elastic · kobelb · Oct 24, 2019 · Jun 21, 2019 · Jun 21, 2019 · Jul 29, 2019
diff --git a/src/core/public/index.ts b/src/core/public/index.ts
@@ -102,6 +102,7 @@ export {
   HttpResponse,
   HttpHandler,
   HttpBody,
+  HttpInterceptController,
 } from './http';
 
 /**

diff --git a/x-pack/dev-tools/jest/setup/polyfills.js b/x-pack/dev-tools/jest/setup/polyfills.js
@@ -13,3 +13,5 @@ bluebird.Promise.setScheduler(function (fn) { global.setImmediate.call(global, f
 
 const MutationObserver = require('mutation-observer');
 Object.defineProperty(window, 'MutationObserver', { value: MutationObserver });
+
+require('whatwg-fetch');
diff --git a/...ugins/security/public/components/management/change_password_form/change_password_form.tsx b/...ugins/security/public/components/management/change_password_form/change_password_form.tsx
@@ -314,7 +314,7 @@ export class ChangePasswordForm extends Component<Props, State> {
   };
 
   private handleChangePasswordFailure = (error: Record<string, any>) => {
-    if (error.body && error.body.statusCode === 401) {
+    if (error.body && error.body.statusCode === 403) {
       this.setState({ currentPasswordError: true });
     } else {
       toastNotifications.addDanger(

diff --git a/x-pack/legacy/plugins/security/public/hacks/on_session_timeout.js b/x-pack/legacy/plugins/security/public/hacks/on_session_timeout.js
@@ -4,81 +4,31 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
 import _ from 'lodash';
-import { i18n } from '@kbn/i18n';
 import { uiModules } from 'ui/modules';
 import { isSystemApiRequest } from 'ui/system_api';
 import { Path } from 'plugins/xpack_main/services/path';
-import { toastNotifications } from 'ui/notify';
-import 'plugins/security/services/auto_logout';
-import { SessionExpirationWarning } from '../components/session_expiration_warning';
+import { npSetup } from 'ui/new_platform';
 
 /**
  * Client session timeout is decreased by this number so that Kibana server
  * can still access session content during logout request to properly clean
  * user session up (invalidate access tokens, redirect to logout portal etc.).
  * @type {number}
  */
-const SESSION_TIMEOUT_GRACE_PERIOD_MS = 5000;
 
 const module = uiModules.get('security', []);
 module.config(($httpProvider) => {
   $httpProvider.interceptors.push((
-    $timeout,
     $q,
-    $injector,
-    sessionTimeout,
-    Private,
-    autoLogout
   ) => {
 
-    function refreshSession() {
-      // Make a simple request to keep the session alive
-      $injector.get('es').ping();
-      clearNotifications();
-    }
-
     const isUnauthenticated = Path.isUnauthenticated();
-    const notificationLifetime = 60 * 1000;
-    const notificationOptions = {
-      color: 'warning',
-      text: (
-        <SessionExpirationWarning onRefreshSession={refreshSession} />
-      ),
-      title: i18n.translate('xpack.security.hacks.warningTitle', {
-        defaultMessage: 'Warning'
-      }),
-      toastLifeTimeMs: Math.min(
-        (sessionTimeout - SESSION_TIMEOUT_GRACE_PERIOD_MS),
-        notificationLifetime
-      ),
-    };
-
-    let pendingNotification;
-    let activeNotification;
-    let pendingSessionExpiration;
-
-    function clearNotifications() {
-      if (pendingNotification) $timeout.cancel(pendingNotification);
-      if (pendingSessionExpiration) clearTimeout(pendingSessionExpiration);
-      if (activeNotification) toastNotifications.remove(activeNotification);
-    }
-
-    function scheduleNotification() {
-      pendingNotification = $timeout(showNotification, Math.max(sessionTimeout - notificationLifetime, 0));
-    }
-
-    function showNotification() {
-      activeNotification = toastNotifications.add(notificationOptions);
-      pendingSessionExpiration = setTimeout(() => autoLogout(), notificationOptions.toastLifeTimeMs);
-    }
 
     function interceptorFactory(responseHandler) {
       return function interceptor(response) {
-        if (!isUnauthenticated && !isSystemApiRequest(response.config) && sessionTimeout !== null) {
-          clearNotifications();
-          scheduleNotification();
+        if (!isUnauthenticated && !isSystemApiRequest(response.config)) {
+          npSetup.plugins.security.sessionTimeout.extend();
         }
         return responseHandler(response);
       };

diff --git a/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/users.js b/x-pack/legacy/plugins/security/server/routes/api/v1/__tests__/users.js
@@ -81,7 +81,7 @@ describe('User routes', () => {
           );
       });
 
-      it('returns 401 if old password is wrong.', async () => {
+      it('returns 403 if old password is wrong.', async () => {
         getUserStub.returns(Promise.reject(new Error('Something went wrong.')));
 
         return changePasswordRoute
@@ -90,14 +90,14 @@ describe('User routes', () => {
             sinon.assert.notCalled(clusterStub.callWithRequest);
             expect(response.isBoom).to.be(true);
             expect(response.output.payload).to.eql({
-              statusCode: 401,
-              error: 'Unauthorized',
+              statusCode: 403,
+              error: 'Forbidden',
               message: 'Something went wrong.'
             });
           });
       });
 
-      it('returns 401 if user can authenticate with new password.', async () => {
+      it(`returns 401 if user can't authenticate with new password.`, async () => {
         getUserStub.returns(Promise.resolve({}));
 
         loginStub

diff --git a/x-pack/legacy/plugins/security/server/routes/api/v1/users.js b/x-pack/legacy/plugins/security/server/routes/api/v1/users.js
@@ -95,7 +95,7 @@ export function initUsersApi({ authc: { login }, config }, server) {
             BasicCredentials.decorateRequest(request, username, password)
           );
         } catch(err) {
-          throw Boom.unauthorized(err);
+          throw Boom.forbidden(err);
         }
       }
 

diff --git a/x-pack/package.json b/x-pack/package.json
@@ -175,6 +175,7 @@
     "ts-loader": "^6.0.4",
     "typescript": "3.5.3",
     "vinyl-fs": "^3.0.2",
+    "whatwg-fetch": "^3.0.0",
     "xml-crypto": "^0.10.1",
     "yargs": "4.8.1"
   },

diff --git a/x-pack/plugins/security/kibana.json b/x-pack/plugins/security/kibana.json
@@ -4,5 +4,5 @@
   "kibanaVersion": "kibana",
   "configPath": ["xpack", "security"],
   "server": true,
-  "ui": false
+  "ui": true
 }
diff --git a/x-pack/plugins/security/public/anonymous_paths.test.ts b/x-pack/plugins/security/public/anonymous_paths.test.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AnonymousPaths } from './anonymous_paths';
+import { BasePath } from 'src/core/public/http/base_path_service';
+
+describe('#isAnonymous', () => {
+  it('returns true for initialPaths', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath, ['/bar', '/baz']);
+    expect(anonymousPaths.isAnonymous('/foo/bar')).toBe(true);
+    expect(anonymousPaths.isAnonymous('/foo/baz')).toBe(true);
+  });
+
+  it('returns true for registered paths', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath, []);
+    anonymousPaths.register('/bar');
+    expect(anonymousPaths.isAnonymous('/foo/bar')).toBe(true);
+  });
+
+  it('returns false for other paths', () => {
+    const basePath = new BasePath('/foo');
+    const anonymousPaths = new AnonymousPaths(basePath, ['/bar', '/baz']);
+    anonymousPaths.register('/qux');
+    expect(anonymousPaths.isAnonymous('/foo/quux')).toBe(false);
+  });
+});
diff --git a/x-pack/plugins/security/public/anonymous_paths.ts b/x-pack/plugins/security/public/anonymous_paths.ts
@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { HttpSetup } from 'src/core/public';
+
+export class AnonymousPaths {
+  private paths: Set<string>;
+
+  constructor(private basePath: HttpSetup['basePath'], initialAnonymousPaths: string[]) {
+    this.paths = new Set(initialAnonymousPaths);
+  }
+
+  public isAnonymous(path: string): boolean {
+    return this.paths.has(this.basePath.remove(path));
+  }
+
+  public register(path: string) {
+    this.paths.add(path);
+  }
+}
diff --git a/x-pack/plugins/security/public/index.ts b/x-pack/plugins/security/public/index.ts
@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { PluginInitializer } from 'src/core/public';
+import { SecurityPlugin, SecurityPluginSetup, SecurityPluginStart } from './plugin';
+
+export const plugin: PluginInitializer<SecurityPluginSetup, SecurityPluginStart> = () =>
+  new SecurityPlugin();
diff --git a/x-pack/plugins/security/public/plugin.ts b/x-pack/plugins/security/public/plugin.ts
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { Plugin, CoreSetup } from 'src/core/public';
+import { AnonymousPaths } from './anonymous_paths';
+import { SessionExpired } from './session_expired';
+import { SessionTimeout } from './session_timeout';
+import { SessionTimeoutInterceptor } from './session_timeout_interceptor';
+import { UnauthorizedResponseInterceptor } from './unauthorized_response_interceptor';
+
+export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPluginStart> {
+  public setup(core: CoreSetup, deps: {}) {
+    const { http, notifications } = core;
+    const sessionExpired = new SessionExpired(http.basePath);
+    const anonymousPaths = new AnonymousPaths(http.basePath, [
+      '/login',
+      '/logout',
+      '/logged_out',
+      '/status',
+    ]);
+    http.intercept(new UnauthorizedResponseInterceptor(sessionExpired, anonymousPaths));
+
+    const sessionTimeout = new SessionTimeout(1.5 * 60 * 1000, notifications, sessionExpired, http);
+    http.intercept(new SessionTimeoutInterceptor(sessionTimeout, anonymousPaths));
+
+    return {
+      anonymousPaths,
+      sessionTimeout,
+    };
+  }
+
+  public start() {}
+}
+
+export type SecurityPluginSetup = ReturnType<SecurityPlugin['setup']>;
+export type SecurityPluginStart = ReturnType<SecurityPlugin['start']>;
diff --git a/...rning/session_expiration_warning.test.tsx → ...ublic/session_expiration_warning.test.tsx b/...rning/session_expiration_warning.test.tsx → ...ublic/session_expiration_warning.test.tsx
diff --git a/...on_warning/session_expiration_warning.tsx → ...ity/public/session_expiration_warning.tsx b/...on_warning/session_expiration_warning.tsx → ...ity/public/session_expiration_warning.tsx
diff --git a/x-pack/plugins/security/public/session_expired.test.ts b/x-pack/plugins/security/public/session_expired.test.ts
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { BasePath } from 'src/core/public/http/base_path_service';
+import { SessionExpired } from './session_expired';
+
+const mockCurrentUrl = (url: string) => window.history.pushState({}, '', url);
+
+it('redirects user to "/logout" when there is no basePath', async () => {
+  mockCurrentUrl('/foo/bar?baz=quz#quuz');
+  const sessionExpired = new SessionExpired(new BasePath());
+  const newUrlPromise = new Promise<string>(resolve => {
+    jest.spyOn(window.location, 'assign').mockImplementation(url => {
+      resolve(url);
+    });
+  });
+
+  sessionExpired.logout();
+
+  const url = await newUrlPromise;
+  expect(url).toBe(
+    `/logout?next=${encodeURIComponent('/foo/bar?baz=quz#quuz')}&msg=SESSION_EXPIRED`
+  );
+});
+
+it('redirects user to "/${basePath}/logout" and removes basePath from next parameter when there is a basePath', async () => {
+  mockCurrentUrl('/foo/bar?baz=quz#quuz');
+  const sessionExpired = new SessionExpired(new BasePath('/foo'));
+  const newUrlPromise = new Promise<string>(resolve => {
+    jest.spyOn(window.location, 'assign').mockImplementation(url => {
+      resolve(url);
+    });
+  });
+
+  sessionExpired.logout();
+
+  const url = await newUrlPromise;
+  expect(url).toBe(
+    `/foo/logout?next=${encodeURIComponent('/bar?baz=quz#quuz')}&msg=SESSION_EXPIRED`
+  );
+});
diff --git a/x-pack/plugins/security/public/session_expired.ts b/x-pack/plugins/security/public/session_expired.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { HttpSetup } from 'src/core/public';
+
+export class SessionExpired {
+  constructor(private basePath: HttpSetup['basePath']) {}
+
+  public logout() {
+    const next = this.basePath.remove(
+      `${window.location.pathname}${window.location.search}${window.location.hash}`
+    );
+    window.location.assign(
+      this.basePath.prepend(`/logout?next=${encodeURIComponent(next)}&msg=SESSION_EXPIRED`)
+    );
+  }
+}