `--xpack.security.uiam.sharedSecret=${MOCK_IDP_UIAM_SHARED_SECRET}`,
+      `--xpack.security.uiam.ssl.certificate=${KBN_CERT_PATH}`,
+      `--xpack.security.uiam.ssl.key=${KBN_KEY_PATH}`,
+      '--xpack.security.uiam.ssl.verificationMode=none',
     ],
   },
 };
@@ -7,28 +7,23 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import { MOCK_IDP_UIAM_SERVICE_URL, MOCK_IDP_UIAM_SHARED_SECRET } from '@kbn/mock-idp-utils';
-import { KBN_CERT_PATH, KBN_KEY_PATH } from '@kbn/dev-utils';
-import { servers as defaultConfig } from '../../default/serverless/security_complete.serverless.config';
+import { resolve } from 'path';
+import { REPO_ROOT } from '@kbn/repo-info';
+import { servers as defaultConfig } from '../../default/serverless/observability_complete.serverless.config';
 import type { ScoutServerConfig } from '../../../../../types';
 
-// Indicates whether the config is used on CI or locally.
-const isRunOnCI = process.env.CI;
+// We need to test certain APIs that are only exposed by the plugin contract and not through
+// any HTTP endpoint, so this test plugin exposes these APIs through test HTTP endpoints that
+// we can call in our tests.
+const pluginPath = `--plugin-path=${resolve(
+  REPO_ROOT,
+  'x-pack/platform/test/security_functional/plugins/test_endpoints'
+)}`;
 
 export const servers: ScoutServerConfig = {
   ...defaultConfig,
-  esServerlessOptions: { uiam: true },
   kbnTestServer: {
     ...defaultConfig.kbnTestServer,
-    serverArgs: [
-      ...defaultConfig.kbnTestServer.serverArgs,
-      ...(isRunOnCI ? [] : ['--mockIdpPlugin.uiam.enabled=true']),
-      `--xpack.security.uiam.enabled=true`,
-      `--xpack.security.uiam.url=${MOCK_IDP_UIAM_SERVICE_URL}`,
-      `--xpack.security.uiam.sharedSecret=${MOCK_IDP_UIAM_SHARED_SECRET}`,
-      `--xpack.security.uiam.ssl.certificate=${KBN_CERT_PATH}`,
-      `--xpack.security.uiam.ssl.key=${KBN_KEY_PATH}`,
-      '--xpack.security.uiam.ssl.verificationMode=none',
-    ],
+    serverArgs: [...defaultConfig.kbnTestServer.serverArgs, pluginPath],
   },
 };
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { resolve } from 'path';
+import { REPO_ROOT } from '@kbn/repo-info';
+import { servers as defaultConfig } from '../../default/serverless/observability_logs_essentials.serverless.config';
+import type { ScoutServerConfig } from '../../../../../types';
+
+// We need to test certain APIs that are only exposed by the plugin contract and not through
+// any HTTP endpoint, so this test plugin exposes these APIs through test HTTP endpoints that
+// we can call in our tests.
+const pluginPath = `--plugin-path=${resolve(
+  REPO_ROOT,
+  'x-pack/platform/test/security_functional/plugins/test_endpoints'
+)}`;
+
+export const servers: ScoutServerConfig = {
+  ...defaultConfig,
+  kbnTestServer: {
+    ...defaultConfig.kbnTestServer,
+    serverArgs: [...defaultConfig.kbnTestServer.serverArgs, pluginPath],
+  },
+};