[6.x] Update token API calls in elaticsearch.js (#26650) #26773

Merged
merged 1 commit into from
Dec 6, 2018
Expand Up @@ -236,7 +236,7 @@ describe('SAMLAuthenticationProvider', () => {
expect(request.headers).to.not.have.property('authorization');
expect(authenticationResult.failed()).to.be(true);
expect(authenticationResult.error).to.be(failureReason);
sinon.assert.neverCalledWith(callWithRequest, 'shield.samlRefreshAccessToken');
sinon.assert.neverCalledWith(callWithRequest, 'shield.getAccessToken');
});

it('succeeds if token from the state is expired, but has been successfully refreshed.', async () => {
Expand All @@ -259,7 +259,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'valid-refresh-token' } }
)
.returns(Promise.resolve({ access_token: 'new-access-token', refresh_token: 'new-refresh-token' }));
Expand Down Expand Up @@ -291,7 +291,7 @@ describe('SAMLAuthenticationProvider', () => {
const refreshFailureReason = new Error('Something is wrong with refresh token.');
callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
)
.returns(Promise.reject(refreshFailureReason));
Expand All @@ -318,7 +318,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
Expand Down Expand Up @@ -352,7 +352,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
Expand Down Expand Up @@ -388,7 +388,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
Expand Down Expand Up @@ -422,7 +422,7 @@ describe('SAMLAuthenticationProvider', () => {

callWithInternalUser
.withArgs(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
)
.returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
Expand Up @@ -34,7 +34,7 @@ function isAccessTokenExpiredError(err) {
}

/**
* Checks the error returned by Elasticsearch as the result of `samlRefreshAccessToken` call and returns `true` if
* Checks the error returned by Elasticsearch as the result of `getAccessToken` call and returns `true` if
* request has been rejected because of invalid refresh token (expired after 24 hours or have been used already),
* otherwise returns `false`.
* @param {Object} err Error returned from Elasticsearch.
Expand Down Expand Up @@ -269,7 +269,7 @@ export class SAMLAuthenticationProvider {
access_token: newAccessToken,
refresh_token: newRefreshToken
} = await this._options.client.callWithInternalUser(
'shield.samlRefreshAccessToken',
'shield.getAccessToken',
{ body: { grant_type: 'refresh_token', refresh_token: refreshToken } }
);

24 changes: 22 additions & 2 deletions x-pack/server/lib/esjs_shield_plugin.js
Expand Up @@ -360,21 +360,41 @@
});

/**
* Refreshes SAML access token.
* Refreshes an access token.
*
* @param {string} grant_type Currently only "refresh_token" grant type is supported.
* @param {string} refresh_token One-time refresh token that will be exchanged to the new access/refresh token pair.
*
* @returns {{access_token: string, type: string, expires_in: number, refresh_token: string}}
*/
shield.samlRefreshAccessToken = ca({
shield.getAccessToken = ca({
method: 'POST',
needBody: true,
url: {
fmt: '/_xpack/security/oauth2/token'
}
});

/**
* Invalidates an access token.
*
* @param {string} token The access token to invalidate
*
* @returns {{created: boolean}}
*/
shield.deleteAccessToken = ca({
method: 'DELETE',
needBody: true,
params: {
token: {
type: 'string'
}
},
url: {
fmt: '/_xpack/security/oauth2/token'
}
});

shield.getPrivilege = ca({
method: 'GET',
urls: [{
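Review bot: The new `shield.deleteAccessToken` definition declares `token` under `params` while also setting `needBody: true`, which leaves it unclear whether the access token travels in the request body or the URL; if `ca` follows the elasticsearch.js client-action convention, a `params` entry that is not referenced by `url.fmt` is serialized as a query-string parameter, so a caller passing `token` as an argument would place the bearer token in the request URL, where proxies and Elasticsearch access logs may record it. The invalidate-token endpoint reads the token from the JSON body, and the neighbouring `shield.getAccessToken` definition already relies on the body alone, so the `params: { token: { type: 'string' } }` block looks both redundant and risky and I would drop it. The JSDoc should then describe the body rather than a bare `token` parameter, e.g. `@param {{token: string}} body Request body carrying the access token to invalidate.`, so callers are not tempted to pass it as a query option. The `ca({...})` definitions here sit inside a function whose start and end lie outside the hunk.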