[7.7] Add tests for the concurrent refresh token requests. (#65634)
azasypkin authored May 13, 2020
1 parent 1f26316 commit 22dd476
Showing 1 changed file with 36 additions and 10 deletions.
46 changes: 36 additions & 10 deletions x-pack/test/saml_api_integration/apis/security/saml_login.ts
Expand Up @@ -513,7 +513,9 @@ export default function({ getService }: FtrProviderContext) {
describe('API access with expired access token.', () => {
let sessionCookie: Cookie;

beforeEach(async () => {
beforeEach(async function() {
this.timeout(40000);

const captureURLResponse = await supertest
.get('/abc/xyz/handshake?one=two three')
.expect(302);
Expand All @@ -537,6 +539,10 @@ export default function({ getService }: FtrProviderContext) {
.expect(302);

sessionCookie = request.cookie(samlAuthenticationResponse.headers['set-cookie'][0])!;

// Access token expiration is set to 15s for API integration tests.
// Let's wait for 20s to make sure token expires.
await delay(20000);
});

const expectNewSessionCookie = (cookie: Cookie) => {
Expand All @@ -547,13 +553,7 @@ export default function({ getService }: FtrProviderContext) {
expect(cookie.value).to.not.be(sessionCookie.value);
};

it('expired access token should be automatically refreshed', async function() {
this.timeout(40000);

// Access token expiration is set to 15s for API integration tests.
// Let's wait for 20s to make sure token expires.
await delay(20000);

it('expired access token should be automatically refreshed', async () => {
// This api call should succeed and automatically refresh token. Returned cookie will contain
// the new access and refresh token pair.
const firstResponse = await supertest
Expand Down Expand Up @@ -598,6 +598,19 @@ export default function({ getService }: FtrProviderContext) {
.set('Cookie', secondNewCookie.cookieString())
.expect(200);
});

it('should refresh access token even if multiple concurrent requests try to refresh it', async () => {
// Send 5 concurrent requests with a cookie that contains an expired access token.
await Promise.all(
Array.from({ length: 5 }).map((value, index) =>
supertest
.get(`/internal/security/me?a=${index}`)
.set('kbn-xsrf', 'xxx')
.set('Cookie', sessionCookie.cookieString())
.expect(200)
)
);
});
});

describe('API access with missing access token document.', () => {
Expand Down Expand Up @@ -627,9 +640,7 @@ export default function({ getService }: FtrProviderContext) {
.expect(302);

sessionCookie = request.cookie(samlAuthenticationResponse.headers['set-cookie'][0])!;
});

it('should properly set cookie and start new SAML handshake', async function() {
// Let's delete tokens from `.security` index directly to simulate the case when
// Elasticsearch automatically removes access/refresh token document from the index
// after some period of time.
Expand All @@ -641,7 +652,9 @@ export default function({ getService }: FtrProviderContext) {
expect(esResponse)
.to.have.property('deleted')
.greaterThan(0);
});

it('should properly set cookie and start new SAML handshake', async () => {
const handshakeResponse = await supertest
.get('/abc/xyz/handshake?one=two three')
.set('Cookie', sessionCookie.cookieString())
Expand All @@ -660,6 +673,19 @@ export default function({ getService }: FtrProviderContext) {
'/internal/security/saml/capture-url-fragment'
);
});

it('should start new SAML handshake even if multiple concurrent requests try to refresh access token', async () => {
// Issue 5 concurrent requests with a cookie that contains access/refresh token pair without
// a corresponding document in Elasticsearch.
await Promise.all(
Array.from({ length: 5 }).map((value, index) =>
supertest
.get(`/abc/xyz/handshake?one=two three&a=${index}`)
.set('Cookie', sessionCookie.cookieString())
.expect(302)
)
);
});
});

describe('IdP initiated login with active session', () => {
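Review bot: The new test `should refresh access token even if multiple concurrent requests try to refresh it` asserts only `.expect(200)` on each of the five requests and discards the responses, so it never checks that a refresh actually took place or which cookie the racing requests were handed back. Keeping the result (`const responses = await Promise.all(...)`) and running any returned cookie through the existing helper, `expectNewSessionCookie(request.cookie(res.headers['set-cookie'][0])!)`, would pin that the expired token pair was replaced rather than merely tolerated. Whether every racing response carries `set-cookie` is not visible from this section, so that check may need to be conditional. The concurrent handshake test in the `missing access token document` block has the same gap: it stops at `.expect(302)`, while the sibling test appears to also check the redirect target `/internal/security/saml/capture-url-fragment`.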
