support built-in roles in apiTest

Author: dmlemeshko

src/platform/packages/shared/kbn-scout/src/playwright/fixtures/scope/worker/api_key.ts

@@ -64,6 +64,18 @@ export interface RequestAuthFixture {
    * Elasticsearch projects, `editor` for all other deployments and project types.
    */
   getApiKeyForPrivilegedUser: () => Promise<RoleApiCredentials>;
+  /**
+   * Fetches the descriptor of the named ES role and creates an API key scoped
+   * to those privileges. Works for built-in ES roles (e.g. `'kibana_admin'`,
+   * `'superuser'`) without requiring an entry in `roles.yml`.
+   *
+   * The descriptor is embedded inline in the API key — no separate role is
+   * created in Elasticsearch.
+   *
+   * @example
+   * const { apiKeyHeader } = await requestAuth.getApiKeyForBuiltinRole('kibana_admin');
+   */
+  getApiKeyForBuiltinRole: (roleName: string) => Promise<RoleApiCredentials>;
 }
 
 export const requestAuthFixture = coreWorkerFixtures.extend<
@@ -204,12 +216,20 @@ export const requestAuthFixture = coreWorkerFixtures.extend<
         );
       };
 
+      const getApiKeyForBuiltinRole = async (roleName: string): Promise<RoleApiCredentials> => {
+        const descriptor = await samlAuth.setBuiltinRole(roleName);
+        return createApiKeyWithAdminCredentials(samlAuth.customRoleName, {
+          [samlAuth.customRoleName]: descriptor,
+        });
+      };
+
       await use({
         getApiKey,
         getApiKeyForCustomRole,
         getApiKeyForAdmin,
         getApiKeyForViewer,
         getApiKeyForPrivilegedUser,
+        getApiKeyForBuiltinRole,
       });
 
       // Invalidate all API Keys after tests

src/platform/packages/shared/kbn-scout/src/playwright/fixtures/scope/worker/core_fixtures.ts

@@ -38,7 +38,7 @@ export interface RoleSessionCredentials {
   cookieHeader: CookieHeader;
 }
 
-export interface BaseCoreWorkerFixtures {
+export interface BaseWorkerFixtures {
   log: ScoutLogger;
   config: ScoutTestConfig;
   kbnUrl: KibanaUrl;
@@ -69,7 +69,7 @@ export interface BaseCoreWorkerFixtures {
  * Note: `samlAuth` is added by the `samlAuthFixture` in `./saml_auth/index.ts`, which
  * extends this base. The combined fixture (with samlAuth) is what `worker/index.ts` exports.
  */
-export const coreWorkerFixtures = base.extend<{}, BaseCoreWorkerFixtures>({
+export const coreWorkerFixtures = base.extend<{}, BaseWorkerFixtures>({
   // Provides a scoped logger instance for each worker to use in fixtures and tests.
   // For parallel workers logger context is matching worker index+1, e.g. '[scout-worker-1]', '[scout-worker-2]', etc.
   log: [

src/platform/packages/shared/kbn-scout/src/playwright/fixtures/scope/worker/saml_auth/index.ts

@@ -10,7 +10,7 @@
 import type { SamlSessionManager } from '@kbn/test-saml-auth';
 import { createSamlSessionManager } from '../../../../../common/services';
 import type { ElasticsearchRoleDescriptor, KibanaRole } from '../../../../../common/services';
-import type { RoleSessionCredentials, BaseCoreWorkerFixtures } from '../core_fixtures';
+import type { RoleSessionCredentials, BaseWorkerFixtures } from '../core_fixtures';
 import { coreWorkerFixtures } from '../core_fixtures';
 import { SamlAuthManager } from './saml_auth_manager';
 
@@ -65,7 +65,7 @@ export interface SamlAuth {
    *
    * @param roleName - The name of the role to look up in Elasticsearch.
    */
-  setBuiltinRole(roleName: string): Promise<void>;
+  setBuiltinRole(roleName: string): Promise<ElasticsearchRoleDescriptor>;
   /**
    * Generates a SAML session cookie for an interactive user with the specified role.
    *
@@ -104,7 +104,7 @@ export interface SamlAuth {
  * Full worker fixture set: base fixtures + samlAuth.
  * Use this type when you need to reference the complete worker fixture surface.
  */
-export interface CoreWorkerFixtures extends BaseCoreWorkerFixtures {
+export interface CoreWorkerFixtures extends BaseWorkerFixtures {
   samlAuth: SamlAuth;
 }
 

src/platform/packages/shared/kbn-scout/src/playwright/fixtures/scope/worker/saml_auth/saml_auth_manager.ts

@@ -67,7 +67,7 @@ export class SamlAuthManager {
    *
    * @param roleName - The name of the role to look up in Elasticsearch.
    */
-  async setBuiltinRole(roleName: string): Promise<void> {
+  async setBuiltinRole(roleName: string): Promise<ElasticsearchRoleDescriptor> {
     const response = await this.esClient.security.getRole({ name: roleName });
     const roleData = response[roleName];
     if (!roleData) {
@@ -76,6 +76,7 @@ export class SamlAuthManager {
     // Strip non-privilege metadata before delegating to the generic custom-role path
     const { metadata: _metadata, transient_metadata: _transient, ...descriptor } = roleData;
     await this.setCustomRole(descriptor as ElasticsearchRoleDescriptor);
+    return descriptor as ElasticsearchRoleDescriptor;
   }
 
   async asInteractiveUser(

src/platform/packages/shared/kbn-scout/test/scout/api/parallel_tests/auth/saml_login.spec.ts

@@ -26,12 +26,23 @@ apiTest.describe(
     });
 
     apiTest(
-      `should create a session for a built-in ES role via setBuiltinRole`,
+      `setBuiltinRole should provision the custom role slot and return the descriptor`,
       async ({ samlAuth }) => {
-        await samlAuth.setBuiltinRole('kibana_admin');
+        const descriptor = await samlAuth.setBuiltinRole('kibana_admin');
+        expect(descriptor).toBeDefined();
         const credentials = await samlAuth.asInteractiveUser(samlAuth.customRoleName);
         expect(credentials.cookieValue).toBeDefined();
       }
     );
+
+    apiTest(
+      `getApiKeyForBuiltinRole should create an API key scoped to a built-in ES role`,
+      async ({ requestAuth }) => {
+        const { apiKey, apiKeyHeader } = await requestAuth.getApiKeyForBuiltinRole('kibana_admin');
+        expect(apiKey.id).toBeDefined();
+        expect(apiKey.name).toBeDefined();
+        expect(apiKeyHeader.Authorization).toMatch(/^ApiKey /);
+      }
+    );
   }
 );