[Osquery] Add Scout API tests for saved queries, packs, and response actions (elastic#258534)

This PR adds initial Scout API tests for the Osquery platform plugin.
This is a very early step towards breaking down the wonderful work
started by PR elastic#252216 in multiple
easy-to-review pieces, while still ensuring the tests follow Scout's
[best
practices](https://www.elastic.co/docs/extend/kibana/scout/best-practices).
Note that some of the Cypress tests intercept API calls, which we
usually don't recommend doing (a dedicated Scout API test ensure an
isolated + clear testing environment).

These API tests tests cover saved queries, packs, and detection rule
response actions with RBAC permission boundaries so UI tests don't have
to intercept these calls or verify this data correctness behavior.

These are 7 new Scout API tests. Exact breakdown details available
below.

### Coverage Parity Report

| Scout spec | Focus | Migrated from FTR? |
|---|---|---|
| `packs_admin.spec.ts` | Profile UID on create/find | Yes (from
`packs.ts`) |
| `packs_editor.spec.ts` | Packs CRUD, multi-query, search/filter | Yes
(from `packs.ts`) |
| `packs_viewer.spec.ts` | RBAC: read allowed, write denied | **New** |
| `saved_queries_admin.spec.ts` | Profile UID on create/read/find | Yes
(from `saved_queries.ts`) |
| `saved_queries_editor.spec.ts` | Saved queries CRUD, search/filter |
Yes (from `saved_queries.ts`) |
| `saved_queries_viewer.spec.ts` | RBAC: read allowed, write denied |
**New** |
| `response_actions_rules.spec.ts` | Detection rules with osquery
actions | **New** |

### FTR tests still remaining (6 files) -- NOT migrated

| FTR file | Tests | API type | Migration notes |
|---|---|---|---|
| `packs.ts` (2 remaining) | Fleet config multi-line/single-line query
format | Internal + Fleet | Requires Fleet agent/package policy setup;
consider migrating if Scout supports Fleet fixtures |
| `assets.ts` | Prebuilt pack assets status, install/update | Internal
(`/internal/osquery/assets`) | Good candidate for Scout migration |
| `fleet_wrapper.ts` | 7 Fleet wrapper endpoints (agents, policies,
package policies) | Internal (`/internal/osquery/fleet_wrapper/*`) |
Requires Fleet agent enrollment; depends on `fleetAndAgents` FTR service
|
| `privileges_check.ts` | Superuser privileges check | Internal
(`/internal/osquery/privileges_check`) | Simple test, easy to migrate |
| `status.ts` | Osquery installation status | Internal
(`/internal/osquery/status`) | Requires osquery package install;
moderate to migrate |
| `live_queries.ts` | Live query details and results | Public
(`/api/osquery/live_queries`) | Uses ES directly to seed action docs;
moderate to migrate |
| `history_tags.ts` | 17 tag CRUD tests + aggregation + validation |
Public + Internal (`/api/osquery/history`,
`/internal/osquery/history/tags`) | Large test suite; uses ES directly
for action/response docs; good candidate but substantial effort |

### Follow-ups

Further PRs will focus on migrating some of the Cypress tests. This
initial PR is a way for me / the team to get acquainted with Osquery /
ensure we have some very early (though for now limited) Scout coverage.
Feedback welcome!

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

Author: csr

.buildkite/scout_ci_config.yml

@@ -26,6 +26,7 @@ plugins:
     - navigation
     - observability
     - observability_onboarding
+    - osquery
     - painless_lab
     - profiling
     - search_getting_started

x-pack/platform/plugins/shared/osquery/moon.yml

@@ -85,6 +85,7 @@ dependsOn:
   - '@kbn/unified-search-plugin'
   - '@kbn/core-notifications-browser'
   - '@kbn/core-chrome-browser'
+  - '@kbn/scout'
 tags:
   - plugin
   - prod
@@ -98,6 +99,7 @@ fileGroups:
     - scripts/**/*
     - scripts/**/*.json
     - server/**/*
+    - test/scout/**/*
     - public/common/schemas/*/*.json
     - '!target/**/*'
 tasks:

x-pack/platform/plugins/shared/osquery/test/scout/api/fixtures/constants.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { OSQUERY_API_VERSION } from '../../common/constants';
+
+export { OSQUERY_API_VERSION };
+
+export const COMMON_HEADERS = {
+  'kbn-xsrf': 'some-xsrf-token',
+  'x-elastic-internal-origin': 'kibana',
+  'Content-Type': 'application/json;charset=UTF-8',
+  'elastic-api-version': OSQUERY_API_VERSION,
+} as const;
+
+export const API_PATHS = {
+  DETECTION_RULES: 'api/detection_engine/rules',
+  OSQUERY_SAVED_QUERIES: 'api/osquery/saved_queries',
+  OSQUERY_PACKS: 'api/osquery/packs',
+} as const;
+
+const uniqueId = () => `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+
+export const getMinimalRule = (overrides: Record<string, unknown> = {}) => ({
+  type: 'query',
+  index: ['auditbeat-*'],
+  language: 'kuery',
+  query: '_id:*',
+  name: `Test rule ${uniqueId()}`,
+  description: 'Test rule for Osquery response actions',
+  risk_score: 21,
+  severity: 'low',
+  interval: '5m',
+  from: 'now-360s',
+  to: 'now',
+  enabled: false,
+  ...overrides,
+});
+
+export const getMinimalPack = (overrides: Record<string, unknown> = {}) => ({
+  name: `test-pack-${uniqueId()}`,
+  description: 'Test pack for Osquery Scout tests',
+  enabled: true,
+  queries: {
+    testQuery: {
+      query: 'select * from uptime;',
+      interval: 3600,
+    },
+  },
+  shards: {},
+  ...overrides,
+});
+
+export const getMinimalSavedQuery = (overrides: Record<string, unknown> = {}) => ({
+  id: `test-saved-query-${uniqueId()}`,
+  query: 'select 1;',
+  interval: '3600',
+  ...overrides,
+});

x-pack/platform/plugins/shared/osquery/test/scout/api/fixtures/index.ts

@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ApiServicesFixture, ScoutTestFixtures, ScoutWorkerFixtures } from '@kbn/scout';
+import { apiTest as baseApiTest } from '@kbn/scout';
+import {
+  getOsqueryApiService,
+  type OsqueryApiService,
+} from '../../common/services/osquery_api_service';
+
+export interface OsqueryApiServicesFixture extends ApiServicesFixture {
+  osquery: OsqueryApiService;
+}
+
+export const apiTest = baseApiTest.extend<
+  ScoutTestFixtures,
+  { apiServices: OsqueryApiServicesFixture }
+>({
+  apiServices: [
+    async (
+      {
+        apiServices,
+        kbnClient,
+        log,
+      }: {
+        apiServices: ApiServicesFixture;
+        kbnClient: ScoutWorkerFixtures['kbnClient'];
+        log: ScoutWorkerFixtures['log'];
+      },
+      use: (extendedApiServices: OsqueryApiServicesFixture) => Promise<void>
+    ) => {
+      const extendedApiServices = apiServices as OsqueryApiServicesFixture;
+      extendedApiServices.osquery = getOsqueryApiService({ kbnClient, log });
+      await use(extendedApiServices);
+    },
+    { scope: 'worker' },
+  ],
+});
+
+export * as testData from './constants';

x-pack/platform/plugins/shared/osquery/test/scout/api/playwright.config.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { createPlaywrightConfig } from '@kbn/scout';
+
+export default createPlaywrightConfig({
+  testDir: './tests',
+});

x-pack/platform/plugins/shared/osquery/test/scout/api/tests/packs_admin.spec.ts

@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { RoleSessionCredentials } from '@kbn/scout';
+import { expect } from '@kbn/scout/api';
+import { tags } from '@kbn/scout';
+import { apiTest, testData } from '../fixtures';
+
+// TODO: run on ECH once PR #258866 makes it to prod
+apiTest.describe(
+  'Osquery packs - admin',
+  {
+    tag: ['@local-stateful-classic', ...tags.serverless.security.complete],
+  },
+  () => {
+    let adminCredentials: RoleSessionCredentials;
+    const createdPackIds: string[] = [];
+
+    apiTest.beforeAll(async ({ samlAuth }) => {
+      // TODO: investigate why this test only passes with cookie-based authentication while similar
+      // tests (saved_queries_admin.spec.ts) pass with API key-based authentication
+      adminCredentials = await samlAuth.asInteractiveUser('admin');
+    });
+
+    apiTest.afterAll(async ({ apiServices }) => {
+      for (const packId of createdPackIds) {
+        await apiServices.osquery.packs.delete(packId);
+      }
+    });
+
+    apiTest('includes profile_uid fields on create and find', async ({ apiClient }) => {
+      const createResponse = await apiClient.post(testData.API_PATHS.OSQUERY_PACKS, {
+        headers: { ...testData.COMMON_HEADERS, ...adminCredentials.cookieHeader },
+        body: testData.getMinimalPack(),
+        responseType: 'json',
+      });
+      expect(createResponse).toHaveStatusCode(200);
+      expect(createResponse.body.data).toBeDefined();
+      createdPackIds.push(createResponse.body.data.saved_object_id);
+
+      expect('created_by_profile_uid' in createResponse.body.data).toBe(true);
+      expect('updated_by_profile_uid' in createResponse.body.data).toBe(true);
+      expect(createResponse.body.data.created_by).toBeDefined();
+
+      const findResponse = await apiClient.get(
+        `${testData.API_PATHS.OSQUERY_PACKS}?search=${createResponse.body.data.name}`,
+        {
+          headers: { ...testData.COMMON_HEADERS, ...adminCredentials.cookieHeader },
+          responseType: 'json',
+        }
+      );
+      expect(findResponse).toHaveStatusCode(200);
+      expect(findResponse.body.data).toBeDefined();
+      expect('created_by_profile_uid' in findResponse.body.data[0]).toBe(true);
+    });
+  }
+);