Merge remote-tracking branch 'upstream/main' into fix/remove-multipage

Author: jen-huang

.github/CODEOWNERS

@@ -2094,6 +2094,8 @@ x-pack/platform/plugins/shared/streams/common/sig_events_tuning_config.ts @elast
 /x-pack/platform/plugins/shared/stack_alerts/server/rule_types/geo_containment @elastic/kibana-presentation
 /x-pack/platform/plugins/shared/stack_alerts/public/rule_types/geo_containment @elastic/kibana-presentation
 
+# Visualization
+/x-pack/platform/test/functional/services/lens.ts @elastic/kibana-visualization
 
 # Machine Learning
 /x-pack/platform/test/stack_functional_integration/apps/ml @elastic/ml-ui

src/platform/packages/private/kbn-journeys/services/auth.ts

@@ -8,87 +8,35 @@
  */
 
 import Url from 'url';
-import { format } from 'util';
 
+import { fetchSessionCookie } from '@kbn/ftr-common-functional-services';
 import { FtrService } from './ftr_context_provider';
 
 export interface Credentials {
   username: string;
   password: string;
 }
 
-function extractCookieValue(headers: Headers) {
-  // Headers.getSetCookie() is the Node 22 / undici API; fall back to Headers.get for
-  // older runtimes (jsdom in the test config).
-  const headersWithGetSetCookie = headers as Headers & { getSetCookie?: () => string[] };
-  const firstSetCookie = headersWithGetSetCookie.getSetCookie
-    ? headersWithGetSetCookie.getSetCookie()[0]
-    : headers.get('set-cookie');
-  return firstSetCookie?.split(';')[0].split('sid=')[1] ?? '';
-}
 export class AuthService extends FtrService {
   private readonly config = this.ctx.getService('config');
   private readonly log = this.ctx.getService('log');
   private readonly kibanaServer = this.ctx.getService('kibanaServer');
 
   public async login(credentials?: Credentials) {
-    const baseUrl = new URL(
-      Url.format({
-        protocol: this.config.get('servers.kibana.protocol'),
-        hostname: this.config.get('servers.kibana.hostname'),
-        port: this.config.get('servers.kibana.port'),
-      })
-    );
-    const loginUrl = new URL('/internal/security/login', baseUrl);
-    const provider = this.isCloud() ? 'cloud-basic' : 'basic';
-
-    const version = await this.kibanaServer.version.get();
-
-    this.log.info('fetching auth cookie from', loginUrl.href);
-    const authResponse = await fetch(loginUrl, {
-      method: 'POST',
-      headers: {
-        'content-type': 'application/json',
-        'kbn-version': version,
-        'sec-fetch-mode': 'cors',
-        'sec-fetch-site': 'same-origin',
-        'x-elastic-internal-origin': 'Kibana',
-      },
-      body: JSON.stringify({
-        providerType: 'basic',
-        providerName: provider,
-        currentURL: new URL('/login?next=%2F', baseUrl).href,
-        params: credentials ?? { username: this.getUsername(), password: this.getPassword() },
-      }),
-      redirect: 'manual',
+    const baseUrl = Url.format({
+      protocol: this.config.get('servers.kibana.protocol'),
+      hostname: this.config.get('servers.kibana.hostname'),
+      port: this.config.get('servers.kibana.port'),
     });
-
-    if (authResponse.status !== 200) {
-      throw new Error(
-        `Kibana auth failed: code: ${authResponse.status}, message: ${authResponse.statusText}`
-      );
-    }
-
-    const cookie = extractCookieValue(authResponse.headers);
-    if (cookie) {
-      this.log.info('captured auth cookie');
-    } else {
-      this.log.error(
-        format('unable to determine auth cookie from response', {
-          status: `${authResponse.status} ${authResponse.statusText}`,
-          body: await authResponse.text(),
-          headers: Object.fromEntries(authResponse.headers.entries()),
-        })
-      );
-
-      throw new Error(`failed to determine auth cookie`);
-    }
-
-    return {
-      name: 'sid',
-      value: cookie,
-      url: baseUrl.href,
-    };
+    const provider = this.isCloud() ? 'cloud-basic' : 'basic';
+    const kbnVersion = await this.kibanaServer.version.get();
+    const username = credentials?.username ?? this.getUsername();
+    const password = credentials?.password ?? this.getPassword();
+
+    this.log.info(`fetching auth cookie from ${baseUrl}/internal/security/login`);
+    const cookie = await fetchSessionCookie({ baseUrl, username, password, kbnVersion, provider });
+    this.log.info('captured auth cookie');
+    return cookie;
   }
 
   public getUsername() {

src/platform/packages/shared/kbn-ftr-common-functional-services/index.ts

@@ -47,3 +47,5 @@ export { RandomnessService } from './services/randomness';
 export { KibanaSupertestProvider, ElasticsearchSupertestProvider } from './services/supertest';
 export { retryForSuccess } from './services/retry/retry_for_success';
 export { SecurityService } from './services/security';
+export { fetchSessionCookie } from './services/cookie_auth';
+export type { SessionCookie, FetchSessionCookieParams } from './services/cookie_auth';

src/platform/packages/shared/kbn-ftr-common-functional-services/services/all.ts

@@ -22,6 +22,8 @@ import { SupertestWithoutAuthProvider } from './supertest_without_auth';
 import { SamlAuthProvider } from './saml_auth';
 import { KibanaSupertestProvider, ElasticsearchSupertestProvider } from './supertest';
 import { SecurityServiceProvider } from './security';
+import { CookieAuthService } from './cookie_auth';
+import { BrowserAuthService } from './browser_auth';
 
 export const services = {
   es: EsProvider,
@@ -40,4 +42,6 @@ export const services = {
   esSupertest: ElasticsearchSupertestProvider,
   supertestWithoutAuth: SupertestWithoutAuthProvider,
   security: SecurityServiceProvider,
+  cookieAuth: CookieAuthService,
+  browserAuth: BrowserAuthService,
 };

src/platform/packages/shared/kbn-ftr-common-functional-services/services/browser_auth/browser_auth_service.ts

@@ -0,0 +1,145 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { FtrService } from '../ftr_provider_context';
+import type { Cookie } from '../cookie_auth';
+
+export interface LoginByCookieOptions {
+  /** When provided, verifies GET /internal/security/me returns this username. */
+  expectedUsername?: string;
+  /** Whether to assert the userMenuButton test-subject is rendered after login. Defaults to true. */
+  expectUserMenuButton?: boolean;
+  /**
+   * Where to navigate after injecting the cookie. Defaults to the Kibana root (`/`).
+   * Pass the actual target app URL to avoid a second navigation in the caller.
+   */
+  targetUrl?: string;
+}
+
+/**
+ * Browser-side cookie injection service.
+ *
+ * Mirrors the pattern used by the serverless `svl_common_page.loginWithRole()`:
+ *   1. Navigate to /bootstrap-anonymous.js (no-auth endpoint to enter the Kibana origin)
+ *   2. Clean all browser state (cookies, session storage, local storage)
+ *   3. Set the `sid` cookie
+ *   4. Navigate to Kibana home and optionally verify identity
+ *
+ * Consumed by SecurityPageObject.login() and TestUser.setRoles() when
+ * `security.cookieLogin: true` is set in the FTR config.
+ *
+ * Note: `browser` and `testSubjects` are not part of the common FTR provider context type —
+ * they come from @kbn/ftr-common-functional-ui-services, which functional test configs spread
+ * on top. We use `hasService` + `as any` (same pattern as TestUser) to access them safely.
+ */
+export class BrowserAuthService extends FtrService {
+  private readonly log = this.ctx.getService('log');
+  private readonly deployment = this.ctx.getService('deployment');
+  private readonly supertestWithoutAuth = this.ctx.getService('supertestWithoutAuth');
+
+  // Browser-specific services — only present in functional (UI) test contexts.
+
+  private readonly browser: any = this.ctx.hasService('browser')
+    ? this.ctx.getService('browser' as any)
+    : undefined;
+
+  private readonly testSubjects: any = this.ctx.hasService('testSubjects')
+    ? this.ctx.getService('testSubjects' as any)
+    : undefined;
+
+  /**
+   * Clears all browser state (cookies, session storage, local storage).
+   *
+   * Navigates to `/bootstrap-anonymous.js` first only when the browser is not already on the
+   * Kibana origin — e.g. when starting from `about:blank`. If the browser is already on a
+   * Kibana page (e.g. `/login` after a redirect) the extra navigation is skipped.
+   */
+  async cleanBrowserState(): Promise<void> {
+    if (!this.browser) {
+      throw new Error(
+        '[browserAuth] browser service is not available — ' +
+          'cleanBrowserState() can only be called from functional UI test configs.'
+      );
+    }
+
+    const hostPort = this.deployment.getHostPort();
+    const currentUrl: string = await this.browser.getCurrentUrl();
+
+    if (!currentUrl.startsWith(hostPort)) {
+      // Not on the Kibana origin yet — navigate to a lightweight no-auth endpoint
+      // so cookie operations target the correct domain.
+      this.log.debug('[browserAuth] navigating to /bootstrap-anonymous.js for cookie domain');
+      await this.browser.get(hostPort + '/bootstrap-anonymous.js');
+      const alert = await this.browser.getAlert();
+      if (alert) await alert.accept();
+    }
+
+    this.log.debug('[browserAuth] deleting all cookies and clearing storage');
+    await this.browser.deleteAllCookies();
+    await this.browser.clearSessionStorage();
+    await this.browser.clearLocalStorage();
+  }
+
+  /**
+   * Injects a Kibana `sid` session cookie into the browser context and navigates to
+   * `options.targetUrl` (defaults to Kibana root `/`), verifying login succeeded.
+   *
+   * Pass `targetUrl` equal to the final app URL to avoid a second navigation in the caller.
+   */
+  async loginByCookie(cookie: Cookie, options: LoginByCookieOptions = {}): Promise<void> {
+    if (!this.browser || !this.testSubjects) {
+      throw new Error(
+        '[browserAuth] browser services are not available — ' +
+          'loginByCookie() can only be called from functional UI test configs.'
+      );
+    }
+
+    const { expectUserMenuButton = true, targetUrl } = options;
+
+    await this.cleanBrowserState();
+
+    // cleanBrowserState() wipes localStorage. Restore the flag that suppresses the
+    // welcome screen so it does not overlay the UI after the first navigation.
+    await this.browser.setLocalStorageItem('home:welcome:show', 'false');
+
+    this.log.debug(`[browserAuth] injecting 'sid' cookie`);
+    await this.browser.setCookie('sid', cookie.value);
+
+    const destination = targetUrl ?? this.deployment.getHostPort();
+    this.log.debug(`[browserAuth] navigating to ${destination}`);
+    await this.browser.get(destination);
+
+    if (options.expectedUsername) {
+      const cookies = await this.browser.getCookies();
+      const sidValue = (cookies as Array<{ name: string; value: string }>).find(
+        (c) => c.name === 'sid'
+      )?.value;
+
+      if (sidValue) {
+        const { body } = await this.supertestWithoutAuth
+          .get('/internal/security/me')
+          .set('kbn-xsrf', 'xxx')
+          .set('Cookie', `sid=${sidValue}`)
+          .expect(200);
+
+        if (body.username !== options.expectedUsername) {
+          throw new Error(
+            `[browserAuth] expected username '${options.expectedUsername}' but got '${body.username}'`
+          );
+        }
+        this.log.debug(`[browserAuth] verified session for '${options.expectedUsername}'`);
+      }
+    }
+
+    if (expectUserMenuButton) {
+      await this.testSubjects.existOrFail('userMenuButton', { timeout: 10_000 });
+      this.log.debug('[browserAuth] login confirmed via userMenuButton');
+    }
+  }
+}

src/platform/packages/shared/kbn-ftr-common-functional-services/services/browser_auth/index.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+export { BrowserAuthService } from './browser_auth_service';
+export type { LoginByCookieOptions } from './browser_auth_service';

src/platform/packages/shared/kbn-ftr-common-functional-services/services/cookie_auth/cookie_auth_service.ts

@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import Url from 'url';
+import { FtrService } from '../ftr_provider_context';
+import { fetchSessionCookie } from './fetch_session_cookie';
+
+export type { SessionCookie as Cookie } from './fetch_session_cookie';
+
+const TEST_USER_NAME = 'test_user';
+const TEST_USER_PASSWORD = 'changeme';
+
+/**
+ * Generates a Kibana session cookie (`sid`) by posting to the internal basic-auth login endpoint.
+ * Works for both local (`basic` provider) and Cloud (`cloud-basic` provider) deployments.
+ *
+ * This is purely HTTP — no browser dependency. Consumed by BrowserAuthService (browser-side
+ * cookie injection) and directly by API-level test helpers.
+ */
+export class CookieAuthService extends FtrService {
+  private readonly config = this.ctx.getService('config');
+  private readonly log = this.ctx.getService('log');
+  private readonly kibanaServer = this.ctx.getService('kibanaServer');
+
+  private getBaseUrl(): string {
+    return Url.format({
+      protocol: this.config.get('servers.kibana.protocol'),
+      hostname: this.config.get('servers.kibana.hostname'),
+      port: this.config.get('servers.kibana.port'),
+    });
+  }
+
+  isCloud(): boolean {
+    return this.config.get('servers.kibana.hostname') !== 'localhost';
+  }
+
+  async getCookieForUser(username: string, password: string) {
+    const baseUrl = this.getBaseUrl();
+    const provider = this.isCloud() ? 'cloud-basic' : 'basic';
+    const kbnVersion = await this.kibanaServer.version.get();
+
+    this.log.info(
+      `[cookieAuth] fetching auth cookie for '${username}' from ${baseUrl}/internal/security/login`
+    );
+    const cookie = await fetchSessionCookie({ baseUrl, username, password, kbnVersion, provider });
+    this.log.info(`[cookieAuth] captured auth cookie for '${username}'`);
+    return cookie;
+  }
+
+  /** Cookie for the shared FTR test_user (username: test_user, password: changeme). */
+  async getCookieForTestUser() {
+    return this.getCookieForUser(TEST_USER_NAME, TEST_USER_PASSWORD);
+  }
+
+  /** Cookie for the Kibana server user configured in `servers.kibana.username/password`. */
+  async getCookieForKibanaUser() {
+    return this.getCookieForUser(
+      this.config.get('servers.kibana.username'),
+      this.config.get('servers.kibana.password')
+    );
+  }
+}