Add support for ESOs in the "Check Saved Objects" CI check#253470
Add support for ESOs in the "Check Saved Objects" CI check#253470jeramysoucy merged 12 commits intoelastic:mainfrom
Conversation
| .map(({ name }) => name), | ||
| { | ||
| encryptionExtension: encryptedSavedObjects | ||
| ? encryptedSavedObjects?.__testCreateExtension(typeRegistry) |
There was a problem hiding this comment.
Here is where you could pass in overrides for specific types, like the connector token. Something like this:
const savedObjectsRepository = SavedObjectsRepository.createRepository(
migrator,
typeRegistry,
kibanaIndex,
client,
loggerFactory.get('saved_objects'),
// the toolkit's SavedObjectsRepository must allow testing hidden types
typeRegistry
.getAllTypes()
.filter(({ hidden }) => hidden)
.map(({ name }) => name),
{
encryptionExtension: encryptedSavedObjects
? encryptedSavedObjects?.__testCreateExtension(typeRegistry, [
{
type: 'connector_token',
attributesToEncrypt: new Set(['token']),
attributesToIncludeInAAD: new Set([
'connectorId',
'tokenType',
'expiresAt',
'createdAt',
'updatedAt',
]),
},
])
: undefined,
}
);
Though, it would probably make sense to store the overrides somewhere for easier access/clarity.
packages/kbn-check-saved-objects-cli/src/commands/tasks/test_rollback.ts
Outdated
Show resolved
Hide resolved
ef3c7b6 to
1fec797
Compare
_plugins map on internal core start contract| fix: boolean; | ||
| } | ||
|
|
||
| export const encryptionOverrides: EncryptedSavedObjectTypeRegistration[] = [ |
There was a problem hiding this comment.
I'm sure someone will inject something soon! 😆
src/platform/packages/private/kbn-migrator-test-kit/src/kibana_migrator_test_kit.ts
Outdated
Show resolved
Hide resolved
|
Pinging @elastic/kibana-core (Team:Core) |
jloleysens
left a comment
There was a problem hiding this comment.
Approving to unblock progress, left a q about a possible simplification
| __testCreateDangerousExtension: ( | ||
| typeRegistry: ISavedObjectTypeRegistry, | ||
| typeRegistrationOverrides?: EncryptedSavedObjectTypeRegistration[] | ||
| ): SavedObjectsEncryptionExtension => { | ||
| const testService = new EncryptedSavedObjectsService({ | ||
| primaryCrypto: this.primaryCrypto, | ||
| decryptionOnlyCryptos: this.decryptionOnlyCryptos, | ||
| logger: this.logger, | ||
| }); | ||
|
|
||
| const registeredTypes = new Set<string>(); | ||
|
|
||
| for (const typeRegistration of typeRegistrationOverrides ?? []) { | ||
| testService.registerType(dangerouslyExposeAttributes(typeRegistration)); | ||
| registeredTypes.add(typeRegistration.type); | ||
| } | ||
|
|
||
| for (const typeRegistration of this.typeRegistrations) { | ||
| if (!registeredTypes.has(typeRegistration.type)) { | ||
| testService.registerType(dangerouslyExposeAttributes(typeRegistration)); | ||
| } | ||
| } | ||
|
|
||
| return new SavedObjectsEncryptionExtension({ | ||
| baseTypeRegistry: typeRegistry, | ||
| service: testService, | ||
| getCurrentUser: async () => undefined, | ||
| }); | ||
| }, |
There was a problem hiding this comment.
Is it possible for this to be a stateless function exported from x-pack/platform/plugins/shared/encrypted_saved_objects/server?
Then test migrator kit can pass in typeRegistry, typeRegistry overrides and logger. Just not sure about the crypto values... are they easy to mock or create test counterparts for? We could also avoid coreStart._plugins workaround.
There was a problem hiding this comment.
It would be possible, but we'd have to move a few things that are currently encapsulated in the ESO plugin class or define them in the test code.
-
The primary and decryption-only Crypto instances. Without providing this internally in the plugin, the test code would need to create these instances. The decryption-only cryptos would likely just be an empty array. So this could be as simple as passing in an encryption key for the primary crypto from the test code.
-
The array of registered types derived from the setup phase. Without providing this internally in the plugin, the test code would need to register all applicable ESO types, which could become a pain.
I can push a commit with these changes and ask @azasypkin if hew has a preference.
There was a problem hiding this comment.
@azasypkin After discussing with Gerard, given this is a temporary solution, we're going to hold off making further changes. So, this PR is ready for review. Let us know your thoughts on JL's suggestion.
|
|
||
| await this.plugins.start(this.coreStart); | ||
| const { contracts } = await this.plugins.start(this.coreStart); | ||
| this.coreStart._plugins = contracts; |
There was a problem hiding this comment.
I think this is OK given this is all internal to Core.
Adds a temporary `_plugins` property to `InternalCoreStart` that exposes the plugin start contracts map. This is intended for internal use only and enables `kbn-check-saved-objects-cli` to access the `encryptedSavedObjects` plugin, which is needed to add ESO support to the saved objects check tooling. Co-authored-by: Cursor <cursoragent@cursor.com>
… connector token ESO for testing
Removes commented console log
226c754 to
28668af
Compare
d3d615d to
1326be5
Compare
|
Pinging @elastic/obs-ux-management-team (Team:obs-ux-management) |
kdelemme
left a comment
There was a problem hiding this comment.
Mock update looks good to me
|
ACK: will review today, sorry for the delay |
azasypkin
left a comment
There was a problem hiding this comment.
LGTM, just one non-blocking suggestion to not keep test-only registration state for production use and concentrate everything within the encryption service.
x-pack/platform/plugins/shared/encrypted_saved_objects/server/plugin.ts
Outdated
Show resolved
Hide resolved
…ngerous clone function
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Public APIs missing exports
Unknown metric groupsAPI count
History
cc @jeramysoucy |
…53470) ## Summary Closes elastic/kibana-team#2867 The `Check Saved Objects` CI check performs automated upgrade and rollback testing for any updated SO types. None of the Encrypted Saved Objects had been updated since the check was put in place, up until recently. To add support for ESOs, the `KibanaMigratorTestKit` must accept an _encryptedSavedObjects_ service, so that the underlying SOR can be built with the encryption extension. This PR adds a workaround to support encryption / decryption in the `KibanaMigratorTestKit`, unblocking elastic#252104. Made with [Cursor](https://cursor.com) --------- Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Summary
Closes https://github.com/elastic/kibana-team/issues/2867
The
Check Saved ObjectsCI check performs automated upgrade and rollback testing for any updated SO types.None of the Encrypted Saved Objects had been updated since the check was put in place, up until recently.
To add support for ESOs, the
KibanaMigratorTestKitmust accept an encryptedSavedObjects service, so that the underlying SOR can be built with the encryption extension.This PR adds a workaround to support encryption / decryption in the
KibanaMigratorTestKit, unblocking #252104.Made with Cursor