Skip to content

Commit

Permalink
Update token API calls in elaticsearch.js (#26650)
Browse files Browse the repository at this point in the history
  • Loading branch information
epixa authored Dec 6, 2018
1 parent cf8da06 commit 84f9638
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,7 @@ describe('SAMLAuthenticationProvider', () => {
expect(request.headers).to.not.have.property('authorization');
expect(authenticationResult.failed()).to.be(true);
expect(authenticationResult.error).to.be(failureReason);
sinon.assert.neverCalledWith(callWithRequest, 'shield.samlRefreshAccessToken');
sinon.assert.neverCalledWith(callWithRequest, 'shield.getAccessToken');
});

it('succeeds if token from the state is expired, but has been successfully refreshed.', async () => {
Expand All @@ -259,7 +259,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'valid-refresh-token' } }
)
.returns(Promise.resolve({ access_token: 'new-access-token', refresh_token: 'new-refresh-token' }));
Expand Down Expand Up @@ -291,7 +291,7 @@ describe('SAMLAuthenticationProvider', () => {
const refreshFailureReason = new Error('Something is wrong with refresh token.');
callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
)
.returns(Promise.reject(refreshFailureReason));
Expand All @@ -318,7 +318,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
Expand Down Expand Up @@ -352,7 +352,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
Expand Down Expand Up @@ -388,7 +388,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
Expand Down Expand Up @@ -422,7 +422,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ function isAccessTokenExpiredError(err) {
}

/**
* Checks the error returned by Elasticsearch as the result of `samlRefreshAccessToken` call and returns `true` if
* Checks the error returned by Elasticsearch as the result of `getAccessToken` call and returns `true` if
* request has been rejected because of invalid refresh token (expired after 24 hours or have been used already),
* otherwise returns `false`.
* @param {Object} err Error returned from Elasticsearch.
Expand Down Expand Up @@ -269,7 +269,7 @@ export class SAMLAuthenticationProvider {
access_token: newAccessToken,
refresh_token: newRefreshToken
} = await this._options.client.callWithInternalUser(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: refreshToken } }
);

Expand Down
24 changes: 22 additions & 2 deletions x-pack/server/lib/esjs_shield_plugin.js
Original file line number Diff line number Diff line change
Expand Up @@ -360,21 +360,41 @@
});

/**
* Refreshes SAML access token.
* Refreshes an access token.
*
* @param {string} grant_type Currently only "refresh_token" grant type is supported.
* @param {string} refresh_token One-time refresh token that will be exchanged to the new access/refresh token pair.
*
* @returns {{access_token: string, type: string, expires_in: number, refresh_token: string}}
*/
shield.samlRefreshAccessToken = ca({
shield.getAccessToken = ca({
method: 'POST',
needBody: true,
url: {
fmt: '/_xpack/security/oauth2/token'
}
});

/**
* Invalidates an access token.
*
* @param {string} token The access token to invalidate
*
* @returns {{created: boolean}}
*/
shield.deleteAccessToken = ca({
method: 'DELETE',
needBody: true,
params: {
token: {
type: 'string'
}
},
url: {
fmt: '/_xpack/security/oauth2/token'
}
});

shield.getPrivilege = ca({
method: 'GET',
urls: [{
Expand Down

0 comments on commit 84f9638

Please sign in to comment.