Update token API calls in elaticsearch.js (#26650)

elastic · Dec 6, 2018 · 84f9638 · 84f9638
1 parent cf8da06
commit 84f9638
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 11 deletions.
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
@@ -236,7 +236,7 @@ describe('SAMLAuthenticationProvider', () => {
  expect(request.headers).to.not.have.property('authorization');
  expect(authenticationResult.failed()).to.be(true);
  expect(authenticationResult.error).to.be(failureReason);
- sinon.assert.neverCalledWith(callWithRequest, 'shield.samlRefreshAccessToken');
+ sinon.assert.neverCalledWith(callWithRequest, 'shield.getAccessToken');
  });
 
  it('succeeds if token from the state is expired, but has been successfully refreshed.', async () => {
@@ -259,7 +259,7 @@ describe('SAMLAuthenticationProvider', () => {
 
  callWithInternalUser
  .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: 'valid-refresh-token' } }
  )
  .returns(Promise.resolve({ access_token: 'new-access-token', refresh_token: 'new-refresh-token' }));
@@ -291,7 +291,7 @@ describe('SAMLAuthenticationProvider', () => {
  const refreshFailureReason = new Error('Something is wrong with refresh token.');
  callWithInternalUser
  .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
  )
  .returns(Promise.reject(refreshFailureReason));
@@ -318,7 +318,7 @@ describe('SAMLAuthenticationProvider', () => {
 
  callWithInternalUser
  .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
  )
  .returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
@@ -352,7 +352,7 @@ describe('SAMLAuthenticationProvider', () => {
 
  callWithInternalUser
  .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
  )
  .returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
@@ -388,7 +388,7 @@ describe('SAMLAuthenticationProvider', () => {
 
  callWithInternalUser
  .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
  )
  .returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
@@ -422,7 +422,7 @@ describe('SAMLAuthenticationProvider', () => {
 
  callWithInternalUser
  .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
  )
  .returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
@@ -34,7 +34,7 @@ function isAccessTokenExpiredError(err) {
 }
 
 /**
- * Checks the error returned by Elasticsearch as the result of `samlRefreshAccessToken` call and returns `true` if
+ * Checks the error returned by Elasticsearch as the result of `getAccessToken` call and returns `true` if
  * request has been rejected because of invalid refresh token (expired after 24 hours or have been used already),
  * otherwise returns `false`.
  * @param {Object} err Error returned from Elasticsearch.
@@ -269,7 +269,7 @@ export class SAMLAuthenticationProvider {
  access_token: newAccessToken,
  refresh_token: newRefreshToken
  } = await this._options.client.callWithInternalUser(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
  { body: { grant_type: 'refresh_token', refresh_token: refreshToken } }
  );
 

diff --git a/x-pack/server/lib/esjs_shield_plugin.js b/x-pack/server/lib/esjs_shield_plugin.js
@@ -360,21 +360,41 @@
  });
 
  /**
- * Refreshes SAML access token.
+ * Refreshes an access token.
  *
  * @param {string} grant_type Currently only "refresh_token" grant type is supported.
  * @param {string} refresh_token One-time refresh token that will be exchanged to the new access/refresh token pair.
  *
  * @returns {{access_token: string, type: string, expires_in: number, refresh_token: string}}
  */
- shield.samlRefreshAccessToken = ca({
+ shield.getAccessToken = ca({
  method: 'POST',
  needBody: true,
  url: {
  fmt: '/_xpack/security/oauth2/token'
  }
  });
 
+ /**
+ * Invalidates an access token.
+ *
+ * @param {string} token The access token to invalidate
+ *
+ * @returns {{created: boolean}}
+ */
+ shield.deleteAccessToken = ca({
+ method: 'DELETE',
+ needBody: true,
+ params: {
+ token: {
+ type: 'string'
+ }
+ },
+ url: {
+ fmt: '/_xpack/security/oauth2/token'
+ }
+ });
+
  shield.getPrivilege = ca({
  method: 'GET',
  urls: [{