From f442437e64514886699455cf389ff9b60c8de639 Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Thu, 12 Dec 2019 14:24:58 +0100 Subject: [PATCH 01/11] Introduce Login Selector functionality. --- .../kbn-config-schema/src/internals/index.ts | 12 +- x-pack/legacy/plugins/security/index.ts | 5 +- .../login => common}/login_state.ts | 10 +- .../authentication/login/_login_page.scss | 4 + .../public/authentication/login/login_app.ts | 3 - .../authentication/login/login_page.tsx | 219 +++++++++------ .../authentication/authenticator.test.ts | 28 +- .../server/authentication/authenticator.ts | 258 ++++++++++-------- .../security/server/authentication/index.ts | 4 +- .../server/authentication/providers/base.ts | 11 +- .../server/authentication/providers/basic.ts | 11 +- .../server/authentication/providers/index.ts | 4 +- .../authentication/providers/kerberos.ts | 9 + .../authentication/providers/oidc.test.ts | 8 +- .../server/authentication/providers/oidc.ts | 90 +++--- .../server/authentication/providers/pki.ts | 9 + .../authentication/providers/saml.test.ts | 36 +-- .../server/authentication/providers/saml.ts | 104 +++++-- .../server/authentication/providers/token.ts | 19 +- x-pack/plugins/security/server/config.ts | 122 +++++++-- x-pack/plugins/security/server/index.ts | 43 ++- x-pack/plugins/security/server/plugin.ts | 7 - .../routes/authentication/basic.test.ts | 4 +- .../server/routes/authentication/basic.ts | 7 +- .../server/routes/authentication/common.ts | 56 +++- .../server/routes/authentication/index.ts | 6 +- .../server/routes/authentication/oidc.ts | 21 +- .../server/routes/authentication/saml.test.ts | 6 +- .../server/routes/authentication/saml.ts | 28 +- .../server/routes/users/change_password.ts | 2 +- .../server/routes/views/index.test.ts | 6 +- .../security/server/routes/views/index.ts | 6 +- .../security/server/routes/views/login.ts | 25 +- .../apis/security/saml_login.ts | 40 ++- 34 files changed, 822 insertions(+), 401 deletions(-) rename x-pack/plugins/security/{public/authentication/login => common}/login_state.ts (53%) diff --git a/packages/kbn-config-schema/src/internals/index.ts b/packages/kbn-config-schema/src/internals/index.ts index 8f5d09e5b8b49..f84e14d2f741d 100644 --- a/packages/kbn-config-schema/src/internals/index.ts +++ b/packages/kbn-config-schema/src/internals/index.ts @@ -314,7 +314,8 @@ export const internals = Joi.extend([ for (const [entryKey, entryValue] of value) { const { value: validatedEntryKey, error: keyError } = Joi.validate( entryKey, - params.key + params.key, + { presence: 'required' } ); if (keyError) { @@ -323,7 +324,8 @@ export const internals = Joi.extend([ const { value: validatedEntryValue, error: valueError } = Joi.validate( entryValue, - params.value + params.value, + { presence: 'required' } ); if (valueError) { @@ -374,7 +376,8 @@ export const internals = Joi.extend([ for (const [entryKey, entryValue] of Object.entries(value)) { const { value: validatedEntryKey, error: keyError } = Joi.validate( entryKey, - params.key + params.key, + { presence: 'required' } ); if (keyError) { @@ -383,7 +386,8 @@ export const internals = Joi.extend([ const { value: validatedEntryValue, error: valueError } = Joi.validate( entryValue, - params.value + params.value, + { presence: 'required' } ); if (valueError) { diff --git a/x-pack/legacy/plugins/security/index.ts b/x-pack/legacy/plugins/security/index.ts index deebbccf5aa49..5b2218af1fd52 100644 --- a/x-pack/legacy/plugins/security/index.ts +++ b/x-pack/legacy/plugins/security/index.ts @@ -51,10 +51,7 @@ export const security = (kibana: Record) => uiExports: { hacks: ['plugins/security/hacks/legacy'], injectDefaultVars: (server: Server) => { - return { - secureCookies: getSecurityPluginSetup(server).__legacyCompat.config.secureCookies, - enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled'), - }; + return { enableSpaceAwarePrivileges: server.config().get('xpack.spaces.enabled') }; }, }, diff --git a/x-pack/plugins/security/public/authentication/login/login_state.ts b/x-pack/plugins/security/common/login_state.ts similarity index 53% rename from x-pack/plugins/security/public/authentication/login/login_state.ts rename to x-pack/plugins/security/common/login_state.ts index 6ca38296706fe..9eba6acf2b46f 100644 --- a/x-pack/plugins/security/public/authentication/login/login_state.ts +++ b/x-pack/plugins/security/common/login_state.ts @@ -4,9 +4,17 @@ * you may not use this file except in compliance with the Elastic License. */ -import { LoginLayout } from '../../../common/licensing'; +import { LoginLayout } from './licensing'; + +interface LoginSelector { + enabled: boolean; + providers: Array<{ type: string; name: string; options: { description: string; order: number } }>; +} export interface LoginState { layout: LoginLayout; allowLogin: boolean; + showLoginForm: boolean; + requiresSecureConnection: boolean; + selector: LoginSelector; } diff --git a/x-pack/plugins/security/public/authentication/login/_login_page.scss b/x-pack/plugins/security/public/authentication/login/_login_page.scss index cdfad55ee064a..33d66e1d93eed 100644 --- a/x-pack/plugins/security/public/authentication/login/_login_page.scss +++ b/x-pack/plugins/security/public/authentication/login/_login_page.scss @@ -27,3 +27,7 @@ max-width: 700px; } } + +.loginWelcome__selectorButton { + margin-bottom: $euiSize; +} diff --git a/x-pack/plugins/security/public/authentication/login/login_app.ts b/x-pack/plugins/security/public/authentication/login/login_app.ts index 4f4bf3903a1fa..f462cb0adf783 100644 --- a/x-pack/plugins/security/public/authentication/login/login_app.ts +++ b/x-pack/plugins/security/public/authentication/login/login_app.ts @@ -33,9 +33,6 @@ export const loginApp = Object.freeze({ http: coreStart.http, fatalErrors: coreStart.fatalErrors, loginAssistanceMessage: config.loginAssistanceMessage, - requiresSecureConnection: coreStart.injectedMetadata.getInjectedVar( - 'secureCookies' - ) as boolean, }); }, }); diff --git a/x-pack/plugins/security/public/authentication/login/login_page.tsx b/x-pack/plugins/security/public/authentication/login/login_page.tsx index 848751aa03352..0e5c983361435 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.tsx @@ -9,19 +9,17 @@ import ReactDOM from 'react-dom'; import classNames from 'classnames'; import { BehaviorSubject } from 'rxjs'; import { parse } from 'url'; -import { EuiFlexGroup, EuiFlexItem, EuiIcon, EuiSpacer, EuiText, EuiTitle } from '@elastic/eui'; +import { EuiButton, EuiIcon, EuiSpacer, EuiText, EuiTitle } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; import { CoreStart, FatalErrorsStart, HttpStart } from 'src/core/public'; -import { LoginLayout } from '../../../common/licensing'; +import { LoginState } from '../../../common/login_state'; import { BasicLoginForm, DisabledLoginForm } from './components'; -import { LoginState } from './login_state'; interface Props { http: HttpStart; fatalErrors: FatalErrorsStart; loginAssistanceMessage: string; - requiresSecureConnection: boolean; } interface State { @@ -67,12 +65,10 @@ export class LoginPage extends Component { } const isSecureConnection = !!window.location.protocol.match(/^https/); - const { allowLogin, layout } = loginState; + const { allowLogin, layout, requiresSecureConnection } = loginState; const loginIsSupported = - this.props.requiresSecureConnection && !isSecureConnection - ? false - : allowLogin && layout === 'form'; + requiresSecureConnection && !isSecureConnection ? false : allowLogin && layout === 'form'; const contentHeaderClasses = classNames('loginWelcome__content', 'eui-textCenter', { ['loginWelcome__contentDisabledForm']: !loginIsSupported, @@ -110,22 +106,40 @@ export class LoginPage extends Component {
- - {this.getLoginForm({ isSecureConnection, layout })} - + {this.getLoginForm({ ...loginState, isSecureConnection })}
); } private getLoginForm = ({ - isSecureConnection, layout, - }: { - isSecureConnection: boolean; - layout: LoginLayout; - }) => { - if (this.props.requiresSecureConnection && !isSecureConnection) { + requiresSecureConnection, + isSecureConnection, + selector, + showLoginForm, + }: LoginState & { isSecureConnection: boolean }) => { + const showLoginSelector = selector.providers.length > 0; + if (!showLoginSelector && !showLoginForm) { + return ( + + } + message={ + + } + /> + ); + } + + if (requiresSecureConnection && !isSecureConnection) { return ( { ); } - switch (layout) { - case 'form': - return ( - - ); - case 'error-es-unavailable': - return ( - - } - message={ - - } - /> - ); - case 'error-xpack-unavailable': - return ( - - } - message={ - - } - /> - ); - default: - return ( - - } - message={ - - } - /> - ); + if (layout === 'error-es-unavailable') { + return ( + + } + message={ + + } + /> + ); + } + + if (layout === 'error-xpack-unavailable') { + return ( + + } + message={ + + } + /> + ); + } + + if (layout !== 'form') { + return ( + + } + message={ + + } + /> + ); } + + const loginSelector = + showLoginSelector && + selector.providers.map((provider, index) => ( + this.login(provider.type, provider.name)} + > + {provider.options.description} + + )); + + const loginSelectorAndLoginFormSeparator = showLoginSelector && showLoginForm && ( + <> + + ―――   + +   ――― + + + + ); + + const loginForm = showLoginForm && ( + + ); + + return ( + <> + {loginSelector} + {loginSelectorAndLoginFormSeparator} + {loginForm} + + ); + }; + + private login = (providerType: string, providerName: string) => { + const query = parse(window.location.href, true).query; + const next = + Array.isArray(query.next) && query.next.length > 0 ? query.next[0] : (query.next as string); + const queryString = next ? `?next=${encodeURIComponent(next)}${window.location.hash}` : ''; + + window.location.href = `${ + this.props.http.basePath.serverBasePath + }/internal/security/login/${encodeURIComponent(providerType)}/${encodeURIComponent( + providerName + )}${queryString}`; }; } diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts index af019ff10dedc..577bb1c849d9d 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.test.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts @@ -98,8 +98,8 @@ describe('Authenticator', () => { it('enabled by default', () => { const authenticator = new Authenticator(getMockOptions({ providers: ['basic'] })); - expect(authenticator.isProviderEnabled('basic')).toBe(true); - expect(authenticator.isProviderEnabled('http')).toBe(true); + expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); + expect(authenticator.isProviderTypeEnabled('http')).toBe(true); expect( jest.requireMock('./providers/http').HTTPAuthenticationProvider @@ -112,9 +112,9 @@ describe('Authenticator', () => { const authenticator = new Authenticator( getMockOptions({ providers: ['basic', 'kerberos'] }) ); - expect(authenticator.isProviderEnabled('basic')).toBe(true); - expect(authenticator.isProviderEnabled('kerberos')).toBe(true); - expect(authenticator.isProviderEnabled('http')).toBe(true); + expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); + expect(authenticator.isProviderTypeEnabled('kerberos')).toBe(true); + expect(authenticator.isProviderTypeEnabled('http')).toBe(true); expect( jest.requireMock('./providers/http').HTTPAuthenticationProvider @@ -127,9 +127,9 @@ describe('Authenticator', () => { const authenticator = new Authenticator( getMockOptions({ providers: ['basic', 'kerberos'], http: { autoSchemesEnabled: false } }) ); - expect(authenticator.isProviderEnabled('basic')).toBe(true); - expect(authenticator.isProviderEnabled('kerberos')).toBe(true); - expect(authenticator.isProviderEnabled('http')).toBe(true); + expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); + expect(authenticator.isProviderTypeEnabled('kerberos')).toBe(true); + expect(authenticator.isProviderTypeEnabled('http')).toBe(true); expect( jest.requireMock('./providers/http').HTTPAuthenticationProvider @@ -140,8 +140,8 @@ describe('Authenticator', () => { const authenticator = new Authenticator( getMockOptions({ providers: ['basic'], http: { enabled: false } }) ); - expect(authenticator.isProviderEnabled('basic')).toBe(true); - expect(authenticator.isProviderEnabled('http')).toBe(false); + expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); + expect(authenticator.isProviderTypeEnabled('http')).toBe(false); expect( jest.requireMock('./providers/http').HTTPAuthenticationProvider @@ -918,12 +918,12 @@ describe('Authenticator', () => { describe('`isProviderEnabled` method', () => { it('returns `true` only if specified provider is enabled', () => { let authenticator = new Authenticator(getMockOptions({ providers: ['basic'] })); - expect(authenticator.isProviderEnabled('basic')).toBe(true); - expect(authenticator.isProviderEnabled('saml')).toBe(false); + expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); + expect(authenticator.isProviderTypeEnabled('saml')).toBe(false); authenticator = new Authenticator(getMockOptions({ providers: ['basic', 'saml'] })); - expect(authenticator.isProviderEnabled('basic')).toBe(true); - expect(authenticator.isProviderEnabled('saml')).toBe(true); + expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); + expect(authenticator.isProviderTypeEnabled('saml')).toBe(true); }); }); }); diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index e2e2d12917394..2d0517fefcf13 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts @@ -28,21 +28,22 @@ import { OIDCAuthenticationProvider, PKIAuthenticationProvider, HTTPAuthenticationProvider, - isSAMLRequestQuery, } from './providers'; import { AuthenticationResult } from './authentication_result'; import { DeauthenticationResult } from './deauthentication_result'; import { Tokens } from './tokens'; import { SessionInfo } from '../../public'; +import { canRedirectRequest } from './can_redirect_request'; +import { getHTTPAuthenticationScheme } from './get_http_authentication_scheme'; /** * The shape of the session that is actually stored in the cookie. */ export interface ProviderSession { /** - * Name/type of the provider this session belongs to. + * Name and type of the provider this session belongs to. */ - provider: string; + provider: { type: string; name: string }; /** * The Unix time in ms when the session should be considered expired. If `null`, session will stay @@ -73,9 +74,9 @@ export interface ProviderSession { */ export interface ProviderLoginAttempt { /** - * Name/type of the provider this login attempt is targeted for. + * Name or type of the provider this login attempt is targeted for. */ - provider: string; + provider: { name: string } | { type: string }; /** * Login attempt can have any form and defined by the specific provider. @@ -115,11 +116,33 @@ function assertRequest(request: KibanaRequest) { } function assertLoginAttempt(attempt: ProviderLoginAttempt) { - if (!attempt || !attempt.provider || typeof attempt.provider !== 'string') { - throw new Error('Login attempt should be an object with non-empty "provider" property.'); + if (!isLoginAttemptWithProviderType(attempt) && !isLoginAttemptWithProviderName(attempt)) { + throw new Error( + 'Login attempt should be an object with non-empty "provider.type" or "provider.name" property.' + ); } } +function isLoginAttemptWithProviderName( + attempt: unknown +): attempt is { value: unknown; provider: { name: string } } { + return ( + typeof attempt === 'object' && + (attempt as any)?.provider?.name && + typeof (attempt as any)?.provider?.name === 'string' + ); +} + +function isLoginAttemptWithProviderType( + attempt: unknown +): attempt is { value: unknown; provider: { type: string } } { + return ( + typeof attempt === 'object' && + (attempt as any)?.provider?.type && + typeof (attempt as any)?.provider?.type === 'string' + ); +} + /** * Instantiates authentication provider based on the provider key from config. * @param providerType Provider type key. @@ -194,29 +217,22 @@ export class Authenticator { }), }; - const authProviders = this.options.config.authc.providers; - if (authProviders.length === 0) { - throw new Error( - 'No authentication provider is configured. Verify `xpack.security.authc.providers` config value.' - ); - } - this.providers = new Map( - authProviders.map(providerType => { - const providerSpecificOptions = this.options.config.authc.hasOwnProperty(providerType) - ? (this.options.config.authc as Record)[providerType] - : undefined; - - this.logger.debug(`Enabling "${providerType}" authentication provider.`); + this.options.config.authc.sortedProviders.map(({ type, name }) => { + this.logger.debug(`Enabling "${name}" (${type}) authentication provider.`); return [ - providerType, + name, instantiateProvider( - providerType, - Object.freeze({ ...providerCommonOptions, logger: options.loggers.get(providerType) }), - providerSpecificOptions + type, + Object.freeze({ + ...providerCommonOptions, + name, + logger: options.loggers.get(type, name), + }), + this.options.config.authc.providers[type]?.[name] ), - ] as [string, BaseAuthenticationProvider]; + ]; }) ); @@ -225,11 +241,18 @@ export class Authenticator { this.setupHTTPAuthenticationProvider( Object.freeze({ ...providerCommonOptions, + name: '__http__', logger: options.loggers.get(HTTPAuthenticationProvider.type), }) ); } + if (this.providers.size === 0) { + throw new Error( + 'No authentication provider is configured. Verify `xpack.security.authc.*` config value.' + ); + } + this.serverBasePath = this.options.basePath.serverBasePath || '/'; this.idleTimeout = this.options.config.session.idleTimeout; @@ -245,60 +268,58 @@ export class Authenticator { assertRequest(request); assertLoginAttempt(attempt); - // If there is an attempt to login with a provider that isn't enabled, we should fail. - const provider = this.providers.get(attempt.provider); - if (provider === undefined) { + const sessionStorage = this.options.sessionStorageFactory.asScoped(request); + const existingSession = await this.getSessionValue(sessionStorage); + + // Login attempt can target specific provider by its name (e.g. chosen at the Login Selector UI) + // or a group of providers with the specified type (e.g. in case of 3rd-party initiated login + // attempts we may not know what provider exactly can handle that attempt and we have to try + // every enabled provider of the specified type). + const providers: Array<[string, BaseAuthenticationProvider]> = + isLoginAttemptWithProviderName(attempt) && this.providers.has(attempt.provider.name) + ? [[attempt.provider.name, this.providers.get(attempt.provider.name)!]] + : isLoginAttemptWithProviderType(attempt) + ? [...this.providerIterator(existingSession)].filter( + ([, { type }]) => type === attempt.provider.type + ) + : []; + + if (providers.length === 0) { this.logger.debug( - `Login attempt for provider "${attempt.provider}" is detected, but it isn't enabled.` + `Login attempt for provider with ${ + isLoginAttemptWithProviderName(attempt) + ? `name ${attempt.provider.name}` + : `type "${(attempt.provider as Record).type}"` + } is detected, but it isn't enabled.` ); return AuthenticationResult.notHandled(); } - this.logger.debug(`Performing login using "${attempt.provider}" provider.`); - - const sessionStorage = this.options.sessionStorageFactory.asScoped(request); + for (const [providerName, provider] of providers) { + // Check if current session has been set by this provider. + const ownsSession = + existingSession?.provider.name === providerName && + existingSession?.provider.type === provider.type; - // If we detect an existing session that belongs to a different provider than the one requested - // to perform a login we should clear such session. - let existingSession = await this.getSessionValue(sessionStorage); - if (existingSession && existingSession.provider !== attempt.provider) { - this.logger.debug( - `Clearing existing session of another ("${existingSession.provider}") provider.` + const authenticationResult = await provider.login( + request, + attempt.value, + ownsSession ? existingSession!.state : null ); - sessionStorage.clear(); - existingSession = null; - } - const authenticationResult = await provider.login( - request, - attempt.value, - existingSession && existingSession.state - ); - - // There are two possible cases when we'd want to clear existing state: - // 1. If provider owned the state (e.g. intermediate state used for multi step login), but failed - // to login, that likely means that state is not valid anymore and we should clear it. - // 2. Also provider can specifically ask to clear state by setting it to `null` even if - // authentication attempt didn't fail (e.g. custom realm could "pin" client/request identity to - // a server-side only session established during multi step login that relied on intermediate - // client-side state which isn't needed anymore). - const shouldClearSession = - authenticationResult.shouldClearState() || - (authenticationResult.failed() && getErrorStatusCode(authenticationResult.error) === 401); - if (existingSession && shouldClearSession) { - sessionStorage.clear(); - } else if (authenticationResult.shouldUpdateState()) { - const { idleTimeoutExpiration, lifespanExpiration } = this.calculateExpiry(existingSession); - sessionStorage.set({ - state: authenticationResult.state, - provider: attempt.provider, - idleTimeoutExpiration, - lifespanExpiration, - path: this.serverBasePath, + this.updateSessionValue(sessionStorage, { + provider: { type: provider.type, name: providerName }, + isSystemRequest: request.isSystemRequest, + authenticationResult, + existingSession: ownsSession ? existingSession : null, }); + + if (!authenticationResult.notHandled()) { + return authenticationResult; + } } - return authenticationResult; + return AuthenticationResult.notHandled(); } /** @@ -311,33 +332,46 @@ export class Authenticator { const sessionStorage = this.options.sessionStorageFactory.asScoped(request); const existingSession = await this.getSessionValue(sessionStorage); - let authenticationResult = AuthenticationResult.notHandled(); - for (const [providerType, provider] of this.providerIterator(existingSession)) { + // If request doesn't have any session information, isn't attributed with HTTP Authorization + // header and Login Selector is enabled, we must redirect user to the login selector. + const useLoginSelector = + !existingSession && + this.options.config.authc.selector.enabled && + canRedirectRequest(request) && + getHTTPAuthenticationScheme(request) == null; + if (useLoginSelector) { + this.logger.debug('Redirecting request to Login Selector.'); + return AuthenticationResult.redirectTo( + `${this.serverBasePath}login?next=${encodeURIComponent( + `${this.options.basePath.get(request)}${request.url.path}` + )}` + ); + } + + for (const [providerName, provider] of this.providerIterator(existingSession)) { // Check if current session has been set by this provider. - const ownsSession = existingSession && existingSession.provider === providerType; + const ownsSession = + existingSession?.provider.name === providerName && + existingSession?.provider.type === provider.type; - authenticationResult = await provider.authenticate( + const authenticationResult = await provider.authenticate( request, ownsSession ? existingSession!.state : null ); this.updateSessionValue(sessionStorage, { - providerType, + provider: { type: provider.type, name: providerName }, isSystemRequest: request.isSystemRequest, authenticationResult, existingSession: ownsSession ? existingSession : null, }); - if ( - authenticationResult.failed() || - authenticationResult.succeeded() || - authenticationResult.redirected() - ) { + if (!authenticationResult.notHandled()) { return authenticationResult; } } - return authenticationResult; + return AuthenticationResult.notHandled(); } /** @@ -349,28 +383,33 @@ export class Authenticator { const sessionStorage = this.options.sessionStorageFactory.asScoped(request); const sessionValue = await this.getSessionValue(sessionStorage); - const providerName = this.getProviderName(request.query); if (sessionValue) { sessionStorage.clear(); - return this.providers.get(sessionValue.provider)!.logout(request, sessionValue.state); - } else if (providerName) { + return this.providers.get(sessionValue.provider.name)!.logout(request, sessionValue.state); + } + + const providerName = this.getProviderName(request.query); + if (providerName) { // provider name is passed in a query param and sourced from the browser's local storage; // hence, we can't assume that this provider exists, so we have to check it const provider = this.providers.get(providerName); if (provider) { return provider.logout(request, null); } - } - - // Normally when there is no active session in Kibana, `logout` method shouldn't do anything - // and user will eventually be redirected to the home page to log in. But if SAML is supported there - // is a special case when logout is initiated by the IdP or another SP, then IdP will request _every_ - // SP associated with the current user session to do the logout. So if Kibana (without active session) - // receives such a request it shouldn't redirect user to the home page, but rather redirect back to IdP - // with correct logout response and only Elasticsearch knows how to do that. - if (isSAMLRequestQuery(request.query) && this.providers.has('saml')) { - return this.providers.get('saml')!.logout(request); + } else { + // In case logout is called and we cannot figure out what provider is supposed to handle it, + // we should iterate through all providers and let them decide if they can perform a logout. + // This can be necessary if some 3rd-party initiates logout. And even if user doesn't have an + // active session already some providers can still properly respond to the 3rd-party logout + // request. For example SAML provider can process logout request encoded in `SAMLRequest` + // query string parameter. + for (const [, provider] of this.providerIterator(null)) { + const deauthenticationResult = await provider.logout(request); + if (!deauthenticationResult.notHandled()) { + return deauthenticationResult; + } + } } return DeauthenticationResult.notHandled(); @@ -393,7 +432,7 @@ export class Authenticator { now: Date.now(), idleTimeoutExpiration: sessionValue.idleTimeoutExpiration, lifespanExpiration: sessionValue.lifespanExpiration, - provider: sessionValue.provider, + provider: sessionValue.provider.name, }; } return null; @@ -403,8 +442,8 @@ export class Authenticator { * Checks whether specified provider type is currently enabled. * @param providerType Type of the provider (`basic`, `saml`, `pki` etc.). */ - isProviderEnabled(providerType: string) { - return this.providers.has(providerType); + isProviderTypeEnabled(providerType: string) { + return [...this.providers.values()].some(provider => provider.type === providerType); } /** @@ -428,10 +467,11 @@ export class Authenticator { } } - this.providers.set( - HTTPAuthenticationProvider.type, - new HTTPAuthenticationProvider(options, { supportedSchemes }) - ); + if (this.providers.has(options.name)) { + throw new Error(`Provider name "${options.name}" is reserved.`); + } + + this.providers.set(options.name, new HTTPAuthenticationProvider(options, { supportedSchemes })); } /** @@ -447,11 +487,11 @@ export class Authenticator { if (!sessionValue) { yield* this.providers; } else { - yield [sessionValue.provider, this.providers.get(sessionValue.provider)!]; + yield [sessionValue.provider.name, this.providers.get(sessionValue.provider.name)!]; - for (const [providerType, provider] of this.providers) { - if (providerType !== sessionValue.provider) { - yield [providerType, provider]; + for (const [providerName, provider] of this.providers) { + if (providerName !== sessionValue.provider.name) { + yield [providerName, provider]; } } } @@ -468,7 +508,11 @@ export class Authenticator { // If for some reason we have a session stored for the provider that is not available // (e.g. when user was logged in with one provider, but then configuration has changed // and that provider is no longer available), then we should clear session entirely. - if (sessionValue && !this.providers.has(sessionValue.provider)) { + const sessionProvider = sessionValue && this.providers.get(sessionValue.provider.name); + if ( + sessionValue && + (!sessionProvider || sessionProvider.type !== sessionValue?.provider.type) + ) { sessionStorage.clear(); sessionValue = null; } @@ -479,12 +523,12 @@ export class Authenticator { private updateSessionValue( sessionStorage: SessionStorage, { - providerType, + provider, authenticationResult, existingSession, isSystemRequest, }: { - providerType: string; + provider: { type: string; name: string }; authenticationResult: AuthenticationResult; existingSession: ProviderSession | null; isSystemRequest: boolean; @@ -515,7 +559,7 @@ export class Authenticator { state: authenticationResult.shouldUpdateState() ? authenticationResult.state : existingSession!.state, - provider: providerType, + provider, idleTimeoutExpiration, lifespanExpiration, path: this.serverBasePath, diff --git a/x-pack/plugins/security/server/authentication/index.ts b/x-pack/plugins/security/server/authentication/index.ts index 1eed53efc6441..ce9f086b08d7d 100644 --- a/x-pack/plugins/security/server/authentication/index.ts +++ b/x-pack/plugins/security/server/authentication/index.ts @@ -21,7 +21,7 @@ export { canRedirectRequest } from './can_redirect_request'; export { Authenticator, ProviderLoginAttempt } from './authenticator'; export { AuthenticationResult } from './authentication_result'; export { DeauthenticationResult } from './deauthentication_result'; -export { OIDCAuthenticationFlow, SAMLLoginStep } from './providers'; +export { OIDCLogin, SAMLLogin } from './providers'; export { CreateAPIKeyResult, InvalidateAPIKeyResult, @@ -165,7 +165,7 @@ export async function setupAuthentication({ login: authenticator.login.bind(authenticator), logout: authenticator.logout.bind(authenticator), getSessionInfo: authenticator.getSessionInfo.bind(authenticator), - isProviderEnabled: authenticator.isProviderEnabled.bind(authenticator), + isProviderTypeEnabled: authenticator.isProviderTypeEnabled.bind(authenticator), getCurrentUser, createAPIKey: (request: KibanaRequest, params: CreateAPIKeyParams) => apiKeys.create(request, params), diff --git a/x-pack/plugins/security/server/authentication/providers/base.ts b/x-pack/plugins/security/server/authentication/providers/base.ts index 300e59d9ea3da..48a73586a6fed 100644 --- a/x-pack/plugins/security/server/authentication/providers/base.ts +++ b/x-pack/plugins/security/server/authentication/providers/base.ts @@ -21,6 +21,7 @@ import { Tokens } from '../tokens'; * Represents available provider options. */ export interface AuthenticationProviderOptions { + name: string; basePath: HttpServiceSetup['basePath']; client: IClusterClient; logger: Logger; @@ -41,6 +42,12 @@ export abstract class BaseAuthenticationProvider { */ static readonly type: string; + /** + * Type of the provider. We use `this.constructor` trick to get access to the static `type` field + * of the specific `BaseAuthenticationProvider` subclass. + */ + public readonly type = (this.constructor as any).type as string; + /** * Logger instance bound to a specific provider context. */ @@ -102,9 +109,7 @@ export abstract class BaseAuthenticationProvider { ...(await this.options.client .asScoped({ headers: { ...request.headers, ...authHeaders } }) .callAsCurrentUser('shield.authenticate')), - // We use `this.constructor` trick to get access to the static `type` field of the specific - // `BaseAuthenticationProvider` subclass. - authentication_provider: (this.constructor as any).type, + authentication_provider: this.options.name, } as AuthenticatedUser); } } diff --git a/x-pack/plugins/security/server/authentication/providers/basic.ts b/x-pack/plugins/security/server/authentication/providers/basic.ts index ad46aff8afa51..a1eea84e17319 100644 --- a/x-pack/plugins/security/server/authentication/providers/basic.ts +++ b/x-pack/plugins/security/server/authentication/providers/basic.ts @@ -100,8 +100,15 @@ export class BasicAuthenticationProvider extends BaseAuthenticationProvider { /** * Redirects user to the login page preserving query string parameters. * @param request Request instance. + * @param [state] Optional state object associated with the provider. */ - public async logout(request: KibanaRequest) { + public async logout(request: KibanaRequest, state?: ProviderState | null) { + this.logger.debug(`Trying to log user out via ${request.url.path}.`); + + if (!state) { + return DeauthenticationResult.notHandled(); + } + // Query string may contain the path where logout has been called or // logout reason that login page may need to know. const queryString = request.url.search || `?msg=LOGGED_OUT`; @@ -128,7 +135,7 @@ export class BasicAuthenticationProvider extends BaseAuthenticationProvider { this.logger.debug('Trying to authenticate via state.'); if (!authorization) { - this.logger.debug('Access token is not found in state.'); + this.logger.debug('Authorization header is not found in state.'); return AuthenticationResult.notHandled(); } diff --git a/x-pack/plugins/security/server/authentication/providers/index.ts b/x-pack/plugins/security/server/authentication/providers/index.ts index cd8f5a70c64e3..048afb6190d18 100644 --- a/x-pack/plugins/security/server/authentication/providers/index.ts +++ b/x-pack/plugins/security/server/authentication/providers/index.ts @@ -11,8 +11,8 @@ export { } from './base'; export { BasicAuthenticationProvider } from './basic'; export { KerberosAuthenticationProvider } from './kerberos'; -export { SAMLAuthenticationProvider, isSAMLRequestQuery, SAMLLoginStep } from './saml'; +export { SAMLAuthenticationProvider, SAMLLogin } from './saml'; export { TokenAuthenticationProvider } from './token'; -export { OIDCAuthenticationProvider, OIDCAuthenticationFlow } from './oidc'; +export { OIDCAuthenticationProvider, OIDCLogin } from './oidc'; export { PKIAuthenticationProvider } from './pki'; export { HTTPAuthenticationProvider } from './http'; diff --git a/x-pack/plugins/security/server/authentication/providers/kerberos.ts b/x-pack/plugins/security/server/authentication/providers/kerberos.ts index 632a07ca2b21a..a0818da90e5a3 100644 --- a/x-pack/plugins/security/server/authentication/providers/kerberos.ts +++ b/x-pack/plugins/security/server/authentication/providers/kerberos.ts @@ -36,6 +36,15 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { */ static readonly type = 'kerberos'; + /** + * Performs initial login request. + * @param request Request instance. + */ + public async login(request: KibanaRequest) { + this.logger.debug('Trying to perform a login.'); + return await this.authenticateViaSPNEGO(request); + } + /** * Performs Kerberos request authentication. * @param request Request instance. diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts index 6a4ba1ccb41e2..8091afe2f44bb 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts @@ -18,7 +18,7 @@ import { } from '../../../../../../src/core/server'; import { AuthenticationResult } from '../authentication_result'; import { DeauthenticationResult } from '../deauthentication_result'; -import { OIDCAuthenticationProvider, OIDCAuthenticationFlow, ProviderLoginAttempt } from './oidc'; +import { OIDCAuthenticationProvider, OIDCLogin, ProviderLoginAttempt } from './oidc'; function expectAuthenticateCall( mockClusterClient: jest.Mocked, @@ -72,7 +72,7 @@ describe('OIDCAuthenticationProvider', () => { await expect( provider.login(request, { - flow: OIDCAuthenticationFlow.InitiatedBy3rdParty, + type: OIDCLogin.LoginInitiatedBy3rdParty, iss: 'theissuer', loginHint: 'loginhint', }) @@ -215,7 +215,7 @@ describe('OIDCAuthenticationProvider', () => { path: '/api/security/oidc/callback?code=somecodehere&state=somestatehere', }), attempt: { - flow: OIDCAuthenticationFlow.AuthorizationCode, + type: OIDCLogin.LoginWithAuthorizationCodeFlow, authenticationResponseURI: '/api/security/oidc/callback?code=somecodehere&state=somestatehere', }, @@ -230,7 +230,7 @@ describe('OIDCAuthenticationProvider', () => { '/api/security/oidc/callback?authenticationResponseURI=http://kibana/api/security/oidc/implicit#id_token=sometoken', }), attempt: { - flow: OIDCAuthenticationFlow.Implicit, + type: OIDCLogin.LoginWithImplicitFlow, authenticationResponseURI: 'http://kibana/api/security/oidc/implicit#id_token=sometoken', }, expectedRedirectURI: 'http://kibana/api/security/oidc/implicit#id_token=sometoken', diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.ts b/x-pack/plugins/security/server/authentication/providers/oidc.ts index d52466826c2be..a6fa3c7dabf9b 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.ts @@ -19,23 +19,25 @@ import { } from './base'; /** - * Describes possible OpenID Connect authentication flows. + * Describes possible OpenID Connect login flows. */ -export enum OIDCAuthenticationFlow { - Implicit = 'implicit', - AuthorizationCode = 'authorization-code', - InitiatedBy3rdParty = 'initiated-by-3rd-party', +export enum OIDCLogin { + LoginInitiatedByUser = 'login-by-user', + LoginWithImplicitFlow = 'login-implicit', + LoginWithAuthorizationCodeFlow = 'login-authorization-code', + LoginInitiatedBy3rdParty = 'login-initiated-by-3rd-party', } /** * Describes the parameters that are required by the provider to process the initial login request. */ export type ProviderLoginAttempt = + | { type: OIDCLogin.LoginInitiatedByUser; redirectURL?: string } | { - flow: OIDCAuthenticationFlow.Implicit | OIDCAuthenticationFlow.AuthorizationCode; + type: OIDCLogin.LoginWithImplicitFlow | OIDCLogin.LoginWithAuthorizationCodeFlow; authenticationResponseURI: string; } - | { flow: OIDCAuthenticationFlow.InitiatedBy3rdParty; iss: string; loginHint?: string }; + | { type: OIDCLogin.LoginInitiatedBy3rdParty; iss: string; loginHint?: string }; /** * The state supported by the provider (for the OpenID Connect handshake or established session). @@ -57,6 +59,11 @@ interface ProviderState extends Partial { * URL to redirect user to after successful OpenID Connect handshake. */ nextURL?: string; + + /** + * The name of the OpenID Connect realm that was used to establish session. + */ + realm: string; } /** @@ -102,15 +109,30 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { ) { this.logger.debug('Trying to perform a login.'); - if (attempt.flow === OIDCAuthenticationFlow.InitiatedBy3rdParty) { - this.logger.debug('Authentication has been initiated by a Third Party.'); + // It may happen that Kibana is re-configured to use different realm for the same provider name, + // we should clear such session an log user out. + if (state?.realm && state.realm !== this.realm) { + const message = `State based on realm "${state.realm}", but provider with the name "${this.options.name}" is configured to use realm "${this.realm}".`; + this.logger.debug(message); + return AuthenticationResult.failed(Boom.unauthorized(message)); + } + + if (attempt.type === OIDCLogin.LoginInitiatedBy3rdParty) { + this.logger.debug('Login has been initiated by a Third Party.'); // We might already have a state and nonce generated by Elasticsearch (from an unfinished authentication in // another tab) const oidcPrepareParams = attempt.loginHint ? { iss: attempt.iss, login_hint: attempt.loginHint } : { iss: attempt.iss }; - return this.initiateOIDCAuthentication(request, oidcPrepareParams); - } else if (attempt.flow === OIDCAuthenticationFlow.Implicit) { + return this.initiateOIDCAuthentication( + request, + oidcPrepareParams, + `${this.options.basePath.serverBasePath}/` + ); + } else if (attempt.type === OIDCLogin.LoginInitiatedByUser) { + this.logger.debug(`Login has been initiated by a user.`); + return this.initiateOIDCAuthentication(request, { realm: this.realm }, attempt.redirectURL); + } else if (attempt.type === OIDCLogin.LoginWithImplicitFlow) { this.logger.debug('OpenID Connect Implicit Authentication flow is used.'); } else { this.logger.debug('OpenID Connect Authorization Code Authentication flow is used.'); @@ -136,6 +158,14 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { return AuthenticationResult.notHandled(); } + // It may happen that Kibana is re-configured to use different realm for the same provider name, + // we should clear such session an log user out. + if (state?.realm && state.realm !== this.realm) { + const message = `State based on realm "${state.realm}", but provider with the name "${this.options.name}" is configured to use realm "${this.realm}".`; + this.logger.debug(message); + return AuthenticationResult.failed(Boom.unauthorized(message)); + } + let authenticationResult = AuthenticationResult.notHandled(); if (state) { authenticationResult = await this.authenticateViaState(request, state); @@ -211,7 +241,7 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { this.logger.debug('Request has been authenticated via OpenID Connect.'); return AuthenticationResult.redirectTo(stateRedirectURL, { - state: { accessToken, refreshToken }, + state: { accessToken, refreshToken, realm: this.realm }, }); } catch (err) { this.logger.debug(`Failed to authenticate request via OpenID Connect: ${err.message}`); @@ -224,12 +254,13 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { * * @param request Request instance. * @param params OIDC authentication parameters. - * @param [sessionState] Optional state object associated with the provider. + * @param [redirectURL] Optional URL user is supposed to be redirected to after successful login. + * If not provided the URL of the specified request is used. */ private async initiateOIDCAuthentication( request: KibanaRequest, params: { realm: string } | { iss: string; login_hint?: string }, - sessionState?: ProviderState | null + redirectURL = `${this.options.basePath.get(request)}${request.url.path}` ) { this.logger.debug('Trying to initiate OpenID Connect authentication.'); @@ -240,33 +271,19 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { } try { - /* - * Possibly adds the state and nonce parameter that was saved in the user's session state to - * the params. There is no use case where we would have only a state parameter or only a nonce - * parameter in the session state so we only enrich the params object if we have both - */ - const oidcPrepareParams = - sessionState && sessionState.nonce && sessionState.state - ? { ...params, nonce: sessionState.nonce, state: sessionState.state } - : params; // This operation should be performed on behalf of the user with a privilege that normal // user usually doesn't have `cluster:admin/xpack/security/oidc/prepare`. - const { state, nonce, redirect } = await this.options.client.callAsInternalUser( - 'shield.oidcPrepare', - { - body: oidcPrepareParams, - } - ); + const { + state, + nonce, + redirect, + } = await this.options.client.callAsInternalUser('shield.oidcPrepare', { body: params }); this.logger.debug('Redirecting to OpenID Connect Provider with authentication request.'); - // If this is a third party initiated login, redirect to the base path - const redirectAfterLogin = `${this.options.basePath.get(request)}${ - 'iss' in params ? '/' : request.url.path - }`; return AuthenticationResult.redirectTo( redirect, // Store the state and nonce parameters in the session state of the user - { state: { state, nonce, nextURL: redirectAfterLogin } } + { state: { state, nonce, nextURL: redirectURL, realm: this.realm } } ); } catch (err) { this.logger.debug(`Failed to initiate OpenID Connect authentication: ${err.message}`); @@ -349,7 +366,10 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { const user = await this.getUser(request, authHeaders); this.logger.debug('Request has been authenticated via refreshed token.'); - return AuthenticationResult.succeeded(user, { authHeaders, state: refreshedTokenPair }); + return AuthenticationResult.succeeded(user, { + authHeaders, + state: { ...refreshedTokenPair, realm: this.realm }, + }); } catch (err) { this.logger.debug(`Failed to refresh elasticsearch access token: ${err.message}`); return AuthenticationResult.failed(err); diff --git a/x-pack/plugins/security/server/authentication/providers/pki.ts b/x-pack/plugins/security/server/authentication/providers/pki.ts index 252ab8cc67144..9bd599eb0ba74 100644 --- a/x-pack/plugins/security/server/authentication/providers/pki.ts +++ b/x-pack/plugins/security/server/authentication/providers/pki.ts @@ -37,6 +37,15 @@ export class PKIAuthenticationProvider extends BaseAuthenticationProvider { */ static readonly type = 'pki'; + /** + * Performs initial login request. + * @param request Request instance. + */ + public async login(request: KibanaRequest) { + this.logger.debug('Trying to perform a login.'); + return await this.authenticateViaPeerCertificate(request); + } + /** * Performs PKI request authentication. * @param request Request instance. diff --git a/x-pack/plugins/security/server/authentication/providers/saml.test.ts b/x-pack/plugins/security/server/authentication/providers/saml.test.ts index e00d3b89fb0bf..46e503f2700d1 100644 --- a/x-pack/plugins/security/server/authentication/providers/saml.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/saml.test.ts @@ -18,7 +18,7 @@ import { } from '../../../../../../src/core/server'; import { AuthenticationResult } from '../authentication_result'; import { DeauthenticationResult } from '../deauthentication_result'; -import { SAMLAuthenticationProvider, SAMLLoginStep } from './saml'; +import { SAMLAuthenticationProvider, SAMLLogin } from './saml'; function expectAuthenticateCall( mockClusterClient: jest.Mocked, @@ -86,7 +86,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path#some-app' } ) ).resolves.toEqual( @@ -111,7 +111,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, {} ) ).resolves.toEqual( @@ -134,7 +134,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, { requestId: 'some-request-id', redirectURL: '' } ) ).resolves.toEqual( @@ -162,7 +162,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login(request, { - step: SAMLLoginStep.SAMLResponseReceived, + type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml', }) ).resolves.toEqual( @@ -189,7 +189,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path' } ) ).resolves.toEqual(AuthenticationResult.failed(failureReason)); @@ -216,7 +216,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, { username: 'user', accessToken: 'some-valid-token', @@ -261,7 +261,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, state ) ).resolves.toEqual(AuthenticationResult.failed(failureReason)); @@ -307,7 +307,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, state ) ).resolves.toEqual( @@ -361,7 +361,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login( request, - { step: SAMLLoginStep.SAMLResponseReceived, samlResponse: 'saml-response-xml' }, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, state ) ).resolves.toEqual( @@ -397,7 +397,7 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login(request, { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: '#some-fragment', }) ).resolves.toEqual( @@ -416,7 +416,7 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: '#some-fragment', }, { redirectURL: '/test-base-path/some-path' } @@ -438,7 +438,7 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: '#some-fragment', }, { redirectURL: '/test-base-path/some-path' } @@ -474,7 +474,7 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: '../some-fragment', }, { redirectURL: '/test-base-path/some-path' } @@ -513,7 +513,7 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: '#some-fragment'.repeat(10), }, { redirectURL: '/test-base-path/some-path' } @@ -550,7 +550,7 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: '#some-fragment', }, { redirectURL: '/test-base-path/some-path' } @@ -613,7 +613,7 @@ describe('SAMLAuthenticationProvider', () => { await expect(provider.authenticate(request)).resolves.toEqual( AuthenticationResult.redirectTo( - '/mock-server-basepath/api/security/saml/capture-url-fragment', + '/mock-server-basepath/internal/security/saml/capture-url-fragment', { state: { redirectURL: '/base-path/s/foo/some-path' } } ) ); @@ -849,7 +849,7 @@ describe('SAMLAuthenticationProvider', () => { await expect(provider.authenticate(request, state)).resolves.toEqual( AuthenticationResult.redirectTo( - '/mock-server-basepath/api/security/saml/capture-url-fragment', + '/mock-server-basepath/internal/security/saml/capture-url-fragment', { state: { redirectURL: '/base-path/s/foo/some-path' } } ) ); diff --git a/x-pack/plugins/security/server/authentication/providers/saml.ts b/x-pack/plugins/security/server/authentication/providers/saml.ts index 1152ee5048699..e1b6664191483 100644 --- a/x-pack/plugins/security/server/authentication/providers/saml.ts +++ b/x-pack/plugins/security/server/authentication/providers/saml.ts @@ -32,34 +32,45 @@ interface ProviderState extends Partial { * initiate SAML handshake and where we should redirect user after successful authentication. */ redirectURL?: string; + + /** + * The name of the SAML realm that was used to establish session. + */ + realm: string; } /** - * Describes possible SAML Login steps. + * Describes possible SAML Login flows. */ -export enum SAMLLoginStep { +export enum SAMLLogin { + /** + * The login flow when user initiates SAML handshake (SP Initiated Login). + */ + LoginInitiatedByUser = 'login-by-user', /** - * The final login step when IdP responds with SAML Response payload. + * The login flow when IdP responds with SAML Response payload (last step of the SP Initiated + * Login or IdP initiated Login). */ - SAMLResponseReceived = 'saml-response-received', + LoginWithSAMLResponse = 'login-saml-response', /** - * The login step when we've captured user URL fragment and ready to start SAML handshake. + * The login flow when we've captured user URL fragment and ready to start SAML handshake. */ - RedirectURLFragmentCaptured = 'redirect-url-fragment-captured', + LoginWithRedirectURLFragmentCaptured = 'login-redirect-url-fragment-captured', } /** * Describes the parameters that are required by the provider to process the initial login request. */ type ProviderLoginAttempt = - | { step: SAMLLoginStep.RedirectURLFragmentCaptured; redirectURLFragment: string } - | { step: SAMLLoginStep.SAMLResponseReceived; samlResponse: string }; + | { type: SAMLLogin.LoginInitiatedByUser; redirectURL?: string } + | { type: SAMLLogin.LoginWithRedirectURLFragmentCaptured; redirectURLFragment: string } + | { type: SAMLLogin.LoginWithSAMLResponse; samlResponse: string }; /** * Checks whether request query includes SAML request from IdP. * @param query Parsed HTTP request query. */ -export function isSAMLRequestQuery(query: any): query is { SAMLRequest: string } { +function isSAMLRequestQuery(query: any): query is { SAMLRequest: string } { return query && query.SAMLRequest; } @@ -113,7 +124,15 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { ) { this.logger.debug('Trying to perform a login.'); - if (attempt.step === SAMLLoginStep.RedirectURLFragmentCaptured) { + // It may happen that Kibana is re-configured to use different realm for the same provider name, + // we should clear such session an log user out. + if (state?.realm && state.realm !== this.realm) { + const message = `State based on realm "${state.realm}", but provider with the name "${this.options.name}" is configured to use realm "${this.realm}".`; + this.logger.debug(message); + return AuthenticationResult.failed(Boom.unauthorized(message)); + } + + if (attempt.type === SAMLLogin.LoginWithRedirectURLFragmentCaptured) { if (!state || !state.redirectURL) { const message = 'State does not include URL path to redirect to.'; this.logger.debug(message); @@ -140,6 +159,10 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { return this.authenticateViaHandshake(request, redirectURL); } + if (attempt.type === SAMLLogin.LoginInitiatedByUser) { + return this.captureRedirectURL(request, attempt.redirectURL); + } + const { samlResponse } = attempt; const authenticationResult = state ? await this.authenticateViaState(request, state) @@ -186,6 +209,14 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { return AuthenticationResult.notHandled(); } + // It may happen that Kibana is re-configured to use different realm for the same provider name, + // we should clear such session an log user out. + if (state?.realm && state.realm !== this.realm) { + const message = `State based on realm "${state.realm}", but provider with the name "${this.options.name}" is configured to use realm "${this.realm}".`; + this.logger.debug(message); + return AuthenticationResult.failed(Boom.unauthorized(message)); + } + let authenticationResult = AuthenticationResult.notHandled(); if (state) { authenticationResult = await this.authenticateViaState(request, state); @@ -212,15 +243,23 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { public async logout(request: KibanaRequest, state?: ProviderState) { this.logger.debug(`Trying to log user out via ${request.url.path}.`); - if ((!state || !state.accessToken) && !isSAMLRequestQuery(request.query)) { - this.logger.debug('There is neither access token nor SAML session to invalidate.'); + // Normally when there is no active session in Kibana, `logout` method shouldn't do anything + // and user will eventually be redirected to the home page to log in. But when SAML is enabled + // there is a special case when logout is initiated by the IdP or another SP, then IdP will + // request _every_ SP associated with the current user session to do the logout. So if Kibana, + // without an active session, receives such request it shouldn't redirect user to the home page, + // but rather redirect back to IdP with correct logout response and only Elasticsearch knows how + // to do that. + const isIdPInitiatedSLO = isSAMLRequestQuery(request.query); + if (!state?.accessToken && !isIdPInitiatedSLO) { + this.logger.debug('There is no SAML session to invalidate.'); return DeauthenticationResult.notHandled(); } try { - const redirect = isSAMLRequestQuery(request.query) + const redirect = isIdPInitiatedSLO ? await this.performIdPInitiatedSingleLogout(request) - : await this.performUserInitiatedSingleLogout(state!.accessToken!, state!.refreshToken!); + : await this.performUserInitiatedSingleLogout(state?.accessToken!, state?.refreshToken!); // Having non-null `redirect` field within logout response means that IdP // supports SAML Single Logout and we should redirect user to the specified @@ -283,8 +322,9 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { } // When we don't have state and hence request id we assume that SAMLResponse came from the IdP initiated login. + const isIdPInitiatedLogin = !stateRequestId; this.logger.debug( - stateRequestId + !isIdPInitiatedLogin ? 'Login has been previously initiated by Kibana.' : 'Login has been initiated by Identity Provider.' ); @@ -298,7 +338,7 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { refresh_token: refreshToken, } = await this.options.client.callAsInternalUser('shield.samlAuthenticate', { body: { - ids: stateRequestId ? [stateRequestId] : [], + ids: !isIdPInitiatedLogin ? [stateRequestId] : [], content: samlResponse, realm: this.realm, }, @@ -307,11 +347,17 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { this.logger.debug('Login has been performed with SAML response.'); return AuthenticationResult.redirectTo( stateRedirectURL || `${this.options.basePath.get(request)}/`, - { state: { username, accessToken, refreshToken } } + { state: { username, accessToken, refreshToken, realm: this.realm } } ); } catch (err) { this.logger.debug(`Failed to log in with SAML response: ${err.message}`); - return AuthenticationResult.failed(err); + + // Since we don't know upfront what realm is targeted by the Identity Provider initiated login + // there is a chance that it failed because of realm mismatch and hence we should return + // `notHandled` and give other SAML providers a chance to properly handle it instead. + return isIdPInitiatedLogin + ? AuthenticationResult.notHandled() + : AuthenticationResult.failed(err); } } @@ -336,7 +382,7 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { // First let's try to authenticate via SAML Response payload. const payloadAuthenticationResult = await this.loginWithSAMLResponse(request, samlResponse); - if (payloadAuthenticationResult.failed()) { + if (payloadAuthenticationResult.failed() || payloadAuthenticationResult.notHandled()) { return payloadAuthenticationResult; } @@ -451,7 +497,7 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { this.logger.debug('Request has been authenticated via refreshed token.'); return AuthenticationResult.succeeded(user, { authHeaders, - state: { username, ...refreshedTokenPair }, + state: { username, realm: this.realm, ...refreshedTokenPair }, }); } catch (err) { this.logger.debug( @@ -488,7 +534,9 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { this.logger.debug('Redirecting to Identity Provider with SAML request.'); // Store request id in the state so that we can reuse it once we receive `SAMLResponse`. - return AuthenticationResult.redirectTo(redirect, { state: { requestId, redirectURL } }); + return AuthenticationResult.redirectTo(redirect, { + state: { requestId, redirectURL, realm: this.realm }, + }); } catch (err) { this.logger.debug(`Failed to initiate SAML handshake: ${err.message}`); return AuthenticationResult.failed(err); @@ -541,11 +589,13 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { * Redirects user to the client-side page that will grab URL fragment and redirect user back to Kibana * to initiate SAML handshake. * @param request Request instance. + * @param [redirectURL] Optional URL user is supposed to be redirected to after successful login. + * If not provided the URL of the specified request is used. */ - private captureRedirectURL(request: KibanaRequest) { - const basePath = this.options.basePath.get(request); - const redirectURL = `${basePath}${request.url.path}`; - + private captureRedirectURL( + request: KibanaRequest, + redirectURL = `${this.options.basePath.get(request)}${request.url.path}` + ) { // If the size of the path already exceeds the maximum allowed size of the URL to store in the // session there is no reason to try to capture URL fragment and we start handshake immediately. // In this case user will be redirected to the Kibana home/root after successful login. @@ -558,8 +608,8 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { } return AuthenticationResult.redirectTo( - `${this.options.basePath.serverBasePath}/api/security/saml/capture-url-fragment`, - { state: { redirectURL } } + `${this.options.basePath.serverBasePath}/internal/security/saml/capture-url-fragment`, + { state: { redirectURL, realm: this.realm } } ); } } diff --git a/x-pack/plugins/security/server/authentication/providers/token.ts b/x-pack/plugins/security/server/authentication/providers/token.ts index fffac254ed30a..920ac5b69ebb5 100644 --- a/x-pack/plugins/security/server/authentication/providers/token.ts +++ b/x-pack/plugins/security/server/authentication/providers/token.ts @@ -116,16 +116,17 @@ export class TokenAuthenticationProvider extends BaseAuthenticationProvider { public async logout(request: KibanaRequest, state?: ProviderState | null) { this.logger.debug(`Trying to log user out via ${request.url.path}.`); - if (state) { - this.logger.debug('Token-based logout has been initiated by the user.'); - try { - await this.options.tokens.invalidate(state); - } catch (err) { - this.logger.debug(`Failed invalidating user's access token: ${err.message}`); - return DeauthenticationResult.failed(err); - } - } else { + if (!state) { this.logger.debug('There are no access and refresh tokens to invalidate.'); + return DeauthenticationResult.notHandled(); + } + + this.logger.debug('Token-based logout has been initiated by the user.'); + try { + await this.options.tokens.invalidate(state); + } catch (err) { + this.logger.debug(`Failed invalidating user's access token: ${err.message}`); + return DeauthenticationResult.failed(err); } const queryString = request.url.search || `?msg=LOGGED_OUT`; diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts index 2345249e94bc8..f8cedbe92a14a 100644 --- a/x-pack/plugins/security/server/config.ts +++ b/x-pack/plugins/security/server/config.ts @@ -7,22 +7,94 @@ import crypto from 'crypto'; import { Observable } from 'rxjs'; import { map } from 'rxjs/operators'; -import { schema, Type, TypeOf } from '@kbn/config-schema'; +import { schema, TypeOf } from '@kbn/config-schema'; import { PluginInitializerContext } from '../../../../src/core/server'; export type ConfigType = ReturnType extends Observable ? P : ReturnType; -const providerOptionsSchema = (providerType: string, optionsSchema: Type) => - schema.conditional( - schema.siblingRef('providers'), - schema.arrayOf(schema.string(), { - validate: providers => (!providers.includes(providerType) ? 'error' : undefined), - }), - optionsSchema, - schema.never() +function getCommonProviderSchemaProperties(providerType: string) { + return { + enabled: schema.boolean({ defaultValue: true }), + order: schema.number({ min: 0 }), + description: schema.string({ defaultValue: providerType }), + }; +} + +function getUniqueProviderSchema(providerType: string) { + return schema.maybe( + schema.recordOf( + schema.string(), + schema.object(getCommonProviderSchemaProperties(providerType)), + { + validate(config) { + if (Object.values(config).filter(provider => provider.enabled).length > 1) { + return `Only one "${providerType}" provider can be configured.`; + } + }, + } + ) ); +} + +const providersConfigSchema = schema.object( + { + basic: getUniqueProviderSchema('basic'), + token: getUniqueProviderSchema('token'), + kerberos: getUniqueProviderSchema('kerberos'), + pki: getUniqueProviderSchema('pki'), + saml: schema.maybe( + schema.recordOf( + schema.string(), + schema.object({ + ...getCommonProviderSchemaProperties('saml'), + realm: schema.string(), + maxRedirectURLSize: schema.byteSize({ defaultValue: '2kb' }), + }) + ) + ), + oidc: schema.maybe( + schema.recordOf( + schema.string(), + schema.object({ ...getCommonProviderSchemaProperties('oidc'), realm: schema.string() }) + ) + ), + }, + { + defaultValue: { + basic: { basic: { enabled: true, order: 0, description: 'basic' } }, + token: undefined, + saml: undefined, + oidc: undefined, + pki: undefined, + kerberos: undefined, + }, + validate(config) { + const checks = { sameOrder: new Map(), sameName: new Map() }; + for (const [providerType, providerGroup] of Object.entries(config)) { + for (const [providerName, { enabled, order }] of Object.entries(providerGroup ?? {})) { + if (!enabled) { + continue; + } + + const providerPath = `xpack.security.authc.providers.${providerType}.${providerName}`; + const providerWithSameOrderPath = checks.sameOrder.get(order); + if (providerWithSameOrderPath) { + return `Found multiple providers configured with the same order "${order}": [${providerWithSameOrderPath}, ${providerPath}]`; + } + checks.sameOrder.set(order, providerPath); + + const providerWithSameName = checks.sameName.get(providerName); + if (providerWithSameName) { + return `Found multiple providers configured with the same name "${providerName}": [${providerWithSameName}, ${providerPath}]`; + } + checks.sameName.set(providerName, providerPath); + } + } + }, + } +); export const ConfigSchema = schema.object({ enabled: schema.boolean({ defaultValue: true }), @@ -40,15 +112,8 @@ export const ConfigSchema = schema.object({ }), secureCookies: schema.boolean({ defaultValue: false }), authc: schema.object({ - providers: schema.arrayOf(schema.string(), { defaultValue: ['basic'], minSize: 1 }), - oidc: providerOptionsSchema('oidc', schema.object({ realm: schema.string() })), - saml: providerOptionsSchema( - 'saml', - schema.object({ - realm: schema.string(), - maxRedirectURLSize: schema.byteSize({ defaultValue: '2kb' }), - }) - ), + selector: schema.object({ enabled: schema.boolean({ defaultValue: false }) }), + providers: providersConfigSchema, http: schema.object({ enabled: schema.boolean({ defaultValue: true }), autoSchemesEnabled: schema.boolean({ defaultValue: true }), @@ -91,8 +156,29 @@ export function createConfig$(context: PluginInitializerContext, isTLSEnabled: b secureCookies = true; } + // Remove disabled providers and sort the rest. + const sortedProviders: Array<{ + type: keyof TypeOf; + name: string; + options: { order: number; description: string }; + }> = []; + for (const [type, providerGroup] of Object.entries(config.authc.providers)) { + for (const [name, { enabled, order, description }] of Object.entries(providerGroup ?? {})) { + if (!enabled) { + delete providerGroup![name]; + } else { + sortedProviders.push({ type: type as any, name, options: { order, description } }); + } + } + } + + sortedProviders.sort(({ options: { order: orderA } }, { options: { order: orderB } }) => + orderA < orderB ? -1 : orderA > orderB ? 1 : 0 + ); + return { ...config, + authc: { ...config.authc, sortedProviders: Object.freeze(sortedProviders) }, encryptionKey, secureCookies, }; diff --git a/x-pack/plugins/security/server/index.ts b/x-pack/plugins/security/server/index.ts index 0b17f0554fac8..0563f417428aa 100644 --- a/x-pack/plugins/security/server/index.ts +++ b/x-pack/plugins/security/server/index.ts @@ -23,6 +23,8 @@ export { CreateAPIKeyResult, InvalidateAPIKeyParams, InvalidateAPIKeyResult, + SAMLLogin, + OIDCLogin, } from './authentication'; export { SecurityPluginSetup }; export { AuthenticatedUser } from '../common/model'; @@ -32,11 +34,46 @@ export const config: PluginConfigDescriptor> = { deprecations: ({ rename, unused }) => [ rename('sessionTimeout', 'session.idleTimeout'), unused('authorization.legacyFallback.enabled'), + // Deprecation transformation for the old array-based format of `xpack.security.authc.providers`. (settings, fromPath, log) => { - const hasProvider = (provider: string) => - settings?.xpack?.security?.authc?.providers?.includes(provider) ?? false; + const authcConfig = settings?.xpack?.security?.authc; + if (!Array.isArray(authcConfig?.providers)) { + return settings; + } + + log( + 'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format.' + ); + + const providerTypes = new Set(authcConfig.providers as string[]); + authcConfig.providers = {}; + + let order = 0; + for (const providerType of providerTypes) { + const isProviderWithAdditionalConfig = providerType === 'saml' || providerType === 'oidc'; + authcConfig.providers[providerType] = { + [providerType]: isProviderWithAdditionalConfig + ? { enabled: true, order, ...authcConfig[providerType] } + : { enabled: true, order }, + }; + + if (isProviderWithAdditionalConfig) { + delete authcConfig[providerType]; + } + + order++; + } + + return settings; + }, + (settings, fromPath, log) => { + const hasProviderType = (providerType: string) => { + return Object.values( + settings?.xpack?.security?.authc?.providers?.[providerType] || {} + ).some(provider => (provider as { enabled: boolean | undefined })?.enabled !== false); + }; - if (hasProvider('basic') && hasProvider('token')) { + if (hasProviderType('basic') && hasProviderType('token')) { log( 'Enabling both `basic` and `token` authentication providers in `xpack.security.authc.providers` is deprecated. Login page will only use `token` provider.' ); diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index 13300ee55eba0..52483c3500aa3 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -11,7 +11,6 @@ import { CoreSetup, Logger, PluginInitializerContext, - RecursiveReadonly, } from '../../../../src/core/server'; import { deepFreeze } from '../../../../src/core/utils'; import { SpacesPluginSetup } from '../../spaces/server'; @@ -65,7 +64,6 @@ export interface SecurityPluginSetup { registerLegacyAPI: (legacyAPI: LegacyAPI) => void; registerPrivilegesWithCluster: () => void; license: SecurityLicense; - config: RecursiveReadonly<{ secureCookies: boolean }>; }; } @@ -183,11 +181,6 @@ export class Plugin { registerPrivilegesWithCluster: async () => await authz.registerPrivilegesWithCluster(), license, - - // We should stop exposing this config as soon as only new platform plugin consumes it. - // This is only currently required because we use legacy code to inject this as metadata - // for consumption by public code in the new platform. - config: { secureCookies: config.secureCookies }, }, }); } diff --git a/x-pack/plugins/security/server/routes/authentication/basic.test.ts b/x-pack/plugins/security/server/routes/authentication/basic.test.ts index cd3b871671551..6e5f99b5c0517 100644 --- a/x-pack/plugins/security/server/routes/authentication/basic.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/basic.test.ts @@ -29,7 +29,7 @@ describe('Basic authentication routes', () => { router = routeParamsMock.router; authc = routeParamsMock.authc; - authc.isProviderEnabled.mockImplementation(provider => provider === 'basic'); + authc.isProviderTypeEnabled.mockImplementation(provider => provider === 'basic'); mockContext = ({ licensing: { @@ -156,7 +156,7 @@ describe('Basic authentication routes', () => { it('prefers `token` authentication provider if it is enabled', async () => { authc.login.mockResolvedValue(AuthenticationResult.succeeded(mockAuthenticatedUser())); - authc.isProviderEnabled.mockImplementation( + authc.isProviderTypeEnabled.mockImplementation( provider => provider === 'token' || provider === 'basic' ); diff --git a/x-pack/plugins/security/server/routes/authentication/basic.ts b/x-pack/plugins/security/server/routes/authentication/basic.ts index db36e45fc07e8..ccc6a8df24d6e 100644 --- a/x-pack/plugins/security/server/routes/authentication/basic.ts +++ b/x-pack/plugins/security/server/routes/authentication/basic.ts @@ -26,9 +26,10 @@ export function defineBasicRoutes({ router, authc, config }: RouteDefinitionPara }, createLicensedRouteHandler(async (context, request, response) => { // We should prefer `token` over `basic` if possible. - const loginAttempt = authc.isProviderEnabled('token') - ? { provider: 'token', value: request.body } - : { provider: 'basic', value: request.body }; + const loginAttempt = { + provider: { type: authc.isProviderTypeEnabled('token') ? 'token' : 'basic' }, + value: request.body, + }; try { const authenticationResult = await authc.login(request, loginAttempt); diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts index c9856e9dff7f1..8c56e4aa079c5 100644 --- a/x-pack/plugins/security/server/routes/authentication/common.ts +++ b/x-pack/plugins/security/server/routes/authentication/common.ts @@ -5,9 +5,14 @@ */ import { schema } from '@kbn/config-schema'; -import { canRedirectRequest } from '../../authentication'; +import { canRedirectRequest, OIDCLogin, SAMLLogin } from '../../authentication'; import { wrapIntoCustomErrorResponse } from '../../errors'; import { createLicensedRouteHandler } from '../licensed_route_handler'; +import { + OIDCAuthenticationProvider, + SAMLAuthenticationProvider, +} from '../../authentication/providers'; +import { parseNext } from '../../../common/parse_next'; import { RouteDefinitionParams } from '..'; /** @@ -71,4 +76,53 @@ export function defineCommonRoutes({ router, authc, basePath, logger }: RouteDef }) ); } + + function getLoginAttemptForProviderType(providerType: string, next: string) { + if (providerType === SAMLAuthenticationProvider.type) { + return { type: SAMLLogin.LoginInitiatedByUser, redirectURL: next }; + } + + if (providerType === OIDCAuthenticationProvider.type) { + return { type: OIDCLogin.LoginInitiatedByUser, redirectURL: next }; + } + + return undefined; + } + + router.get( + { + path: '/internal/security/login/{providerType}/{providerName}', + validate: { + params: schema.object({ + providerType: schema.string(), + providerName: schema.string(), + }), + query: schema.object({ next: schema.maybe(schema.string()) }), + }, + options: { authRequired: false }, + }, + async (context, request, response) => { + const { providerType, providerName } = request.params; + logger.info(`Logging in in with provider "${providerName}" (${providerType})`); + + try { + const authenticationResult = await authc.login(request, { + provider: { name: providerName }, + value: getLoginAttemptForProviderType( + providerType, + parseNext(request.url?.href ?? '', basePath.serverBasePath) + ), + }); + + if (authenticationResult.redirected()) { + return response.redirected({ headers: { location: authenticationResult.redirectURL! } }); + } + + return response.unauthorized(); + } catch (err) { + logger.error(err); + return response.internalError(); + } + } + ); } diff --git a/x-pack/plugins/security/server/routes/authentication/index.ts b/x-pack/plugins/security/server/routes/authentication/index.ts index a774edfb4ab2c..f3082b089faf5 100644 --- a/x-pack/plugins/security/server/routes/authentication/index.ts +++ b/x-pack/plugins/security/server/routes/authentication/index.ts @@ -27,15 +27,15 @@ export function defineAuthenticationRoutes(params: RouteDefinitionParams) { defineSessionRoutes(params); defineCommonRoutes(params); - if (params.authc.isProviderEnabled('basic') || params.authc.isProviderEnabled('token')) { + if (params.authc.isProviderTypeEnabled('basic') || params.authc.isProviderTypeEnabled('token')) { defineBasicRoutes(params); } - if (params.authc.isProviderEnabled('saml')) { + if (params.authc.isProviderTypeEnabled('saml')) { defineSAMLRoutes(params); } - if (params.authc.isProviderEnabled('oidc')) { + if (params.authc.isProviderTypeEnabled('oidc')) { defineOIDCRoutes(params); } } diff --git a/x-pack/plugins/security/server/routes/authentication/oidc.ts b/x-pack/plugins/security/server/routes/authentication/oidc.ts index 232fdd26f7838..454fd28d76753 100644 --- a/x-pack/plugins/security/server/routes/authentication/oidc.ts +++ b/x-pack/plugins/security/server/routes/authentication/oidc.ts @@ -7,11 +7,14 @@ import { schema } from '@kbn/config-schema'; import { i18n } from '@kbn/i18n'; import { KibanaRequest, KibanaResponseFactory } from '../../../../../../src/core/server'; -import { OIDCAuthenticationFlow } from '../../authentication'; +import { OIDCLogin } from '../../authentication'; import { createCustomResourceResponse } from '.'; import { createLicensedRouteHandler } from '../licensed_route_handler'; import { wrapIntoCustomErrorResponse } from '../../errors'; -import { ProviderLoginAttempt } from '../../authentication/providers/oidc'; +import { + OIDCAuthenticationProvider, + ProviderLoginAttempt, +} from '../../authentication/providers/oidc'; import { RouteDefinitionParams } from '..'; /** @@ -118,7 +121,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route let loginAttempt: ProviderLoginAttempt | undefined; if (request.query.authenticationResponseURI) { loginAttempt = { - flow: OIDCAuthenticationFlow.Implicit, + type: OIDCLogin.LoginWithImplicitFlow, authenticationResponseURI: request.query.authenticationResponseURI, }; } else if (request.query.code || request.query.error) { @@ -133,7 +136,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route // failed) authentication from an OpenID Connect Provider during authorization code authentication flow. // See more details at https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth. loginAttempt = { - flow: OIDCAuthenticationFlow.AuthorizationCode, + type: OIDCLogin.LoginWithAuthorizationCodeFlow, // We pass the path only as we can't be sure of the full URL and Elasticsearch doesn't need it anyway. authenticationResponseURI: request.url.path!, }; @@ -145,7 +148,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route // An HTTP GET request with a query parameter named `iss` as part of a 3rd party initiated authentication. // See more details at https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin loginAttempt = { - flow: OIDCAuthenticationFlow.InitiatedBy3rdParty, + type: OIDCLogin.LoginInitiatedBy3rdParty, iss: request.query.iss, loginHint: request.query.login_hint, }; @@ -181,7 +184,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route { allowUnknowns: true } ), }, - options: { authRequired: false }, + options: { authRequired: false, xsrfRequired: false }, }, createLicensedRouteHandler(async (context, request, response) => { const serverBasePath = basePath.serverBasePath; @@ -193,7 +196,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route } return performOIDCLogin(request, response, { - flow: OIDCAuthenticationFlow.InitiatedBy3rdParty, + type: OIDCLogin.LoginInitiatedBy3rdParty, iss: request.body.iss, loginHint: request.body.login_hint, }); @@ -224,7 +227,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route }, createLicensedRouteHandler(async (context, request, response) => { return performOIDCLogin(request, response, { - flow: OIDCAuthenticationFlow.InitiatedBy3rdParty, + type: OIDCLogin.LoginInitiatedBy3rdParty, iss: request.query.iss, loginHint: request.query.login_hint, }); @@ -240,7 +243,7 @@ export function defineOIDCRoutes({ router, logger, authc, csp, basePath }: Route // We handle the fact that the user might get redirected to Kibana while already having a session // Return an error notifying the user they are already logged in. const authenticationResult = await authc.login(request, { - provider: 'oidc', + provider: { type: OIDCAuthenticationProvider.type }, value: loginAttempt, }); diff --git a/x-pack/plugins/security/server/routes/authentication/saml.test.ts b/x-pack/plugins/security/server/routes/authentication/saml.test.ts index b4434715a72ba..be3628c1a58ce 100644 --- a/x-pack/plugins/security/server/routes/authentication/saml.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/saml.test.ts @@ -5,7 +5,7 @@ */ import { Type } from '@kbn/config-schema'; -import { Authentication, AuthenticationResult, SAMLLoginStep } from '../../authentication'; +import { Authentication, AuthenticationResult, SAMLLogin } from '../../authentication'; import { defineSAMLRoutes } from './saml'; import { IRouter, RequestHandler, RouteConfig } from '../../../../../../src/core/server'; @@ -86,7 +86,7 @@ describe('SAML authentication routes', () => { expect(authc.login).toHaveBeenCalledWith(request, { provider: 'saml', value: { - step: SAMLLoginStep.SAMLResponseReceived, + type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response', }, }); @@ -165,7 +165,7 @@ describe('SAML authentication routes', () => { expect(authc.login).toHaveBeenCalledWith(request, { provider: 'saml', value: { - step: SAMLLoginStep.SAMLResponseReceived, + type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response', }, }); diff --git a/x-pack/plugins/security/server/routes/authentication/saml.ts b/x-pack/plugins/security/server/routes/authentication/saml.ts index 465ea61e12a4e..84f6411c92c48 100644 --- a/x-pack/plugins/security/server/routes/authentication/saml.ts +++ b/x-pack/plugins/security/server/routes/authentication/saml.ts @@ -5,7 +5,8 @@ */ import { schema } from '@kbn/config-schema'; -import { SAMLLoginStep } from '../../authentication'; +import { SAMLLogin } from '../../authentication'; +import { SAMLAuthenticationProvider } from '../../authentication/providers'; import { createCustomResourceResponse } from '.'; import { RouteDefinitionParams } from '..'; @@ -15,7 +16,7 @@ import { RouteDefinitionParams } from '..'; export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: RouteDefinitionParams) { router.get( { - path: '/api/security/saml/capture-url-fragment', + path: '/internal/security/saml/capture-url-fragment', validate: false, options: { authRequired: false }, }, @@ -27,7 +28,7 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route Kibana SAML Login - + `, 'text/html', csp.header @@ -38,7 +39,7 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route router.get( { - path: '/api/security/saml/capture-url-fragment.js', + path: '/internal/security/saml/capture-url-fragment.js', validate: false, options: { authRequired: false }, }, @@ -47,7 +48,7 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route createCustomResourceResponse( ` window.location.replace( - '${basePath.serverBasePath}/api/security/saml/start?redirectURLFragment=' + encodeURIComponent(window.location.hash) + '${basePath.serverBasePath}/internal/security/saml/start?redirectURLFragment=' + encodeURIComponent(window.location.hash) ); `, 'text/javascript', @@ -59,7 +60,7 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route router.get( { - path: '/api/security/saml/start', + path: '/internal/security/saml/start', validate: { query: schema.object({ redirectURLFragment: schema.string() }), }, @@ -68,9 +69,9 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route async (context, request, response) => { try { const authenticationResult = await authc.login(request, { - provider: 'saml', + provider: { type: SAMLAuthenticationProvider.type }, value: { - step: SAMLLoginStep.RedirectURLFragmentCaptured, + type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, redirectURLFragment: request.query.redirectURLFragment, }, }); @@ -97,17 +98,14 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route RelayState: schema.maybe(schema.string()), }), }, - options: { authRequired: false }, + options: { authRequired: false, xsrfRequired: false }, }, async (context, request, response) => { try { - // When authenticating using SAML we _expect_ to redirect to the SAML Identity provider. + // When authenticating using SAML we _expect_ to redirect to the Kibana target location. const authenticationResult = await authc.login(request, { - provider: 'saml', - value: { - step: SAMLLoginStep.SAMLResponseReceived, - samlResponse: request.body.SAMLResponse, - }, + provider: { type: SAMLAuthenticationProvider.type }, + value: { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: request.body.SAMLResponse }, }); if (authenticationResult.redirected()) { diff --git a/x-pack/plugins/security/server/routes/users/change_password.ts b/x-pack/plugins/security/server/routes/users/change_password.ts index fc3ca4573d500..e3a85e0c21967 100644 --- a/x-pack/plugins/security/server/routes/users/change_password.ts +++ b/x-pack/plugins/security/server/routes/users/change_password.ts @@ -73,7 +73,7 @@ export function defineChangeUserPasswordRoutes({ if (isUserChangingOwnPassword && currentSession) { try { const authenticationResult = await authc.login(request, { - provider: currentUser!.authentication_provider, + provider: { name: currentUser!.authentication_provider }, value: { username, password: newPassword }, }); diff --git a/x-pack/plugins/security/server/routes/views/index.test.ts b/x-pack/plugins/security/server/routes/views/index.test.ts index 63e8a518c6198..0e1d33f444e1c 100644 --- a/x-pack/plugins/security/server/routes/views/index.test.ts +++ b/x-pack/plugins/security/server/routes/views/index.test.ts @@ -11,7 +11,7 @@ import { routeDefinitionParamsMock } from '../index.mock'; describe('View routes', () => { it('does not register Login routes if both `basic` and `token` providers are disabled', () => { const routeParamsMock = routeDefinitionParamsMock.create(); - routeParamsMock.authc.isProviderEnabled.mockImplementation( + routeParamsMock.authc.isProviderTypeEnabled.mockImplementation( provider => provider !== 'basic' && provider !== 'token' ); @@ -29,7 +29,7 @@ describe('View routes', () => { it('registers Login routes if `basic` provider is enabled', () => { const routeParamsMock = routeDefinitionParamsMock.create(); - routeParamsMock.authc.isProviderEnabled.mockImplementation(provider => provider !== 'token'); + routeParamsMock.authc.isProviderTypeEnabled.mockImplementation(provider => provider !== 'token'); defineViewRoutes(routeParamsMock); @@ -47,7 +47,7 @@ describe('View routes', () => { it('registers Login routes if `token` provider is enabled', () => { const routeParamsMock = routeDefinitionParamsMock.create(); - routeParamsMock.authc.isProviderEnabled.mockImplementation(provider => provider !== 'basic'); + routeParamsMock.authc.isProviderTypeEnabled.mockImplementation(provider => provider !== 'basic'); defineViewRoutes(routeParamsMock); diff --git a/x-pack/plugins/security/server/routes/views/index.ts b/x-pack/plugins/security/server/routes/views/index.ts index 91e57aed44ab6..255989dfeb90c 100644 --- a/x-pack/plugins/security/server/routes/views/index.ts +++ b/x-pack/plugins/security/server/routes/views/index.ts @@ -12,7 +12,11 @@ import { defineOverwrittenSessionRoutes } from './overwritten_session'; import { RouteDefinitionParams } from '..'; export function defineViewRoutes(params: RouteDefinitionParams) { - if (params.authc.isProviderEnabled('basic') || params.authc.isProviderEnabled('token')) { + if ( + params.config.authc.selector.enabled || + params.authc.isProviderTypeEnabled('basic') || + params.authc.isProviderTypeEnabled('token') + ) { defineLoginRoutes(params); } diff --git a/x-pack/plugins/security/server/routes/views/login.ts b/x-pack/plugins/security/server/routes/views/login.ts index e2e162d298e45..806256504b6b3 100644 --- a/x-pack/plugins/security/server/routes/views/login.ts +++ b/x-pack/plugins/security/server/routes/views/login.ts @@ -6,15 +6,16 @@ import { schema } from '@kbn/config-schema'; import { parseNext } from '../../../common/parse_next'; +import { LoginState } from '../../../common/login_state'; import { RouteDefinitionParams } from '..'; /** * Defines routes required for the Login view. */ export function defineLoginRoutes({ + config, router, logger, - authc, csp, basePath, license, @@ -31,7 +32,7 @@ export function defineLoginRoutes({ { allowUnknowns: true } ), }, - options: { authRequired: false }, + options: { authRequired: 'optional' }, }, async (context, request, response) => { // Default to true if license isn't available or it can't be resolved for some reason. @@ -39,7 +40,7 @@ export function defineLoginRoutes({ // Authentication flow isn't triggered automatically for this route, so we should explicitly // check whether user has an active session already. - const isUserAlreadyLoggedIn = (await authc.getSessionInfo(request)) !== null; + const isUserAlreadyLoggedIn = request.auth.isAuthenticated; if (isUserAlreadyLoggedIn || !shouldShowLogin) { logger.debug('User is already authenticated, redirecting...'); return response.redirected({ @@ -57,8 +58,22 @@ export function defineLoginRoutes({ router.get( { path: '/internal/security/login_state', validate: false, options: { authRequired: false } }, async (context, request, response) => { - const { showLogin, allowLogin, layout = 'form' } = license.getFeatures(); - return response.ok({ body: { showLogin, allowLogin, layout } }); + const { allowLogin, layout = 'form' } = license.getFeatures(); + const { sortedProviders, selector } = config.authc; + const loginState: LoginState = { + allowLogin, + layout, + requiresSecureConnection: config.secureCookies, + showLoginForm: sortedProviders.some(({ type }) => type === 'basic' || type === 'token'), + selector: { + enabled: selector.enabled, + providers: selector.enabled + ? sortedProviders.filter(({ type }) => type !== 'basic' && type !== 'token') + : [], + }, + }; + + return response.ok({ body: loginState }); } ); } diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts index e49d95f2ec6c2..8a3f3d7a1c8a5 100644 --- a/x-pack/test/saml_api_integration/apis/security/saml_login.ts +++ b/x-pack/test/saml_api_integration/apis/security/saml_login.ts @@ -108,11 +108,15 @@ export default function({ getService }: FtrProviderContext) { expect(handshakeCookie.path).to.be('/'); expect(handshakeCookie.httpOnly).to.be(true); - expect(handshakeResponse.headers.location).to.be('/api/security/saml/capture-url-fragment'); + expect(handshakeResponse.headers.location).to.be( + '/internal/security/saml/capture-url-fragment' + ); }); it('should return an HTML page that will extract URL fragment', async () => { - const response = await supertest.get('/api/security/saml/capture-url-fragment').expect(200); + const response = await supertest + .get('/internal/security/saml/capture-url-fragment') + .expect(200); const kibanaBaseURL = url.format({ ...config.get('servers.kibana'), auth: false }); const dom = new JSDOM(response.text, { @@ -127,7 +131,7 @@ export default function({ getService }: FtrProviderContext) { Object.defineProperty(window, 'location', { value: { hash: '#/workpad', - href: `${kibanaBaseURL}/api/security/saml/capture-url-fragment#/workpad`, + href: `${kibanaBaseURL}/internal/security/saml/capture-url-fragment#/workpad`, replace(newLocation: string) { this.href = newLocation; resolve(); @@ -149,13 +153,13 @@ export default function({ getService }: FtrProviderContext) { // Check that script that forwards URL fragment worked correctly. expect(dom.window.location.href).to.be( - '/api/security/saml/start?redirectURLFragment=%23%2Fworkpad' + '/internal/security/saml/start?redirectURLFragment=%23%2Fworkpad' ); }); }); describe('initiating handshake', () => { - const initiateHandshakeURL = `/api/security/saml/start?redirectURLFragment=%23%2Fworkpad`; + const initiateHandshakeURL = `/internal/security/saml/start?redirectURLFragment=%23%2Fworkpad`; let captureURLCookie: Cookie; beforeEach(async () => { @@ -222,7 +226,7 @@ export default function({ getService }: FtrProviderContext) { const captureURLCookie = request.cookie(captureURLResponse.headers['set-cookie'][0])!; const handshakeResponse = await supertest - .get(`/api/security/saml/start?redirectURLFragment=%23%2Fworkpad`) + .get(`/internal/security/saml/start?redirectURLFragment=%23%2Fworkpad`) .set('Cookie', captureURLCookie.cookieString()) .expect(302); @@ -360,7 +364,9 @@ export default function({ getService }: FtrProviderContext) { const captureURLCookie = request.cookie(captureURLResponse.headers['set-cookie'][0])!; const handshakeResponse = await supertest - .get(`/api/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}`) + .get( + `/internal/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}` + ) .set('Cookie', captureURLCookie.cookieString()) .expect(302); @@ -515,7 +521,9 @@ export default function({ getService }: FtrProviderContext) { const captureURLCookie = request.cookie(captureURLResponse.headers['set-cookie'][0])!; const handshakeResponse = await supertest - .get(`/api/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}`) + .get( + `/internal/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}` + ) .set('Cookie', captureURLCookie.cookieString()) .expect(302); @@ -603,7 +611,9 @@ export default function({ getService }: FtrProviderContext) { const captureURLCookie = request.cookie(captureURLResponse.headers['set-cookie'][0])!; const handshakeResponse = await supertest - .get(`/api/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}`) + .get( + `/internal/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}` + ) .set('Cookie', captureURLCookie.cookieString()) .expect(302); @@ -647,7 +657,9 @@ export default function({ getService }: FtrProviderContext) { expect(handshakeCookie.path).to.be('/'); expect(handshakeCookie.httpOnly).to.be(true); - expect(handshakeResponse.headers.location).to.be('/api/security/saml/capture-url-fragment'); + expect(handshakeResponse.headers.location).to.be( + '/internal/security/saml/capture-url-fragment' + ); }); }); @@ -662,7 +674,9 @@ export default function({ getService }: FtrProviderContext) { const captureURLCookie = request.cookie(captureURLResponse.headers['set-cookie'][0])!; const handshakeResponse = await supertest - .get(`/api/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}`) + .get( + `/internal/security/saml/start?redirectURLFragment=${encodeURIComponent('#workpad')}` + ) .set('Cookie', captureURLCookie.cookieString()) .expect(302); @@ -798,12 +812,12 @@ export default function({ getService }: FtrProviderContext) { const captureURLCookie = request.cookie(captureURLResponse.headers['set-cookie'][0])!; expect(captureURLResponse.headers.location).to.be( - '/api/security/saml/capture-url-fragment' + '/internal/security/saml/capture-url-fragment' ); // 2. Initiate SAML handshake. const handshakeResponse = await supertest - .get(`/api/security/saml/start?redirectURLFragment=%23%2F${'workpad'.repeat(10)}`) + .get(`/internal/security/saml/start?redirectURLFragment=%23%2F${'workpad'.repeat(10)}`) .set('Cookie', captureURLCookie.cookieString()) .expect(302); From d6d4c2d8de4e645bed34f3508455dd61d11422e0 Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Wed, 18 Mar 2020 14:49:26 +0100 Subject: [PATCH 02/11] Review#1: introduce `showInSelector` config value, properly handle default value of `selector.enabled`, improve redirect URL handling. --- x-pack/plugins/security/common/login_state.ts | 6 +- .../common/model/authenticated_user.mock.ts | 2 +- .../security/common/parse_next.test.ts | 17 ++ x-pack/plugins/security/common/parse_next.ts | 2 +- .../__snapshots__/login_page.test.tsx.snap | 98 +++++++ .../authentication/login/login_app.test.ts | 6 +- .../public/authentication/login/login_app.ts | 1 + .../authentication/login/login_page.test.tsx | 116 +++++++- .../authentication/login/login_page.tsx | 52 +++- .../authentication/authenticator.test.ts | 146 ++++++---- .../server/authentication/authenticator.ts | 2 +- .../server/authentication/index.mock.ts | 2 +- .../server/authentication/index.test.ts | 28 +- .../authentication/providers/base.mock.ts | 3 +- .../authentication/providers/basic.test.ts | 19 +- .../server/authentication/providers/basic.ts | 12 +- .../authentication/providers/http.test.ts | 2 +- .../authentication/providers/kerberos.test.ts | 2 +- .../authentication/providers/kerberos.ts | 20 +- .../authentication/providers/oidc.test.ts | 84 ++++-- .../server/authentication/providers/oidc.ts | 44 +-- .../authentication/providers/pki.test.ts | 2 +- .../server/authentication/providers/pki.ts | 22 +- .../authentication/providers/saml.test.ts | 127 ++++++--- .../server/authentication/providers/saml.ts | 101 +++---- .../authentication/providers/token.test.ts | 45 ++- .../server/authentication/providers/token.ts | 14 +- x-pack/plugins/security/server/config.test.ts | 101 ++++--- x-pack/plugins/security/server/config.ts | 256 ++++++++++++------ x-pack/plugins/security/server/index.ts | 43 +-- x-pack/plugins/security/server/plugin.test.ts | 6 +- x-pack/plugins/security/server/plugin.ts | 13 +- .../routes/authentication/basic.test.ts | 10 +- .../server/routes/authentication/common.ts | 47 ++-- .../server/routes/authentication/saml.test.ts | 6 +- .../server/routes/authentication/saml.ts | 2 +- .../security/server/routes/index.mock.ts | 8 +- .../routes/users/change_password.test.ts | 6 +- .../server/routes/views/index.test.ts | 28 +- .../server/routes/views/login.test.ts | 57 ++-- .../security/server/routes/views/login.ts | 10 +- .../apis/security/saml_login.ts | 3 +- 42 files changed, 1083 insertions(+), 488 deletions(-) diff --git a/x-pack/plugins/security/common/login_state.ts b/x-pack/plugins/security/common/login_state.ts index 9eba6acf2b46f..ad65d36a6c441 100644 --- a/x-pack/plugins/security/common/login_state.ts +++ b/x-pack/plugins/security/common/login_state.ts @@ -8,7 +8,11 @@ import { LoginLayout } from './licensing'; interface LoginSelector { enabled: boolean; - providers: Array<{ type: string; name: string; options: { description: string; order: number } }>; + providers: Array<{ + type: string; + name: string; + options: { description?: string; order: number }; + }>; } export interface LoginState { diff --git a/x-pack/plugins/security/common/model/authenticated_user.mock.ts b/x-pack/plugins/security/common/model/authenticated_user.mock.ts index 220b284e76591..f8b0d27efcbf4 100644 --- a/x-pack/plugins/security/common/model/authenticated_user.mock.ts +++ b/x-pack/plugins/security/common/model/authenticated_user.mock.ts @@ -15,7 +15,7 @@ export function mockAuthenticatedUser(user: Partial = {}) { enabled: true, authentication_realm: { name: 'native1', type: 'native' }, lookup_realm: { name: 'native1', type: 'native' }, - authentication_provider: 'basic', + authentication_provider: 'basic1', ...user, }; } diff --git a/x-pack/plugins/security/common/parse_next.test.ts b/x-pack/plugins/security/common/parse_next.test.ts index b5e6c7dca41d8..11a843d397ded 100644 --- a/x-pack/plugins/security/common/parse_next.test.ts +++ b/x-pack/plugins/security/common/parse_next.test.ts @@ -34,6 +34,15 @@ describe('parseNext', () => { expect(parseNext(href, basePath)).toEqual(`${next}#${hash}`); }); + it('should properly handle multiple next with hash', () => { + const basePath = '/iqf'; + const next1 = `${basePath}/app/kibana`; + const next2 = `${basePath}/app/ml`; + const hash = '/discover/New-Saved-Search'; + const href = `${basePath}/login?next=${next1}&next=${next2}#${hash}`; + expect(parseNext(href, basePath)).toEqual(`${next1}#${hash}`); + }); + it('should properly decode special characters', () => { const basePath = '/iqf'; const next = `${encodeURIComponent(basePath)}%2Fapp%2Fkibana`; @@ -118,6 +127,14 @@ describe('parseNext', () => { expect(parseNext(href)).toEqual(`${next}#${hash}`); }); + it('should properly handle multiple next with hash', () => { + const next1 = '/app/kibana'; + const next2 = '/app/ml'; + const hash = '/discover/New-Saved-Search'; + const href = `/login?next=${next1}&next=${next2}#${hash}`; + expect(parseNext(href)).toEqual(`${next1}#${hash}`); + }); + it('should properly decode special characters', () => { const next = '%2Fapp%2Fkibana'; const hash = '/discover/New-Saved-Search'; diff --git a/x-pack/plugins/security/common/parse_next.ts b/x-pack/plugins/security/common/parse_next.ts index 834acd783abbe..7cbe335825a5a 100644 --- a/x-pack/plugins/security/common/parse_next.ts +++ b/x-pack/plugins/security/common/parse_next.ts @@ -40,5 +40,5 @@ export function parseNext(href: string, basePath = '') { return `${basePath}/`; } - return query.next + (hash || ''); + return next + (hash || ''); } diff --git a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap index 30715be1db232..f8dfdadd64259 100644 --- a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap @@ -38,6 +38,25 @@ exports[`LoginPage disabled form states renders as expected when an unknown logi /> `; +exports[`LoginPage disabled form states renders as expected when login is not enabled 1`] = ` + + } + title={ + + } +/> +`; + exports[`LoginPage disabled form states renders as expected when secure connection is required but not present 1`] = ` `; +exports[`LoginPage login selector renders as expected with login form 1`] = ` + + + + Login w/SAML + + + Login w/PKI + + + ―――   + +   ――― + + + + + +`; + +exports[`LoginPage login selector renders as expected without login form 1`] = ` + + + + Login w/SAML + + + Login w/PKI + + + +`; + exports[`LoginPage page renders as expected 1`] = `
{ it('properly renders application', async () => { const coreSetupMock = coreMock.createSetup(); const coreStartMock = coreMock.createStart(); - coreStartMock.injectedMetadata.getInjectedVar.mockReturnValue(true); coreSetupMock.getStartServices.mockResolvedValue([coreStartMock, {}]); const containerMock = document.createElement('div'); @@ -55,16 +54,13 @@ describe('loginApp', () => { history: (scopedHistoryMock.create() as unknown) as ScopedHistory, }); - expect(coreStartMock.injectedMetadata.getInjectedVar).toHaveBeenCalledTimes(1); - expect(coreStartMock.injectedMetadata.getInjectedVar).toHaveBeenCalledWith('secureCookies'); - const mockRenderApp = jest.requireMock('./login_page').renderLoginPage; expect(mockRenderApp).toHaveBeenCalledTimes(1); expect(mockRenderApp).toHaveBeenCalledWith(coreStartMock.i18n, containerMock, { http: coreStartMock.http, + notifications: coreStartMock.notifications, fatalErrors: coreStartMock.fatalErrors, loginAssistanceMessage: 'some-message', - requiresSecureConnection: true, }); }); }); diff --git a/x-pack/plugins/security/public/authentication/login/login_app.ts b/x-pack/plugins/security/public/authentication/login/login_app.ts index f462cb0adf783..1642aba51c1ae 100644 --- a/x-pack/plugins/security/public/authentication/login/login_app.ts +++ b/x-pack/plugins/security/public/authentication/login/login_app.ts @@ -31,6 +31,7 @@ export const loginApp = Object.freeze({ ]); return renderLoginPage(coreStart.i18n, element, { http: coreStart.http, + notifications: coreStart.notifications, fatalErrors: coreStart.fatalErrors, loginAssistanceMessage: config.loginAssistanceMessage, }); diff --git a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx index 294434cd08ebc..e191bfa92f9bf 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx @@ -7,8 +7,9 @@ import React from 'react'; import { shallow } from 'enzyme'; import { act } from '@testing-library/react'; +import { EuiFlexGroup } from '@elastic/eui'; import { nextTick } from 'test_utils/enzyme_helpers'; -import { LoginState } from './login_state'; +import { LoginState } from '../../../common/login_state'; import { LoginPage } from './login_page'; import { coreMock } from '../../../../../../src/core/public/mocks'; import { DisabledLoginForm, BasicLoginForm } from './components'; @@ -17,6 +18,9 @@ const createLoginState = (options?: Partial) => { return { allowLogin: true, layout: 'form', + requiresSecureConnection: false, + showLoginForm: true, + selector: { enabled: false, providers: [] }, ...options, } as LoginState; }; @@ -55,9 +59,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -74,14 +78,14 @@ describe('LoginPage', () => { describe('disabled form states', () => { it('renders as expected when secure connection is required but not present', async () => { const coreStartMock = coreMock.createStart(); - httpMock.get.mockResolvedValue(createLoginState()); + httpMock.get.mockResolvedValue(createLoginState({ requiresSecureConnection: true })); const wrapper = shallow( ); @@ -100,9 +104,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -121,9 +125,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -144,9 +148,30 @@ describe('LoginPage', () => { const wrapper = shallow( + ); + + await act(async () => { + await nextTick(); + wrapper.update(); + }); + + expect(wrapper.find(DisabledLoginForm)).toMatchSnapshot(); + }); + + it('renders as expected when login is not enabled', async () => { + const coreStartMock = coreMock.createStart(); + httpMock.get.mockResolvedValue(createLoginState({ showLoginForm: false })); + + const wrapper = shallow( + ); @@ -167,9 +192,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -190,9 +215,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -212,9 +237,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -228,6 +253,73 @@ describe('LoginPage', () => { }); }); + describe('login selector', () => { + it('renders as expected with login form', async () => { + const coreStartMock = coreMock.createStart(); + httpMock.get.mockResolvedValue( + createLoginState({ + selector: { + enabled: true, + providers: [ + { type: 'saml', name: 'saml1', options: { description: 'Login w/SAML', order: 0 } }, + { type: 'pki', name: 'pki1', options: { description: 'Login w/PKI', order: 1 } }, + ], + }, + }) + ); + + const wrapper = shallow( + + ); + + await act(async () => { + await nextTick(); + wrapper.update(); + resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot + }); + + expect(wrapper.find(EuiFlexGroup)).toMatchSnapshot(); + }); + + it('renders as expected without login form', async () => { + const coreStartMock = coreMock.createStart(); + httpMock.get.mockResolvedValue( + createLoginState({ + showLoginForm: false, + selector: { + enabled: true, + providers: [ + { type: 'saml', name: 'saml1', options: { description: 'Login w/SAML', order: 0 } }, + { type: 'pki', name: 'pki1', options: { description: 'Login w/PKI', order: 1 } }, + ], + }, + }) + ); + + const wrapper = shallow( + + ); + + await act(async () => { + await nextTick(); + wrapper.update(); + resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot + }); + + expect(wrapper.find(EuiFlexGroup)).toMatchSnapshot(); + }); + }); + describe('API calls', () => { it('GET login_state success', async () => { const coreStartMock = coreMock.createStart(); @@ -236,9 +328,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); @@ -261,9 +353,9 @@ describe('LoginPage', () => { const wrapper = shallow( ); diff --git a/x-pack/plugins/security/public/authentication/login/login_page.tsx b/x-pack/plugins/security/public/authentication/login/login_page.tsx index 1cc10c5ef73de..04e951c96f08c 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.tsx @@ -9,15 +9,30 @@ import ReactDOM from 'react-dom'; import classNames from 'classnames'; import { BehaviorSubject } from 'rxjs'; import { parse } from 'url'; -import { EuiButton, EuiIcon, EuiSpacer, EuiText, EuiTitle } from '@elastic/eui'; +import { + EuiFlexGroup, + EuiFlexItem, + EuiButton, + EuiIcon, + EuiSpacer, + EuiText, + EuiTitle, +} from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import { CoreStart, FatalErrorsStart, HttpStart } from 'src/core/public'; +import { + CoreStart, + FatalErrorsStart, + HttpStart, + IHttpFetchError, + NotificationsStart, +} from 'src/core/public'; import { LoginState } from '../../../common/login_state'; import { BasicLoginForm, DisabledLoginForm } from './components'; interface Props { http: HttpStart; + notifications: NotificationsStart; fatalErrors: FatalErrorsStart; loginAssistanceMessage: string; } @@ -42,7 +57,7 @@ const infoMessageMap = new Map([ ]); export class LoginPage extends Component { - state = { loginState: null }; + state = { loginState: null } as State; public async componentDidMount() { const loadingCount$ = new BehaviorSubject(1); @@ -106,7 +121,9 @@ export class LoginPage extends Component {
- {this.getLoginForm({ ...loginState, isSecureConnection })} + + {this.getLoginForm({ ...loginState, isSecureConnection })} +
); @@ -225,7 +242,7 @@ export class LoginPage extends Component { fullWidth={true} onClick={() => this.login(provider.type, provider.name)} > - {provider.options.description} + {provider.options.description ?? `${provider.type}/${provider.name}`} )); @@ -257,17 +274,22 @@ export class LoginPage extends Component { ); }; - private login = (providerType: string, providerName: string) => { - const query = parse(window.location.href, true).query; - const next = - Array.isArray(query.next) && query.next.length > 0 ? query.next[0] : (query.next as string); - const queryString = next ? `?next=${encodeURIComponent(next)}${window.location.hash}` : ''; + private login = async (providerType: string, providerName: string) => { + try { + const { location } = await this.props.http.post<{ location: string }>( + `${this.props.http.basePath.serverBasePath}/internal/security/login_with`, + { body: JSON.stringify({ providerType, providerName, currentURL: window.location.href }) } + ); - window.location.href = `${ - this.props.http.basePath.serverBasePath - }/internal/security/login/${encodeURIComponent(providerType)}/${encodeURIComponent( - providerName - )}${queryString}`; + window.location.href = location; + } catch (err) { + this.props.notifications.toasts.addDanger( + i18n.translate('xpack.security.loginPage.loginSelectorErrorMessage', { + defaultMessage: 'Could not perform login: {message}. Contact your system administrator.', + values: { message: (err as IHttpFetchError).message }, + }) + ); + } }; } diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts index 577bb1c849d9d..03483e66da79d 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.test.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts @@ -20,6 +20,7 @@ import { sessionStorageMock, } from '../../../../../src/core/server/mocks'; import { mockAuthenticatedUser } from '../../common/model/authenticated_user.mock'; +import { ConfigSchema, createConfig } from '../config'; import { AuthenticationResult } from './authentication_result'; import { Authenticator, AuthenticatorOptions, ProviderSession } from './authenticator'; import { DeauthenticationResult } from './deauthentication_result'; @@ -31,22 +32,18 @@ function getMockOptions({ http = {}, }: { session?: AuthenticatorOptions['config']['session']; - providers?: string[]; + providers?: Record; http?: Partial; } = {}) { return { clusterClient: elasticsearchServiceMock.createClusterClient(), basePath: httpServiceMock.createSetupContract().basePath, loggers: loggingServiceMock.create(), - config: { - session: { idleTimeout: null, lifespan: null, ...(session || {}) }, - authc: { - providers: providers || [], - oidc: {}, - saml: {}, - http: { enabled: true, autoSchemesEnabled: true, schemes: ['apikey'], ...http }, - }, - }, + config: createConfig( + ConfigSchema.validate({ session, authc: { providers, http } }), + loggingServiceMock.create().get(), + { isTLSEnabled: false } + ), sessionStorageFactory: sessionStorageMock.createFactory(), }; } @@ -57,31 +54,35 @@ describe('Authenticator', () => { mockBasicAuthenticationProvider = { login: jest.fn(), authenticate: jest.fn(), - logout: jest.fn(), + logout: jest.fn().mockResolvedValue(DeauthenticationResult.notHandled()), getHTTPAuthenticationScheme: jest.fn(), }; jest.requireMock('./providers/http').HTTPAuthenticationProvider.mockImplementation(() => ({ + type: 'http', authenticate: jest.fn().mockResolvedValue(AuthenticationResult.notHandled()), + logout: jest.fn().mockResolvedValue(DeauthenticationResult.notHandled()), })); - jest - .requireMock('./providers/basic') - .BasicAuthenticationProvider.mockImplementation(() => mockBasicAuthenticationProvider); + jest.requireMock('./providers/basic').BasicAuthenticationProvider.mockImplementation(() => ({ + type: 'basic', + ...mockBasicAuthenticationProvider, + })); + + jest.requireMock('./providers/saml').SAMLAuthenticationProvider.mockImplementation(() => ({ + type: 'saml', + getHTTPAuthenticationScheme: jest.fn(), + })); }); afterEach(() => jest.clearAllMocks()); describe('initialization', () => { it('fails if authentication providers are not configured.', () => { - expect(() => new Authenticator(getMockOptions())).toThrowError( - 'No authentication provider is configured. Verify `xpack.security.authc.providers` config value.' - ); - }); - - it('fails if configured authentication provider is not known.', () => { - expect(() => new Authenticator(getMockOptions({ providers: ['super-basic'] }))).toThrowError( - 'Unsupported authentication provider name: super-basic.' + expect( + () => new Authenticator(getMockOptions({ providers: {}, http: { enabled: false } })) + ).toThrowError( + 'No authentication provider is configured. Verify `xpack.security.authc.*` config value.' ); }); @@ -90,6 +91,7 @@ describe('Authenticator', () => { jest .requireMock('./providers/basic') .BasicAuthenticationProvider.mockImplementation(() => ({ + type: 'basic', getHTTPAuthenticationScheme: jest.fn().mockReturnValue('basic'), })); }); @@ -97,7 +99,7 @@ describe('Authenticator', () => { afterEach(() => jest.resetAllMocks()); it('enabled by default', () => { - const authenticator = new Authenticator(getMockOptions({ providers: ['basic'] })); + const authenticator = new Authenticator(getMockOptions()); expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); expect(authenticator.isProviderTypeEnabled('http')).toBe(true); @@ -110,7 +112,9 @@ describe('Authenticator', () => { it('includes all required schemes if `autoSchemesEnabled` is enabled', () => { const authenticator = new Authenticator( - getMockOptions({ providers: ['basic', 'kerberos'] }) + getMockOptions({ + providers: { basic: { basic1: { order: 0 } }, kerberos: { kerberos1: { order: 1 } } }, + }) ); expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); expect(authenticator.isProviderTypeEnabled('kerberos')).toBe(true); @@ -125,7 +129,10 @@ describe('Authenticator', () => { it('does not include additional schemes if `autoSchemesEnabled` is disabled', () => { const authenticator = new Authenticator( - getMockOptions({ providers: ['basic', 'kerberos'], http: { autoSchemesEnabled: false } }) + getMockOptions({ + providers: { basic: { basic1: { order: 0 } }, kerberos: { kerberos1: { order: 1 } } }, + http: { autoSchemesEnabled: false }, + }) ); expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); expect(authenticator.isProviderTypeEnabled('kerberos')).toBe(true); @@ -138,7 +145,10 @@ describe('Authenticator', () => { it('disabled if explicitly disabled', () => { const authenticator = new Authenticator( - getMockOptions({ providers: ['basic'], http: { enabled: false } }) + getMockOptions({ + providers: { basic: { basic1: { order: 0 } } }, + http: { enabled: false }, + }) ); expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); expect(authenticator.isProviderTypeEnabled('http')).toBe(false); @@ -156,14 +166,14 @@ describe('Authenticator', () => { let mockSessionStorage: jest.Mocked>; let mockSessVal: any; beforeEach(() => { - mockOptions = getMockOptions({ providers: ['basic'] }); + mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); mockSessionStorage = sessionStorageMock.create(); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); mockSessVal = { idleTimeoutExpiration: null, lifespanExpiration: null, state: { authorization: 'Basic xxx' }, - provider: 'basic', + provider: { type: 'basic', name: 'basic1' }, path: mockOptions.basePath.serverBasePath, }; @@ -180,13 +190,13 @@ describe('Authenticator', () => { await expect( authenticator.login(httpServerMock.createKibanaRequest(), undefined as any) ).rejects.toThrowError( - 'Login attempt should be an object with non-empty "provider" property.' + 'Login attempt should be an object with non-empty "provider.type" or "provider.name" property.' ); await expect( authenticator.login(httpServerMock.createKibanaRequest(), {} as any) ).rejects.toThrowError( - 'Login attempt should be an object with non-empty "provider" property.' + 'Login attempt should be an object with non-empty "provider.type" or "provider.name" property.' ); }); @@ -198,9 +208,9 @@ describe('Authenticator', () => { AuthenticationResult.failed(failureReason) ); - await expect(authenticator.login(request, { provider: 'basic', value: {} })).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); + await expect( + authenticator.login(request, { provider: { type: 'basic' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.failed(failureReason)); }); it('returns user that authentication provider returns.', async () => { @@ -211,7 +221,9 @@ describe('Authenticator', () => { AuthenticationResult.succeeded(user, { authHeaders: { authorization: 'Basic .....' } }) ); - await expect(authenticator.login(request, { provider: 'basic', value: {} })).resolves.toEqual( + await expect( + authenticator.login(request, { provider: { type: 'basic' }, value: {} }) + ).resolves.toEqual( AuthenticationResult.succeeded(user, { authHeaders: { authorization: 'Basic .....' } }) ); }); @@ -225,9 +237,9 @@ describe('Authenticator', () => { AuthenticationResult.succeeded(user, { state: { authorization } }) ); - await expect(authenticator.login(request, { provider: 'basic', value: {} })).resolves.toEqual( - AuthenticationResult.succeeded(user, { state: { authorization } }) - ); + await expect( + authenticator.login(request, { provider: { type: 'basic' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.succeeded(user, { state: { authorization } })); expect(mockSessionStorage.set).toHaveBeenCalledTimes(1); expect(mockSessionStorage.set).toHaveBeenCalledWith({ @@ -238,9 +250,9 @@ describe('Authenticator', () => { it('returns `notHandled` if login attempt is targeted to not configured provider.', async () => { const request = httpServerMock.createKibanaRequest(); - await expect(authenticator.login(request, { provider: 'token', value: {} })).resolves.toEqual( - AuthenticationResult.notHandled() - ); + await expect( + authenticator.login(request, { provider: { type: 'token' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.notHandled()); }); it('clears session if it belongs to a different provider.', async () => { @@ -252,7 +264,7 @@ describe('Authenticator', () => { mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' }); await expect( - authenticator.login(request, { provider: 'basic', value: credentials }) + authenticator.login(request, { provider: { type: 'basic' }, value: credentials }) ).resolves.toEqual(AuthenticationResult.succeeded(user)); expect(mockBasicAuthenticationProvider.login).toHaveBeenCalledWith( @@ -273,9 +285,9 @@ describe('Authenticator', () => { AuthenticationResult.succeeded(user, { state: null }) ); - await expect(authenticator.login(request, { provider: 'basic', value: {} })).resolves.toEqual( - AuthenticationResult.succeeded(user, { state: null }) - ); + await expect( + authenticator.login(request, { provider: { type: 'basic' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.succeeded(user, { state: null })); expect(mockSessionStorage.set).not.toHaveBeenCalled(); expect(mockSessionStorage.clear).toHaveBeenCalled(); @@ -288,14 +300,14 @@ describe('Authenticator', () => { let mockSessionStorage: jest.Mocked>; let mockSessVal: any; beforeEach(() => { - mockOptions = getMockOptions({ providers: ['basic'] }); + mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); mockSessionStorage = sessionStorageMock.create(); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); mockSessVal = { idleTimeoutExpiration: null, lifespanExpiration: null, state: { authorization: 'Basic xxx' }, - provider: 'basic', + provider: { type: 'basic', name: 'basic1' }, path: mockOptions.basePath.serverBasePath, }; @@ -430,7 +442,7 @@ describe('Authenticator', () => { idleTimeout: duration(3600 * 24), lifespan: null, }, - providers: ['basic'], + providers: { basic: { basic1: { order: 0 } } }, }); mockSessionStorage = sessionStorageMock.create(); @@ -469,7 +481,7 @@ describe('Authenticator', () => { idleTimeout: duration(hr * 2), lifespan: duration(hr * 8), }, - providers: ['basic'], + providers: { basic: { basic1: { order: 0 } } }, }); mockSessionStorage = sessionStorageMock.create(); @@ -521,7 +533,7 @@ describe('Authenticator', () => { idleTimeout: null, lifespan, }, - providers: ['basic'], + providers: { basic: { basic1: { order: 0 } } }, }); mockSessionStorage = sessionStorageMock.create(); @@ -782,14 +794,14 @@ describe('Authenticator', () => { let mockSessionStorage: jest.Mocked>; let mockSessVal: any; beforeEach(() => { - mockOptions = getMockOptions({ providers: ['basic'] }); + mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); mockSessionStorage = sessionStorageMock.create(); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); mockSessVal = { idleTimeoutExpiration: null, lifespanExpiration: null, state: { authorization: 'Basic xxx' }, - provider: 'basic', + provider: { type: 'basic', name: 'basic1' }, path: mockOptions.basePath.serverBasePath, }; @@ -805,6 +817,7 @@ describe('Authenticator', () => { it('returns `notHandled` if session does not exist.', async () => { const request = httpServerMock.createKibanaRequest(); mockSessionStorage.get.mockResolvedValue(null); + mockBasicAuthenticationProvider.logout.mockResolvedValue(DeauthenticationResult.notHandled()); await expect(authenticator.logout(request)).resolves.toEqual( DeauthenticationResult.notHandled() @@ -829,7 +842,7 @@ describe('Authenticator', () => { }); it('if session does not exist but provider name is valid, returns whatever authentication provider returns.', async () => { - const request = httpServerMock.createKibanaRequest({ query: { provider: 'basic' } }); + const request = httpServerMock.createKibanaRequest({ query: { provider: 'basic1' } }); mockSessionStorage.get.mockResolvedValue(null); mockBasicAuthenticationProvider.logout.mockResolvedValue( @@ -855,16 +868,20 @@ describe('Authenticator', () => { expect(mockSessionStorage.clear).not.toHaveBeenCalled(); }); - it('only clears session if it belongs to not configured provider.', async () => { + it('clears session if it belongs to not configured provider.', async () => { const request = httpServerMock.createKibanaRequest(); const state = { authorization: 'Bearer xxx' }; - mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, state, provider: 'token' }); + mockSessionStorage.get.mockResolvedValue({ + ...mockSessVal, + state, + provider: { type: 'token', name: 'token1' }, + }); await expect(authenticator.logout(request)).resolves.toEqual( DeauthenticationResult.notHandled() ); - expect(mockBasicAuthenticationProvider.logout).not.toHaveBeenCalled(); + expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); expect(mockSessionStorage.clear).toHaveBeenCalled(); }); }); @@ -874,7 +891,7 @@ describe('Authenticator', () => { let mockOptions: ReturnType; let mockSessionStorage: jest.Mocked>; beforeEach(() => { - mockOptions = getMockOptions({ providers: ['basic'] }); + mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); mockSessionStorage = sessionStorageMock.create(); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); @@ -889,13 +906,13 @@ describe('Authenticator', () => { now: currentDate, idleTimeoutExpiration: currentDate + 60000, lifespanExpiration: currentDate + 120000, - provider: 'basic', + provider: 'basic1', }; mockSessionStorage.get.mockResolvedValue({ idleTimeoutExpiration: mockInfo.idleTimeoutExpiration, lifespanExpiration: mockInfo.lifespanExpiration, state, - provider: mockInfo.provider, + provider: { type: 'basic', name: mockInfo.provider }, path: mockOptions.basePath.serverBasePath, }); jest.spyOn(Date, 'now').mockImplementation(() => currentDate); @@ -917,11 +934,20 @@ describe('Authenticator', () => { describe('`isProviderEnabled` method', () => { it('returns `true` only if specified provider is enabled', () => { - let authenticator = new Authenticator(getMockOptions({ providers: ['basic'] })); + let authenticator = new Authenticator( + getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }) + ); expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); expect(authenticator.isProviderTypeEnabled('saml')).toBe(false); - authenticator = new Authenticator(getMockOptions({ providers: ['basic', 'saml'] })); + authenticator = new Authenticator( + getMockOptions({ + providers: { + basic: { basic1: { order: 0 } }, + saml: { saml1: { order: 1, realm: 'test' } }, + }, + }) + ); expect(authenticator.isProviderTypeEnabled('basic')).toBe(true); expect(authenticator.isProviderTypeEnabled('saml')).toBe(true); }); diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index 2d0517fefcf13..6be2ff67bd1f1 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts @@ -508,7 +508,7 @@ export class Authenticator { // If for some reason we have a session stored for the provider that is not available // (e.g. when user was logged in with one provider, but then configuration has changed // and that provider is no longer available), then we should clear session entirely. - const sessionProvider = sessionValue && this.providers.get(sessionValue.provider.name); + const sessionProvider = sessionValue && this.providers.get(sessionValue.provider?.name); if ( sessionValue && (!sessionProvider || sessionProvider.type !== sessionValue?.provider.type) diff --git a/x-pack/plugins/security/server/authentication/index.mock.ts b/x-pack/plugins/security/server/authentication/index.mock.ts index c634e2c80c299..0fe1e0afaa9af 100644 --- a/x-pack/plugins/security/server/authentication/index.mock.ts +++ b/x-pack/plugins/security/server/authentication/index.mock.ts @@ -10,7 +10,7 @@ export const authenticationMock = { create: (): jest.Mocked => ({ login: jest.fn(), logout: jest.fn(), - isProviderEnabled: jest.fn(), + isProviderTypeEnabled: jest.fn(), createAPIKey: jest.fn(), getCurrentUser: jest.fn(), invalidateAPIKey: jest.fn(), diff --git a/x-pack/plugins/security/server/authentication/index.test.ts b/x-pack/plugins/security/server/authentication/index.test.ts index 30929ba98d33b..6a4455289e8b9 100644 --- a/x-pack/plugins/security/server/authentication/index.test.ts +++ b/x-pack/plugins/security/server/authentication/index.test.ts @@ -10,7 +10,6 @@ jest.mock('./api_keys'); jest.mock('./authenticator'); import Boom from 'boom'; -import { first } from 'rxjs/operators'; import { loggingServiceMock, @@ -31,7 +30,7 @@ import { ScopedClusterClient, } from '../../../../../src/core/server'; import { AuthenticatedUser } from '../../common/model'; -import { ConfigType, createConfig$ } from '../config'; +import { ConfigSchema, ConfigType, createConfig } from '../config'; import { AuthenticationResult } from './authentication_result'; import { setupAuthentication } from '.'; import { @@ -51,23 +50,18 @@ describe('setupAuthentication()', () => { license: jest.Mocked; }; let mockScopedClusterClient: jest.Mocked>; - beforeEach(async () => { - const mockConfig$ = createConfig$( - coreMock.createPluginInitializerContext({ - encryptionKey: 'ab'.repeat(16), - secureCookies: true, - session: { - idleTimeout: null, - lifespan: null, - }, - cookieName: 'my-sid-cookie', - authc: { providers: ['basic'], http: { enabled: true } }, - }), - true - ); + beforeEach(() => { mockSetupAuthenticationParams = { http: coreMock.createSetup().http, - config: await mockConfig$.pipe(first()).toPromise(), + config: createConfig( + ConfigSchema.validate({ + encryptionKey: 'ab'.repeat(16), + secureCookies: true, + cookieName: 'my-sid-cookie', + }), + loggingServiceMock.create().get(), + { isTLSEnabled: false } + ), clusterClient: elasticsearchServiceMock.createClusterClient(), license: licenseMock.create(), loggers: loggingServiceMock.create(), diff --git a/x-pack/plugins/security/server/authentication/providers/base.mock.ts b/x-pack/plugins/security/server/authentication/providers/base.mock.ts index 0781608f8bc4c..1dcd2885f66dc 100644 --- a/x-pack/plugins/security/server/authentication/providers/base.mock.ts +++ b/x-pack/plugins/security/server/authentication/providers/base.mock.ts @@ -14,7 +14,7 @@ export type MockAuthenticationProviderOptions = ReturnType< typeof mockAuthenticationProviderOptions >; -export function mockAuthenticationProviderOptions() { +export function mockAuthenticationProviderOptions(options?: { name: string }) { const basePath = httpServiceMock.createSetupContract().basePath; basePath.get.mockReturnValue('/base-path'); @@ -23,5 +23,6 @@ export function mockAuthenticationProviderOptions() { logger: loggingServiceMock.create().get(), basePath, tokens: { refresh: jest.fn(), invalidate: jest.fn() }, + name: options?.name ?? 'basic1', }; } diff --git a/x-pack/plugins/security/server/authentication/providers/basic.test.ts b/x-pack/plugins/security/server/authentication/providers/basic.test.ts index b7bdff0531fc2..97ca4e46d3eb5 100644 --- a/x-pack/plugins/security/server/authentication/providers/basic.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/basic.test.ts @@ -91,6 +91,12 @@ describe('BasicAuthenticationProvider', () => { ).resolves.toEqual(AuthenticationResult.notHandled()); }); + it('does not redirect requests that do not require authentication to the login page.', async () => { + await expect( + provider.authenticate(httpServerMock.createKibanaRequest({ routeAuthRequired: false })) + ).resolves.toEqual(AuthenticationResult.notHandled()); + }); + it('redirects non-AJAX requests that can not be authenticated to the login page.', async () => { await expect( provider.authenticate( @@ -172,8 +178,14 @@ describe('BasicAuthenticationProvider', () => { }); describe('`logout` method', () => { - it('always redirects to the login page.', async () => { + it('does not handle logout if state is not present', async () => { await expect(provider.logout(httpServerMock.createKibanaRequest())).resolves.toEqual( + DeauthenticationResult.notHandled() + ); + }); + + it('always redirects to the login page.', async () => { + await expect(provider.logout(httpServerMock.createKibanaRequest(), {})).resolves.toEqual( DeauthenticationResult.redirectTo('/base-path/login?msg=LOGGED_OUT') ); }); @@ -181,7 +193,10 @@ describe('BasicAuthenticationProvider', () => { it('passes query string parameters to the login page.', async () => { await expect( provider.logout( - httpServerMock.createKibanaRequest({ query: { next: '/app/ml', msg: 'SESSION_EXPIRED' } }) + httpServerMock.createKibanaRequest({ + query: { next: '/app/ml', msg: 'SESSION_EXPIRED' }, + }), + {} ) ).resolves.toEqual( DeauthenticationResult.redirectTo('/base-path/login?next=%2Fapp%2Fml&msg=SESSION_EXPIRED') diff --git a/x-pack/plugins/security/server/authentication/providers/basic.ts b/x-pack/plugins/security/server/authentication/providers/basic.ts index a1eea84e17319..77941dfc9e65d 100644 --- a/x-pack/plugins/security/server/authentication/providers/basic.ts +++ b/x-pack/plugins/security/server/authentication/providers/basic.ts @@ -31,6 +31,16 @@ interface ProviderState { authorization?: string; } +/** + * Checks whether current request can initiate new session. + * @param request Request instance. + */ +function canStartNewSession(request: KibanaRequest) { + // We should try to establish new session only if request requires authentication and client + // can be redirected to the login page where they can enter username and password. + return canRedirectRequest(request) && request.route.options.authRequired === true; +} + /** * Provider that supports request authentication via Basic HTTP Authentication. */ @@ -86,7 +96,7 @@ export class BasicAuthenticationProvider extends BaseAuthenticationProvider { } // If state isn't present let's redirect user to the login page. - if (canRedirectRequest(request)) { + if (canStartNewSession(request)) { this.logger.debug('Redirecting request to Login page.'); const basePath = this.options.basePath.get(request); return AuthenticationResult.redirectTo( diff --git a/x-pack/plugins/security/server/authentication/providers/http.test.ts b/x-pack/plugins/security/server/authentication/providers/http.test.ts index 65fbd7cd9f4ad..47715670e4697 100644 --- a/x-pack/plugins/security/server/authentication/providers/http.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/http.test.ts @@ -32,7 +32,7 @@ function expectAuthenticateCall( describe('HTTPAuthenticationProvider', () => { let mockOptions: MockAuthenticationProviderOptions; beforeEach(() => { - mockOptions = mockAuthenticationProviderOptions(); + mockOptions = mockAuthenticationProviderOptions({ name: 'http' }); }); it('throws if `schemes` are not specified', () => { diff --git a/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts b/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts index 955805296e2bd..3eaa8fcee0d9c 100644 --- a/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts @@ -36,7 +36,7 @@ describe('KerberosAuthenticationProvider', () => { let provider: KerberosAuthenticationProvider; let mockOptions: MockAuthenticationProviderOptions; beforeEach(() => { - mockOptions = mockAuthenticationProviderOptions(); + mockOptions = mockAuthenticationProviderOptions({ name: 'kerberos' }); provider = new KerberosAuthenticationProvider(mockOptions); }); diff --git a/x-pack/plugins/security/server/authentication/providers/kerberos.ts b/x-pack/plugins/security/server/authentication/providers/kerberos.ts index a0818da90e5a3..963543fae47cb 100644 --- a/x-pack/plugins/security/server/authentication/providers/kerberos.ts +++ b/x-pack/plugins/security/server/authentication/providers/kerberos.ts @@ -27,6 +27,15 @@ type ProviderState = TokenPair; */ const WWWAuthenticateHeaderName = 'WWW-Authenticate'; +/** + * Checks whether current request can initiate new session. + * @param request Request instance. + */ +function canStartNewSession(request: KibanaRequest) { + // We should try to establish new session only if request requires authentication. + return request.route.options.authRequired === true; +} + /** * Provider that supports Kerberos request authentication. */ @@ -42,6 +51,11 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { */ public async login(request: KibanaRequest) { this.logger.debug('Trying to perform a login.'); + + if (getHTTPAuthenticationScheme(request) === 'negotiate') { + return await this.authenticateWithNegotiateScheme(request); + } + return await this.authenticateViaSPNEGO(request); } @@ -75,7 +89,7 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { // If we couldn't authenticate by means of all methods above, let's try to check if Elasticsearch can // start authentication mechanism negotiation, otherwise just return authentication result we have. - return authenticationResult.notHandled() + return authenticationResult.notHandled() && canStartNewSession(request) ? await this.authenticateViaSPNEGO(request, state) : authenticationResult; } @@ -247,7 +261,9 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { this.logger.debug( 'Both access and refresh tokens are expired. Re-initiating SPNEGO handshake.' ); - return this.authenticateViaSPNEGO(request, state); + return canStartNewSession(request) + ? this.authenticateViaSPNEGO(request, state) + : AuthenticationResult.notHandled(); } try { diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts index 8091afe2f44bb..52f695f538688 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts @@ -36,7 +36,7 @@ describe('OIDCAuthenticationProvider', () => { let provider: OIDCAuthenticationProvider; let mockOptions: MockAuthenticationProviderOptions; beforeEach(() => { - mockOptions = mockAuthenticationProviderOptions(); + mockOptions = mockAuthenticationProviderOptions({ name: 'oidc' }); provider = new OIDCAuthenticationProvider(mockOptions, { realm: 'oidc1' }); }); @@ -84,7 +84,14 @@ describe('OIDCAuthenticationProvider', () => { '&state=statevalue' + '&redirect_uri=https%3A%2F%2Ftest-hostname:1234%2Ftest-base-path%2Fapi%2Fsecurity%2Fv1%2F/oidc' + '&login_hint=loginhint', - { state: { state: 'statevalue', nonce: 'noncevalue', nextURL: '/base-path/' } } + { + state: { + state: 'statevalue', + nonce: 'noncevalue', + nextURL: '/mock-server-basepath/', + realm: 'oidc1', + }, + } ) ); @@ -113,10 +120,15 @@ describe('OIDCAuthenticationProvider', () => { state: 'statevalue', nonce: 'noncevalue', nextURL: '/base-path/some-path', + realm: 'oidc1', }) ).resolves.toEqual( AuthenticationResult.redirectTo('/base-path/some-path', { - state: { accessToken: 'some-token', refreshToken: 'some-refresh-token' }, + state: { + accessToken: 'some-token', + refreshToken: 'some-refresh-token', + realm: 'oidc1', + }, }) ); @@ -137,7 +149,7 @@ describe('OIDCAuthenticationProvider', () => { const { request, attempt } = getMocks(); await expect( - provider.login(request, attempt, { nextURL: '/base-path/some-path' }) + provider.login(request, attempt, { nextURL: '/base-path/some-path', realm: 'oidc1' }) ).resolves.toEqual( AuthenticationResult.failed( Boom.badRequest( @@ -153,7 +165,11 @@ describe('OIDCAuthenticationProvider', () => { const { request, attempt } = getMocks(); await expect( - provider.login(request, attempt, { state: 'statevalue', nonce: 'noncevalue' }) + provider.login(request, attempt, { + state: 'statevalue', + nonce: 'noncevalue', + realm: 'oidc1', + }) ).resolves.toEqual( AuthenticationResult.failed( Boom.badRequest( @@ -168,7 +184,7 @@ describe('OIDCAuthenticationProvider', () => { it('fails if session state is not presented.', async () => { const { request, attempt } = getMocks(); - await expect(provider.login(request, attempt, {})).resolves.toEqual( + await expect(provider.login(request, attempt, {} as any)).resolves.toEqual( AuthenticationResult.failed( Boom.badRequest( 'Response session state does not have corresponding state or nonce parameters or redirect URL.' @@ -192,6 +208,7 @@ describe('OIDCAuthenticationProvider', () => { state: 'statevalue', nonce: 'noncevalue', nextURL: '/base-path/some-path', + realm: 'oidc1', }) ).resolves.toEqual(AuthenticationResult.failed(failureReason)); @@ -272,6 +289,7 @@ describe('OIDCAuthenticationProvider', () => { state: 'statevalue', nonce: 'noncevalue', nextURL: '/base-path/s/foo/some-path', + realm: 'oidc1', }, } ) @@ -310,7 +328,9 @@ describe('OIDCAuthenticationProvider', () => { mockScopedClusterClient.callAsCurrentUser.mockResolvedValue(user); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual( AuthenticationResult.succeeded( { ...user, authentication_provider: 'oidc' }, { authHeaders: { authorization } } @@ -344,6 +364,7 @@ describe('OIDCAuthenticationProvider', () => { provider.authenticate(request, { accessToken: 'some-valid-token', refreshToken: 'some-valid-refresh-token', + realm: 'oidc1', }) ).resolves.toEqual(AuthenticationResult.notHandled()); @@ -364,9 +385,9 @@ describe('OIDCAuthenticationProvider', () => { mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual(AuthenticationResult.failed(failureReason)); expectAuthenticateCall(mockOptions.client, { headers: { authorization } }); @@ -401,12 +422,18 @@ describe('OIDCAuthenticationProvider', () => { refreshToken: 'new-refresh-token', }); - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual( AuthenticationResult.succeeded( { ...user, authentication_provider: 'oidc' }, { authHeaders: { authorization: 'Bearer new-access-token' }, - state: { accessToken: 'new-access-token', refreshToken: 'new-refresh-token' }, + state: { + accessToken: 'new-access-token', + refreshToken: 'new-refresh-token', + realm: 'oidc1', + }, } ) ); @@ -434,9 +461,9 @@ describe('OIDCAuthenticationProvider', () => { }; mockOptions.tokens.refresh.mockRejectedValue(refreshFailureReason); - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( - AuthenticationResult.failed(refreshFailureReason as any) - ); + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual(AuthenticationResult.failed(refreshFailureReason as any)); expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); @@ -470,7 +497,9 @@ describe('OIDCAuthenticationProvider', () => { mockOptions.tokens.refresh.mockResolvedValue(null); - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual( AuthenticationResult.redirectTo( 'https://op-host/path/login?response_type=code' + '&scope=openid%20profile%20email' + @@ -482,6 +511,7 @@ describe('OIDCAuthenticationProvider', () => { state: 'statevalue', nonce: 'noncevalue', nextURL: '/base-path/s/foo/some-path', + realm: 'oidc1', }, } ) @@ -515,7 +545,9 @@ describe('OIDCAuthenticationProvider', () => { mockOptions.tokens.refresh.mockResolvedValue(null); - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual( AuthenticationResult.failed(Boom.badRequest('Both access and refresh tokens are expired.')) ); @@ -538,11 +570,11 @@ describe('OIDCAuthenticationProvider', () => { DeauthenticationResult.notHandled() ); - await expect(provider.logout(request, {})).resolves.toEqual( + await expect(provider.logout(request, {} as any)).resolves.toEqual( DeauthenticationResult.notHandled() ); - await expect(provider.logout(request, { nonce: 'x' })).resolves.toEqual( + await expect(provider.logout(request, { nonce: 'x', realm: 'oidc1' })).resolves.toEqual( DeauthenticationResult.notHandled() ); @@ -557,9 +589,9 @@ describe('OIDCAuthenticationProvider', () => { const failureReason = new Error('Realm is misconfigured!'); mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); - await expect(provider.logout(request, { accessToken, refreshToken })).resolves.toEqual( - DeauthenticationResult.failed(failureReason) - ); + await expect( + provider.logout(request, { accessToken, refreshToken, realm: 'oidc1' }) + ).resolves.toEqual(DeauthenticationResult.failed(failureReason)); expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledTimes(1); expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.oidcLogout', { @@ -574,7 +606,9 @@ describe('OIDCAuthenticationProvider', () => { mockOptions.client.callAsInternalUser.mockResolvedValue({ redirect: null }); - await expect(provider.logout(request, { accessToken, refreshToken })).resolves.toEqual( + await expect( + provider.logout(request, { accessToken, refreshToken, realm: 'oidc1' }) + ).resolves.toEqual( DeauthenticationResult.redirectTo('/mock-server-basepath/security/logged_out') ); @@ -593,7 +627,9 @@ describe('OIDCAuthenticationProvider', () => { redirect: 'http://fake-idp/logout&id_token_hint=thehint', }); - await expect(provider.logout(request, { accessToken, refreshToken })).resolves.toEqual( + await expect( + provider.logout(request, { accessToken, refreshToken, realm: 'oidc1' }) + ).resolves.toEqual( DeauthenticationResult.redirectTo('http://fake-idp/logout&id_token_hint=thehint') ); diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.ts b/x-pack/plugins/security/server/authentication/providers/oidc.ts index a6fa3c7dabf9b..1793cf5eedc3b 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.ts @@ -32,7 +32,7 @@ export enum OIDCLogin { * Describes the parameters that are required by the provider to process the initial login request. */ export type ProviderLoginAttempt = - | { type: OIDCLogin.LoginInitiatedByUser; redirectURL?: string } + | { type: OIDCLogin.LoginInitiatedByUser; redirectURLPath?: string } | { type: OIDCLogin.LoginWithImplicitFlow | OIDCLogin.LoginWithAuthorizationCodeFlow; authenticationResponseURI: string; @@ -66,6 +66,16 @@ interface ProviderState extends Partial { realm: string; } +/** + * Checks whether current request can initiate new session. + * @param request Request instance. + */ +function canStartNewSession(request: KibanaRequest) { + // We should try to establish new session only if request requires authentication and client + // can be redirected to the Identity Provider where they can authenticate. + return canRedirectRequest(request) && request.route.options.authRequired === true; +} + /** * Provider that supports authentication using an OpenID Connect realm in Elasticsearch. */ @@ -129,10 +139,18 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { oidcPrepareParams, `${this.options.basePath.serverBasePath}/` ); - } else if (attempt.type === OIDCLogin.LoginInitiatedByUser) { + } + + if (attempt.type === OIDCLogin.LoginInitiatedByUser) { this.logger.debug(`Login has been initiated by a user.`); - return this.initiateOIDCAuthentication(request, { realm: this.realm }, attempt.redirectURL); - } else if (attempt.type === OIDCLogin.LoginWithImplicitFlow) { + return this.initiateOIDCAuthentication( + request, + { realm: this.realm }, + attempt.redirectURLPath + ); + } + + if (attempt.type === OIDCLogin.LoginWithImplicitFlow) { this.logger.debug('OpenID Connect Implicit Authentication flow is used.'); } else { this.logger.debug('OpenID Connect Authorization Code Authentication flow is used.'); @@ -181,7 +199,7 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { // initiate an OpenID Connect based authentication, otherwise just return the authentication result we have. // We might already have a state and nonce generated by Elasticsearch (from an unfinished authentication in // another tab) - return authenticationResult.notHandled() + return authenticationResult.notHandled() && canStartNewSession(request) ? await this.initiateOIDCAuthentication(request, { realm: this.realm }) : authenticationResult; } @@ -254,22 +272,16 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { * * @param request Request instance. * @param params OIDC authentication parameters. - * @param [redirectURL] Optional URL user is supposed to be redirected to after successful login. - * If not provided the URL of the specified request is used. + * @param [redirectURLPath] Optional URL user is supposed to be redirected to after successful + * login. If not provided the URL of the specified request is used. */ private async initiateOIDCAuthentication( request: KibanaRequest, params: { realm: string } | { iss: string; login_hint?: string }, - redirectURL = `${this.options.basePath.get(request)}${request.url.path}` + redirectURLPath = `${this.options.basePath.get(request)}${request.url.path}` ) { this.logger.debug('Trying to initiate OpenID Connect authentication.'); - // If client can't handle redirect response, we shouldn't initiate OpenID Connect authentication. - if (!canRedirectRequest(request)) { - this.logger.debug('OpenID Connect authentication can not be initiated by AJAX requests.'); - return AuthenticationResult.notHandled(); - } - try { // This operation should be performed on behalf of the user with a privilege that normal // user usually doesn't have `cluster:admin/xpack/security/oidc/prepare`. @@ -283,7 +295,7 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { return AuthenticationResult.redirectTo( redirect, // Store the state and nonce parameters in the session state of the user - { state: { state, nonce, nextURL: redirectURL, realm: this.realm } } + { state: { state, nonce, nextURL: redirectURLPath, realm: this.realm } } ); } catch (err) { this.logger.debug(`Failed to initiate OpenID Connect authentication: ${err.message}`); @@ -349,7 +361,7 @@ export class OIDCAuthenticationProvider extends BaseAuthenticationProvider { // seems logical to do the same on Kibana side and `401` would force user to logout and do full SLO if it's // supported. if (refreshedTokenPair === null) { - if (canRedirectRequest(request)) { + if (canStartNewSession(request)) { this.logger.debug( 'Both elasticsearch access and refresh tokens are expired. Re-initiating OpenID Connect authentication.' ); diff --git a/x-pack/plugins/security/server/authentication/providers/pki.test.ts b/x-pack/plugins/security/server/authentication/providers/pki.test.ts index 044416032a4c3..b1d1e249984de 100644 --- a/x-pack/plugins/security/server/authentication/providers/pki.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/pki.test.ts @@ -78,7 +78,7 @@ describe('PKIAuthenticationProvider', () => { let provider: PKIAuthenticationProvider; let mockOptions: MockAuthenticationProviderOptions; beforeEach(() => { - mockOptions = mockAuthenticationProviderOptions(); + mockOptions = mockAuthenticationProviderOptions({ name: 'pki' }); provider = new PKIAuthenticationProvider(mockOptions); }); diff --git a/x-pack/plugins/security/server/authentication/providers/pki.ts b/x-pack/plugins/security/server/authentication/providers/pki.ts index 9bd599eb0ba74..37046afb1ce2a 100644 --- a/x-pack/plugins/security/server/authentication/providers/pki.ts +++ b/x-pack/plugins/security/server/authentication/providers/pki.ts @@ -28,6 +28,15 @@ interface ProviderState { peerCertificateFingerprint256: string; } +/** + * Checks whether current request can initiate new session. + * @param request Request instance. + */ +function canStartNewSession(request: KibanaRequest) { + // We should try to establish new session only if request requires authentication. + return request.route.options.authRequired === true; +} + /** * Provider that supports PKI request authentication. */ @@ -64,12 +73,12 @@ export class PKIAuthenticationProvider extends BaseAuthenticationProvider { authenticationResult = await this.authenticateViaState(request, state); // If access token expired or doesn't match to the certificate fingerprint we should try to get - // a new one in exchange to peer certificate chain. - if ( + // a new one in exchange to peer certificate chain assuming request can initiate new session. + const invalidAccessToken = authenticationResult.notHandled() || (authenticationResult.failed() && - Tokens.isAccessTokenExpiredError(authenticationResult.error)) - ) { + Tokens.isAccessTokenExpiredError(authenticationResult.error)); + if (invalidAccessToken && canStartNewSession(request)) { authenticationResult = await this.authenticateViaPeerCertificate(request); // If we have an active session that we couldn't use to authenticate user and at the same time // we couldn't use peer's certificate to establish a new one, then we should respond with 401 @@ -77,12 +86,15 @@ export class PKIAuthenticationProvider extends BaseAuthenticationProvider { if (authenticationResult.notHandled()) { return AuthenticationResult.failed(Boom.unauthorized()); } + } else if (invalidAccessToken) { + return AuthenticationResult.notHandled(); } } // If we couldn't authenticate by means of all methods above, let's try to check if we can authenticate // request using its peer certificate chain, otherwise just return authentication result we have. - return authenticationResult.notHandled() + // We shouldn't establish new session if authentication isn't required for this particular request. + return authenticationResult.notHandled() && canStartNewSession(request) ? await this.authenticateViaPeerCertificate(request) : authenticationResult; } diff --git a/x-pack/plugins/security/server/authentication/providers/saml.test.ts b/x-pack/plugins/security/server/authentication/providers/saml.test.ts index 46e503f2700d1..5cf4ada09e838 100644 --- a/x-pack/plugins/security/server/authentication/providers/saml.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/saml.test.ts @@ -36,7 +36,7 @@ describe('SAMLAuthenticationProvider', () => { let provider: SAMLAuthenticationProvider; let mockOptions: MockAuthenticationProviderOptions; beforeEach(() => { - mockOptions = mockAuthenticationProviderOptions(); + mockOptions = mockAuthenticationProviderOptions({ name: 'saml' }); provider = new SAMLAuthenticationProvider(mockOptions, { realm: 'test-realm', maxRedirectURLSize: new ByteSizeValue(100), @@ -87,7 +87,11 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, - { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path#some-app' } + { + requestId: 'some-request-id', + redirectURL: '/test-base-path/some-path#some-app', + realm: 'test-realm', + } ) ).resolves.toEqual( AuthenticationResult.redirectTo('/test-base-path/some-path#some-app', { @@ -95,6 +99,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'some-token', refreshToken: 'some-refresh-token', + realm: 'test-realm', }, }) ); @@ -112,7 +117,7 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, - {} + {} as any ) ).resolves.toEqual( AuthenticationResult.failed( @@ -135,13 +140,14 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, - { requestId: 'some-request-id', redirectURL: '' } + { requestId: 'some-request-id', redirectURL: '', realm: 'test-realm' } ) ).resolves.toEqual( AuthenticationResult.redirectTo('/base-path/', { state: { accessToken: 'user-initiated-login-token', refreshToken: 'user-initiated-login-refresh-token', + realm: 'test-realm', }, }) ); @@ -170,6 +176,7 @@ describe('SAMLAuthenticationProvider', () => { state: { accessToken: 'idp-initiated-login-token', refreshToken: 'idp-initiated-login-refresh-token', + realm: 'test-realm', }, }) ); @@ -190,7 +197,11 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, - { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path' } + { + requestId: 'some-request-id', + redirectURL: '/test-base-path/some-path', + realm: 'test-realm', + } ) ).resolves.toEqual(AuthenticationResult.failed(failureReason)); @@ -201,7 +212,7 @@ describe('SAMLAuthenticationProvider', () => { }); describe('IdP initiated login with existing session', () => { - it('fails if new SAML Response is rejected.', async () => { + it('returns `notHandled` if new SAML Response is rejected.', async () => { const request = httpServerMock.createKibanaRequest({ headers: {} }); const authorization = 'Bearer some-valid-token'; @@ -221,9 +232,10 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'some-valid-token', refreshToken: 'some-valid-refresh-token', + realm: 'test-realm', } ) - ).resolves.toEqual(AuthenticationResult.failed(failureReason)); + ).resolves.toEqual(AuthenticationResult.notHandled()); expectAuthenticateCall(mockOptions.client, { headers: { authorization } }); @@ -241,6 +253,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'existing-valid-token', refreshToken: 'existing-valid-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -288,6 +301,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'existing-valid-token', refreshToken: 'existing-valid-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -316,6 +330,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'new-valid-token', refreshToken: 'new-valid-refresh-token', + realm: 'test-realm', }, }) ); @@ -342,6 +357,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'existing-valid-token', refreshToken: 'existing-valid-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -370,6 +386,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'new-user', accessToken: 'new-valid-token', refreshToken: 'new-valid-refresh-token', + realm: 'test-realm', }, }) ); @@ -397,36 +414,19 @@ describe('SAMLAuthenticationProvider', () => { await expect( provider.login(request, { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, + type: SAMLLogin.LoginInitiatedByUser, redirectURLFragment: '#some-fragment', }) ).resolves.toEqual( AuthenticationResult.failed( - Boom.badRequest('State does not include URL path to redirect to.') + Boom.badRequest('State or login attempt does not include URL path to redirect to.') ) ); expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); }); - it('does not handle AJAX requests.', async () => { - const request = httpServerMock.createKibanaRequest({ headers: { 'kbn-xsrf': 'xsrf' } }); - - await expect( - provider.login( - request, - { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, - redirectURLFragment: '#some-fragment', - }, - { redirectURL: '/test-base-path/some-path' } - ) - ).resolves.toEqual(AuthenticationResult.notHandled()); - - expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); - }); - - it('redirects non-AJAX requests to the IdP remembering combined redirect URL.', async () => { + it('redirects requests to the IdP remembering combined redirect URL.', async () => { const request = httpServerMock.createKibanaRequest(); mockOptions.client.callAsInternalUser.mockResolvedValue({ @@ -438,10 +438,10 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, + type: SAMLLogin.LoginInitiatedByUser, redirectURLFragment: '#some-fragment', }, - { redirectURL: '/test-base-path/some-path' } + { redirectURL: '/test-base-path/some-path', realm: 'test-realm' } ) ).resolves.toEqual( AuthenticationResult.redirectTo( @@ -450,6 +450,7 @@ describe('SAMLAuthenticationProvider', () => { state: { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path#some-fragment', + realm: 'test-realm', }, } ) @@ -474,10 +475,10 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, + type: SAMLLogin.LoginInitiatedByUser, redirectURLFragment: '../some-fragment', }, - { redirectURL: '/test-base-path/some-path' } + { redirectURL: '/test-base-path/some-path', realm: 'test-realm' } ) ).resolves.toEqual( AuthenticationResult.redirectTo( @@ -486,6 +487,7 @@ describe('SAMLAuthenticationProvider', () => { state: { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path#../some-fragment', + realm: 'test-realm', }, } ) @@ -513,10 +515,10 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, + type: SAMLLogin.LoginInitiatedByUser, redirectURLFragment: '#some-fragment'.repeat(10), }, - { redirectURL: '/test-base-path/some-path' } + { redirectURL: '/test-base-path/some-path', realm: 'test-realm' } ) ).resolves.toEqual( AuthenticationResult.redirectTo( @@ -525,6 +527,7 @@ describe('SAMLAuthenticationProvider', () => { state: { requestId: 'some-request-id', redirectURL: '/test-base-path/some-path', + realm: 'test-realm', }, } ) @@ -550,10 +553,10 @@ describe('SAMLAuthenticationProvider', () => { provider.login( request, { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, + type: SAMLLogin.LoginInitiatedByUser, redirectURLFragment: '#some-fragment', }, - { redirectURL: '/test-base-path/some-path' } + { redirectURL: '/test-base-path/some-path', realm: 'test-realm' } ) ).resolves.toEqual(AuthenticationResult.failed(failureReason)); @@ -596,6 +599,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'some-valid-token', refreshToken: 'some-valid-refresh-token', + realm: 'test-realm', }) ).resolves.toEqual(AuthenticationResult.notHandled()); @@ -614,7 +618,7 @@ describe('SAMLAuthenticationProvider', () => { await expect(provider.authenticate(request)).resolves.toEqual( AuthenticationResult.redirectTo( '/mock-server-basepath/internal/security/saml/capture-url-fragment', - { state: { redirectURL: '/base-path/s/foo/some-path' } } + { state: { redirectURL: '/base-path/s/foo/some-path', realm: 'test-realm' } } ) ); @@ -634,7 +638,7 @@ describe('SAMLAuthenticationProvider', () => { await expect(provider.authenticate(request)).resolves.toEqual( AuthenticationResult.redirectTo( 'https://idp-host/path/login?SAMLRequest=some%20request%20', - { state: { requestId: 'some-request-id', redirectURL: '' } } + { state: { requestId: 'some-request-id', redirectURL: '', realm: 'test-realm' } } ) ); @@ -672,6 +676,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'some-valid-token', refreshToken: 'some-valid-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -697,6 +702,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'some-valid-token', refreshToken: 'some-valid-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -721,6 +727,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'expired-token', refreshToken: 'valid-refresh-token', + realm: 'test-realm', }; mockOptions.client.asScoped.mockImplementation(scopeableRequest => { @@ -755,6 +762,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'new-access-token', refreshToken: 'new-refresh-token', + realm: 'test-realm', }, } ) @@ -772,6 +780,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'expired-token', refreshToken: 'invalid-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -805,6 +814,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'expired-token', refreshToken: 'expired-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -836,6 +846,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'expired-token', refreshToken: 'expired-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -850,7 +861,7 @@ describe('SAMLAuthenticationProvider', () => { await expect(provider.authenticate(request, state)).resolves.toEqual( AuthenticationResult.redirectTo( '/mock-server-basepath/internal/security/saml/capture-url-fragment', - { state: { redirectURL: '/base-path/s/foo/some-path' } } + { state: { redirectURL: '/base-path/s/foo/some-path', realm: 'test-realm' } } ) ); @@ -871,6 +882,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'expired-token', refreshToken: 'expired-refresh-token', + realm: 'test-realm', }; const authorization = `Bearer ${state.accessToken}`; @@ -890,7 +902,7 @@ describe('SAMLAuthenticationProvider', () => { await expect(provider.authenticate(request, state)).resolves.toEqual( AuthenticationResult.redirectTo( 'https://idp-host/path/login?SAMLRequest=some%20request%20', - { state: { requestId: 'some-request-id', redirectURL: '' } } + { state: { requestId: 'some-request-id', redirectURL: '', realm: 'test-realm' } } ) ); @@ -934,7 +946,12 @@ describe('SAMLAuthenticationProvider', () => { mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); await expect( - provider.logout(request, { username: 'user', accessToken, refreshToken }) + provider.logout(request, { + username: 'user', + accessToken, + refreshToken, + realm: 'test-realm', + }) ).resolves.toEqual(DeauthenticationResult.failed(failureReason)); expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledTimes(1); @@ -967,7 +984,12 @@ describe('SAMLAuthenticationProvider', () => { mockOptions.client.callAsInternalUser.mockResolvedValue({ redirect: null }); await expect( - provider.logout(request, { username: 'user', accessToken, refreshToken }) + provider.logout(request, { + username: 'user', + accessToken, + refreshToken, + realm: 'test-realm', + }) ).resolves.toEqual( DeauthenticationResult.redirectTo('/mock-server-basepath/security/logged_out') ); @@ -986,7 +1008,12 @@ describe('SAMLAuthenticationProvider', () => { mockOptions.client.callAsInternalUser.mockResolvedValue({ redirect: undefined }); await expect( - provider.logout(request, { username: 'user', accessToken, refreshToken }) + provider.logout(request, { + username: 'user', + accessToken, + refreshToken, + realm: 'test-realm', + }) ).resolves.toEqual( DeauthenticationResult.redirectTo('/mock-server-basepath/security/logged_out') ); @@ -1007,7 +1034,12 @@ describe('SAMLAuthenticationProvider', () => { mockOptions.client.callAsInternalUser.mockResolvedValue({ redirect: null }); await expect( - provider.logout(request, { username: 'user', accessToken, refreshToken }) + provider.logout(request, { + username: 'user', + accessToken, + refreshToken, + realm: 'test-realm', + }) ).resolves.toEqual( DeauthenticationResult.redirectTo('/mock-server-basepath/security/logged_out') ); @@ -1028,6 +1060,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'x-saml-token', refreshToken: 'x-saml-refresh-token', + realm: 'test-realm', }) ).resolves.toEqual( DeauthenticationResult.redirectTo('/mock-server-basepath/security/logged_out') @@ -1079,7 +1112,12 @@ describe('SAMLAuthenticationProvider', () => { }); await expect( - provider.logout(request, { username: 'user', accessToken, refreshToken }) + provider.logout(request, { + username: 'user', + accessToken, + refreshToken, + realm: 'test-realm', + }) ).resolves.toEqual( DeauthenticationResult.redirectTo('http://fake-idp/SLO?SAMLRequest=7zlH37H') ); @@ -1099,6 +1137,7 @@ describe('SAMLAuthenticationProvider', () => { username: 'user', accessToken: 'x-saml-token', refreshToken: 'x-saml-refresh-token', + realm: 'test-realm', }) ).resolves.toEqual( DeauthenticationResult.redirectTo('http://fake-idp/SLO?SAMLRequest=7zlH37H') diff --git a/x-pack/plugins/security/server/authentication/providers/saml.ts b/x-pack/plugins/security/server/authentication/providers/saml.ts index e1b6664191483..acd7748c7b748 100644 --- a/x-pack/plugins/security/server/authentication/providers/saml.ts +++ b/x-pack/plugins/security/server/authentication/providers/saml.ts @@ -52,18 +52,13 @@ export enum SAMLLogin { * Login or IdP initiated Login). */ LoginWithSAMLResponse = 'login-saml-response', - /** - * The login flow when we've captured user URL fragment and ready to start SAML handshake. - */ - LoginWithRedirectURLFragmentCaptured = 'login-redirect-url-fragment-captured', } /** * Describes the parameters that are required by the provider to process the initial login request. */ type ProviderLoginAttempt = - | { type: SAMLLogin.LoginInitiatedByUser; redirectURL?: string } - | { type: SAMLLogin.LoginWithRedirectURLFragmentCaptured; redirectURLFragment: string } + | { type: SAMLLogin.LoginInitiatedByUser; redirectURLPath?: string; redirectURLFragment?: string } | { type: SAMLLogin.LoginWithSAMLResponse; samlResponse: string }; /** @@ -74,6 +69,16 @@ function isSAMLRequestQuery(query: any): query is { SAMLRequest: string } { return query && query.SAMLRequest; } +/** + * Checks whether current request can initiate new session. + * @param request Request instance. + */ +function canStartNewSession(request: KibanaRequest) { + // We should try to establish new session only if request requires authentication and client + // can be redirected to the Identity Provider where they can authenticate. + return canRedirectRequest(request) && request.route.options.authRequired === true; +} + /** * Provider that supports SAML request authentication. */ @@ -132,35 +137,15 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { return AuthenticationResult.failed(Boom.unauthorized(message)); } - if (attempt.type === SAMLLogin.LoginWithRedirectURLFragmentCaptured) { - if (!state || !state.redirectURL) { - const message = 'State does not include URL path to redirect to.'; + if (attempt.type === SAMLLogin.LoginInitiatedByUser) { + const redirectURLPath = attempt.redirectURLPath || state?.redirectURL; + if (!redirectURLPath) { + const message = 'State or login attempt does not include URL path to redirect to.'; this.logger.debug(message); return AuthenticationResult.failed(Boom.badRequest(message)); } - let redirectURLFragment = attempt.redirectURLFragment; - if (redirectURLFragment.length > 0 && !redirectURLFragment.startsWith('#')) { - this.logger.warn('Redirect URL fragment does not start with `#`.'); - redirectURLFragment = `#${redirectURLFragment}`; - } - - let redirectURL = `${state.redirectURL}${redirectURLFragment}`; - const redirectURLSize = new ByteSizeValue(Buffer.byteLength(redirectURL)); - if (this.maxRedirectURLSize.isLessThan(redirectURLSize)) { - this.logger.warn( - `Max URL size should not exceed ${this.maxRedirectURLSize.toString()} but it was ${redirectURLSize.toString()}. Only URL path is captured.` - ); - redirectURL = state.redirectURL; - } else { - this.logger.debug('Captured redirect URL.'); - } - - return this.authenticateViaHandshake(request, redirectURL); - } - - if (attempt.type === SAMLLogin.LoginInitiatedByUser) { - return this.captureRedirectURL(request, attempt.redirectURL); + return this.captureRedirectURL(request, redirectURLPath, attempt.redirectURLFragment); } const { samlResponse } = attempt; @@ -230,7 +215,7 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { // If we couldn't authenticate by means of all methods above, let's try to capture user URL and // initiate SAML handshake, otherwise just return authentication result we have. - return authenticationResult.notHandled() && canRedirectRequest(request) + return authenticationResult.notHandled() && canStartNewSession(request) ? this.captureRedirectURL(request) : authenticationResult; } @@ -478,7 +463,7 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { // There are two reasons for `400` and not `401`: Elasticsearch search responds with `400` so it seems logical // to do the same on Kibana side and `401` would force user to logout and do full SLO if it's supported. if (refreshedTokenPair === null) { - if (canRedirectRequest(request)) { + if (canStartNewSession(request)) { this.logger.debug( 'Both access and refresh tokens are expired. Capturing redirect URL and re-initiating SAML handshake.' ); @@ -515,12 +500,6 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { private async authenticateViaHandshake(request: KibanaRequest, redirectURL: string) { this.logger.debug('Trying to initiate SAML handshake.'); - // If client can't handle redirect response, we shouldn't initiate SAML handshake. - if (!canRedirectRequest(request)) { - this.logger.debug('SAML handshake can not be initiated by AJAX requests.'); - return AuthenticationResult.notHandled(); - } - try { // This operation should be performed on behalf of the user with a privilege that normal // user usually doesn't have `cluster:admin/xpack/security/saml/prepare`. @@ -586,20 +565,23 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { } /** - * Redirects user to the client-side page that will grab URL fragment and redirect user back to Kibana - * to initiate SAML handshake. + * Tries to capture full redirect URL (both path and fragment) and initiate SAML handshake. * @param request Request instance. - * @param [redirectURL] Optional URL user is supposed to be redirected to after successful login. - * If not provided the URL of the specified request is used. + * @param [redirectURLPath] Optional URL path user is supposed to be redirected to after successful + * login. If not provided the URL path of the specified request is used. + * @param [redirectURLFragment] Optional URL fragment of the URL user is supposed to be redirected + * to after successful login. If not provided user will be redirected to the client-side page that + * will grab it and redirect user back to Kibana to initiate SAML handshake. */ private captureRedirectURL( request: KibanaRequest, - redirectURL = `${this.options.basePath.get(request)}${request.url.path}` + redirectURLPath = `${this.options.basePath.get(request)}${request.url.path}`, + redirectURLFragment?: string ) { // If the size of the path already exceeds the maximum allowed size of the URL to store in the // session there is no reason to try to capture URL fragment and we start handshake immediately. // In this case user will be redirected to the Kibana home/root after successful login. - const redirectURLSize = new ByteSizeValue(Buffer.byteLength(redirectURL)); + let redirectURLSize = new ByteSizeValue(Buffer.byteLength(redirectURLPath)); if (this.maxRedirectURLSize.isLessThan(redirectURLSize)) { this.logger.warn( `Max URL path size should not exceed ${this.maxRedirectURLSize.toString()} but it was ${redirectURLSize.toString()}. URL is not captured.` @@ -607,9 +589,30 @@ export class SAMLAuthenticationProvider extends BaseAuthenticationProvider { return this.authenticateViaHandshake(request, ''); } - return AuthenticationResult.redirectTo( - `${this.options.basePath.serverBasePath}/internal/security/saml/capture-url-fragment`, - { state: { redirectURL, realm: this.realm } } - ); + // If URL fragment wasn't specified at all, let's try to capture it. + if (redirectURLFragment === undefined) { + return AuthenticationResult.redirectTo( + `${this.options.basePath.serverBasePath}/internal/security/saml/capture-url-fragment`, + { state: { redirectURL: redirectURLPath, realm: this.realm } } + ); + } + + if (redirectURLFragment.length > 0 && !redirectURLFragment.startsWith('#')) { + this.logger.warn('Redirect URL fragment does not start with `#`.'); + redirectURLFragment = `#${redirectURLFragment}`; + } + + let redirectURL = `${redirectURLPath}${redirectURLFragment}`; + redirectURLSize = new ByteSizeValue(Buffer.byteLength(redirectURL)); + if (this.maxRedirectURLSize.isLessThan(redirectURLSize)) { + this.logger.warn( + `Max URL size should not exceed ${this.maxRedirectURLSize.toString()} but it was ${redirectURLSize.toString()}. Only URL path is captured.` + ); + redirectURL = redirectURLPath; + } else { + this.logger.debug('Captured redirect URL.'); + } + + return this.authenticateViaHandshake(request, redirectURL); } } diff --git a/x-pack/plugins/security/server/authentication/providers/token.test.ts b/x-pack/plugins/security/server/authentication/providers/token.test.ts index e81d14e8bf9f3..7472adb30307c 100644 --- a/x-pack/plugins/security/server/authentication/providers/token.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/token.test.ts @@ -36,7 +36,7 @@ describe('TokenAuthenticationProvider', () => { let provider: TokenAuthenticationProvider; let mockOptions: MockAuthenticationProviderOptions; beforeEach(() => { - mockOptions = mockAuthenticationProviderOptions(); + mockOptions = mockAuthenticationProviderOptions({ name: 'token' }); provider = new TokenAuthenticationProvider(mockOptions); }); @@ -163,6 +163,12 @@ describe('TokenAuthenticationProvider', () => { ).resolves.toEqual(AuthenticationResult.notHandled()); }); + it('does not redirect requests that do not require authentication to the login page.', async () => { + await expect( + provider.authenticate(httpServerMock.createKibanaRequest({ routeAuthRequired: false })) + ).resolves.toEqual(AuthenticationResult.notHandled()); + }); + it('redirects non-AJAX requests that can not be authenticated to the login page.', async () => { await expect( provider.authenticate( @@ -346,6 +352,35 @@ describe('TokenAuthenticationProvider', () => { expect(request.headers).not.toHaveProperty('authorization'); }); + it('does not redirect non-AJAX requests that do not require authentication if token token cannot be refreshed', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: {}, + routeAuthRequired: false, + path: '/some-path', + }); + const tokenPair = { accessToken: 'foo', refreshToken: 'bar' }; + const authorization = `Bearer ${tokenPair.accessToken}`; + + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue( + ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()) + ); + mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); + + mockOptions.tokens.refresh.mockResolvedValue(null); + + await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + AuthenticationResult.failed(Boom.badRequest('Both access and refresh tokens are expired.')) + ); + + expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); + + expectAuthenticateCall(mockOptions.client, { headers: { authorization } }); + + expect(request.headers).not.toHaveProperty('authorization'); + }); + it('fails if new access token is rejected after successful refresh', async () => { const request = httpServerMock.createKibanaRequest(); const tokenPair = { accessToken: 'foo', refreshToken: 'bar' }; @@ -386,15 +421,13 @@ describe('TokenAuthenticationProvider', () => { }); describe('`logout` method', () => { - it('returns `redirected` if state is not presented.', async () => { + it('returns `notHandled` if state is not presented.', async () => { const request = httpServerMock.createKibanaRequest(); - await expect(provider.logout(request)).resolves.toEqual( - DeauthenticationResult.redirectTo('/base-path/login?msg=LOGGED_OUT') - ); + await expect(provider.logout(request)).resolves.toEqual(DeauthenticationResult.notHandled()); await expect(provider.logout(request, null)).resolves.toEqual( - DeauthenticationResult.redirectTo('/base-path/login?msg=LOGGED_OUT') + DeauthenticationResult.notHandled() ); expect(mockOptions.tokens.invalidate).not.toHaveBeenCalled(); diff --git a/x-pack/plugins/security/server/authentication/providers/token.ts b/x-pack/plugins/security/server/authentication/providers/token.ts index 920ac5b69ebb5..e49769c148eba 100644 --- a/x-pack/plugins/security/server/authentication/providers/token.ts +++ b/x-pack/plugins/security/server/authentication/providers/token.ts @@ -26,6 +26,16 @@ interface ProviderLoginAttempt { */ type ProviderState = TokenPair; +/** + * Checks whether current request can initiate new session. + * @param request Request instance. + */ +function canStartNewSession(request: KibanaRequest) { + // We should try to establish new session only if request requires authentication and client + // can be redirected to the login page where they can enter username and password. + return canRedirectRequest(request) && request.route.options.authRequired === true; +} + /** * Provider that supports token-based request authentication. */ @@ -100,7 +110,7 @@ export class TokenAuthenticationProvider extends BaseAuthenticationProvider { // finally, if authentication still can not be handled for this // request/state combination, redirect to the login page if appropriate - if (authenticationResult.notHandled() && canRedirectRequest(request)) { + if (authenticationResult.notHandled() && canStartNewSession(request)) { this.logger.debug('Redirecting request to Login page.'); authenticationResult = AuthenticationResult.redirectTo(this.getLoginPageURL(request)); } @@ -187,7 +197,7 @@ export class TokenAuthenticationProvider extends BaseAuthenticationProvider { // If refresh token is no longer valid, then we should clear session and redirect user to the // login page to re-authenticate, or fail if redirect isn't possible. if (refreshedTokenPair === null) { - if (canRedirectRequest(request)) { + if (canStartNewSession(request)) { this.logger.debug('Clearing session since both access and refresh tokens are expired.'); // Set state to `null` to let `Authenticator` know that we want to clear current session. diff --git a/x-pack/plugins/security/server/config.test.ts b/x-pack/plugins/security/server/config.test.ts index 03285184d6572..34390a32dd9d3 100644 --- a/x-pack/plugins/security/server/config.test.ts +++ b/x-pack/plugins/security/server/config.test.ts @@ -6,9 +6,8 @@ jest.mock('crypto', () => ({ randomBytes: jest.fn() })); -import { first } from 'rxjs/operators'; -import { loggingServiceMock, coreMock } from '../../../../src/core/server/mocks'; -import { createConfig$, ConfigSchema } from './config'; +import { loggingServiceMock } from '../../../../src/core/server/mocks'; +import { createConfig, ConfigSchema } from './config'; describe('config schema', () => { it('generates proper defaults', () => { @@ -25,9 +24,22 @@ describe('config schema', () => { "apikey", ], }, - "providers": Array [ - "basic", - ], + "providers": Object { + "basic": Object { + "basic": Object { + "description": undefined, + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + "kerberos": undefined, + "oidc": undefined, + "pki": undefined, + "saml": undefined, + "token": undefined, + }, + "selector": Object {}, }, "cookieName": "sid", "enabled": true, @@ -54,9 +66,22 @@ describe('config schema', () => { "apikey", ], }, - "providers": Array [ - "basic", - ], + "providers": Object { + "basic": Object { + "basic": Object { + "description": undefined, + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + "kerberos": undefined, + "oidc": undefined, + "pki": undefined, + "saml": undefined, + "token": undefined, + }, + "selector": Object {}, }, "cookieName": "sid", "enabled": true, @@ -83,9 +108,22 @@ describe('config schema', () => { "apikey", ], }, - "providers": Array [ - "basic", - ], + "providers": Object { + "basic": Object { + "basic": Object { + "description": undefined, + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + "kerberos": undefined, + "oidc": undefined, + "pki": undefined, + "saml": undefined, + "token": undefined, + }, + "selector": Object {}, }, "cookieName": "sid", "enabled": true, @@ -148,6 +186,7 @@ describe('config schema', () => { "providers": Array [ "oidc", ], + "selector": Object {}, } `); }); @@ -181,6 +220,7 @@ describe('config schema', () => { "oidc", "basic", ], + "selector": Object {}, } `); }); @@ -228,6 +268,7 @@ describe('config schema', () => { }, "realm": "realm-1", }, + "selector": Object {}, } `); }); @@ -307,25 +348,18 @@ describe('config schema', () => { }); }); -describe('createConfig$()', () => { - const mockAndCreateConfig = async (isTLSEnabled: boolean, value = {}, context?: any) => { - const contextMock = coreMock.createPluginInitializerContext( - // we must use validate to avoid errors in `createConfig$` - ConfigSchema.validate(value, context) - ); - return await createConfig$(contextMock, isTLSEnabled) - .pipe(first()) - .toPromise() - .then(config => ({ contextMock, config })); - }; +describe('createConfig()', () => { it('should log a warning and set xpack.security.encryptionKey if not set', async () => { const mockRandomBytes = jest.requireMock('crypto').randomBytes; mockRandomBytes.mockReturnValue('ab'.repeat(16)); - const { contextMock, config } = await mockAndCreateConfig(true, {}, { dist: true }); + const logger = loggingServiceMock.create().get(); + const config = createConfig(ConfigSchema.validate({}, { dist: true }), logger, { + isTLSEnabled: true, + }); expect(config.encryptionKey).toEqual('ab'.repeat(16)); - expect(loggingServiceMock.collect(contextMock.logger).warn).toMatchInlineSnapshot(` + expect(loggingServiceMock.collect(logger).warn).toMatchInlineSnapshot(` Array [ Array [ "Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml", @@ -335,10 +369,11 @@ describe('createConfig$()', () => { }); it('should log a warning if SSL is not configured', async () => { - const { contextMock, config } = await mockAndCreateConfig(false, {}); + const logger = loggingServiceMock.create().get(); + const config = createConfig(ConfigSchema.validate({}), logger, { isTLSEnabled: false }); expect(config.secureCookies).toEqual(false); - expect(loggingServiceMock.collect(contextMock.logger).warn).toMatchInlineSnapshot(` + expect(loggingServiceMock.collect(logger).warn).toMatchInlineSnapshot(` Array [ Array [ "Session cookies will be transmitted over insecure connections. This is not recommended.", @@ -348,10 +383,13 @@ describe('createConfig$()', () => { }); it('should log a warning if SSL is not configured yet secure cookies are being used', async () => { - const { contextMock, config } = await mockAndCreateConfig(false, { secureCookies: true }); + const logger = loggingServiceMock.create().get(); + const config = createConfig(ConfigSchema.validate({ secureCookies: true }), logger, { + isTLSEnabled: false, + }); expect(config.secureCookies).toEqual(true); - expect(loggingServiceMock.collect(contextMock.logger).warn).toMatchInlineSnapshot(` + expect(loggingServiceMock.collect(logger).warn).toMatchInlineSnapshot(` Array [ Array [ "Using secure cookies, but SSL is not enabled inside Kibana. SSL must be configured outside of Kibana to function properly.", @@ -361,9 +399,10 @@ describe('createConfig$()', () => { }); it('should set xpack.security.secureCookies if SSL is configured', async () => { - const { contextMock, config } = await mockAndCreateConfig(true, {}); + const logger = loggingServiceMock.create().get(); + const config = createConfig(ConfigSchema.validate({}), logger, { isTLSEnabled: true }); expect(config.secureCookies).toEqual(true); - expect(loggingServiceMock.collect(contextMock.logger).warn).toEqual([]); + expect(loggingServiceMock.collect(logger).warn).toEqual([]); }); }); diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts index f8cedbe92a14a..e143e3d6b1b25 100644 --- a/x-pack/plugins/security/server/config.ts +++ b/x-pack/plugins/security/server/config.ts @@ -5,50 +5,90 @@ */ import crypto from 'crypto'; -import { Observable } from 'rxjs'; -import { map } from 'rxjs/operators'; -import { schema, TypeOf } from '@kbn/config-schema'; -import { PluginInitializerContext } from '../../../../src/core/server'; +import { schema, Type, TypeOf } from '@kbn/config-schema'; +import { Logger } from '../../../../src/core/server'; -export type ConfigType = ReturnType extends Observable - ? P - : ReturnType; +export type ConfigType = ReturnType; -function getCommonProviderSchemaProperties(providerType: string) { +const providerOptionsSchema = (providerType: string, optionsSchema: Type) => + schema.conditional( + schema.siblingRef('providers'), + schema.arrayOf(schema.string(), { + validate: providers => (!providers.includes(providerType) ? 'error' : undefined), + }), + optionsSchema, + schema.never() + ); + +type ProvidersCommonConfigType = Record< + 'enabled' | 'showInSelector' | 'order' | 'description', + Type +>; +function getCommonProviderSchemaProperties(overrides: Partial = {}) { return { enabled: schema.boolean({ defaultValue: true }), + showInSelector: schema.boolean({ defaultValue: true }), order: schema.number({ min: 0 }), - description: schema.string({ defaultValue: providerType }), + description: schema.maybe(schema.string()), + ...overrides, }; } -function getUniqueProviderSchema(providerType: string) { +function getUniqueProviderSchema( + providerType: string, + overrides?: Partial +) { return schema.maybe( - schema.recordOf( - schema.string(), - schema.object(getCommonProviderSchemaProperties(providerType)), - { - validate(config) { - if (Object.values(config).filter(provider => provider.enabled).length > 1) { - return `Only one "${providerType}" provider can be configured.`; - } - }, - } - ) + schema.recordOf(schema.string(), schema.object(getCommonProviderSchemaProperties(overrides)), { + validate(config) { + if (Object.values(config).filter(provider => provider.enabled).length > 1) { + return `Only one "${providerType}" provider can be configured.`; + } + }, + }) ); } +type ProvidersConfigType = TypeOf; const providersConfigSchema = schema.object( { - basic: getUniqueProviderSchema('basic'), - token: getUniqueProviderSchema('token'), + basic: getUniqueProviderSchema('basic', { + description: schema.maybe( + schema.any({ + validate: () => '`basic` provider does not support custom description.', + }) + ), + showInSelector: schema.boolean({ + defaultValue: true, + validate: value => { + if (!value) { + return '`basic` provider only supports `true` in `showInSelector`.'; + } + }, + }), + }), + token: getUniqueProviderSchema('token', { + description: schema.maybe( + schema.any({ + validate: () => '`token` provider does not support custom description.', + }) + ), + showInSelector: schema.boolean({ + defaultValue: true, + validate: value => { + if (!value) { + return '`token` provider only supports `true` in `showInSelector`.'; + } + }, + }), + }), kerberos: getUniqueProviderSchema('kerberos'), pki: getUniqueProviderSchema('pki'), saml: schema.maybe( schema.recordOf( schema.string(), schema.object({ - ...getCommonProviderSchemaProperties('saml'), + ...getCommonProviderSchemaProperties(), realm: schema.string(), maxRedirectURLSize: schema.byteSize({ defaultValue: '2kb' }), }) @@ -57,19 +97,11 @@ const providersConfigSchema = schema.object( oidc: schema.maybe( schema.recordOf( schema.string(), - schema.object({ ...getCommonProviderSchemaProperties('oidc'), realm: schema.string() }) + schema.object({ ...getCommonProviderSchemaProperties(), realm: schema.string() }) ) ), }, { - defaultValue: { - basic: { basic: { enabled: true, order: 0, description: 'basic' } }, - token: undefined, - saml: undefined, - oidc: undefined, - pki: undefined, - kerberos: undefined, - }, validate(config) { const checks = { sameOrder: new Map(), sameName: new Map() }; for (const [providerType, providerGroup] of Object.entries(config)) { @@ -112,8 +144,25 @@ export const ConfigSchema = schema.object({ }), secureCookies: schema.boolean({ defaultValue: false }), authc: schema.object({ - selector: schema.object({ enabled: schema.boolean({ defaultValue: false }) }), - providers: providersConfigSchema, + selector: schema.object({ enabled: schema.maybe(schema.boolean()) }), + providers: schema.oneOf([schema.arrayOf(schema.string()), providersConfigSchema], { + defaultValue: { + basic: { basic: { enabled: true, showInSelector: true, order: 0, description: undefined } }, + token: undefined, + saml: undefined, + oidc: undefined, + pki: undefined, + kerberos: undefined, + }, + }), + oidc: providerOptionsSchema('oidc', schema.object({ realm: schema.string() })), + saml: providerOptionsSchema( + 'saml', + schema.object({ + realm: schema.string(), + maxRedirectURLSize: schema.byteSize({ defaultValue: '2kb' }), + }) + ), http: schema.object({ enabled: schema.boolean({ defaultValue: true }), autoSchemesEnabled: schema.boolean({ defaultValue: true }), @@ -125,63 +174,96 @@ export const ConfigSchema = schema.object({ }), }); -export function createConfig$(context: PluginInitializerContext, isTLSEnabled: boolean) { - return context.config.create>().pipe( - map(config => { - const logger = context.logger.get('config'); +export function createConfig( + config: TypeOf, + logger: Logger, + { isTLSEnabled }: { isTLSEnabled: boolean } +) { + let encryptionKey = config.encryptionKey; + if (encryptionKey === undefined) { + logger.warn( + 'Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on ' + + 'restart, please set xpack.security.encryptionKey in kibana.yml' + ); + + encryptionKey = crypto.randomBytes(16).toString('hex'); + } - let encryptionKey = config.encryptionKey; - if (encryptionKey === undefined) { - logger.warn( - 'Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on ' + - 'restart, please set xpack.security.encryptionKey in kibana.yml' - ); + let secureCookies = config.secureCookies; + if (!isTLSEnabled) { + if (secureCookies) { + logger.warn( + 'Using secure cookies, but SSL is not enabled inside Kibana. SSL must be configured outside of Kibana to ' + + 'function properly.' + ); + } else { + logger.warn( + 'Session cookies will be transmitted over insecure connections. This is not recommended.' + ); + } + } else if (!secureCookies) { + secureCookies = true; + } - encryptionKey = crypto.randomBytes(16).toString('hex'); - } + const isUsingLegacyProvidersFormat = Array.isArray(config.authc.providers); + const providers = (isUsingLegacyProvidersFormat + ? [...new Set(config.authc.providers as Array)].reduce( + (legacyProviders, providerType, order) => { + legacyProviders[providerType] = { + [providerType]: + providerType === 'saml' || providerType === 'oidc' + ? { enabled: true, showInSelector: true, order, ...config.authc[providerType] } + : { enabled: true, showInSelector: true, order }, + }; + return legacyProviders; + }, + {} as Record + ) + : config.authc.providers) as ProvidersConfigType; - let secureCookies = config.secureCookies; - if (!isTLSEnabled) { - if (secureCookies) { - logger.warn( - 'Using secure cookies, but SSL is not enabled inside Kibana. SSL must be configured outside of Kibana to ' + - 'function properly.' - ); - } else { - logger.warn( - 'Session cookies will be transmitted over insecure connections. This is not recommended.' - ); - } - } else if (!secureCookies) { - secureCookies = true; + // Remove disabled providers and sort the rest. + const sortedProviders: Array<{ + type: keyof ProvidersConfigType; + name: string; + options: { order: number; showInSelector: boolean; description?: string }; + }> = []; + for (const [type, providerGroup] of Object.entries(providers)) { + for (const [name, { enabled, showInSelector, order, description }] of Object.entries( + providerGroup ?? {} + )) { + if (!enabled) { + delete providerGroup![name]; + } else { + sortedProviders.push({ + type: type as any, + name, + options: { order, showInSelector, description }, + }); } + } + } - // Remove disabled providers and sort the rest. - const sortedProviders: Array<{ - type: keyof TypeOf; - name: string; - options: { order: number; description: string }; - }> = []; - for (const [type, providerGroup] of Object.entries(config.authc.providers)) { - for (const [name, { enabled, order, description }] of Object.entries(providerGroup ?? {})) { - if (!enabled) { - delete providerGroup![name]; - } else { - sortedProviders.push({ type: type as any, name, options: { order, description } }); - } - } - } + sortedProviders.sort(({ options: { order: orderA } }, { options: { order: orderB } }) => + orderA < orderB ? -1 : orderA > orderB ? 1 : 0 + ); - sortedProviders.sort(({ options: { order: orderA } }, { options: { order: orderB } }) => - orderA < orderB ? -1 : orderA > orderB ? 1 : 0 - ); + // We enable Login Selector by default if a) it's not explicitly disabled, b) new config + // format of providers is used and c) we have more than one provider enabled. + const isLoginSelectorEnabled = + typeof config.authc.selector.enabled === 'boolean' + ? config.authc.selector.enabled + : !isUsingLegacyProvidersFormat && + sortedProviders.filter(provider => provider.options.showInSelector).length > 1; - return { - ...config, - authc: { ...config.authc, sortedProviders: Object.freeze(sortedProviders) }, - encryptionKey, - secureCookies, - }; - }) - ); + return { + ...config, + authc: { + ...config.authc, + selector: { ...config.authc.selector, enabled: isLoginSelectorEnabled }, + providers, + sortedProviders: Object.freeze(sortedProviders), + }, + encryptionKey, + secureCookies, + }; } diff --git a/x-pack/plugins/security/server/index.ts b/x-pack/plugins/security/server/index.ts index 0563f417428aa..caeb06e6f3153 100644 --- a/x-pack/plugins/security/server/index.ts +++ b/x-pack/plugins/security/server/index.ts @@ -34,43 +34,26 @@ export const config: PluginConfigDescriptor> = { deprecations: ({ rename, unused }) => [ rename('sessionTimeout', 'session.idleTimeout'), unused('authorization.legacyFallback.enabled'), - // Deprecation transformation for the old array-based format of `xpack.security.authc.providers`. + // Deprecation warning for the old array-based format of `xpack.security.authc.providers`. (settings, fromPath, log) => { - const authcConfig = settings?.xpack?.security?.authc; - if (!Array.isArray(authcConfig?.providers)) { - return settings; - } - - log( - 'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format.' - ); - - const providerTypes = new Set(authcConfig.providers as string[]); - authcConfig.providers = {}; - - let order = 0; - for (const providerType of providerTypes) { - const isProviderWithAdditionalConfig = providerType === 'saml' || providerType === 'oidc'; - authcConfig.providers[providerType] = { - [providerType]: isProviderWithAdditionalConfig - ? { enabled: true, order, ...authcConfig[providerType] } - : { enabled: true, order }, - }; - - if (isProviderWithAdditionalConfig) { - delete authcConfig[providerType]; - } - - order++; + if (Array.isArray(settings?.xpack?.security?.authc?.providers)) { + log( + 'Defining `xpack.security.authc.providers` as an array of provider types is deprecated. Use extended `object` format instead.' + ); } return settings; }, (settings, fromPath, log) => { const hasProviderType = (providerType: string) => { - return Object.values( - settings?.xpack?.security?.authc?.providers?.[providerType] || {} - ).some(provider => (provider as { enabled: boolean | undefined })?.enabled !== false); + const providers = settings?.xpack?.security?.authc?.providers; + if (Array.isArray(providers)) { + return providers.includes(providerType); + } + + return Object.values(providers?.[providerType] || {}).some( + provider => (provider as { enabled: boolean | undefined })?.enabled !== false + ); }; if (hasProviderType('basic') && hasProviderType('token')) { diff --git a/x-pack/plugins/security/server/plugin.test.ts b/x-pack/plugins/security/server/plugin.test.ts index a1ef352056d6a..142fc11b5457d 100644 --- a/x-pack/plugins/security/server/plugin.test.ts +++ b/x-pack/plugins/security/server/plugin.test.ts @@ -26,6 +26,7 @@ describe('Security Plugin', () => { lifespan: null, }, authc: { + selector: { enabled: false }, providers: ['saml', 'token'], saml: { realm: 'saml1', maxRedirectURLSize: new ByteSizeValue(2048) }, http: { enabled: true, autoSchemesEnabled: true, schemes: ['apikey'] }, @@ -49,9 +50,6 @@ describe('Security Plugin', () => { await expect(plugin.setup(mockCoreSetup, mockDependencies)).resolves.toMatchInlineSnapshot(` Object { "__legacyCompat": Object { - "config": Object { - "secureCookies": true, - }, "license": Object { "features$": Observable { "_isScalar": false, @@ -76,7 +74,7 @@ describe('Security Plugin', () => { "getSessionInfo": [Function], "invalidateAPIKey": [Function], "isAuthenticated": [Function], - "isProviderEnabled": [Function], + "isProviderTypeEnabled": [Function], "login": [Function], "logout": [Function], }, diff --git a/x-pack/plugins/security/server/plugin.ts b/x-pack/plugins/security/server/plugin.ts index 52483c3500aa3..032d231fe798f 100644 --- a/x-pack/plugins/security/server/plugin.ts +++ b/x-pack/plugins/security/server/plugin.ts @@ -5,7 +5,8 @@ */ import { combineLatest } from 'rxjs'; -import { first } from 'rxjs/operators'; +import { first, map } from 'rxjs/operators'; +import { TypeOf } from '@kbn/config-schema'; import { ICustomClusterClient, CoreSetup, @@ -19,7 +20,7 @@ import { LicensingPluginSetup } from '../../licensing/server'; import { Authentication, setupAuthentication } from './authentication'; import { Authorization, setupAuthorization } from './authorization'; -import { createConfig$ } from './config'; +import { ConfigSchema, createConfig } from './config'; import { defineRoutes } from './routes'; import { SecurityLicenseService, SecurityLicense } from '../common/licensing'; import { setupSavedObjects } from './saved_objects'; @@ -104,7 +105,13 @@ export class Plugin { public async setup(core: CoreSetup, { features, licensing }: PluginSetupDependencies) { const [config, legacyConfig] = await combineLatest([ - createConfig$(this.initializerContext, core.http.isTlsEnabled), + this.initializerContext.config.create>().pipe( + map(rawConfig => + createConfig(rawConfig, this.initializerContext.logger.get('config'), { + isTLSEnabled: core.http.isTlsEnabled, + }) + ) + ), this.initializerContext.config.legacy.globalConfig$, ]) .pipe(first()) diff --git a/x-pack/plugins/security/server/routes/authentication/basic.test.ts b/x-pack/plugins/security/server/routes/authentication/basic.test.ts index 6e5f99b5c0517..3c114978f26d2 100644 --- a/x-pack/plugins/security/server/routes/authentication/basic.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/basic.test.ts @@ -108,7 +108,7 @@ describe('Basic authentication routes', () => { expect(response.status).toBe(500); expect(response.payload).toEqual(unhandledException); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'basic', + provider: { type: 'basic' }, value: { username: 'user', password: 'password' }, }); }); @@ -122,7 +122,7 @@ describe('Basic authentication routes', () => { expect(response.status).toBe(401); expect(response.payload).toEqual(failureReason); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'basic', + provider: { type: 'basic' }, value: { username: 'user', password: 'password' }, }); }); @@ -135,7 +135,7 @@ describe('Basic authentication routes', () => { expect(response.status).toBe(401); expect(response.payload).toEqual('Unauthorized'); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'basic', + provider: { type: 'basic' }, value: { username: 'user', password: 'password' }, }); }); @@ -149,7 +149,7 @@ describe('Basic authentication routes', () => { expect(response.status).toBe(204); expect(response.payload).toBeUndefined(); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'basic', + provider: { type: 'basic' }, value: { username: 'user', password: 'password' }, }); }); @@ -165,7 +165,7 @@ describe('Basic authentication routes', () => { expect(response.status).toBe(204); expect(response.payload).toBeUndefined(); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'token', + provider: { type: 'token' }, value: { username: 'user', password: 'password' }, }); }); diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts index d8797362d62ea..30a8f2ce5bb0a 100644 --- a/x-pack/plugins/security/server/routes/authentication/common.ts +++ b/x-pack/plugins/security/server/routes/authentication/common.ts @@ -5,6 +5,7 @@ */ import { schema } from '@kbn/config-schema'; +import { parseNext } from '../../../common/parse_next'; import { canRedirectRequest, OIDCLogin, SAMLLogin } from '../../authentication'; import { wrapIntoCustomErrorResponse } from '../../errors'; import { createLicensedRouteHandler } from '../licensed_route_handler'; @@ -12,7 +13,6 @@ import { OIDCAuthenticationProvider, SAMLAuthenticationProvider, } from '../../authentication/providers'; -import { parseNext } from '../../../common/parse_next'; import { RouteDefinitionParams } from '..'; /** @@ -77,52 +77,61 @@ export function defineCommonRoutes({ router, authc, basePath, logger }: RouteDef ); } - function getLoginAttemptForProviderType(providerType: string, next: string) { + function getLoginAttemptForProviderType(providerType: string, redirectURL: string) { + const [redirectURLPath] = redirectURL.split('#'); + const redirectURLFragment = + redirectURL.length > redirectURLPath.length + ? redirectURL.substring(redirectURLPath.length) + : ''; + if (providerType === SAMLAuthenticationProvider.type) { - return { type: SAMLLogin.LoginInitiatedByUser, redirectURL: next }; + return { type: SAMLLogin.LoginInitiatedByUser, redirectURLPath, redirectURLFragment }; } if (providerType === OIDCAuthenticationProvider.type) { - return { type: OIDCLogin.LoginInitiatedByUser, redirectURL: next }; + return { type: OIDCLogin.LoginInitiatedByUser, redirectURLPath }; } return undefined; } - router.get( + router.post( { - path: '/internal/security/login/{providerType}/{providerName}', + path: '/internal/security/login_with', validate: { - params: schema.object({ + body: schema.object({ providerType: schema.string(), providerName: schema.string(), + currentURL: schema.string(), }), - query: schema.object({ next: schema.maybe(schema.string()) }), }, options: { authRequired: false }, }, - async (context, request, response) => { - const { providerType, providerName } = request.params; - logger.info(`Logging in in with provider "${providerName}" (${providerType})`); + createLicensedRouteHandler(async (context, request, response) => { + const { providerType, providerName, currentURL } = request.body; + logger.info(`Logging in with provider "${providerName}" (${providerType})`); + const redirectURL = parseNext(currentURL ?? '', basePath.serverBasePath); try { const authenticationResult = await authc.login(request, { provider: { name: providerName }, - value: getLoginAttemptForProviderType( - providerType, - parseNext(request.url?.href ?? '', basePath.serverBasePath) - ), + value: getLoginAttemptForProviderType(providerType, redirectURL), }); - if (authenticationResult.redirected()) { - return response.redirected({ headers: { location: authenticationResult.redirectURL! } }); + if (authenticationResult.redirected() || authenticationResult.succeeded()) { + return response.ok({ + body: { location: authenticationResult.redirectURL || redirectURL }, + }); } - return response.unauthorized(); + return response.unauthorized({ + body: authenticationResult.error, + headers: authenticationResult.authResponseHeaders, + }); } catch (err) { logger.error(err); return response.internalError(); } - } + }) ); } diff --git a/x-pack/plugins/security/server/routes/authentication/saml.test.ts b/x-pack/plugins/security/server/routes/authentication/saml.test.ts index be3628c1a58ce..af63dfa2f4471 100644 --- a/x-pack/plugins/security/server/routes/authentication/saml.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/saml.test.ts @@ -37,7 +37,7 @@ describe('SAML authentication routes', () => { }); it('correctly defines route.', () => { - expect(routeConfig.options).toEqual({ authRequired: false }); + expect(routeConfig.options).toEqual({ authRequired: false, xsrfRequired: false }); expect(routeConfig.validate).toEqual({ body: expect.any(Type), query: undefined, @@ -84,7 +84,7 @@ describe('SAML authentication routes', () => { ); expect(authc.login).toHaveBeenCalledWith(request, { - provider: 'saml', + provider: { type: 'saml' }, value: { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response', @@ -163,7 +163,7 @@ describe('SAML authentication routes', () => { ); expect(authc.login).toHaveBeenCalledWith(request, { - provider: 'saml', + provider: { type: 'saml' }, value: { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response', diff --git a/x-pack/plugins/security/server/routes/authentication/saml.ts b/x-pack/plugins/security/server/routes/authentication/saml.ts index 84f6411c92c48..8f08f250a1c75 100644 --- a/x-pack/plugins/security/server/routes/authentication/saml.ts +++ b/x-pack/plugins/security/server/routes/authentication/saml.ts @@ -71,7 +71,7 @@ export function defineSAMLRoutes({ router, logger, authc, csp, basePath }: Route const authenticationResult = await authc.login(request, { provider: { type: SAMLAuthenticationProvider.type }, value: { - type: SAMLLogin.LoginWithRedirectURLFragmentCaptured, + type: SAMLLogin.LoginInitiatedByUser, redirectURLFragment: request.query.redirectURLFragment, }, }); diff --git a/x-pack/plugins/security/server/routes/index.mock.ts b/x-pack/plugins/security/server/routes/index.mock.ts index 0821ed8b96af9..aaefdad6c221a 100644 --- a/x-pack/plugins/security/server/routes/index.mock.ts +++ b/x-pack/plugins/security/server/routes/index.mock.ts @@ -11,17 +11,19 @@ import { } from '../../../../../src/core/server/mocks'; import { authenticationMock } from '../authentication/index.mock'; import { authorizationMock } from '../authorization/index.mock'; -import { ConfigSchema } from '../config'; +import { ConfigSchema, createConfig } from '../config'; import { licenseMock } from '../../common/licensing/index.mock'; export const routeDefinitionParamsMock = { - create: () => ({ + create: (config: Record = {}) => ({ router: httpServiceMock.createRouter(), basePath: httpServiceMock.createBasePath(), csp: httpServiceMock.createSetupContract().csp, logger: loggingServiceMock.create().get(), clusterClient: elasticsearchServiceMock.createClusterClient(), - config: { ...ConfigSchema.validate({}), encryptionKey: 'some-enc-key' }, + config: createConfig(ConfigSchema.validate(config), loggingServiceMock.create().get(), { + isTLSEnabled: false, + }), authc: authenticationMock.create(), authz: authorizationMock.create(), license: licenseMock.create(), diff --git a/x-pack/plugins/security/server/routes/users/change_password.test.ts b/x-pack/plugins/security/server/routes/users/change_password.test.ts index c2db34dc3c33c..bac40202ee6ef 100644 --- a/x-pack/plugins/security/server/routes/users/change_password.test.ts +++ b/x-pack/plugins/security/server/routes/users/change_password.test.ts @@ -188,7 +188,7 @@ describe('Change password', () => { expect(authc.login).toHaveBeenCalledTimes(1); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'basic', + provider: { name: 'basic1' }, value: { username, password: 'new-password' }, }); }); @@ -196,7 +196,7 @@ describe('Change password', () => { it('successfully changes own password if provided old password is correct for non-basic provider.', async () => { const mockUser = mockAuthenticatedUser({ username: 'user', - authentication_provider: 'token', + authentication_provider: 'token1', }); authc.getCurrentUser.mockReturnValue(mockUser); authc.login.mockResolvedValue(AuthenticationResult.succeeded(mockUser)); @@ -215,7 +215,7 @@ describe('Change password', () => { expect(authc.login).toHaveBeenCalledTimes(1); expect(authc.login).toHaveBeenCalledWith(mockRequest, { - provider: 'token', + provider: { name: 'token1' }, value: { username, password: 'new-password' }, }); }); diff --git a/x-pack/plugins/security/server/routes/views/index.test.ts b/x-pack/plugins/security/server/routes/views/index.test.ts index 0e1d33f444e1c..80f7f62a5ff43 100644 --- a/x-pack/plugins/security/server/routes/views/index.test.ts +++ b/x-pack/plugins/security/server/routes/views/index.test.ts @@ -29,7 +29,9 @@ describe('View routes', () => { it('registers Login routes if `basic` provider is enabled', () => { const routeParamsMock = routeDefinitionParamsMock.create(); - routeParamsMock.authc.isProviderTypeEnabled.mockImplementation(provider => provider !== 'token'); + routeParamsMock.authc.isProviderTypeEnabled.mockImplementation( + provider => provider !== 'token' + ); defineViewRoutes(routeParamsMock); @@ -47,7 +49,29 @@ describe('View routes', () => { it('registers Login routes if `token` provider is enabled', () => { const routeParamsMock = routeDefinitionParamsMock.create(); - routeParamsMock.authc.isProviderTypeEnabled.mockImplementation(provider => provider !== 'basic'); + routeParamsMock.authc.isProviderTypeEnabled.mockImplementation( + provider => provider !== 'basic' + ); + + defineViewRoutes(routeParamsMock); + + expect(routeParamsMock.router.get.mock.calls.map(([{ path }]) => path)).toMatchInlineSnapshot(` + Array [ + "/login", + "/internal/security/login_state", + "/security/account", + "/security/logged_out", + "/logout", + "/security/overwritten_session", + ] + `); + }); + + it('registers Login routes if Login Selector is enabled even if both `token` and `basic` providers are not enabled', () => { + const routeParamsMock = routeDefinitionParamsMock.create({ + authc: { selector: { enabled: true } }, + }); + routeParamsMock.authc.isProviderTypeEnabled.mockReturnValue(false); defineViewRoutes(routeParamsMock); diff --git a/x-pack/plugins/security/server/routes/views/login.test.ts b/x-pack/plugins/security/server/routes/views/login.test.ts index d14aa226e17ba..382e5462f7de6 100644 --- a/x-pack/plugins/security/server/routes/views/login.test.ts +++ b/x-pack/plugins/security/server/routes/views/login.test.ts @@ -13,19 +13,16 @@ import { IRouter, } from '../../../../../../src/core/server'; import { SecurityLicense } from '../../../common/licensing'; -import { Authentication } from '../../authentication'; import { defineLoginRoutes } from './login'; import { coreMock, httpServerMock } from '../../../../../../src/core/server/mocks'; import { routeDefinitionParamsMock } from '../index.mock'; describe('Login view routes', () => { - let authc: jest.Mocked; let router: jest.Mocked; let license: jest.Mocked; beforeEach(() => { const routeParamsMock = routeDefinitionParamsMock.create(); - authc = routeParamsMock.authc; router = routeParamsMock.router; license = routeParamsMock.license; @@ -45,7 +42,7 @@ describe('Login view routes', () => { }); it('correctly defines route.', () => { - expect(routeConfig.options).toEqual({ authRequired: false }); + expect(routeConfig.options).toEqual({ authRequired: 'optional' }); expect(routeConfig.validate).toEqual({ body: undefined, @@ -73,7 +70,7 @@ describe('Login view routes', () => { ); }); - it('redirects user to the root page if they have a session already or login is disabled.', async () => { + it('redirects user to the root page if they are authenticated or login is disabled.', async () => { for (const { query, expectedLocation } of [ { query: {}, expectedLocation: '/mock-server-basepath/' }, { @@ -85,27 +82,27 @@ describe('Login view routes', () => { expectedLocation: '/mock-server-basepath/', }, ]) { - const request = httpServerMock.createKibanaRequest({ query }); + // Redirect if user is authenticated even if `showLogin` is `true`. + let request = httpServerMock.createKibanaRequest({ + query, + auth: { isAuthenticated: true }, + }); (request as any).url = new URL( `${request.url.path}${request.url.search}`, 'https://kibana.co' ); - - // Redirect if user has an active session even if `showLogin` is `true`. - authc.getSessionInfo.mockResolvedValue({ - provider: 'basic', - now: 0, - idleTimeoutExpiration: null, - lifespanExpiration: null, - }); license.getFeatures.mockReturnValue({ showLogin: true } as any); await expect(routeHandler({} as any, request, kibanaResponseFactory)).resolves.toEqual({ options: { headers: { location: `${expectedLocation}` } }, status: 302, }); - // Redirect if `showLogin` is `false` even if user doesn't have an active session even. - authc.getSessionInfo.mockResolvedValue(null); + // Redirect if `showLogin` is `false` even if user is not authenticated. + request = httpServerMock.createKibanaRequest({ query, auth: { isAuthenticated: false } }); + (request as any).url = new URL( + `${request.url.path}${request.url.search}`, + 'https://kibana.co' + ); license.getFeatures.mockReturnValue({ showLogin: false } as any); await expect(routeHandler({} as any, request, kibanaResponseFactory)).resolves.toEqual({ options: { headers: { location: `${expectedLocation}` } }, @@ -114,11 +111,10 @@ describe('Login view routes', () => { } }); - it('renders view if user does not have an active session and login page can be shown.', async () => { - authc.getSessionInfo.mockResolvedValue(null); + it('renders view if user is not authenticated and login page can be shown.', async () => { license.getFeatures.mockReturnValue({ showLogin: true } as any); - const request = httpServerMock.createKibanaRequest(); + const request = httpServerMock.createKibanaRequest({ auth: { isAuthenticated: false } }); const contextMock = coreMock.createRequestHandlerContext(); await expect( @@ -133,7 +129,6 @@ describe('Login view routes', () => { status: 200, }); - expect(authc.getSessionInfo).toHaveBeenCalledWith(request); expect(contextMock.rendering.render).toHaveBeenCalledWith({ includeUserSettings: false }); }); }); @@ -170,11 +165,18 @@ describe('Login view routes', () => { const request = httpServerMock.createKibanaRequest(); const contextMock = coreMock.createRequestHandlerContext(); + const expectedPayload = { + allowLogin: true, + layout: 'error-es-unavailable', + showLoginForm: true, + requiresSecureConnection: false, + selector: { enabled: false, providers: [] }, + }; await expect( routeHandler({ core: contextMock } as any, request, kibanaResponseFactory) ).resolves.toEqual({ - options: { body: { allowLogin: true, layout: 'error-es-unavailable', showLogin: true } }, - payload: { allowLogin: true, layout: 'error-es-unavailable', showLogin: true }, + options: { body: expectedPayload }, + payload: expectedPayload, status: 200, }); }); @@ -185,11 +187,18 @@ describe('Login view routes', () => { const request = httpServerMock.createKibanaRequest(); const contextMock = coreMock.createRequestHandlerContext(); + const expectedPayload = { + allowLogin: true, + layout: 'form', + showLoginForm: true, + requiresSecureConnection: false, + selector: { enabled: false, providers: [] }, + }; await expect( routeHandler({ core: contextMock } as any, request, kibanaResponseFactory) ).resolves.toEqual({ - options: { body: { allowLogin: true, layout: 'form', showLogin: true } }, - payload: { allowLogin: true, layout: 'form', showLogin: true }, + options: { body: expectedPayload }, + payload: expectedPayload, status: 200, }); }); diff --git a/x-pack/plugins/security/server/routes/views/login.ts b/x-pack/plugins/security/server/routes/views/login.ts index f97a45c371d98..a8f669551d710 100644 --- a/x-pack/plugins/security/server/routes/views/login.ts +++ b/x-pack/plugins/security/server/routes/views/login.ts @@ -64,11 +64,17 @@ export function defineLoginRoutes({ allowLogin, layout, requiresSecureConnection: config.secureCookies, - showLoginForm: sortedProviders.some(({ type }) => type === 'basic' || type === 'token'), + showLoginForm: sortedProviders.some( + ({ type, options: { showInSelector } }) => + showInSelector && (type === 'basic' || type === 'token') + ), selector: { enabled: selector.enabled, providers: selector.enabled - ? sortedProviders.filter(({ type }) => type !== 'basic' && type !== 'token') + ? sortedProviders.filter( + ({ type, options: { showInSelector } }) => + showInSelector && type !== 'basic' && type !== 'token' + ) : [], }, }; diff --git a/x-pack/test/saml_api_integration/apis/security/saml_login.ts b/x-pack/test/saml_api_integration/apis/security/saml_login.ts index 8a3f3d7a1c8a5..a4cb34c13c0e1 100644 --- a/x-pack/test/saml_api_integration/apis/security/saml_login.ts +++ b/x-pack/test/saml_api_integration/apis/security/saml_login.ts @@ -206,9 +206,8 @@ export default function({ getService }: FtrProviderContext) { it('AJAX requests should not initiate handshake', async () => { const ajaxResponse = await supertest - .get(initiateHandshakeURL) + .get('/abc/xyz/handshake?one=two three') .set('kbn-xsrf', 'xxx') - .set('Cookie', captureURLCookie.cookieString()) .expect(401); expect(ajaxResponse.headers['set-cookie']).to.be(undefined); From a572c520cdbb4452de22c0cf36349b31ff9e6e22 Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Wed, 18 Mar 2020 17:19:17 +0100 Subject: [PATCH 03/11] Review#2: new unit tests, return response headers from login_with if provided by the authentication result, make `redirectURLPath` required in user initiated OIDC login attempt, handle part of the review feedback. --- x-pack/plugins/security/common/login_state.ts | 6 +- .../__snapshots__/login_page.test.tsx.snap | 2 +- .../authentication/login/login_page.test.tsx | 8 +- .../authentication/login/login_page.tsx | 34 +- .../authentication/authenticator.test.ts | 234 ++++++- .../authentication/providers/kerberos.test.ts | 176 +++-- .../authentication/providers/kerberos.ts | 4 +- .../authentication/providers/oidc.test.ts | 103 +++ .../server/authentication/providers/oidc.ts | 2 +- .../authentication/providers/pki.test.ts | 311 +++++---- .../authentication/providers/saml.test.ts | 146 +++- x-pack/plugins/security/server/config.test.ts | 656 ++++++++++++++++++ x-pack/plugins/security/server/config.ts | 2 +- .../routes/authentication/common.test.ts | 264 ++++++- .../server/routes/authentication/common.ts | 1 + .../server/routes/views/login.test.ts | 140 ++++ .../security/server/routes/views/login.ts | 28 +- 17 files changed, 1859 insertions(+), 258 deletions(-) diff --git a/x-pack/plugins/security/common/login_state.ts b/x-pack/plugins/security/common/login_state.ts index ad65d36a6c441..35c468a6784e5 100644 --- a/x-pack/plugins/security/common/login_state.ts +++ b/x-pack/plugins/security/common/login_state.ts @@ -8,11 +8,7 @@ import { LoginLayout } from './licensing'; interface LoginSelector { enabled: boolean; - providers: Array<{ - type: string; - name: string; - options: { description?: string; order: number }; - }>; + providers: Array<{ type: string; name: string; description?: string }>; } export interface LoginState { diff --git a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap index f8dfdadd64259..2dadfd7e69ce2 100644 --- a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap @@ -23,7 +23,7 @@ exports[`LoginPage disabled form states renders as expected when an unknown logi diff --git a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx index e191bfa92f9bf..c4a66014e567f 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx @@ -261,8 +261,8 @@ describe('LoginPage', () => { selector: { enabled: true, providers: [ - { type: 'saml', name: 'saml1', options: { description: 'Login w/SAML', order: 0 } }, - { type: 'pki', name: 'pki1', options: { description: 'Login w/PKI', order: 1 } }, + { type: 'saml', name: 'saml1', description: 'Login w/SAML' }, + { type: 'pki', name: 'pki1', description: 'Login w/PKI' }, ], }, }) @@ -294,8 +294,8 @@ describe('LoginPage', () => { selector: { enabled: true, providers: [ - { type: 'saml', name: 'saml1', options: { description: 'Login w/SAML', order: 0 } }, - { type: 'pki', name: 'pki1', options: { description: 'Login w/PKI', order: 1 } }, + { type: 'saml', name: 'saml1', description: 'Login w/SAML' }, + { type: 'pki', name: 'pki1', description: 'Login w/PKI' }, ], }, }) diff --git a/x-pack/plugins/security/public/authentication/login/login_page.tsx b/x-pack/plugins/security/public/authentication/login/login_page.tsx index 04e951c96f08c..ab18396706797 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.tsx @@ -20,13 +20,7 @@ import { } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import { - CoreStart, - FatalErrorsStart, - HttpStart, - IHttpFetchError, - NotificationsStart, -} from 'src/core/public'; +import { CoreStart, FatalErrorsStart, HttpStart, NotificationsStart } from 'src/core/public'; import { LoginState } from '../../../common/login_state'; import { BasicLoginForm, DisabledLoginForm } from './components'; @@ -225,7 +219,7 @@ export class LoginPage extends Component { message={ } /> @@ -242,7 +236,16 @@ export class LoginPage extends Component { fullWidth={true} onClick={() => this.login(provider.type, provider.name)} > - {provider.options.description ?? `${provider.type}/${provider.name}`} + {provider.description ?? ( + + )} )); @@ -277,18 +280,17 @@ export class LoginPage extends Component { private login = async (providerType: string, providerName: string) => { try { const { location } = await this.props.http.post<{ location: string }>( - `${this.props.http.basePath.serverBasePath}/internal/security/login_with`, + '/internal/security/login_with', { body: JSON.stringify({ providerType, providerName, currentURL: window.location.href }) } ); window.location.href = location; } catch (err) { - this.props.notifications.toasts.addDanger( - i18n.translate('xpack.security.loginPage.loginSelectorErrorMessage', { - defaultMessage: 'Could not perform login: {message}. Contact your system administrator.', - values: { message: (err as IHttpFetchError).message }, - }) - ); + this.props.notifications.toasts.addError(err, { + title: i18n.translate('xpack.security.loginPage.loginSelectorErrorMessage', { + defaultMessage: 'Could not perform login.', + }), + }); } }; } diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts index 03483e66da79d..5dc971c8fc6f0 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.test.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts @@ -5,6 +5,7 @@ */ jest.mock('./providers/basic'); +jest.mock('./providers/token'); jest.mock('./providers/saml'); jest.mock('./providers/http'); @@ -24,7 +25,7 @@ import { ConfigSchema, createConfig } from '../config'; import { AuthenticationResult } from './authentication_result'; import { Authenticator, AuthenticatorOptions, ProviderSession } from './authenticator'; import { DeauthenticationResult } from './deauthentication_result'; -import { BasicAuthenticationProvider } from './providers'; +import { BasicAuthenticationProvider, SAMLAuthenticationProvider } from './providers'; function getMockOptions({ session, @@ -32,7 +33,7 @@ function getMockOptions({ http = {}, }: { session?: AuthenticatorOptions['config']['session']; - providers?: Record; + providers?: Record | string[]; http?: Partial; } = {}) { return { @@ -86,6 +87,19 @@ describe('Authenticator', () => { ); }); + it('fails if configured authentication provider is not known.', () => { + expect(() => new Authenticator(getMockOptions({ providers: ['super-basic'] }))).toThrowError( + 'Unsupported authentication provider name: super-basic.' + ); + }); + + it('fails if any of the user specified provider uses reserved __http__ name.', () => { + expect( + () => + new Authenticator(getMockOptions({ providers: { basic: { __http__: { order: 0 } } } })) + ).toThrowError('Provider name "__http__" is reserved.'); + }); + describe('HTTP authentication provider', () => { beforeEach(() => { jest @@ -186,7 +200,7 @@ describe('Authenticator', () => { ); }); - it('fails if login attempt is not provided.', async () => { + it('fails if login attempt is not provided or invalid.', async () => { await expect( authenticator.login(httpServerMock.createKibanaRequest(), undefined as any) ).rejects.toThrowError( @@ -198,6 +212,15 @@ describe('Authenticator', () => { ).rejects.toThrowError( 'Login attempt should be an object with non-empty "provider.type" or "provider.name" property.' ); + + await expect( + authenticator.login(httpServerMock.createKibanaRequest(), { + provider: 'basic', + value: {}, + } as any) + ).rejects.toThrowError( + 'Login attempt should be an object with non-empty "provider.type" or "provider.name" property.' + ); }); it('fails if an authentication provider fails.', async () => { @@ -253,6 +276,167 @@ describe('Authenticator', () => { await expect( authenticator.login(request, { provider: { type: 'token' }, value: {} }) ).resolves.toEqual(AuthenticationResult.notHandled()); + + await expect( + authenticator.login(request, { provider: { name: 'basic2' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.notHandled()); + }); + + describe('multi-provider scenarios', () => { + let mockSAMLAuthenticationProvider1: jest.Mocked>; + let mockSAMLAuthenticationProvider2: jest.Mocked>; + + beforeEach(() => { + mockSAMLAuthenticationProvider1 = { + login: jest.fn().mockResolvedValue(AuthenticationResult.notHandled()), + authenticate: jest.fn(), + logout: jest.fn(), + getHTTPAuthenticationScheme: jest.fn(), + }; + + mockSAMLAuthenticationProvider2 = { + login: jest.fn().mockResolvedValue(AuthenticationResult.notHandled()), + authenticate: jest.fn(), + logout: jest.fn(), + getHTTPAuthenticationScheme: jest.fn(), + }; + + jest + .requireMock('./providers/saml') + .SAMLAuthenticationProvider.mockImplementationOnce(() => ({ + type: 'saml', + ...mockSAMLAuthenticationProvider1, + })) + .mockImplementationOnce(() => ({ + type: 'saml', + ...mockSAMLAuthenticationProvider2, + })); + + mockOptions = getMockOptions({ + providers: { + basic: { basic1: { order: 0 } }, + saml: { + saml1: { realm: 'saml1-realm', order: 1 }, + saml2: { realm: 'saml2-realm', order: 2 }, + }, + }, + }); + mockSessionStorage = sessionStorageMock.create(); + mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); + + authenticator = new Authenticator(mockOptions); + }); + + it('tries to login only with the provider that has specified name', async () => { + const user = mockAuthenticatedUser(); + const request = httpServerMock.createKibanaRequest(); + + mockSAMLAuthenticationProvider2.login.mockResolvedValue( + AuthenticationResult.succeeded(user, { state: { token: 'access-token' } }) + ); + + await expect( + authenticator.login(request, { provider: { name: 'saml2' }, value: {} }) + ).resolves.toEqual( + AuthenticationResult.succeeded(user, { state: { token: 'access-token' } }) + ); + + expect(mockSessionStorage.set).toHaveBeenCalledTimes(1); + expect(mockSessionStorage.set).toHaveBeenCalledWith({ + ...mockSessVal, + provider: { type: 'saml', name: 'saml2' }, + state: { token: 'access-token' }, + }); + + expect(mockBasicAuthenticationProvider.login).not.toHaveBeenCalled(); + expect(mockSAMLAuthenticationProvider1.login).not.toHaveBeenCalled(); + }); + + it('tries to login only with the provider that has specified type', async () => { + const request = httpServerMock.createKibanaRequest(); + + await expect( + authenticator.login(request, { provider: { type: 'saml' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.notHandled()); + + expect(mockSessionStorage.set).not.toHaveBeenCalled(); + + expect(mockBasicAuthenticationProvider.login).not.toHaveBeenCalled(); + expect(mockSAMLAuthenticationProvider1.login).toHaveBeenCalledTimes(1); + expect(mockSAMLAuthenticationProvider2.login).toHaveBeenCalledTimes(1); + expect(mockSAMLAuthenticationProvider1.login.mock.invocationCallOrder[0]).toBeLessThan( + mockSAMLAuthenticationProvider2.login.mock.invocationCallOrder[0] + ); + }); + + it('returns as soon as provider handles request', async () => { + const request = httpServerMock.createKibanaRequest(); + + const authenticationResults = [ + AuthenticationResult.failed(new Error('Fail')), + AuthenticationResult.succeeded(mockAuthenticatedUser(), { state: { result: '200' } }), + AuthenticationResult.redirectTo('/some/url', { state: { result: '302' } }), + ]; + + for (const result of authenticationResults) { + mockSAMLAuthenticationProvider1.login.mockResolvedValue(result); + + await expect( + authenticator.login(request, { provider: { type: 'saml' }, value: {} }) + ).resolves.toEqual(result); + } + + expect(mockSessionStorage.set).toHaveBeenCalledTimes(2); + expect(mockSessionStorage.set).toHaveBeenCalledWith({ + ...mockSessVal, + provider: { type: 'saml', name: 'saml1' }, + state: { result: '200' }, + }); + expect(mockSessionStorage.set).toHaveBeenCalledWith({ + ...mockSessVal, + provider: { type: 'saml', name: 'saml1' }, + state: { result: '302' }, + }); + + expect(mockBasicAuthenticationProvider.login).not.toHaveBeenCalled(); + expect(mockSAMLAuthenticationProvider2.login).not.toHaveBeenCalled(); + expect(mockSAMLAuthenticationProvider1.login).toHaveBeenCalledTimes(3); + }); + + it('provides session only if provider name matches', async () => { + const request = httpServerMock.createKibanaRequest(); + + mockSessionStorage.get.mockResolvedValue({ + ...mockSessVal, + provider: { type: 'saml', name: 'saml2' }, + }); + + const loginAttemptValue = Symbol('attempt'); + await expect( + authenticator.login(request, { provider: { type: 'saml' }, value: loginAttemptValue }) + ).resolves.toEqual(AuthenticationResult.notHandled()); + + expect(mockBasicAuthenticationProvider.login).not.toHaveBeenCalled(); + + expect(mockSAMLAuthenticationProvider1.login).toHaveBeenCalledTimes(1); + expect(mockSAMLAuthenticationProvider1.login).toHaveBeenCalledWith( + request, + loginAttemptValue, + null + ); + + expect(mockSAMLAuthenticationProvider2.login).toHaveBeenCalledTimes(1); + expect(mockSAMLAuthenticationProvider2.login).toHaveBeenCalledWith( + request, + loginAttemptValue, + mockSessVal.state + ); + + // Presence of the session has precedence over order. + expect(mockSAMLAuthenticationProvider2.login.mock.invocationCallOrder[0]).toBeLessThan( + mockSAMLAuthenticationProvider1.login.mock.invocationCallOrder[0] + ); + }); }); it('clears session if it belongs to a different provider.', async () => { @@ -261,7 +445,10 @@ describe('Authenticator', () => { const request = httpServerMock.createKibanaRequest(); mockBasicAuthenticationProvider.login.mockResolvedValue(AuthenticationResult.succeeded(user)); - mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' }); + mockSessionStorage.get.mockResolvedValue({ + ...mockSessVal, + provider: { type: 'token', name: 'token1' }, + }); await expect( authenticator.login(request, { provider: { type: 'basic' }, value: credentials }) @@ -277,6 +464,35 @@ describe('Authenticator', () => { expect(mockSessionStorage.clear).toHaveBeenCalled(); }); + it('clears session if it belongs to a provider with the name that is registered but has different type.', async () => { + const user = mockAuthenticatedUser(); + const credentials = { username: 'user', password: 'password' }; + const request = httpServerMock.createKibanaRequest(); + + // Re-configure authenticator with `token` provider that uses the name of `basic`. + const loginMock = jest.fn().mockResolvedValue(AuthenticationResult.succeeded(user)); + jest.requireMock('./providers/token').TokenAuthenticationProvider.mockImplementation(() => ({ + type: 'token', + login: loginMock, + getHTTPAuthenticationScheme: jest.fn(), + })); + mockOptions = getMockOptions({ providers: { token: { basic1: { order: 0 } } } }); + mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); + authenticator = new Authenticator(mockOptions); + + mockBasicAuthenticationProvider.login.mockResolvedValue(AuthenticationResult.succeeded(user)); + mockSessionStorage.get.mockResolvedValue(mockSessVal); + + await expect( + authenticator.login(request, { provider: { name: 'basic1' }, value: credentials }) + ).resolves.toEqual(AuthenticationResult.succeeded(user)); + + expect(loginMock).toHaveBeenCalledWith(request, credentials, null); + + expect(mockSessionStorage.set).not.toHaveBeenCalled(); + expect(mockSessionStorage.clear).toHaveBeenCalled(); + }); + it('clears session if provider asked to do so.', async () => { const user = mockAuthenticatedUser(); const request = httpServerMock.createKibanaRequest(); @@ -759,7 +975,10 @@ describe('Authenticator', () => { mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.notHandled() ); - mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' }); + mockSessionStorage.get.mockResolvedValue({ + ...mockSessVal, + provider: { type: 'token', name: 'token1' }, + }); await expect(authenticator.authenticate(request)).resolves.toEqual( AuthenticationResult.notHandled() @@ -777,7 +996,10 @@ describe('Authenticator', () => { mockBasicAuthenticationProvider.authenticate.mockResolvedValue( AuthenticationResult.notHandled() ); - mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' }); + mockSessionStorage.get.mockResolvedValue({ + ...mockSessVal, + provider: { type: 'token', name: 'token1' }, + }); await expect(authenticator.authenticate(request)).resolves.toEqual( AuthenticationResult.notHandled() diff --git a/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts b/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts index 3eaa8fcee0d9c..6eb47cfa83e32 100644 --- a/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/kerberos.test.ts @@ -14,6 +14,7 @@ import { MockAuthenticationProviderOptions, mockAuthenticationProviderOptions } import { ElasticsearchErrorHelpers, IClusterClient, + KibanaRequest, ScopeableRequest, } from '../../../../../../src/core/server'; import { AuthenticationResult } from '../authentication_result'; @@ -40,39 +41,9 @@ describe('KerberosAuthenticationProvider', () => { provider = new KerberosAuthenticationProvider(mockOptions); }); - describe('`authenticate` method', () => { - it('does not handle authentication via `authorization` header with non-negotiate scheme.', async () => { - const request = httpServerMock.createKibanaRequest({ - headers: { authorization: 'Bearer some-token' }, - }); - - await expect(provider.authenticate(request)).resolves.toEqual( - AuthenticationResult.notHandled() - ); - - expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); - expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); - expect(request.headers.authorization).toBe('Bearer some-token'); - }); - - it('does not handle authentication via `authorization` header with non-negotiate scheme even if state contains a valid token.', async () => { - const request = httpServerMock.createKibanaRequest({ - headers: { authorization: 'Bearer some-token' }, - }); - const tokenPair = { - accessToken: 'some-valid-token', - refreshToken: 'some-valid-refresh-token', - }; - - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( - AuthenticationResult.notHandled() - ); - - expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); - expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); - expect(request.headers.authorization).toBe('Bearer some-token'); - }); - + function defineCommonLoginAndAuthenticateTests( + operation: (request: KibanaRequest) => Promise + ) { it('does not handle requests that can be authenticated without `Negotiate` header.', async () => { const request = httpServerMock.createKibanaRequest({ headers: {} }); @@ -80,9 +51,7 @@ describe('KerberosAuthenticationProvider', () => { mockScopedClusterClient.callAsCurrentUser.mockResolvedValue({}); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - await expect(provider.authenticate(request, null)).resolves.toEqual( - AuthenticationResult.notHandled() - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.notHandled()); expectAuthenticateCall(mockOptions.client, { headers: { authorization: `Negotiate ${Buffer.from('__fake__').toString('base64')}` }, @@ -98,33 +67,13 @@ describe('KerberosAuthenticationProvider', () => { ); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - await expect(provider.authenticate(request, null)).resolves.toEqual( - AuthenticationResult.notHandled() - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.notHandled()); expectAuthenticateCall(mockOptions.client, { headers: { authorization: `Negotiate ${Buffer.from('__fake__').toString('base64')}` }, }); }); - it('fails if state is present, but backend does not support Kerberos.', async () => { - const request = httpServerMock.createKibanaRequest(); - const tokenPair = { accessToken: 'token', refreshToken: 'refresh-token' }; - - const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); - const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); - mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); - mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - mockOptions.tokens.refresh.mockResolvedValue(null); - - await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); - - expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); - expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); - }); - it('fails with `Negotiate` challenge if backend supports Kerberos.', async () => { const request = httpServerMock.createKibanaRequest({ headers: {} }); @@ -137,7 +86,7 @@ describe('KerberosAuthenticationProvider', () => { mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - await expect(provider.authenticate(request, null)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.failed(failureReason, { authResponseHeaders: { 'WWW-Authenticate': 'Negotiate' }, }) @@ -156,9 +105,7 @@ describe('KerberosAuthenticationProvider', () => { mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - await expect(provider.authenticate(request, null)).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.failed(failureReason)); expectAuthenticateCall(mockOptions.client, { headers: { authorization: `Negotiate ${Buffer.from('__fake__').toString('base64')}` }, @@ -179,7 +126,7 @@ describe('KerberosAuthenticationProvider', () => { refresh_token: 'some-refresh-token', }); - await expect(provider.authenticate(request)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.succeeded( { ...user, authentication_provider: 'kerberos' }, { @@ -215,7 +162,7 @@ describe('KerberosAuthenticationProvider', () => { kerberos_authentication_response_token: 'response-token', }); - await expect(provider.authenticate(request)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.succeeded( { ...user, authentication_provider: 'kerberos' }, { @@ -249,7 +196,7 @@ describe('KerberosAuthenticationProvider', () => { ); mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); - await expect(provider.authenticate(request)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.failed(Boom.unauthorized(), { authResponseHeaders: { 'WWW-Authenticate': 'Negotiate response-token' }, }) @@ -274,7 +221,7 @@ describe('KerberosAuthenticationProvider', () => { ); mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); - await expect(provider.authenticate(request)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.failed(Boom.unauthorized(), { authResponseHeaders: { 'WWW-Authenticate': 'Negotiate' }, }) @@ -295,9 +242,7 @@ describe('KerberosAuthenticationProvider', () => { const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); - await expect(provider.authenticate(request)).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.failed(failureReason)); expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.getAccessToken', { body: { grant_type: '_kerberos', kerberos_ticket: 'spnego' }, @@ -320,9 +265,7 @@ describe('KerberosAuthenticationProvider', () => { refresh_token: 'some-refresh-token', }); - await expect(provider.authenticate(request)).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.failed(failureReason)); expectAuthenticateCall(mockOptions.client, { headers: { authorization: 'Bearer some-token' }, @@ -334,6 +277,74 @@ describe('KerberosAuthenticationProvider', () => { expect(request.headers.authorization).toBe('negotiate spnego'); }); + } + + describe('`login` method', () => { + defineCommonLoginAndAuthenticateTests(request => provider.login(request)); + }); + + describe('`authenticate` method', () => { + defineCommonLoginAndAuthenticateTests(request => provider.authenticate(request, null)); + + it('does not handle authentication via `authorization` header with non-negotiate scheme.', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: { authorization: 'Bearer some-token' }, + }); + + await expect(provider.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + expect(request.headers.authorization).toBe('Bearer some-token'); + }); + + it('does not handle authentication via `authorization` header with non-negotiate scheme even if state contains a valid token.', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: { authorization: 'Bearer some-token' }, + }); + const tokenPair = { + accessToken: 'some-valid-token', + refreshToken: 'some-valid-refresh-token', + }; + + await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + expect(request.headers.authorization).toBe('Bearer some-token'); + }); + + it('fails if state is present, but backend does not support Kerberos.', async () => { + const request = httpServerMock.createKibanaRequest(); + const tokenPair = { accessToken: 'token', refreshToken: 'refresh-token' }; + + const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); + mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); + mockOptions.tokens.refresh.mockResolvedValue(null); + + await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + AuthenticationResult.failed(failureReason) + ); + + expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); + }); + + it('does not start SPNEGO if request does not require authentication.', async () => { + const request = httpServerMock.createKibanaRequest({ routeAuthRequired: false }); + await expect(provider.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + }); it('succeeds if state contains a valid token.', async () => { const user = mockAuthenticatedUser(); @@ -454,6 +465,29 @@ describe('KerberosAuthenticationProvider', () => { expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); }); + + it('does not re-start SPNEGO if both access and refresh tokens from the state are expired.', async () => { + const request = httpServerMock.createKibanaRequest({ routeAuthRequired: false }); + const tokenPair = { accessToken: 'expired-token', refreshToken: 'some-valid-refresh-token' }; + + const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError( + new (errors.AuthenticationException as any)('Unauthorized', { + body: { error: { header: { 'WWW-Authenticate': 'Negotiate' } } }, + }) + ); + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); + mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); + + mockOptions.tokens.refresh.mockResolvedValue(null); + + await expect(provider.authenticate(request, tokenPair)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); + }); }); describe('`logout` method', () => { diff --git a/x-pack/plugins/security/server/authentication/providers/kerberos.ts b/x-pack/plugins/security/server/authentication/providers/kerberos.ts index 963543fae47cb..54c162391dbd0 100644 --- a/x-pack/plugins/security/server/authentication/providers/kerberos.ts +++ b/x-pack/plugins/security/server/authentication/providers/kerberos.ts @@ -258,9 +258,7 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { // If refresh token is no longer valid, then we should clear session and renegotiate using SPNEGO. if (refreshedTokenPair === null) { - this.logger.debug( - 'Both access and refresh tokens are expired. Re-initiating SPNEGO handshake.' - ); + this.logger.debug('Both access and refresh tokens are expired.'); return canStartNewSession(request) ? this.authenticateViaSPNEGO(request, state) : AuthenticationResult.notHandled(); diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts index 52f695f538688..14fe42aac7599 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.test.ts @@ -100,6 +100,50 @@ describe('OIDCAuthenticationProvider', () => { }); }); + it('redirects user initiated login attempts to the OpenId Connect Provider.', async () => { + const request = httpServerMock.createKibanaRequest(); + + mockOptions.client.callAsInternalUser.mockResolvedValue({ + state: 'statevalue', + nonce: 'noncevalue', + redirect: + 'https://op-host/path/login?response_type=code' + + '&scope=openid%20profile%20email' + + '&client_id=s6BhdRkqt3' + + '&state=statevalue' + + '&redirect_uri=https%3A%2F%2Ftest-hostname:1234%2Ftest-base-path%2Fapi%2Fsecurity%2Fv1%2F/oidc' + + '&login_hint=loginhint', + }); + + await expect( + provider.login(request, { + type: OIDCLogin.LoginInitiatedByUser, + redirectURLPath: '/mock-server-basepath/app/super-kibana', + }) + ).resolves.toEqual( + AuthenticationResult.redirectTo( + 'https://op-host/path/login?response_type=code' + + '&scope=openid%20profile%20email' + + '&client_id=s6BhdRkqt3' + + '&state=statevalue' + + '&redirect_uri=https%3A%2F%2Ftest-hostname:1234%2Ftest-base-path%2Fapi%2Fsecurity%2Fv1%2F/oidc' + + '&login_hint=loginhint', + { + state: { + state: 'statevalue', + nonce: 'noncevalue', + nextURL: '/mock-server-basepath/app/super-kibana', + realm: 'oidc1', + }, + } + ) + ); + + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.oidcPrepare', { + body: { realm: 'oidc1' }, + }); + }); + function defineAuthenticationFlowTests( getMocks: () => { request: KibanaRequest; @@ -224,6 +268,20 @@ describe('OIDCAuthenticationProvider', () => { } ); }); + + it('fails if realm from state is different from the realm provider is configured with.', async () => { + const { request, attempt } = getMocks(); + + await expect(provider.login(request, attempt, { realm: 'other-realm' })).resolves.toEqual( + AuthenticationResult.failed( + Boom.unauthorized( + 'State based on realm "other-realm", but provider with the name "oidc" is configured to use realm "oidc1".' + ) + ) + ); + + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + }); } describe('authorization code flow', () => { @@ -263,6 +321,13 @@ describe('OIDCAuthenticationProvider', () => { ); }); + it('does not handle non-AJAX request that does not require authentication.', async () => { + const request = httpServerMock.createKibanaRequest({ routeAuthRequired: false }); + await expect(provider.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + }); + it('redirects non-AJAX request that can not be authenticated to the OpenId Connect Provider.', async () => { const request = httpServerMock.createKibanaRequest({ path: '/s/foo/some-path' }); @@ -560,6 +625,44 @@ describe('OIDCAuthenticationProvider', () => { expect(request.headers).not.toHaveProperty('authorization'); }); + + it('fails for non-AJAX requests that do not require authentication with user friendly message if refresh token is expired.', async () => { + const request = httpServerMock.createKibanaRequest({ routeAuthRequired: false, headers: {} }); + const tokenPair = { accessToken: 'expired-token', refreshToken: 'expired-refresh-token' }; + const authorization = `Bearer ${tokenPair.accessToken}`; + + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue( + ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()) + ); + mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); + + mockOptions.tokens.refresh.mockResolvedValue(null); + + await expect( + provider.authenticate(request, { ...tokenPair, realm: 'oidc1' }) + ).resolves.toEqual( + AuthenticationResult.failed(Boom.badRequest('Both access and refresh tokens are expired.')) + ); + + expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(tokenPair.refreshToken); + + expectAuthenticateCall(mockOptions.client, { headers: { authorization } }); + + expect(request.headers).not.toHaveProperty('authorization'); + }); + + it('fails if realm from state is different from the realm provider is configured with.', async () => { + const request = httpServerMock.createKibanaRequest(); + await expect(provider.authenticate(request, { realm: 'other-realm' })).resolves.toEqual( + AuthenticationResult.failed( + Boom.unauthorized( + 'State based on realm "other-realm", but provider with the name "oidc" is configured to use realm "oidc1".' + ) + ) + ); + }); }); describe('`logout` method', () => { diff --git a/x-pack/plugins/security/server/authentication/providers/oidc.ts b/x-pack/plugins/security/server/authentication/providers/oidc.ts index 1793cf5eedc3b..7904c406e42a5 100644 --- a/x-pack/plugins/security/server/authentication/providers/oidc.ts +++ b/x-pack/plugins/security/server/authentication/providers/oidc.ts @@ -32,7 +32,7 @@ export enum OIDCLogin { * Describes the parameters that are required by the provider to process the initial login request. */ export type ProviderLoginAttempt = - | { type: OIDCLogin.LoginInitiatedByUser; redirectURLPath?: string } + | { type: OIDCLogin.LoginInitiatedByUser; redirectURLPath: string } | { type: OIDCLogin.LoginWithImplicitFlow | OIDCLogin.LoginWithAuthorizationCodeFlow; authenticationResponseURI: string; diff --git a/x-pack/plugins/security/server/authentication/providers/pki.test.ts b/x-pack/plugins/security/server/authentication/providers/pki.test.ts index b1d1e249984de..638bb5732f3c0 100644 --- a/x-pack/plugins/security/server/authentication/providers/pki.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/pki.test.ts @@ -19,6 +19,7 @@ import { MockAuthenticationProviderOptions, mockAuthenticationProviderOptions } import { ElasticsearchErrorHelpers, IClusterClient, + KibanaRequest, ScopeableRequest, } from '../../../../../../src/core/server'; import { AuthenticationResult } from '../authentication_result'; @@ -84,47 +85,15 @@ describe('PKIAuthenticationProvider', () => { afterEach(() => jest.clearAllMocks()); - describe('`authenticate` method', () => { - it('does not handle authentication via `authorization` header.', async () => { - const request = httpServerMock.createKibanaRequest({ - headers: { authorization: 'Bearer some-token' }, - }); - - await expect(provider.authenticate(request)).resolves.toEqual( - AuthenticationResult.notHandled() - ); - - expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); - expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); - expect(request.headers.authorization).toBe('Bearer some-token'); - }); - - it('does not handle authentication via `authorization` header even if state contains a valid token.', async () => { - const request = httpServerMock.createKibanaRequest({ - headers: { authorization: 'Bearer some-token' }, - }); - const state = { - accessToken: 'some-valid-token', - peerCertificateFingerprint256: '2A:7A:C2:DD', - }; - - await expect(provider.authenticate(request, state)).resolves.toEqual( - AuthenticationResult.notHandled() - ); - - expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); - expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); - expect(request.headers.authorization).toBe('Bearer some-token'); - }); - + function defineCommonLoginAndAuthenticateTests( + operation: (request: KibanaRequest) => Promise + ) { it('does not handle requests without certificate.', async () => { const request = httpServerMock.createKibanaRequest({ socket: getMockSocket({ authorized: true }), }); - await expect(provider.authenticate(request, null)).resolves.toEqual( - AuthenticationResult.notHandled() - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.notHandled()); expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); @@ -135,58 +104,12 @@ describe('PKIAuthenticationProvider', () => { socket: getMockSocket({ peerCertificate: getMockPeerCertificate('2A:7A:C2:DD') }), }); - await expect(provider.authenticate(request, null)).resolves.toEqual( - AuthenticationResult.notHandled() - ); + await expect(operation(request)).resolves.toEqual(AuthenticationResult.notHandled()); expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); }); - it('fails with non-401 error if state is available, peer is authorized, but certificate is not available.', async () => { - const request = httpServerMock.createKibanaRequest({ - socket: getMockSocket({ authorized: true }), - }); - - const state = { accessToken: 'token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; - - await expect(provider.authenticate(request, state)).resolves.toEqual( - AuthenticationResult.failed(new Error('Peer certificate is not available')) - ); - - expect(mockOptions.tokens.invalidate).not.toHaveBeenCalled(); - }); - - it('invalidates token and fails with 401 if state is present, but peer certificate is not.', async () => { - const request = httpServerMock.createKibanaRequest({ socket: getMockSocket() }); - const state = { accessToken: 'token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; - - await expect(provider.authenticate(request, state)).resolves.toEqual( - AuthenticationResult.failed(Boom.unauthorized()) - ); - - expect(mockOptions.tokens.invalidate).toHaveBeenCalledTimes(1); - expect(mockOptions.tokens.invalidate).toHaveBeenCalledWith({ - accessToken: state.accessToken, - }); - }); - - it('invalidates token and fails with 401 if new certificate is present, but not authorized.', async () => { - const request = httpServerMock.createKibanaRequest({ - socket: getMockSocket({ peerCertificate: getMockPeerCertificate('2A:7A:C2:DD') }), - }); - const state = { accessToken: 'token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; - - await expect(provider.authenticate(request, state)).resolves.toEqual( - AuthenticationResult.failed(Boom.unauthorized()) - ); - - expect(mockOptions.tokens.invalidate).toHaveBeenCalledTimes(1); - expect(mockOptions.tokens.invalidate).toHaveBeenCalledWith({ - accessToken: state.accessToken, - }); - }); - it('gets an access token in exchange to peer certificate chain and stores it in the state.', async () => { const user = mockAuthenticatedUser(); const request = httpServerMock.createKibanaRequest({ @@ -202,7 +125,7 @@ describe('PKIAuthenticationProvider', () => { mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); mockOptions.client.callAsInternalUser.mockResolvedValue({ access_token: 'access-token' }); - await expect(provider.authenticate(request)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.succeeded( { ...user, authentication_provider: 'pki' }, { @@ -244,7 +167,7 @@ describe('PKIAuthenticationProvider', () => { mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); mockOptions.client.callAsInternalUser.mockResolvedValue({ access_token: 'access-token' }); - await expect(provider.authenticate(request)).resolves.toEqual( + await expect(operation(request)).resolves.toEqual( AuthenticationResult.succeeded( { ...user, authentication_provider: 'pki' }, { @@ -266,6 +189,156 @@ describe('PKIAuthenticationProvider', () => { expect(request.headers).not.toHaveProperty('authorization'); }); + it('fails if could not retrieve an access token in exchange to peer certificate chain.', async () => { + const request = httpServerMock.createKibanaRequest({ + socket: getMockSocket({ + authorized: true, + peerCertificate: getMockPeerCertificate('2A:7A:C2:DD'), + }), + }); + + const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); + mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); + + await expect(operation(request)).resolves.toEqual(AuthenticationResult.failed(failureReason)); + + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledTimes(1); + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.delegatePKI', { + body: { x509_certificate_chain: ['fingerprint:2A:7A:C2:DD:base64'] }, + }); + + expect(request.headers).not.toHaveProperty('authorization'); + }); + + it('fails if could not retrieve user using the new access token.', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: {}, + socket: getMockSocket({ + authorized: true, + peerCertificate: getMockPeerCertificate('2A:7A:C2:DD'), + }), + }); + + const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); + mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); + mockOptions.client.callAsInternalUser.mockResolvedValue({ access_token: 'access-token' }); + + await expect(operation(request)).resolves.toEqual(AuthenticationResult.failed(failureReason)); + + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledTimes(1); + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.delegatePKI', { + body: { x509_certificate_chain: ['fingerprint:2A:7A:C2:DD:base64'] }, + }); + + expectAuthenticateCall(mockOptions.client, { + headers: { authorization: 'Bearer access-token' }, + }); + + expect(request.headers).not.toHaveProperty('authorization'); + }); + } + + describe('`login` method', () => { + defineCommonLoginAndAuthenticateTests(request => provider.login(request)); + }); + + describe('`authenticate` method', () => { + defineCommonLoginAndAuthenticateTests(request => provider.authenticate(request, null)); + + it('does not handle authentication via `authorization` header.', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: { authorization: 'Bearer some-token' }, + }); + + await expect(provider.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + expect(request.headers.authorization).toBe('Bearer some-token'); + }); + + it('does not handle authentication via `authorization` header even if state contains a valid token.', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: { authorization: 'Bearer some-token' }, + }); + const state = { + accessToken: 'some-valid-token', + peerCertificateFingerprint256: '2A:7A:C2:DD', + }; + + await expect(provider.authenticate(request, state)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + expect(request.headers.authorization).toBe('Bearer some-token'); + }); + + it('does not exchange peer certificate to access token if request does not require authentication.', async () => { + const request = httpServerMock.createKibanaRequest({ + routeAuthRequired: false, + socket: getMockSocket({ + authorized: true, + peerCertificate: getMockPeerCertificate(['2A:7A:C2:DD', '3B:8B:D3:EE']), + }), + }); + await expect(provider.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + + expect(mockOptions.client.asScoped).not.toHaveBeenCalled(); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + }); + + it('fails with non-401 error if state is available, peer is authorized, but certificate is not available.', async () => { + const request = httpServerMock.createKibanaRequest({ + socket: getMockSocket({ authorized: true }), + }); + + const state = { accessToken: 'token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; + + await expect(provider.authenticate(request, state)).resolves.toEqual( + AuthenticationResult.failed(new Error('Peer certificate is not available')) + ); + + expect(mockOptions.tokens.invalidate).not.toHaveBeenCalled(); + }); + + it('invalidates token and fails with 401 if state is present, but peer certificate is not.', async () => { + const request = httpServerMock.createKibanaRequest({ socket: getMockSocket() }); + const state = { accessToken: 'token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; + + await expect(provider.authenticate(request, state)).resolves.toEqual( + AuthenticationResult.failed(Boom.unauthorized()) + ); + + expect(mockOptions.tokens.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.invalidate).toHaveBeenCalledWith({ + accessToken: state.accessToken, + }); + }); + + it('invalidates token and fails with 401 if new certificate is present, but not authorized.', async () => { + const request = httpServerMock.createKibanaRequest({ + socket: getMockSocket({ peerCertificate: getMockPeerCertificate('2A:7A:C2:DD') }), + }); + const state = { accessToken: 'token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; + + await expect(provider.authenticate(request, state)).resolves.toEqual( + AuthenticationResult.failed(Boom.unauthorized()) + ); + + expect(mockOptions.tokens.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.invalidate).toHaveBeenCalledWith({ + accessToken: state.accessToken, + }); + }); + it('invalidates existing token and gets a new one if fingerprints do not match.', async () => { const user = mockAuthenticatedUser(); const request = httpServerMock.createKibanaRequest({ @@ -351,75 +424,45 @@ describe('PKIAuthenticationProvider', () => { expect(request.headers).not.toHaveProperty('authorization'); }); - it('fails with 401 if existing token is expired, but certificate is not present.', async () => { - const request = httpServerMock.createKibanaRequest({ socket: getMockSocket() }); + it('does not exchange peer certificate to a new access token even if existing token is expired and request does not require authentication.', async () => { + const request = httpServerMock.createKibanaRequest({ + routeAuthRequired: false, + socket: getMockSocket({ + authorized: true, + peerCertificate: getMockPeerCertificate(['2A:7A:C2:DD', '3B:8B:D3:EE']), + }), + }); const state = { accessToken: 'existing-token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); - mockScopedClusterClient.callAsCurrentUser.mockRejectedValue( + mockScopedClusterClient.callAsCurrentUser.mockRejectedValueOnce( ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()) ); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); await expect(provider.authenticate(request, state)).resolves.toEqual( - AuthenticationResult.failed(Boom.unauthorized()) + AuthenticationResult.notHandled() ); expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); - - expect(request.headers).not.toHaveProperty('authorization'); - }); - - it('fails if could not retrieve an access token in exchange to peer certificate chain.', async () => { - const request = httpServerMock.createKibanaRequest({ - socket: getMockSocket({ - authorized: true, - peerCertificate: getMockPeerCertificate('2A:7A:C2:DD'), - }), - }); - - const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); - mockOptions.client.callAsInternalUser.mockRejectedValue(failureReason); - - await expect(provider.authenticate(request)).resolves.toEqual( - AuthenticationResult.failed(failureReason) - ); - - expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledTimes(1); - expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.delegatePKI', { - body: { x509_certificate_chain: ['fingerprint:2A:7A:C2:DD:base64'] }, - }); - expect(request.headers).not.toHaveProperty('authorization'); }); - it('fails if could not retrieve user using the new access token.', async () => { - const request = httpServerMock.createKibanaRequest({ - headers: {}, - socket: getMockSocket({ - authorized: true, - peerCertificate: getMockPeerCertificate('2A:7A:C2:DD'), - }), - }); + it('fails with 401 if existing token is expired, but certificate is not present.', async () => { + const request = httpServerMock.createKibanaRequest({ socket: getMockSocket() }); + const state = { accessToken: 'existing-token', peerCertificateFingerprint256: '2A:7A:C2:DD' }; - const failureReason = ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()); const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); - mockScopedClusterClient.callAsCurrentUser.mockRejectedValue(failureReason); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue( + ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()) + ); mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); - mockOptions.client.callAsInternalUser.mockResolvedValue({ access_token: 'access-token' }); - await expect(provider.authenticate(request)).resolves.toEqual( - AuthenticationResult.failed(failureReason) + await expect(provider.authenticate(request, state)).resolves.toEqual( + AuthenticationResult.failed(Boom.unauthorized()) ); - expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledTimes(1); - expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.delegatePKI', { - body: { x509_certificate_chain: ['fingerprint:2A:7A:C2:DD:base64'] }, - }); - - expectAuthenticateCall(mockOptions.client, { - headers: { authorization: 'Bearer access-token' }, - }); + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); expect(request.headers).not.toHaveProperty('authorization'); }); diff --git a/x-pack/plugins/security/server/authentication/providers/saml.test.ts b/x-pack/plugins/security/server/authentication/providers/saml.test.ts index 5cf4ada09e838..a7a43a3031571 100644 --- a/x-pack/plugins/security/server/authentication/providers/saml.test.ts +++ b/x-pack/plugins/security/server/authentication/providers/saml.test.ts @@ -128,6 +128,26 @@ describe('SAMLAuthenticationProvider', () => { expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); }); + it('fails if realm from state is different from the realm provider is configured with.', async () => { + const request = httpServerMock.createKibanaRequest(); + + await expect( + provider.login( + request, + { type: SAMLLogin.LoginWithSAMLResponse, samlResponse: 'saml-response-xml' }, + { realm: 'other-realm' } + ) + ).resolves.toEqual( + AuthenticationResult.failed( + Boom.unauthorized( + 'State based on realm "other-realm", but provider with the name "saml" is configured to use realm "test-realm".' + ) + ) + ); + + expect(mockOptions.client.callAsInternalUser).not.toHaveBeenCalled(); + }); + it('redirects to the default location if state contains empty redirect URL.', async () => { const request = httpServerMock.createKibanaRequest(); @@ -409,7 +429,7 @@ describe('SAMLAuthenticationProvider', () => { }); describe('User initiated login with captured redirect URL', () => { - it('fails if state is not available', async () => { + it('fails if redirectURLPath is not available', async () => { const request = httpServerMock.createKibanaRequest(); await expect( @@ -463,6 +483,44 @@ describe('SAMLAuthenticationProvider', () => { expect(mockOptions.logger.warn).not.toHaveBeenCalled(); }); + it('redirects requests to the IdP remembering combined redirect URL if path is provided in attempt.', async () => { + const request = httpServerMock.createKibanaRequest(); + + mockOptions.client.callAsInternalUser.mockResolvedValue({ + id: 'some-request-id', + redirect: 'https://idp-host/path/login?SAMLRequest=some%20request%20', + }); + + await expect( + provider.login( + request, + { + type: SAMLLogin.LoginInitiatedByUser, + redirectURLPath: '/test-base-path/some-path', + redirectURLFragment: '#some-fragment', + }, + null + ) + ).resolves.toEqual( + AuthenticationResult.redirectTo( + 'https://idp-host/path/login?SAMLRequest=some%20request%20', + { + state: { + requestId: 'some-request-id', + redirectURL: '/test-base-path/some-path#some-fragment', + realm: 'test-realm', + }, + } + ) + ); + + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.samlPrepare', { + body: { realm: 'test-realm' }, + }); + + expect(mockOptions.logger.warn).not.toHaveBeenCalled(); + }); + it('prepends redirect URL fragment with `#` if it does not have one.', async () => { const request = httpServerMock.createKibanaRequest(); @@ -503,7 +561,7 @@ describe('SAMLAuthenticationProvider', () => { ); }); - it('redirects non-AJAX requests to the IdP remembering only redirect URL path if fragment is too large.', async () => { + it('redirects requests to the IdP remembering only redirect URL path if fragment is too large.', async () => { const request = httpServerMock.createKibanaRequest(); mockOptions.client.callAsInternalUser.mockResolvedValue({ @@ -543,6 +601,40 @@ describe('SAMLAuthenticationProvider', () => { ); }); + it('redirects requests to the IdP remembering base path if redirect URL path in attempt is too large.', async () => { + const request = httpServerMock.createKibanaRequest(); + mockOptions.client.callAsInternalUser.mockResolvedValue({ + id: 'some-request-id', + redirect: 'https://idp-host/path/login?SAMLRequest=some%20request%20', + }); + + await expect( + provider.login( + request, + { + type: SAMLLogin.LoginInitiatedByUser, + redirectURLPath: `/s/foo/${'some-path'.repeat(11)}`, + redirectURLFragment: '#some-fragment', + }, + null + ) + ).resolves.toEqual( + AuthenticationResult.redirectTo( + 'https://idp-host/path/login?SAMLRequest=some%20request%20', + { state: { requestId: 'some-request-id', redirectURL: '', realm: 'test-realm' } } + ) + ); + + expect(mockOptions.client.callAsInternalUser).toHaveBeenCalledWith('shield.samlPrepare', { + body: { realm: 'test-realm' }, + }); + + expect(mockOptions.logger.warn).toHaveBeenCalledTimes(1); + expect(mockOptions.logger.warn).toHaveBeenCalledWith( + 'Max URL path size should not exceed 100b but it was 106b. URL is not captured.' + ); + }); + it('fails if SAML request preparation fails.', async () => { const request = httpServerMock.createKibanaRequest(); @@ -576,6 +668,13 @@ describe('SAMLAuthenticationProvider', () => { ); }); + it('does not handle non-AJAX request that does not require authentication.', async () => { + const request = httpServerMock.createKibanaRequest({ routeAuthRequired: false }); + await expect(provider.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + }); + it('does not handle authentication via `authorization` header.', async () => { const request = httpServerMock.createKibanaRequest({ headers: { authorization: 'Bearer some-token' }, @@ -840,6 +939,38 @@ describe('SAMLAuthenticationProvider', () => { expect(request.headers).not.toHaveProperty('authorization'); }); + it('fails for non-AJAX requests that do not require authentication with user friendly message if refresh token is expired.', async () => { + const request = httpServerMock.createKibanaRequest({ routeAuthRequired: false, headers: {} }); + const state = { + username: 'user', + accessToken: 'expired-token', + refreshToken: 'expired-refresh-token', + realm: 'test-realm', + }; + const authorization = `Bearer ${state.accessToken}`; + + const mockScopedClusterClient = elasticsearchServiceMock.createScopedClusterClient(); + mockScopedClusterClient.callAsCurrentUser.mockRejectedValue( + ElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()) + ); + mockOptions.client.asScoped.mockReturnValue(mockScopedClusterClient); + + mockOptions.tokens.refresh.mockResolvedValue(null); + + await expect(provider.authenticate(request, state)).resolves.toEqual( + AuthenticationResult.failed(Boom.badRequest('Both access and refresh tokens are expired.')) + ); + + expect(mockOptions.tokens.refresh).toHaveBeenCalledTimes(1); + expect(mockOptions.tokens.refresh).toHaveBeenCalledWith(state.refreshToken); + + expectAuthenticateCall(mockOptions.client, { + headers: { authorization }, + }); + + expect(request.headers).not.toHaveProperty('authorization'); + }); + it('re-capture URL for non-AJAX requests if refresh token is expired.', async () => { const request = httpServerMock.createKibanaRequest({ path: '/s/foo/some-path', headers: {} }); const state = { @@ -920,6 +1051,17 @@ describe('SAMLAuthenticationProvider', () => { 'Max URL path size should not exceed 100b but it was 107b. URL is not captured.' ); }); + + it('fails if realm from state is different from the realm provider is configured with.', async () => { + const request = httpServerMock.createKibanaRequest(); + await expect(provider.authenticate(request, { realm: 'other-realm' })).resolves.toEqual( + AuthenticationResult.failed( + Boom.unauthorized( + 'State based on realm "other-realm", but provider with the name "saml" is configured to use realm "test-realm".' + ) + ) + ); + }); }); describe('`logout` method', () => { diff --git a/x-pack/plugins/security/server/config.test.ts b/x-pack/plugins/security/server/config.test.ts index 34390a32dd9d3..46a7ee79ee60c 100644 --- a/x-pack/plugins/security/server/config.test.ts +++ b/x-pack/plugins/security/server/config.test.ts @@ -346,6 +346,462 @@ describe('config schema', () => { `); }); }); + + describe('authc.providers (extended format)', () => { + describe('`basic` provider', () => { + it('requires `order`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { basic: { basic1: { enabled: true } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.basic.basic1.order]: expected value of type [number] but got [undefined]" +`); + }); + + it('does not allow custom description', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { basic: { basic1: { order: 0, description: 'Some description' } } }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.basic.basic1.description]: \`basic\` provider does not support custom description." +`); + }); + + it('cannot be hidden from selector', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { basic: { basic1: { order: 0, showInSelector: false } } }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.basic.basic1.showInSelector]: \`basic\` provider only supports \`true\` in \`showInSelector\`." +`); + }); + + it('can have only provider of this type', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { basic: { basic1: { order: 0 }, basic2: { order: 1 } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.basic]: Only one \\"basic\\" provider can be configured." +`); + }); + + it('can be successfully validated', () => { + expect( + ConfigSchema.validate({ + authc: { providers: { basic: { basic1: { order: 0 } } } }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "basic": Object { + "basic1": Object { + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + } + `); + }); + }); + + describe('`token` provider', () => { + it('requires `order`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { token: { token1: { enabled: true } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.token.token1.order]: expected value of type [number] but got [undefined]" +`); + }); + + it('does not allow custom description', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { token: { token1: { order: 0, description: 'Some description' } } }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.token.token1.description]: \`token\` provider does not support custom description." +`); + }); + + it('cannot be hidden from selector', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { token: { token1: { order: 0, showInSelector: false } } }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.token.token1.showInSelector]: \`token\` provider only supports \`true\` in \`showInSelector\`." +`); + }); + + it('can have only provider of this type', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { token: { token1: { order: 0 }, token2: { order: 1 } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.token]: Only one \\"token\\" provider can be configured." +`); + }); + + it('can be successfully validated', () => { + expect( + ConfigSchema.validate({ + authc: { providers: { token: { token1: { order: 0 } } } }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "token": Object { + "token1": Object { + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + } + `); + }); + }); + + describe('`pki` provider', () => { + it('requires `order`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { pki: { pki1: { enabled: true } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.pki.pki1.order]: expected value of type [number] but got [undefined]" +`); + }); + + it('can have only provider of this type', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { pki: { pki1: { order: 0 }, pki2: { order: 1 } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.pki]: Only one \\"pki\\" provider can be configured." +`); + }); + + it('can be successfully validated', () => { + expect( + ConfigSchema.validate({ + authc: { providers: { pki: { pki1: { order: 0 } } } }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "pki": Object { + "pki1": Object { + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + } + `); + }); + }); + + describe('`kerberos` provider', () => { + it('requires `order`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { kerberos: { kerberos1: { enabled: true } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.kerberos.kerberos1.order]: expected value of type [number] but got [undefined]" +`); + }); + + it('can have only provider of this type', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { kerberos: { kerberos1: { order: 0 }, kerberos2: { order: 1 } } }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.kerberos]: Only one \\"kerberos\\" provider can be configured." +`); + }); + + it('can be successfully validated', () => { + expect( + ConfigSchema.validate({ + authc: { providers: { kerberos: { kerberos1: { order: 0 } } } }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "kerberos": Object { + "kerberos1": Object { + "enabled": true, + "order": 0, + "showInSelector": true, + }, + }, + } + `); + }); + }); + + describe('`oidc` provider', () => { + it('requires `order`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { oidc: { oidc1: { enabled: true } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.oidc.oidc1.order]: expected value of type [number] but got [undefined]" +`); + }); + + it('requires `realm`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { oidc: { oidc1: { order: 0 } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.oidc.oidc1.realm]: expected value of type [string] but got [undefined]" +`); + }); + + it('can be successfully validated', () => { + expect( + ConfigSchema.validate({ + authc: { + providers: { + oidc: { oidc1: { order: 0, realm: 'oidc1' }, oidc2: { order: 1, realm: 'oidc2' } }, + }, + }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "oidc": Object { + "oidc1": Object { + "enabled": true, + "order": 0, + "realm": "oidc1", + "showInSelector": true, + }, + "oidc2": Object { + "enabled": true, + "order": 1, + "realm": "oidc2", + "showInSelector": true, + }, + }, + } + `); + }); + }); + + describe('`saml` provider', () => { + it('requires `order`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { saml: { saml1: { enabled: true } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.saml.saml1.order]: expected value of type [number] but got [undefined]" +`); + }); + + it('requires `realm`', () => { + expect(() => + ConfigSchema.validate({ + authc: { providers: { saml: { saml1: { order: 0 } } } }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1.saml.saml1.realm]: expected value of type [string] but got [undefined]" +`); + }); + + it('can be successfully validated', () => { + expect( + ConfigSchema.validate({ + authc: { + providers: { + saml: { + saml1: { order: 0, realm: 'saml1' }, + saml2: { order: 1, realm: 'saml2', maxRedirectURLSize: '1kb' }, + }, + }, + }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "saml": Object { + "saml1": Object { + "enabled": true, + "maxRedirectURLSize": ByteSizeValue { + "valueInBytes": 2048, + }, + "order": 0, + "realm": "saml1", + "showInSelector": true, + }, + "saml2": Object { + "enabled": true, + "maxRedirectURLSize": ByteSizeValue { + "valueInBytes": 1024, + }, + "order": 1, + "realm": "saml2", + "showInSelector": true, + }, + }, + } + `); + }); + }); + + it('`name` should be unique across all provider types', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { + basic: { provider1: { order: 0 } }, + saml: { + provider2: { order: 1, realm: 'saml1' }, + provider1: { order: 2, realm: 'saml2' }, + }, + }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1]: Found multiple providers configured with the same name \\"provider1\\": [xpack.security.authc.providers.basic.provider1, xpack.security.authc.providers.saml.provider1]" +`); + }); + + it('`order` should be unique across all provider types', () => { + expect(() => + ConfigSchema.validate({ + authc: { + providers: { + basic: { provider1: { order: 0 } }, + saml: { + provider2: { order: 0, realm: 'saml1' }, + provider3: { order: 2, realm: 'saml2' }, + }, + }, + }, + }) + ).toThrowErrorMatchingInlineSnapshot(` +"[authc.providers]: types that failed validation: +- [authc.providers.0]: expected value of type [array] but got [Object] +- [authc.providers.1]: Found multiple providers configured with the same order \\"0\\": [xpack.security.authc.providers.basic.provider1, xpack.security.authc.providers.saml.provider2]" +`); + }); + + it('can be successfully validated with multiple providers ignoring uniqueness violations in disabled ones', () => { + expect( + ConfigSchema.validate({ + authc: { + providers: { + basic: { basic1: { order: 0 }, basic2: { enabled: false, order: 1 } }, + saml: { + saml1: { order: 1, realm: 'saml1' }, + saml2: { order: 2, realm: 'saml2' }, + basic1: { order: 3, realm: 'saml3', enabled: false }, + }, + }, + }, + }).authc.providers + ).toMatchInlineSnapshot(` + Object { + "basic": Object { + "basic1": Object { + "enabled": true, + "order": 0, + "showInSelector": true, + }, + "basic2": Object { + "enabled": false, + "order": 1, + "showInSelector": true, + }, + }, + "saml": Object { + "basic1": Object { + "enabled": false, + "maxRedirectURLSize": ByteSizeValue { + "valueInBytes": 2048, + }, + "order": 3, + "realm": "saml3", + "showInSelector": true, + }, + "saml1": Object { + "enabled": true, + "maxRedirectURLSize": ByteSizeValue { + "valueInBytes": 2048, + }, + "order": 1, + "realm": "saml1", + "showInSelector": true, + }, + "saml2": Object { + "enabled": true, + "maxRedirectURLSize": ByteSizeValue { + "valueInBytes": 2048, + }, + "order": 2, + "realm": "saml2", + "showInSelector": true, + }, + }, + } + `); + }); + }); }); describe('createConfig()', () => { @@ -405,4 +861,204 @@ describe('createConfig()', () => { expect(loggingServiceMock.collect(logger).warn).toEqual([]); }); + + it('transforms legacy `authc.providers` into new format', () => { + const logger = loggingServiceMock.create().get(); + + expect( + createConfig( + ConfigSchema.validate({ + authc: { + providers: ['saml', 'basic'], + saml: { realm: 'saml-realm' }, + }, + }), + logger, + { isTLSEnabled: true } + ).authc + ).toMatchInlineSnapshot(` + Object { + "http": Object { + "autoSchemesEnabled": true, + "enabled": true, + "schemes": Array [ + "apikey", + ], + }, + "providers": Object { + "basic": Object { + "basic": Object { + "enabled": true, + "order": 1, + "showInSelector": true, + }, + }, + "saml": Object { + "saml": Object { + "enabled": true, + "maxRedirectURLSize": ByteSizeValue { + "valueInBytes": 2048, + }, + "order": 0, + "realm": "saml-realm", + "showInSelector": true, + }, + }, + }, + "selector": Object { + "enabled": false, + }, + "sortedProviders": Array [ + Object { + "name": "saml", + "options": Object { + "description": undefined, + "order": 0, + "showInSelector": true, + }, + "type": "saml", + }, + Object { + "name": "basic", + "options": Object { + "description": undefined, + "order": 1, + "showInSelector": true, + }, + "type": "basic", + }, + ], + } + `); + }); + + it('does not automatically set `authc.selector.enabled` to `true` if legacy `authc.providers` format is used', () => { + expect( + createConfig( + ConfigSchema.validate({ + authc: { providers: ['saml', 'basic'], saml: { realm: 'saml-realm' } }, + }), + loggingServiceMock.create().get(), + { isTLSEnabled: true } + ).authc.selector.enabled + ).toBe(false); + + // But keep it as `true` if it's explicitly set. + expect( + createConfig( + ConfigSchema.validate({ + authc: { + selector: { enabled: true }, + providers: ['saml', 'basic'], + saml: { realm: 'saml-realm' }, + }, + }), + loggingServiceMock.create().get(), + { isTLSEnabled: true } + ).authc.selector.enabled + ).toBe(true); + }); + + it('does not automatically set `authc.selector.enabled` to `true` if less than 2 providers must be shown there', () => { + expect( + createConfig( + ConfigSchema.validate({ + authc: { + providers: { + basic: { basic1: { order: 0 } }, + saml: { + saml1: { order: 1, realm: 'saml1', showInSelector: false }, + saml2: { enabled: false, order: 2, realm: 'saml2' }, + }, + }, + }, + }), + loggingServiceMock.create().get(), + { isTLSEnabled: true } + ).authc.selector.enabled + ).toBe(false); + }); + + it('automatically set `authc.selector.enabled` to `true` if more than 1 provider must be shown there', () => { + expect( + createConfig( + ConfigSchema.validate({ + authc: { + providers: { + basic: { basic1: { order: 0 } }, + saml: { saml1: { order: 1, realm: 'saml1' }, saml2: { order: 2, realm: 'saml2' } }, + }, + }, + }), + loggingServiceMock.create().get(), + { isTLSEnabled: true } + ).authc.selector.enabled + ).toBe(true); + }); + + it('correctly sorts providers based on the `order`', () => { + expect( + createConfig( + ConfigSchema.validate({ + authc: { + providers: { + basic: { basic1: { order: 3 } }, + saml: { saml1: { order: 2, realm: 'saml1' }, saml2: { order: 1, realm: 'saml2' } }, + oidc: { oidc1: { order: 0, realm: 'oidc1' }, oidc2: { order: 4, realm: 'oidc2' } }, + }, + }, + }), + loggingServiceMock.create().get(), + { isTLSEnabled: true } + ).authc.sortedProviders + ).toMatchInlineSnapshot(` + Array [ + Object { + "name": "oidc1", + "options": Object { + "description": undefined, + "order": 0, + "showInSelector": true, + }, + "type": "oidc", + }, + Object { + "name": "saml2", + "options": Object { + "description": undefined, + "order": 1, + "showInSelector": true, + }, + "type": "saml", + }, + Object { + "name": "saml1", + "options": Object { + "description": undefined, + "order": 2, + "showInSelector": true, + }, + "type": "saml", + }, + Object { + "name": "basic1", + "options": Object { + "description": undefined, + "order": 3, + "showInSelector": true, + }, + "type": "basic", + }, + Object { + "name": "oidc2", + "options": Object { + "description": undefined, + "order": 4, + "showInSelector": true, + }, + "type": "oidc", + }, + ] + `); + }); }); diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts index e143e3d6b1b25..97ff7d00a4336 100644 --- a/x-pack/plugins/security/server/config.ts +++ b/x-pack/plugins/security/server/config.ts @@ -258,10 +258,10 @@ export function createConfig( return { ...config, authc: { - ...config.authc, selector: { ...config.authc.selector, enabled: isLoginSelectorEnabled }, providers, sortedProviders: Object.freeze(sortedProviders), + http: config.authc.http, }, encryptionKey, secureCookies, diff --git a/x-pack/plugins/security/server/routes/authentication/common.test.ts b/x-pack/plugins/security/server/routes/authentication/common.test.ts index b611ffffee935..e2f9593bc09ee 100644 --- a/x-pack/plugins/security/server/routes/authentication/common.test.ts +++ b/x-pack/plugins/security/server/routes/authentication/common.test.ts @@ -13,7 +13,13 @@ import { RouteConfig, } from '../../../../../../src/core/server'; import { LICENSE_CHECK_STATE } from '../../../../licensing/server'; -import { Authentication, DeauthenticationResult } from '../../authentication'; +import { + Authentication, + AuthenticationResult, + DeauthenticationResult, + OIDCLogin, + SAMLLogin, +} from '../../authentication'; import { defineCommonRoutes } from './common'; import { httpServerMock } from '../../../../../../src/core/server/mocks'; @@ -172,4 +178,260 @@ describe('Common authentication routes', () => { expect(authc.getCurrentUser).toHaveBeenCalledWith(mockRequest); }); }); + + describe('login_with', () => { + let routeHandler: RequestHandler; + let routeConfig: RouteConfig; + beforeEach(() => { + const [acsRouteConfig, acsRouteHandler] = router.post.mock.calls.find( + ([{ path }]) => path === '/internal/security/login_with' + )!; + + routeConfig = acsRouteConfig; + routeHandler = acsRouteHandler; + }); + + it('correctly defines route.', () => { + expect(routeConfig.options).toEqual({ authRequired: false }); + expect(routeConfig.validate).toEqual({ + body: expect.any(Type), + query: undefined, + params: undefined, + }); + + const bodyValidator = (routeConfig.validate as any).body as Type; + expect( + bodyValidator.validate({ + providerType: 'saml', + providerName: 'saml1', + currentURL: '/some-url', + }) + ).toEqual({ + providerType: 'saml', + providerName: 'saml1', + currentURL: '/some-url', + }); + + expect( + bodyValidator.validate({ + providerType: 'saml', + providerName: 'saml1', + currentURL: '', + }) + ).toEqual({ + providerType: 'saml', + providerName: 'saml1', + currentURL: '', + }); + + expect(() => bodyValidator.validate({})).toThrowErrorMatchingInlineSnapshot( + `"[providerType]: expected value of type [string] but got [undefined]"` + ); + + expect(() => + bodyValidator.validate({ providerType: 'saml' }) + ).toThrowErrorMatchingInlineSnapshot( + `"[providerName]: expected value of type [string] but got [undefined]"` + ); + + expect(() => + bodyValidator.validate({ providerType: 'saml', providerName: 'saml1' }) + ).toThrowErrorMatchingInlineSnapshot( + `"[currentURL]: expected value of type [string] but got [undefined]"` + ); + + expect(() => + bodyValidator.validate({ + providerType: 'saml', + providerName: 'saml1', + currentURL: '/some-url', + UnknownArg: 'arg', + }) + ).toThrowErrorMatchingInlineSnapshot(`"[UnknownArg]: definition for this key is missing"`); + }); + + it('returns 500 if login throws unhandled exception.', async () => { + const unhandledException = new Error('Something went wrong.'); + authc.login.mockRejectedValue(unhandledException); + + const request = httpServerMock.createKibanaRequest({ + body: { providerType: 'saml', providerName: 'saml1', currentURL: '/some-url' }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 500, + payload: 'Internal Error', + options: {}, + }); + }); + + it('returns 401 if login fails.', async () => { + const failureReason = new Error('Something went wrong.'); + authc.login.mockResolvedValue( + AuthenticationResult.failed(failureReason, { + authResponseHeaders: { 'WWW-Something': 'something' }, + }) + ); + + const request = httpServerMock.createKibanaRequest({ + body: { providerType: 'saml', providerName: 'saml1', currentURL: '/some-url' }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 401, + payload: failureReason, + options: { body: failureReason, headers: { 'WWW-Something': 'something' } }, + }); + }); + + it('returns 401 if login is not handled.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.notHandled()); + + const request = httpServerMock.createKibanaRequest({ + body: { providerType: 'saml', providerName: 'saml1', currentURL: '/some-url' }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 401, + payload: 'Unauthorized', + options: {}, + }); + }); + + it('returns redirect location from authentication result if any.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.redirectTo('http://redirect-to/path')); + + const request = httpServerMock.createKibanaRequest({ + body: { providerType: 'saml', providerName: 'saml1', currentURL: '/some-url' }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 200, + payload: { location: 'http://redirect-to/path' }, + options: { body: { location: 'http://redirect-to/path' } }, + }); + }); + + it('returns location extracted from `next` parameter if authentication result does not specify any.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.succeeded(mockAuthenticatedUser())); + + const request = httpServerMock.createKibanaRequest({ + body: { + providerType: 'saml', + providerName: 'saml1', + currentURL: 'https://kibana.com/?next=/mock-server-basepath/some-url#/app/nav', + }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 200, + payload: { location: '/mock-server-basepath/some-url#/app/nav' }, + options: { body: { location: '/mock-server-basepath/some-url#/app/nav' } }, + }); + }); + + it('returns base path if location cannot be extracted from `currentURL` parameter and authentication result does not specify any.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.succeeded(mockAuthenticatedUser())); + + const invalidCurrentURLs = [ + 'https://kibana.com/?next=https://evil.com/mock-server-basepath/some-url#/app/nav', + 'https://kibana.com/?next=https://kibana.com:9000/mock-server-basepath/some-url#/app/nav', + 'https://kibana.com/?next=kibana.com/mock-server-basepath/some-url#/app/nav', + 'https://kibana.com/?next=//mock-server-basepath/some-url#/app/nav', + 'https://kibana.com/?next=../mock-server-basepath/some-url#/app/nav', + 'https://kibana.com/?next=/some-url#/app/nav', + '', + ]; + + for (const currentURL of invalidCurrentURLs) { + const request = httpServerMock.createKibanaRequest({ + body: { providerType: 'saml', providerName: 'saml1', currentURL }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 200, + payload: { location: '/mock-server-basepath/' }, + options: { body: { location: '/mock-server-basepath/' } }, + }); + } + }); + + it('correctly performs SAML login.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.redirectTo('http://redirect-to/path')); + + const request = httpServerMock.createKibanaRequest({ + body: { + providerType: 'saml', + providerName: 'saml1', + currentURL: 'https://kibana.com/?next=/mock-server-basepath/some-url#/app/nav', + }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 200, + payload: { location: 'http://redirect-to/path' }, + options: { body: { location: 'http://redirect-to/path' } }, + }); + + expect(authc.login).toHaveBeenCalledTimes(1); + expect(authc.login).toHaveBeenCalledWith(request, { + provider: { name: 'saml1' }, + value: { + type: SAMLLogin.LoginInitiatedByUser, + redirectURLPath: '/mock-server-basepath/some-url', + redirectURLFragment: '#/app/nav', + }, + }); + }); + + it('correctly performs OIDC login.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.redirectTo('http://redirect-to/path')); + + const request = httpServerMock.createKibanaRequest({ + body: { + providerType: 'oidc', + providerName: 'oidc1', + currentURL: 'https://kibana.com/?next=/mock-server-basepath/some-url#/app/nav', + }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 200, + payload: { location: 'http://redirect-to/path' }, + options: { body: { location: 'http://redirect-to/path' } }, + }); + + expect(authc.login).toHaveBeenCalledTimes(1); + expect(authc.login).toHaveBeenCalledWith(request, { + provider: { name: 'oidc1' }, + value: { + type: OIDCLogin.LoginInitiatedByUser, + redirectURLPath: '/mock-server-basepath/some-url', + }, + }); + }); + + it('correctly performs generic login.', async () => { + authc.login.mockResolvedValue(AuthenticationResult.redirectTo('http://redirect-to/path')); + + const request = httpServerMock.createKibanaRequest({ + body: { + providerType: 'some-type', + providerName: 'some-name', + currentURL: 'https://kibana.com/?next=/mock-server-basepath/some-url#/app/nav', + }, + }); + + await expect(routeHandler(mockContext, request, kibanaResponseFactory)).resolves.toEqual({ + status: 200, + payload: { location: 'http://redirect-to/path' }, + options: { body: { location: 'http://redirect-to/path' } }, + }); + + expect(authc.login).toHaveBeenCalledTimes(1); + expect(authc.login).toHaveBeenCalledWith(request, { + provider: { name: 'some-name' }, + }); + }); + }); }); diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts index 30a8f2ce5bb0a..f0f33d6624cc1 100644 --- a/x-pack/plugins/security/server/routes/authentication/common.ts +++ b/x-pack/plugins/security/server/routes/authentication/common.ts @@ -121,6 +121,7 @@ export function defineCommonRoutes({ router, authc, basePath, logger }: RouteDef if (authenticationResult.redirected() || authenticationResult.succeeded()) { return response.ok({ body: { location: authenticationResult.redirectURL || redirectURL }, + headers: authenticationResult.authResponseHeaders, }); } diff --git a/x-pack/plugins/security/server/routes/views/login.test.ts b/x-pack/plugins/security/server/routes/views/login.test.ts index 382e5462f7de6..9217d5a437f9c 100644 --- a/x-pack/plugins/security/server/routes/views/login.test.ts +++ b/x-pack/plugins/security/server/routes/views/login.test.ts @@ -13,6 +13,8 @@ import { IRouter, } from '../../../../../../src/core/server'; import { SecurityLicense } from '../../../common/licensing'; +import { LoginState } from '../../../common/login_state'; +import { ConfigType } from '../../config'; import { defineLoginRoutes } from './login'; import { coreMock, httpServerMock } from '../../../../../../src/core/server/mocks'; @@ -21,10 +23,12 @@ import { routeDefinitionParamsMock } from '../index.mock'; describe('Login view routes', () => { let router: jest.Mocked; let license: jest.Mocked; + let config: ConfigType; beforeEach(() => { const routeParamsMock = routeDefinitionParamsMock.create(); router = routeParamsMock.router; license = routeParamsMock.license; + config = routeParamsMock.config; defineLoginRoutes(routeParamsMock); }); @@ -202,5 +206,141 @@ describe('Login view routes', () => { status: 200, }); }); + + it('returns `requiresSecureConnection: true` if `secureCookies` is enabled in config.', async () => { + license.getFeatures.mockReturnValue({ allowLogin: true, showLogin: true } as any); + + const request = httpServerMock.createKibanaRequest(); + const contextMock = coreMock.createRequestHandlerContext(); + + config.secureCookies = true; + + const expectedPayload = expect.objectContaining({ requiresSecureConnection: true }); + await expect( + routeHandler({ core: contextMock } as any, request, kibanaResponseFactory) + ).resolves.toEqual({ + options: { body: expectedPayload }, + payload: expectedPayload, + status: 200, + }); + }); + + it('returns `showLoginForm: true` only if either `basic` or `token` provider is enabled.', async () => { + license.getFeatures.mockReturnValue({ allowLogin: true, showLogin: true } as any); + + const request = httpServerMock.createKibanaRequest(); + const contextMock = coreMock.createRequestHandlerContext(); + + const cases: Array<[boolean, ConfigType['authc']['sortedProviders']]> = [ + [false, []], + [true, [{ type: 'basic', name: 'basic1', options: { order: 0, showInSelector: true } }]], + [true, [{ type: 'token', name: 'token1', options: { order: 0, showInSelector: true } }]], + ]; + + for (const [showLoginForm, sortedProviders] of cases) { + config.authc.sortedProviders = sortedProviders; + + const expectedPayload = expect.objectContaining({ showLoginForm }); + await expect( + routeHandler({ core: contextMock } as any, request, kibanaResponseFactory) + ).resolves.toEqual({ + options: { body: expectedPayload }, + payload: expectedPayload, + status: 200, + }); + } + }); + + it('correctly returns `selector` information.', async () => { + license.getFeatures.mockReturnValue({ allowLogin: true, showLogin: true } as any); + + const request = httpServerMock.createKibanaRequest(); + const contextMock = coreMock.createRequestHandlerContext(); + + const cases: Array<[ + boolean, + ConfigType['authc']['sortedProviders'], + LoginState['selector']['providers'] + ]> = [ + // selector is disabled, providers shouldn't be returned. + [ + false, + [ + { type: 'basic', name: 'basic1', options: { order: 0, showInSelector: true } }, + { type: 'saml', name: 'saml1', options: { order: 1, showInSelector: true } }, + ], + [], + ], + // selector is enabled, but only basic/token is available, providers shouldn't be returned. + [ + true, + [{ type: 'basic', name: 'basic1', options: { order: 0, showInSelector: true } }], + [], + ], + // selector is enabled, non-basic/token providers should be returned + [ + true, + [ + { + type: 'basic', + name: 'basic1', + options: { order: 0, showInSelector: true, description: 'some-desc1' }, + }, + { + type: 'saml', + name: 'saml1', + options: { order: 1, showInSelector: true, description: 'some-desc2' }, + }, + { + type: 'saml', + name: 'saml2', + options: { order: 2, showInSelector: true, description: 'some-desc3' }, + }, + ], + [ + { type: 'saml', name: 'saml1', description: 'some-desc2' }, + { type: 'saml', name: 'saml2', description: 'some-desc3' }, + ], + ], + // selector is enabled, only non-basic/token providers that are enabled in selector should be returned. + [ + true, + [ + { + type: 'basic', + name: 'basic1', + options: { order: 0, showInSelector: true, description: 'some-desc1' }, + }, + { + type: 'saml', + name: 'saml1', + options: { order: 1, showInSelector: false, description: 'some-desc2' }, + }, + { + type: 'saml', + name: 'saml2', + options: { order: 2, showInSelector: true, description: 'some-desc3' }, + }, + ], + [{ type: 'saml', name: 'saml2', description: 'some-desc3' }], + ], + ]; + + for (const [selectorEnabled, sortedProviders, expectedProviders] of cases) { + config.authc.selector.enabled = selectorEnabled; + config.authc.sortedProviders = sortedProviders; + + const expectedPayload = expect.objectContaining({ + selector: { enabled: selectorEnabled, providers: expectedProviders }, + }); + await expect( + routeHandler({ core: contextMock } as any, request, kibanaResponseFactory) + ).resolves.toEqual({ + options: { body: expectedPayload }, + payload: expectedPayload, + status: 200, + }); + } + }); }); }); diff --git a/x-pack/plugins/security/server/routes/views/login.ts b/x-pack/plugins/security/server/routes/views/login.ts index a8f669551d710..f37411c301dbd 100644 --- a/x-pack/plugins/security/server/routes/views/login.ts +++ b/x-pack/plugins/security/server/routes/views/login.ts @@ -60,23 +60,25 @@ export function defineLoginRoutes({ async (context, request, response) => { const { allowLogin, layout = 'form' } = license.getFeatures(); const { sortedProviders, selector } = config.authc; + + let showLoginForm = false; + const providers = []; + for (const { type, name, options } of sortedProviders) { + if (options.showInSelector) { + if (type === 'basic' || type === 'token') { + showLoginForm = true; + } else if (selector.enabled) { + providers.push({ type, name, description: options.description }); + } + } + } + const loginState: LoginState = { allowLogin, layout, requiresSecureConnection: config.secureCookies, - showLoginForm: sortedProviders.some( - ({ type, options: { showInSelector } }) => - showInSelector && (type === 'basic' || type === 'token') - ), - selector: { - enabled: selector.enabled, - providers: selector.enabled - ? sortedProviders.filter( - ({ type, options: { showInSelector } }) => - showInSelector && type !== 'basic' && type !== 'token' - ) - : [], - }, + showLoginForm, + selector: { enabled: selector.enabled, providers }, }; return response.ok({ body: loginState }); From 5b189c248d59fa56882a5970b1a81ba51da7c28e Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Fri, 20 Mar 2020 09:36:43 +0100 Subject: [PATCH 04/11] Review#3: move Login selector logic into `LoginForm` component. --- x-pack/plugins/security/common/login_state.ts | 2 +- .../__snapshots__/login_page.test.tsx.snap | 159 +++++----- .../basic_login_form.test.tsx.snap | 154 +++++++++- .../basic_login_form.test.tsx | 149 +++++++++- .../basic_login_form/basic_login_form.tsx | 277 +++++++++++++----- .../authentication/login/login_page.test.tsx | 68 ----- .../authentication/login/login_page.tsx | 79 +---- 7 files changed, 568 insertions(+), 320 deletions(-) diff --git a/x-pack/plugins/security/common/login_state.ts b/x-pack/plugins/security/common/login_state.ts index 35c468a6784e5..4342e82d2f90b 100644 --- a/x-pack/plugins/security/common/login_state.ts +++ b/x-pack/plugins/security/common/login_state.ts @@ -6,7 +6,7 @@ import { LoginLayout } from './licensing'; -interface LoginSelector { +export interface LoginSelector { enabled: boolean; providers: Array<{ type: string; name: string; description?: string }>; } diff --git a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap index 2dadfd7e69ce2..37c5c635851a0 100644 --- a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap @@ -104,6 +104,26 @@ exports[`LoginPage enabled form state renders as expected 1`] = ` } } loginAssistanceMessage="" + notifications={ + Object { + "toasts": Object { + "add": [MockFunction], + "addDanger": [MockFunction], + "addError": [MockFunction], + "addSuccess": [MockFunction], + "addWarning": [MockFunction], + "get$": [MockFunction], + "remove": [MockFunction], + }, + } + } + selector={ + Object { + "enabled": false, + "providers": Array [], + } + } + showLoginForm={true} /> `; @@ -117,6 +137,26 @@ exports[`LoginPage enabled form state renders as expected when info message is s } infoMessage="Your session has timed out. Please log in again." loginAssistanceMessage="" + notifications={ + Object { + "toasts": Object { + "add": [MockFunction], + "addDanger": [MockFunction], + "addError": [MockFunction], + "addSuccess": [MockFunction], + "addWarning": [MockFunction], + "get$": [MockFunction], + "remove": [MockFunction], + }, + } + } + selector={ + Object { + "enabled": false, + "providers": Array [], + } + } + showLoginForm={true} /> `; @@ -130,88 +170,29 @@ exports[`LoginPage enabled form state renders as expected when loginAssistanceMe } infoMessage="Your session has timed out. Please log in again." loginAssistanceMessage="This is an *important* message" + notifications={ + Object { + "toasts": Object { + "add": [MockFunction], + "addDanger": [MockFunction], + "addError": [MockFunction], + "addSuccess": [MockFunction], + "addWarning": [MockFunction], + "get$": [MockFunction], + "remove": [MockFunction], + }, + } + } + selector={ + Object { + "enabled": false, + "providers": Array [], + } + } + showLoginForm={true} /> `; -exports[`LoginPage login selector renders as expected with login form 1`] = ` - - - - Login w/SAML - - - Login w/PKI - - - ―――   - -   ――― - - - - - -`; - -exports[`LoginPage login selector renders as expected without login form 1`] = ` - - - - Login w/SAML - - - Login w/PKI - - - -`; - exports[`LoginPage page renders as expected 1`] = `
diff --git a/x-pack/plugins/security/public/authentication/login/components/basic_login_form/__snapshots__/basic_login_form.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/components/basic_login_form/__snapshots__/basic_login_form.test.tsx.snap index b09f398ed5ed9..c1f90cd591908 100644 --- a/x-pack/plugins/security/public/authentication/login/components/basic_login_form/__snapshots__/basic_login_form.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/components/basic_login_form/__snapshots__/basic_login_form.test.tsx.snap @@ -1,21 +1,152 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP -exports[`BasicLoginForm renders as expected 1`] = ` +exports[`BasicLoginForm login selector renders as expected with login form 1`] = ` + + Login w/SAML + + + Login w/PKI + - +   ――― + + +
+ + } + labelType="label" + > + + + + } + labelType="label" + > + + + + + +
+
+
+`; + +exports[`BasicLoginForm login selector renders as expected without login form 1`] = ` + + + Login w/SAML + + + Login w/PKI + + +`; + +exports[`BasicLoginForm renders as expected 1`] = ` +
{ }); it('renders as expected', () => { + const coreStartMock = coreMock.createStart(); expect( shallowWithIntl( - + ) ).toMatchSnapshot(); }); it('renders an info message when provided.', () => { + const coreStartMock = coreMock.createStart(); const wrapper = shallowWithIntl( ); @@ -45,10 +56,18 @@ describe('BasicLoginForm', () => { }); it('renders an invalid credentials message', async () => { - const mockHTTP = coreMock.createStart({ basePath: '/some-base-path' }).http; - mockHTTP.post.mockRejectedValue({ response: { status: 401 } }); + const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' }); + coreStartMock.http.post.mockRejectedValue({ response: { status: 401 } }); - const wrapper = mountWithIntl(); + const wrapper = mountWithIntl( + + ); wrapper.find('input[name="username"]').simulate('change', { target: { value: 'username' } }); wrapper.find('input[name="password"]').simulate('change', { target: { value: 'password' } }); @@ -65,10 +84,18 @@ describe('BasicLoginForm', () => { }); it('renders unknown error message', async () => { - const mockHTTP = coreMock.createStart({ basePath: '/some-base-path' }).http; - mockHTTP.post.mockRejectedValue({ response: { status: 500 } }); + const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' }); + coreStartMock.http.post.mockRejectedValue({ response: { status: 500 } }); - const wrapper = mountWithIntl(); + const wrapper = mountWithIntl( + + ); wrapper.find('input[name="username"]').simulate('change', { target: { value: 'username' } }); wrapper.find('input[name="password"]').simulate('change', { target: { value: 'password' } }); @@ -86,10 +113,18 @@ describe('BasicLoginForm', () => { window.location.href = `https://some-host/login?next=${encodeURIComponent( '/some-base-path/app/kibana#/home?_g=()' )}`; - const mockHTTP = coreMock.createStart({ basePath: '/some-base-path' }).http; - mockHTTP.post.mockResolvedValue({}); + const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' }); + coreStartMock.http.post.mockResolvedValue({}); - const wrapper = mountWithIntl(); + const wrapper = mountWithIntl( + + ); wrapper.find('input[name="username"]').simulate('change', { target: { value: 'username1' } }); wrapper.find('input[name="password"]').simulate('change', { target: { value: 'password1' } }); @@ -100,12 +135,100 @@ describe('BasicLoginForm', () => { wrapper.update(); }); - expect(mockHTTP.post).toHaveBeenCalledTimes(1); - expect(mockHTTP.post).toHaveBeenCalledWith('/internal/security/login', { + expect(coreStartMock.http.post).toHaveBeenCalledTimes(1); + expect(coreStartMock.http.post).toHaveBeenCalledWith('/internal/security/login', { body: JSON.stringify({ username: 'username1', password: 'password1' }), }); expect(window.location.href).toBe('/some-base-path/app/kibana#/home?_g=()'); expect(wrapper.find(EuiCallOut).exists()).toBe(false); }); + + describe('login selector', () => { + it('renders as expected with login form', async () => { + const coreStartMock = coreMock.createStart(); + expect( + shallowWithIntl( + + ) + ).toMatchSnapshot(); + }); + + it('renders as expected without login form', async () => { + const coreStartMock = coreMock.createStart(); + expect( + shallowWithIntl( + + ) + ).toMatchSnapshot(); + }); + + it('properly redirects after successful login', async () => { + const currentURL = `https://some-host/login?next=${encodeURIComponent( + '/some-base-path/app/kibana#/home?_g=()' + )}`; + + const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' }); + coreStartMock.http.post.mockResolvedValue({ + location: 'https://external-idp/login?optional-arg=2#optional-hash', + }); + + window.location.href = currentURL; + const wrapper = mountWithIntl( + + ); + + wrapper.findWhere(node => node.key() === 'saml1').simulate('click'); + + await act(async () => { + await nextTick(); + wrapper.update(); + }); + + expect(coreStartMock.http.post).toHaveBeenCalledTimes(1); + expect(coreStartMock.http.post).toHaveBeenCalledWith('/internal/security/login_with', { + body: JSON.stringify({ providerType: 'saml', providerName: 'saml1', currentURL }), + }); + + expect(window.location.href).toBe('https://external-idp/login?optional-arg=2#optional-hash'); + expect(wrapper.find(EuiCallOut).exists()).toBe(false); + expect(coreStartMock.notifications.toasts.addError).not.toHaveBeenCalled(); + }); + }); }); diff --git a/x-pack/plugins/security/public/authentication/login/components/basic_login_form/basic_login_form.tsx b/x-pack/plugins/security/public/authentication/login/components/basic_login_form/basic_login_form.tsx index 7302ee9bf9851..0dcc266eb4b81 100644 --- a/x-pack/plugins/security/public/authentication/login/components/basic_login_form/basic_login_form.tsx +++ b/x-pack/plugins/security/public/authentication/login/components/basic_login_form/basic_login_form.tsx @@ -17,30 +17,51 @@ import { } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; -import { HttpStart, IHttpFetchError } from 'src/core/public'; +import { HttpStart, IHttpFetchError, NotificationsStart } from 'src/core/public'; import { parseNext } from '../../../../../common/parse_next'; +import { LoginSelector } from '../../../../../common/login_state'; interface Props { http: HttpStart; + notifications: NotificationsStart; + selector: LoginSelector; + showLoginForm: boolean; infoMessage?: string; loginAssistanceMessage: string; } interface State { - hasError: boolean; - isLoading: boolean; + loadingState: + | { type: LoadingStateType.None } + | { type: LoadingStateType.Form } + | { type: LoadingStateType.Selector; providerName: string }; username: string; password: string; - message: string; + message: + | { type: MessageType.None } + | { type: MessageType.Danger | MessageType.Info; content: string }; +} + +enum LoadingStateType { + None, + Form, + Selector, +} + +enum MessageType { + None, + Info, + Danger, } export class BasicLoginForm extends Component { - public state = { - hasError: false, - isLoading: false, + public state: State = { + loadingState: { type: LoadingStateType.None }, username: '', password: '', - message: '', + message: this.props.infoMessage + ? { type: MessageType.Info, content: this.props.infoMessage } + : { type: MessageType.None }, }; public render() { @@ -48,71 +69,87 @@ export class BasicLoginForm extends Component { {this.renderLoginAssistanceMessage()} {this.renderMessage()} - - - - } - > - - - - - } - > - + ); + } + + private renderLoginForm = () => { + if (!this.props.showLoginForm) { + return null; + } + + return ( + + + - - - + } + > + + + + - - - - + } + > + + + + + + + +
); - } + }; private renderLoginAssistanceMessage = () => { + if (!this.props.loginAssistanceMessage) { + return null; + } + return ( @@ -123,14 +160,15 @@ export class BasicLoginForm extends Component { }; private renderMessage = () => { - if (this.state.message) { + const { message } = this.state; + if (message.type === MessageType.Danger) { return ( @@ -138,14 +176,14 @@ export class BasicLoginForm extends Component { ); } - if (this.props.infoMessage) { + if (message.type === MessageType.Info) { return ( @@ -156,6 +194,53 @@ export class BasicLoginForm extends Component { return null; }; + private renderSelector = () => { + const showLoginSelector = + this.props.selector.enabled && this.props.selector.providers.length > 0; + if (!showLoginSelector) { + return null; + } + + const loginSelectorAndLoginFormSeparator = showLoginSelector && this.props.showLoginForm && ( + <> + + ―――   + +   ――― + + + + ); + + return ( + <> + {this.props.selector.providers.map(provider => ( + this.loginWithSelector(provider.type, provider.name)} + > + {provider.description ?? ( + + )} + + ))} + {loginSelectorAndLoginFormSeparator} + + ); + }; + private setUsernameInputRef(ref: HTMLInputElement) { if (ref) { ref.focus(); @@ -180,7 +265,9 @@ export class BasicLoginForm extends Component { }); }; - private submit = async (e: MouseEvent | FormEvent) => { + private submitLoginForm = async ( + e: MouseEvent | FormEvent + ) => { e.preventDefault(); if (!this.isFormValid()) { @@ -188,8 +275,8 @@ export class BasicLoginForm extends Component { } this.setState({ - isLoading: true, - message: '', + loadingState: { type: LoadingStateType.Form }, + message: { type: MessageType.None }, }); const { http } = this.props; @@ -210,10 +297,46 @@ export class BasicLoginForm extends Component { }); this.setState({ - hasError: true, - message, - isLoading: false, + message: { type: MessageType.Danger, content: message }, + loadingState: { type: LoadingStateType.None }, + }); + } + }; + + private loginWithSelector = async (providerType: string, providerName: string) => { + this.setState({ + loadingState: { type: LoadingStateType.Selector, providerName }, + message: { type: MessageType.None }, + }); + + try { + const { location } = await this.props.http.post<{ location: string }>( + '/internal/security/login_with', + { body: JSON.stringify({ providerType, providerName, currentURL: window.location.href }) } + ); + + window.location.href = location; + } catch (err) { + this.props.notifications.toasts.addError(err, { + title: i18n.translate('xpack.security.loginPage.loginSelectorErrorMessage', { + defaultMessage: 'Could not perform login.', + }), }); + + this.setState({ loadingState: { type: LoadingStateType.None } }); } }; + + private isLoadingState(type: LoadingStateType.None | LoadingStateType.Form): boolean; + private isLoadingState(type: LoadingStateType.Selector, providerName: string): boolean; + private isLoadingState(type: LoadingStateType, providerName?: string) { + const { loadingState } = this.state; + if (loadingState.type !== type) { + return false; + } + + return ( + loadingState.type !== LoadingStateType.Selector || loadingState.providerName === providerName + ); + } } diff --git a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx index c4a66014e567f..17038df18ab07 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx @@ -7,7 +7,6 @@ import React from 'react'; import { shallow } from 'enzyme'; import { act } from '@testing-library/react'; -import { EuiFlexGroup } from '@elastic/eui'; import { nextTick } from 'test_utils/enzyme_helpers'; import { LoginState } from '../../../common/login_state'; import { LoginPage } from './login_page'; @@ -253,73 +252,6 @@ describe('LoginPage', () => { }); }); - describe('login selector', () => { - it('renders as expected with login form', async () => { - const coreStartMock = coreMock.createStart(); - httpMock.get.mockResolvedValue( - createLoginState({ - selector: { - enabled: true, - providers: [ - { type: 'saml', name: 'saml1', description: 'Login w/SAML' }, - { type: 'pki', name: 'pki1', description: 'Login w/PKI' }, - ], - }, - }) - ); - - const wrapper = shallow( - - ); - - await act(async () => { - await nextTick(); - wrapper.update(); - resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot - }); - - expect(wrapper.find(EuiFlexGroup)).toMatchSnapshot(); - }); - - it('renders as expected without login form', async () => { - const coreStartMock = coreMock.createStart(); - httpMock.get.mockResolvedValue( - createLoginState({ - showLoginForm: false, - selector: { - enabled: true, - providers: [ - { type: 'saml', name: 'saml1', description: 'Login w/SAML' }, - { type: 'pki', name: 'pki1', description: 'Login w/PKI' }, - ], - }, - }) - ); - - const wrapper = shallow( - - ); - - await act(async () => { - await nextTick(); - wrapper.update(); - resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot - }); - - expect(wrapper.find(EuiFlexGroup)).toMatchSnapshot(); - }); - }); - describe('API calls', () => { it('GET login_state success', async () => { const coreStartMock = coreMock.createStart(); diff --git a/x-pack/plugins/security/public/authentication/login/login_page.tsx b/x-pack/plugins/security/public/authentication/login/login_page.tsx index ab18396706797..fedbb693f1b39 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.tsx @@ -9,15 +9,7 @@ import ReactDOM from 'react-dom'; import classNames from 'classnames'; import { BehaviorSubject } from 'rxjs'; import { parse } from 'url'; -import { - EuiFlexGroup, - EuiFlexItem, - EuiButton, - EuiIcon, - EuiSpacer, - EuiText, - EuiTitle, -} from '@elastic/eui'; +import { EuiFlexGroup, EuiFlexItem, EuiIcon, EuiSpacer, EuiText, EuiTitle } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; import { CoreStart, FatalErrorsStart, HttpStart, NotificationsStart } from 'src/core/public'; @@ -130,8 +122,9 @@ export class LoginPage extends Component { selector, showLoginForm, }: LoginState & { isSecureConnection: boolean }) => { - const showLoginSelector = selector.providers.length > 0; - if (!showLoginSelector && !showLoginForm) { + const isLoginExplicitlyDisabled = + !showLoginForm && (!selector.enabled || selector.providers.length === 0); + if (isLoginExplicitlyDisabled) { return ( { ); } - const loginSelector = - showLoginSelector && - selector.providers.map((provider, index) => ( - this.login(provider.type, provider.name)} - > - {provider.description ?? ( - - )} - - )); - - const loginSelectorAndLoginFormSeparator = showLoginSelector && showLoginForm && ( - <> - - ―――   - -   ――― - - - - ); - - const loginForm = showLoginForm && ( + return ( ); - - return ( - <> - {loginSelector} - {loginSelectorAndLoginFormSeparator} - {loginForm} - - ); - }; - - private login = async (providerType: string, providerName: string) => { - try { - const { location } = await this.props.http.post<{ location: string }>( - '/internal/security/login_with', - { body: JSON.stringify({ providerType, providerName, currentURL: window.location.href }) } - ); - - window.location.href = location; - } catch (err) { - this.props.notifications.toasts.addError(err, { - title: i18n.translate('xpack.security.loginPage.loginSelectorErrorMessage', { - defaultMessage: 'Could not perform login.', - }), - }); - } }; } From db2f4b30f1058e098b178ecfbbb4f00b62354cc3 Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Fri, 20 Mar 2020 09:56:40 +0100 Subject: [PATCH 05/11] Review#3: rename `BasicLoginForm` to `LoginForm` component. --- .../__snapshots__/login_page.test.tsx.snap | 8 ++++---- .../authentication/login/components/index.ts | 2 +- .../__snapshots__/login_form.test.tsx.snap} | 6 +++--- .../{basic_login_form => login_form}/index.ts | 2 +- .../login_form.test.tsx} | 20 +++++++++---------- .../login_form.tsx} | 2 +- .../authentication/login/login_page.test.tsx | 8 ++++---- .../authentication/login/login_page.tsx | 4 ++-- 8 files changed, 26 insertions(+), 26 deletions(-) rename x-pack/plugins/security/public/authentication/login/components/{basic_login_form/__snapshots__/basic_login_form.test.tsx.snap => login_form/__snapshots__/login_form.test.tsx.snap} (95%) rename x-pack/plugins/security/public/authentication/login/components/{basic_login_form => login_form}/index.ts (82%) rename x-pack/plugins/security/public/authentication/login/components/{basic_login_form/basic_login_form.test.tsx => login_form/login_form.test.tsx} (96%) rename x-pack/plugins/security/public/authentication/login/components/{basic_login_form/basic_login_form.tsx => login_form/login_form.tsx} (99%) diff --git a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap index 37c5c635851a0..0eccd4692d26e 100644 --- a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap @@ -96,7 +96,7 @@ exports[`LoginPage disabled form states renders as expected when xpack is not av `; exports[`LoginPage enabled form state renders as expected 1`] = ` - - `; -exports[`BasicLoginForm login selector renders as expected without login form 1`] = ` +exports[`LoginForm login selector renders as expected without login form 1`] = ` `; -exports[`BasicLoginForm renders as expected 1`] = ` +exports[`LoginForm renders as expected 1`] = `
{ +describe('LoginForm', () => { beforeAll(() => { Object.defineProperty(window, 'location', { value: { href: 'https://some-host/bar' }, @@ -28,7 +28,7 @@ describe('BasicLoginForm', () => { const coreStartMock = coreMock.createStart(); expect( shallowWithIntl( - { it('renders an info message when provided.', () => { const coreStartMock = coreMock.createStart(); const wrapper = shallowWithIntl( - { coreStartMock.http.post.mockRejectedValue({ response: { status: 401 } }); const wrapper = mountWithIntl( - { coreStartMock.http.post.mockRejectedValue({ response: { status: 500 } }); const wrapper = mountWithIntl( - { coreStartMock.http.post.mockResolvedValue({}); const wrapper = mountWithIntl( - { const coreStartMock = coreMock.createStart(); expect( shallowWithIntl( - { const coreStartMock = coreMock.createStart(); expect( shallowWithIntl( - { window.location.href = currentURL; const wrapper = mountWithIntl( - { +export class LoginForm extends Component { public state: State = { loadingState: { type: LoadingStateType.None }, username: '', diff --git a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx index 17038df18ab07..c4be57d8d7db7 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.test.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.test.tsx @@ -11,7 +11,7 @@ import { nextTick } from 'test_utils/enzyme_helpers'; import { LoginState } from '../../../common/login_state'; import { LoginPage } from './login_page'; import { coreMock } from '../../../../../../src/core/public/mocks'; -import { DisabledLoginForm, BasicLoginForm } from './components'; +import { DisabledLoginForm, LoginForm } from './components'; const createLoginState = (options?: Partial) => { return { @@ -203,7 +203,7 @@ describe('LoginPage', () => { resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot }); - expect(wrapper.find(BasicLoginForm)).toMatchSnapshot(); + expect(wrapper.find(LoginForm)).toMatchSnapshot(); }); it('renders as expected when info message is set', async () => { @@ -226,7 +226,7 @@ describe('LoginPage', () => { resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot }); - expect(wrapper.find(BasicLoginForm)).toMatchSnapshot(); + expect(wrapper.find(LoginForm)).toMatchSnapshot(); }); it('renders as expected when loginAssistanceMessage is set', async () => { @@ -248,7 +248,7 @@ describe('LoginPage', () => { resetHttpMock(); // so the calls don't show in the BasicLoginForm snapshot }); - expect(wrapper.find(BasicLoginForm)).toMatchSnapshot(); + expect(wrapper.find(LoginForm)).toMatchSnapshot(); }); }); diff --git a/x-pack/plugins/security/public/authentication/login/login_page.tsx b/x-pack/plugins/security/public/authentication/login/login_page.tsx index fedbb693f1b39..70f8f76ee0a9c 100644 --- a/x-pack/plugins/security/public/authentication/login/login_page.tsx +++ b/x-pack/plugins/security/public/authentication/login/login_page.tsx @@ -14,7 +14,7 @@ import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n/react'; import { CoreStart, FatalErrorsStart, HttpStart, NotificationsStart } from 'src/core/public'; import { LoginState } from '../../../common/login_state'; -import { BasicLoginForm, DisabledLoginForm } from './components'; +import { LoginForm, DisabledLoginForm } from './components'; interface Props { http: HttpStart; @@ -220,7 +220,7 @@ export class LoginPage extends Component { } return ( - Date: Fri, 20 Mar 2020 12:52:09 +0100 Subject: [PATCH 06/11] Review#3: add initial set of Login Selector API integration tests. --- .../security/server/routes/views/login.ts | 3 - x-pack/scripts/functional_tests.js | 1 + .../apis/security/kerberos_login.ts | 10 +- .../fixtures/kerberos_tools.ts | 13 + .../apis/index.ts | 14 + .../apis/login_selector.ts | 505 ++++++++++++++++++ .../login_selector_api_integration/config.ts | 141 +++++ .../ftr_provider_context.d.ts | 11 + .../services.ts | 14 + .../apis/security/pki_auth.ts | 1 - x-pack/test/pki_api_integration/config.ts | 1 - x-pack/test/saml_api_integration/config.ts | 2 +- .../fixtures/idp_metadata.xml | 2 +- .../fixtures/idp_metadata_2.xml | 41 ++ .../fixtures/saml_tools.ts | 17 +- 15 files changed, 762 insertions(+), 14 deletions(-) create mode 100644 x-pack/test/kerberos_api_integration/fixtures/kerberos_tools.ts create mode 100644 x-pack/test/login_selector_api_integration/apis/index.ts create mode 100644 x-pack/test/login_selector_api_integration/apis/login_selector.ts create mode 100644 x-pack/test/login_selector_api_integration/config.ts create mode 100644 x-pack/test/login_selector_api_integration/ftr_provider_context.d.ts create mode 100644 x-pack/test/login_selector_api_integration/services.ts create mode 100644 x-pack/test/saml_api_integration/fixtures/idp_metadata_2.xml diff --git a/x-pack/plugins/security/server/routes/views/login.ts b/x-pack/plugins/security/server/routes/views/login.ts index f37411c301dbd..4cabd4337971c 100644 --- a/x-pack/plugins/security/server/routes/views/login.ts +++ b/x-pack/plugins/security/server/routes/views/login.ts @@ -37,9 +37,6 @@ export function defineLoginRoutes({ async (context, request, response) => { // Default to true if license isn't available or it can't be resolved for some reason. const shouldShowLogin = license.isEnabled() ? license.getFeatures().showLogin : true; - - // Authentication flow isn't triggered automatically for this route, so we should explicitly - // check whether user has an active session already. const isUserAlreadyLoggedIn = request.auth.isAuthenticated; if (isUserAlreadyLoggedIn || !shouldShowLogin) { logger.debug('User is already authenticated, redirecting...'); diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js index c1f8047c8a5cc..65e22713b778c 100644 --- a/x-pack/scripts/functional_tests.js +++ b/x-pack/scripts/functional_tests.js @@ -25,6 +25,7 @@ const onlyNotInCoverageTests = [ require.resolve('../test/oidc_api_integration/config.ts'), require.resolve('../test/oidc_api_integration/implicit_flow.config.ts'), require.resolve('../test/pki_api_integration/config.ts'), + require.resolve('../test/login_selector_api_integration/config.ts'), require.resolve('../test/spaces_api_integration/spaces_only/config.ts'), require.resolve('../test/spaces_api_integration/security_and_spaces/config_trial.ts'), require.resolve('../test/spaces_api_integration/security_and_spaces/config_basic.ts'), diff --git a/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts b/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts index b561c9ea47513..81999826adbb1 100644 --- a/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts +++ b/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts @@ -8,10 +8,14 @@ import expect from '@kbn/expect'; import request, { Cookie } from 'request'; import { delay } from 'bluebird'; import { FtrProviderContext } from '../../ftr_provider_context'; +import { + getMutualAuthenticationResponseToken, + getSPNEGOToken, +} from '../../fixtures/kerberos_tools'; export default function({ getService }: FtrProviderContext) { - const spnegoToken = - 'YIIChwYGKwYBBQUCoIICezCCAnegDTALBgkqhkiG9xIBAgKiggJkBIICYGCCAlwGCSqGSIb3EgECAgEAboICSzCCAkegAwIBBaEDAgEOogcDBQAAAAAAo4IBW2GCAVcwggFToAMCAQWhERsPVEVTVC5FTEFTVElDLkNPohwwGqADAgEDoRMwERsESFRUUBsJbG9jYWxob3N0o4IBGTCCARWgAwIBEqEDAgECooIBBwSCAQNBN2a1Rso+KEJsDwICYLCt7ACLzdlbhEZF5YNsehO109b/WiZR1VTK6kCQyDdBdQFefyvV8EiC35mz7XnTb239nWz6xBGbdmtjSfF0XzpXKbL/zGzLEKkEXQuqFLPUN6qEJXsh0OoNdj9OWwmTr93FVyugs1hO/E5wjlAe2SDYpBN6uZICXu6dFg9nLQKkb/XgbgKM7ZZvgA/UElWDgHav4nPO1VWppCCLKHqXTRnvpr/AsxeON4qeJLaukxBigfIaJlLFMNQal5H7MyXa0j3Y1sckbURnWoBt6r4XE7c8F8cz0rYoGwoCO+Cs5tNutKY6XcsAFbLh59hjgIkhVBhhyTeypIHSMIHPoAMCARKigccEgcSsXqIRAcHfZivrbHfsnvbFgmzmnrKVPFNtJ9Hl23KunCsNW49nP4VF2dEf9n12prDaIguJDV5LPHpTew9rmCj1GCahKJ9bJbRKIgImLFd+nelm3E2zxRqAhrgM1469oDg0ksE3+5lJBuJlVEECMp0F/gxvEiL7DhasICqw+FOJ/jD9QUYvg+E6BIxWgZyPszaxerzBBszAhIF1rxCHRRL1KLjskNeJlBhH77DkAO6AEmsYGdsgEq7b7uCov9PKPiiPAuFF'; + const spnegoToken = getSPNEGOToken(); + const supertest = getService('supertestWithoutAuth'); const config = getService('config'); @@ -105,7 +109,7 @@ export default function({ getService }: FtrProviderContext) { // Verify that mutual authentication works. expect(response.headers['www-authenticate']).to.be( - 'Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==' + `Negotiate ${getMutualAuthenticationResponseToken()}` ); const cookies = response.headers['set-cookie']; diff --git a/x-pack/test/kerberos_api_integration/fixtures/kerberos_tools.ts b/x-pack/test/kerberos_api_integration/fixtures/kerberos_tools.ts new file mode 100644 index 0000000000000..2fed5d475cd5c --- /dev/null +++ b/x-pack/test/kerberos_api_integration/fixtures/kerberos_tools.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +export function getSPNEGOToken() { + return 'YIIChwYGKwYBBQUCoIICezCCAnegDTALBgkqhkiG9xIBAgKiggJkBIICYGCCAlwGCSqGSIb3EgECAgEAboICSzCCAkegAwIBBaEDAgEOogcDBQAAAAAAo4IBW2GCAVcwggFToAMCAQWhERsPVEVTVC5FTEFTVElDLkNPohwwGqADAgEDoRMwERsESFRUUBsJbG9jYWxob3N0o4IBGTCCARWgAwIBEqEDAgECooIBBwSCAQNBN2a1Rso+KEJsDwICYLCt7ACLzdlbhEZF5YNsehO109b/WiZR1VTK6kCQyDdBdQFefyvV8EiC35mz7XnTb239nWz6xBGbdmtjSfF0XzpXKbL/zGzLEKkEXQuqFLPUN6qEJXsh0OoNdj9OWwmTr93FVyugs1hO/E5wjlAe2SDYpBN6uZICXu6dFg9nLQKkb/XgbgKM7ZZvgA/UElWDgHav4nPO1VWppCCLKHqXTRnvpr/AsxeON4qeJLaukxBigfIaJlLFMNQal5H7MyXa0j3Y1sckbURnWoBt6r4XE7c8F8cz0rYoGwoCO+Cs5tNutKY6XcsAFbLh59hjgIkhVBhhyTeypIHSMIHPoAMCARKigccEgcSsXqIRAcHfZivrbHfsnvbFgmzmnrKVPFNtJ9Hl23KunCsNW49nP4VF2dEf9n12prDaIguJDV5LPHpTew9rmCj1GCahKJ9bJbRKIgImLFd+nelm3E2zxRqAhrgM1469oDg0ksE3+5lJBuJlVEECMp0F/gxvEiL7DhasICqw+FOJ/jD9QUYvg+E6BIxWgZyPszaxerzBBszAhIF1rxCHRRL1KLjskNeJlBhH77DkAO6AEmsYGdsgEq7b7uCov9PKPiiPAuFF'; +} + +export function getMutualAuthenticationResponseToken() { + return 'oRQwEqADCgEAoQsGCSqGSIb3EgECAg=='; +} diff --git a/x-pack/test/login_selector_api_integration/apis/index.ts b/x-pack/test/login_selector_api_integration/apis/index.ts new file mode 100644 index 0000000000000..35f83733a7105 --- /dev/null +++ b/x-pack/test/login_selector_api_integration/apis/index.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { FtrProviderContext } from '../ftr_provider_context'; + +export default function({ loadTestFile }: FtrProviderContext) { + describe('apis', function() { + this.tags('ciGroup6'); + loadTestFile(require.resolve('./login_selector')); + }); +} diff --git a/x-pack/test/login_selector_api_integration/apis/login_selector.ts b/x-pack/test/login_selector_api_integration/apis/login_selector.ts new file mode 100644 index 0000000000000..489f0265da57a --- /dev/null +++ b/x-pack/test/login_selector_api_integration/apis/login_selector.ts @@ -0,0 +1,505 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import request, { Cookie } from 'request'; +import { readFileSync } from 'fs'; +import { resolve } from 'path'; +import url from 'url'; +import { CA_CERT_PATH } from '@kbn/dev-utils'; +import expect from '@kbn/expect'; +import { getStateAndNonce } from '../../oidc_api_integration/fixtures/oidc_tools'; +import { + getMutualAuthenticationResponseToken, + getSPNEGOToken, +} from '../../kerberos_api_integration/fixtures/kerberos_tools'; +import { getSAMLRequestId, getSAMLResponse } from '../../saml_api_integration/fixtures/saml_tools'; +import { FtrProviderContext } from '../ftr_provider_context'; + +export default function({ getService }: FtrProviderContext) { + const randomness = getService('randomness'); + const supertest = getService('supertestWithoutAuth'); + const config = getService('config'); + + const kibanaServerConfig = config.get('servers.kibana'); + const validUsername = kibanaServerConfig.username; + const validPassword = kibanaServerConfig.password; + + const CA_CERT = readFileSync(CA_CERT_PATH); + const CLIENT_CERT = readFileSync( + resolve(__dirname, '../../pki_api_integration/fixtures/first_client.p12') + ); + + async function checkSessionCookie(sessionCookie: Cookie, username: string, providerName: string) { + expect(sessionCookie.key).to.be('sid'); + expect(sessionCookie.value).to.not.be.empty(); + expect(sessionCookie.path).to.be('/'); + expect(sessionCookie.httpOnly).to.be(true); + + const apiResponse = await supertest + .get('/internal/security/me') + .ca(CA_CERT) + .pfx(CLIENT_CERT) + .set('kbn-xsrf', 'xxx') + .set('Cookie', sessionCookie.cookieString()) + .expect(200); + + expect(apiResponse.body).to.only.have.keys([ + 'username', + 'full_name', + 'email', + 'roles', + 'metadata', + 'enabled', + 'authentication_realm', + 'lookup_realm', + 'authentication_provider', + ]); + + expect(apiResponse.body.username).to.be(username); + expect(apiResponse.body.authentication_provider).to.be(providerName); + } + + describe('Login Selector', () => { + it('should redirect user to a login selector', async () => { + const response = await supertest + .get('/abc/xyz/handshake?one=two three') + .ca(CA_CERT) + .expect(302); + expect(response.headers['set-cookie']).to.be(undefined); + expect(response.headers.location).to.be( + '/login?next=%2Fabc%2Fxyz%2Fhandshake%3Fone%3Dtwo%2520three' + ); + }); + + it('should allow access to login selector with intermediate authentication cookie', async () => { + const handshakeResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ providerType: 'saml', providerName: 'saml1', currentURL: 'https://kibana.com/' }) + .expect(200); + + // The cookie that includes some state of the in-progress authentication, that doesn't allow + // to fully authenticate user yet. + const intermediateAuthCookie = request.cookie(handshakeResponse.headers['set-cookie'][0])!; + + await supertest + .get('/login') + .ca(CA_CERT) + .set('Cookie', intermediateAuthCookie.cookieString()) + .expect(200); + }); + + describe('SAML', () => { + function createSAMLResponse(options = {}) { + return getSAMLResponse({ + destination: `http://localhost:${kibanaServerConfig.port}/api/security/saml/callback`, + sessionIndex: String(randomness.naturalNumber()), + ...options, + }); + } + + it('should be able to log in via IdP initiated login for any configured realm', async () => { + for (const providerName of ['saml1', 'saml2']) { + const authenticationResponse = await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .send({ + SAMLResponse: await createSAMLResponse({ + issuer: `http://www.elastic.co/${providerName}`, + }), + }) + .expect(302); + + // User should be redirected to the base URL. + expect(authenticationResponse.headers.location).to.be('/'); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie(request.cookie(cookies[0])!, 'a@b.c', providerName); + } + }); + + it('should be able to log in via IdP initiated login even if session with other provider type exists', async () => { + const basicAuthenticationResponse = await supertest + .post('/internal/security/login') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ username: validUsername, password: validPassword }) + .expect(204); + + const basicSessionCookie = request.cookie( + basicAuthenticationResponse.headers['set-cookie'][0] + )!; + await checkSessionCookie(basicSessionCookie, 'elastic', 'basic1'); + + for (const providerName of ['saml1', 'saml2']) { + const authenticationResponse = await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .set('Cookie', basicSessionCookie.cookieString()) + .send({ + SAMLResponse: await createSAMLResponse({ + issuer: `http://www.elastic.co/${providerName}`, + }), + }) + .expect(302); + + // It should be `/overwritten_session` instead of `/` once it's generalized. + expect(authenticationResponse.headers.location).to.be('/'); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie(request.cookie(cookies[0])!, 'a@b.c', providerName); + } + }); + + it('should be able to log in via IdP initiated login even if session with other SAML provider exists', async () => { + // First login with `saml1`. + const saml1AuthenticationResponse = await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .send({ + SAMLResponse: await createSAMLResponse({ issuer: `http://www.elastic.co/saml1` }), + }) + .expect(302); + + const saml1SessionCookie = request.cookie( + saml1AuthenticationResponse.headers['set-cookie'][0] + )!; + await checkSessionCookie(saml1SessionCookie, 'a@b.c', 'saml1'); + + // And now try to login with `saml2`. + const saml2AuthenticationResponse = await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .set('Cookie', saml1SessionCookie.cookieString()) + .send({ + SAMLResponse: await createSAMLResponse({ issuer: `http://www.elastic.co/saml2` }), + }) + .expect(302); + + // It should be `/overwritten_session` instead of `/` once it's generalized. + expect(saml2AuthenticationResponse.headers.location).to.be('/'); + + const saml2SessionCookie = request.cookie( + saml2AuthenticationResponse.headers['set-cookie'][0] + )!; + await checkSessionCookie(saml2SessionCookie, 'a@b.c', 'saml2'); + }); + + // Ideally we should be able to abandon intermediate session and let user log in, but for the + // time being we cannot distinguish errors coming from Elasticsearch for the case when SAML + // response just doesn't correspond to request ID we have in intermediate cookie and the case + // when something else has happened. + it('should fail for IdP initiated login if intermediate session with other SAML provider exists', async () => { + // First start authentication flow with `saml1`. + const saml1HandshakeResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'saml', + providerName: 'saml1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(200); + + expect( + saml1HandshakeResponse.body.location.startsWith(`https://elastic.co/sso/saml`) + ).to.be(true); + + const saml1HandshakeCookie = request.cookie( + saml1HandshakeResponse.headers['set-cookie'][0] + )!; + + // And now try to login with `saml2`. + await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .set('Cookie', saml1HandshakeCookie.cookieString()) + .send({ + SAMLResponse: await createSAMLResponse({ issuer: `http://www.elastic.co/saml2` }), + }) + .expect(401); + }); + + it('should be able to log in via SP initiated login with any configured realm', async () => { + for (const providerName of ['saml1', 'saml2']) { + const handshakeResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'saml', + providerName, + currentURL: + 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(200); + + expect(handshakeResponse.body.location.startsWith(`https://elastic.co/sso/saml`)).to.be( + true + ); + + const handshakeCookie = request.cookie(handshakeResponse.headers['set-cookie'][0])!; + const samlRequestId = await getSAMLRequestId(handshakeResponse.body.location); + + const authenticationResponse = await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .set('Cookie', handshakeCookie.cookieString()) + .send({ + SAMLResponse: await createSAMLResponse({ + inResponseTo: samlRequestId, + issuer: `http://www.elastic.co/${providerName}`, + }), + }) + .expect(302); + + // User should be redirected to the URL that initiated handshake. + expect(authenticationResponse.headers.location).to.be( + '/abc/xyz/handshake?one=two three#/workpad' + ); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie(request.cookie(cookies[0])!, 'a@b.c', providerName); + } + }); + + // Ideally we should be able to abandon intermediate session and let user log in, but for the + // time being we cannot distinguish errors coming from Elasticsearch for the case when SAML + // response just doesn't correspond to request ID we have in intermediate cookie and the case + // when something else has happened. + it('should be able to log in via SP initiated login even if intermediate session with other SAML provider exists', async () => { + // First start authentication flow with `saml1`. + const saml1HandshakeResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'saml', + providerName: 'saml1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/saml1', + }) + .expect(200); + + expect( + saml1HandshakeResponse.body.location.startsWith(`https://elastic.co/sso/saml`) + ).to.be(true); + + const saml1HandshakeCookie = request.cookie( + saml1HandshakeResponse.headers['set-cookie'][0] + )!; + + // And now try to login with `saml2`. + const saml2HandshakeResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .set('Cookie', saml1HandshakeCookie.cookieString()) + .send({ + providerType: 'saml', + providerName: 'saml2', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/saml2', + }) + .expect(200); + + expect( + saml2HandshakeResponse.body.location.startsWith(`https://elastic.co/sso/saml`) + ).to.be(true); + + const saml2HandshakeCookie = request.cookie( + saml2HandshakeResponse.headers['set-cookie'][0] + )!; + + const saml2AuthenticationResponse = await supertest + .post('/api/security/saml/callback') + .ca(CA_CERT) + .set('Cookie', saml2HandshakeCookie.cookieString()) + .send({ + SAMLResponse: await createSAMLResponse({ issuer: `http://www.elastic.co/saml2` }), + }) + .expect(302); + + expect(saml2AuthenticationResponse.headers.location).to.be( + '/abc/xyz/handshake?one=two three#/saml2' + ); + + const saml2SessionCookie = request.cookie( + saml2AuthenticationResponse.headers['set-cookie'][0] + )!; + await checkSessionCookie(saml2SessionCookie, 'a@b.c', 'saml2'); + }); + }); + + describe('Kerberos', () => { + it('should be able to log in from Login Selector', async () => { + const spnegoResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'kerberos', + providerName: 'kerberos1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(401); + + expect(spnegoResponse.headers['set-cookie']).to.be(undefined); + expect(spnegoResponse.headers['www-authenticate']).to.be('Negotiate'); + + const authenticationResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .set('Authorization', `Negotiate ${getSPNEGOToken()}`) + .send({ + providerType: 'kerberos', + providerName: 'kerberos1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(200); + + // Verify that mutual authentication works. + expect(authenticationResponse.headers['www-authenticate']).to.be( + `Negotiate ${getMutualAuthenticationResponseToken()}` + ); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie( + request.cookie(cookies[0])!, + 'tester@TEST.ELASTIC.CO', + 'kerberos1' + ); + }); + }); + + describe('OpenID Connect', () => { + it('should be able to log in via IdP initiated login', async () => { + const handshakeResponse = await supertest + .get('/api/security/oidc/initiate_login?iss=https://test-op.elastic.co') + .ca(CA_CERT) + .expect(302); + const handshakeCookie = request.cookie(handshakeResponse.headers['set-cookie'][0])!; + + // Set the nonce in our mock OIDC Provider so that it can generate the ID Tokens + const { state, nonce } = getStateAndNonce(handshakeResponse.headers.location); + await supertest + .post('/api/oidc_provider/setup') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ nonce }) + .expect(200); + + const authenticationResponse = await supertest + .get(`/api/security/oidc/callback?code=code2&state=${state}`) + .ca(CA_CERT) + .set('Cookie', handshakeCookie.cookieString()) + .expect(302); + + // User should be redirected to the base URL. + expect(authenticationResponse.headers.location).to.be('/'); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie(request.cookie(cookies[0])!, 'user2', 'oidc1'); + }); + + it('should be able to log in via SP initiated login', async () => { + const handshakeResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'oidc', + providerName: 'oidc1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three', + }) + .expect(200); + + const handshakeCookie = request.cookie(handshakeResponse.headers['set-cookie'][0])!; + const redirectURL = url.parse(handshakeResponse.body.location, true /* parseQueryString */); + expect( + handshakeResponse.body.location.startsWith( + `https://test-op.elastic.co/oauth2/v1/authorize` + ) + ).to.be(true); + + expect(redirectURL.query.scope).to.not.be.empty(); + expect(redirectURL.query.response_type).to.not.be.empty(); + expect(redirectURL.query.client_id).to.not.be.empty(); + expect(redirectURL.query.redirect_uri).to.not.be.empty(); + expect(redirectURL.query.state).to.not.be.empty(); + expect(redirectURL.query.nonce).to.not.be.empty(); + + // Set the nonce in our mock OIDC Provider so that it can generate the ID Tokens + const { state, nonce } = redirectURL.query; + await supertest + .post('/api/oidc_provider/setup') + .ca(CA_CERT) + .set('kbn-xsrf', 'xxx') + .send({ nonce }) + .expect(200); + + const authenticationResponse = await supertest + .get(`/api/security/oidc/callback?code=code1&state=${state}`) + .ca(CA_CERT) + .set('Cookie', handshakeCookie.cookieString()) + .expect(302); + + // User should be redirected to the URL that initiated handshake. + expect(authenticationResponse.headers.location).to.be('/abc/xyz/handshake?one=two three'); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie(request.cookie(cookies[0])!, 'user1', 'oidc1'); + }); + }); + + describe('PKI', () => { + it('should redirect user to a login selector even if client provides certificate', async () => { + const response = await supertest + .get('/abc/xyz/handshake?one=two three') + .ca(CA_CERT) + .pfx(CLIENT_CERT) + .expect(302); + expect(response.headers['set-cookie']).to.be(undefined); + expect(response.headers.location).to.be( + '/login?next=%2Fabc%2Fxyz%2Fhandshake%3Fone%3Dtwo%2520three' + ); + }); + + it('should be able to log in from Login Selector', async () => { + const authenticationResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .pfx(CLIENT_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'pki', + providerName: 'pki1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(200); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie(request.cookie(cookies[0])!, 'first_client', 'pki1'); + }); + }); + }); +} diff --git a/x-pack/test/login_selector_api_integration/config.ts b/x-pack/test/login_selector_api_integration/config.ts new file mode 100644 index 0000000000000..6ca9d19b74c17 --- /dev/null +++ b/x-pack/test/login_selector_api_integration/config.ts @@ -0,0 +1,141 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { resolve } from 'path'; +import { CA_CERT_PATH, KBN_CERT_PATH, KBN_KEY_PATH } from '@kbn/dev-utils'; +import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; + +export default async function({ readConfigFile }: FtrConfigProviderContext) { + const kibanaAPITestsConfig = await readConfigFile( + require.resolve('../../../test/api_integration/config.js') + ); + const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.js')); + const kibanaPort = xPackAPITestsConfig.get('servers.kibana.port'); + + const kerberosKeytabPath = resolve(__dirname, '../kerberos_api_integration/fixtures/krb5.keytab'); + const kerberosConfigPath = resolve(__dirname, '../kerberos_api_integration/fixtures/krb5.conf'); + + const oidcJWKSPath = resolve(__dirname, '../oidc_api_integration/fixtures/jwks.json'); + const oidcIdPPlugin = resolve(__dirname, '../oidc_api_integration/fixtures/oidc_provider'); + + const pkiKibanaCAPath = resolve(__dirname, '../pki_api_integration/fixtures/kibana_ca.crt'); + + const saml1IdPMetadataPath = resolve( + __dirname, + '../saml_api_integration/fixtures/idp_metadata.xml' + ); + const saml2IdPMetadataPath = resolve( + __dirname, + '../saml_api_integration/fixtures/idp_metadata_2.xml' + ); + + const servers = { + ...xPackAPITestsConfig.get('servers'), + elasticsearch: { + ...xPackAPITestsConfig.get('servers.elasticsearch'), + protocol: 'https', + }, + kibana: { + ...xPackAPITestsConfig.get('servers.kibana'), + protocol: 'https', + }, + }; + + return { + testFiles: [require.resolve('./apis')], + servers, + security: { disableTestUser: true }, + services: { + randomness: kibanaAPITestsConfig.get('services.randomness'), + legacyEs: kibanaAPITestsConfig.get('services.legacyEs'), + supertestWithoutAuth: xPackAPITestsConfig.get('services.supertestWithoutAuth'), + }, + junit: { + reportName: 'X-Pack Login Selector API Integration Tests', + }, + + esTestCluster: { + ...xPackAPITestsConfig.get('esTestCluster'), + ssl: true, + serverArgs: [ + ...xPackAPITestsConfig.get('esTestCluster.serverArgs'), + 'xpack.security.authc.token.enabled=true', + 'xpack.security.authc.token.timeout=15s', + 'xpack.security.http.ssl.client_authentication=optional', + 'xpack.security.http.ssl.verification_mode=certificate', + 'xpack.security.authc.realms.native.native1.order=0', + 'xpack.security.authc.realms.kerberos.kerb1.order=1', + `xpack.security.authc.realms.kerberos.kerb1.keytab.path=${kerberosKeytabPath}`, + 'xpack.security.authc.realms.pki.pki1.order=2', + 'xpack.security.authc.realms.pki.pki1.delegation.enabled=true', + `xpack.security.authc.realms.pki.pki1.certificate_authorities=${CA_CERT_PATH}`, + 'xpack.security.authc.realms.saml.saml1.order=3', + `xpack.security.authc.realms.saml.saml1.idp.metadata.path=${saml1IdPMetadataPath}`, + 'xpack.security.authc.realms.saml.saml1.idp.entity_id=http://www.elastic.co/saml1', + `xpack.security.authc.realms.saml.saml1.sp.entity_id=http://localhost:${kibanaPort}`, + `xpack.security.authc.realms.saml.saml1.sp.logout=http://localhost:${kibanaPort}/logout`, + `xpack.security.authc.realms.saml.saml1.sp.acs=http://localhost:${kibanaPort}/api/security/saml/callback`, + 'xpack.security.authc.realms.saml.saml1.attributes.principal=urn:oid:0.0.7', + 'xpack.security.authc.realms.oidc.oidc1.order=4', + `xpack.security.authc.realms.oidc.oidc1.rp.client_id=0oa8sqpov3TxMWJOt356`, + `xpack.security.authc.realms.oidc.oidc1.rp.client_secret=0oa8sqpov3TxMWJOt356`, + `xpack.security.authc.realms.oidc.oidc1.rp.response_type=code`, + `xpack.security.authc.realms.oidc.oidc1.rp.redirect_uri=https://localhost:${kibanaPort}/api/security/oidc/callback`, + `xpack.security.authc.realms.oidc.oidc1.op.authorization_endpoint=https://test-op.elastic.co/oauth2/v1/authorize`, + `xpack.security.authc.realms.oidc.oidc1.op.endsession_endpoint=https://test-op.elastic.co/oauth2/v1/endsession`, + `xpack.security.authc.realms.oidc.oidc1.op.token_endpoint=https://localhost:${kibanaPort}/api/oidc_provider/token_endpoint`, + `xpack.security.authc.realms.oidc.oidc1.op.userinfo_endpoint=https://localhost:${kibanaPort}/api/oidc_provider/userinfo_endpoint`, + `xpack.security.authc.realms.oidc.oidc1.op.issuer=https://test-op.elastic.co`, + `xpack.security.authc.realms.oidc.oidc1.op.jwkset_path=${oidcJWKSPath}`, + `xpack.security.authc.realms.oidc.oidc1.claims.principal=sub`, + `xpack.security.authc.realms.oidc.oidc1.ssl.certificate_authorities=${CA_CERT_PATH}`, + 'xpack.security.authc.realms.saml.saml2.order=5', + `xpack.security.authc.realms.saml.saml2.idp.metadata.path=${saml2IdPMetadataPath}`, + 'xpack.security.authc.realms.saml.saml2.idp.entity_id=http://www.elastic.co/saml2', + `xpack.security.authc.realms.saml.saml2.sp.entity_id=http://localhost:${kibanaPort}`, + `xpack.security.authc.realms.saml.saml2.sp.logout=http://localhost:${kibanaPort}/logout`, + `xpack.security.authc.realms.saml.saml2.sp.acs=http://localhost:${kibanaPort}/api/security/saml/callback`, + 'xpack.security.authc.realms.saml.saml2.attributes.principal=urn:oid:0.0.7', + ], + serverEnvVars: { + // We're going to use the same TGT multiple times and during a short period of time, so we + // have to disable replay cache so that ES doesn't complain about that. + ES_JAVA_OPTS: `-Djava.security.krb5.conf=${kerberosConfigPath} -Dsun.security.krb5.rcache=none`, + }, + }, + + kbnTestServer: { + ...xPackAPITestsConfig.get('kbnTestServer'), + serverArgs: [ + ...xPackAPITestsConfig.get('kbnTestServer.serverArgs'), + `--plugin-path=${oidcIdPPlugin}`, + '--optimize.enabled=false', + '--server.ssl.enabled=true', + `--server.ssl.key=${KBN_KEY_PATH}`, + `--server.ssl.certificate=${KBN_CERT_PATH}`, + `--server.ssl.certificateAuthorities=${JSON.stringify([CA_CERT_PATH, pkiKibanaCAPath])}`, + `--server.ssl.clientAuthentication=optional`, + `--elasticsearch.hosts=${servers.elasticsearch.protocol}://${servers.elasticsearch.hostname}:${servers.elasticsearch.port}`, + `--elasticsearch.ssl.certificateAuthorities=${CA_CERT_PATH}`, + `--xpack.security.authc.providers=${JSON.stringify({ + basic: { basic1: { order: 0 } }, + kerberos: { kerberos1: { order: 4 } }, + pki: { pki1: { order: 2 } }, + oidc: { oidc1: { order: 3, realm: 'oidc1' } }, + saml: { + saml1: { order: 1, realm: 'saml1' }, + saml2: { order: 5, realm: 'saml2', maxRedirectURLSize: '100b' }, + }, + })}`, + '--server.xsrf.whitelist', + JSON.stringify([ + '/api/oidc_provider/token_endpoint', + '/api/oidc_provider/userinfo_endpoint', + ]), + ], + }, + }; +} diff --git a/x-pack/test/login_selector_api_integration/ftr_provider_context.d.ts b/x-pack/test/login_selector_api_integration/ftr_provider_context.d.ts new file mode 100644 index 0000000000000..e3add3748f56d --- /dev/null +++ b/x-pack/test/login_selector_api_integration/ftr_provider_context.d.ts @@ -0,0 +1,11 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { GenericFtrProviderContext } from '@kbn/test/types/ftr'; + +import { services } from './services'; + +export type FtrProviderContext = GenericFtrProviderContext; diff --git a/x-pack/test/login_selector_api_integration/services.ts b/x-pack/test/login_selector_api_integration/services.ts new file mode 100644 index 0000000000000..8bb2dae90bf59 --- /dev/null +++ b/x-pack/test/login_selector_api_integration/services.ts @@ -0,0 +1,14 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +import { services as commonServices } from '../common/services'; +import { services as apiIntegrationServices } from '../api_integration/services'; + +export const services = { + ...commonServices, + randomness: apiIntegrationServices.randomness, + supertestWithoutAuth: apiIntegrationServices.supertestWithoutAuth, +}; diff --git a/x-pack/test/pki_api_integration/apis/security/pki_auth.ts b/x-pack/test/pki_api_integration/apis/security/pki_auth.ts index fe772a3b1d460..ac16335b7f466 100644 --- a/x-pack/test/pki_api_integration/apis/security/pki_auth.ts +++ b/x-pack/test/pki_api_integration/apis/security/pki_auth.ts @@ -9,7 +9,6 @@ import request, { Cookie } from 'request'; import { delay } from 'bluebird'; import { readFileSync } from 'fs'; import { resolve } from 'path'; -// @ts-ignore import { CA_CERT_PATH } from '@kbn/dev-utils'; import { FtrProviderContext } from '../../ftr_provider_context'; diff --git a/x-pack/test/pki_api_integration/config.ts b/x-pack/test/pki_api_integration/config.ts index 21ae1b40efa16..8177e4aa1afba 100644 --- a/x-pack/test/pki_api_integration/config.ts +++ b/x-pack/test/pki_api_integration/config.ts @@ -6,7 +6,6 @@ import { resolve } from 'path'; import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; -// @ts-ignore import { CA_CERT_PATH, KBN_CERT_PATH, KBN_KEY_PATH } from '@kbn/dev-utils'; import { services } from './services'; diff --git a/x-pack/test/saml_api_integration/config.ts b/x-pack/test/saml_api_integration/config.ts index 502d34d4c9e5d..0580c28555d16 100644 --- a/x-pack/test/saml_api_integration/config.ts +++ b/x-pack/test/saml_api_integration/config.ts @@ -37,7 +37,7 @@ export default async function({ readConfigFile }: FtrConfigProviderContext) { 'xpack.security.authc.token.timeout=15s', 'xpack.security.authc.realms.saml.saml1.order=0', `xpack.security.authc.realms.saml.saml1.idp.metadata.path=${idpPath}`, - 'xpack.security.authc.realms.saml.saml1.idp.entity_id=http://www.elastic.co', + 'xpack.security.authc.realms.saml.saml1.idp.entity_id=http://www.elastic.co/saml1', `xpack.security.authc.realms.saml.saml1.sp.entity_id=http://localhost:${kibanaPort}`, `xpack.security.authc.realms.saml.saml1.sp.logout=http://localhost:${kibanaPort}/logout`, `xpack.security.authc.realms.saml.saml1.sp.acs=http://localhost:${kibanaPort}/api/security/saml/callback`, diff --git a/x-pack/test/saml_api_integration/fixtures/idp_metadata.xml b/x-pack/test/saml_api_integration/fixtures/idp_metadata.xml index a890fe812987b..57b9e824c9d53 100644 --- a/x-pack/test/saml_api_integration/fixtures/idp_metadata.xml +++ b/x-pack/test/saml_api_integration/fixtures/idp_metadata.xml @@ -1,6 +1,6 @@ + entityID="http://www.elastic.co/saml1"> diff --git a/x-pack/test/saml_api_integration/fixtures/idp_metadata_2.xml b/x-pack/test/saml_api_integration/fixtures/idp_metadata_2.xml new file mode 100644 index 0000000000000..ff67779d7732c --- /dev/null +++ b/x-pack/test/saml_api_integration/fixtures/idp_metadata_2.xml @@ -0,0 +1,41 @@ + + + + + + + + MIIDOTCCAiGgAwIBAgIVANNWkg9lzNiLqNkMFhFKHcXyaZmqMA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMCAXDTE5MTIyNzE3MDM0MloYDzIwNjkxMjE0MTcwMzQyWjARMQ8w +DQYDVQQDEwZraWJhbmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQ +wYYbQtbRBKJ4uNZc2+IgRU+7NNL21ZebQlEIMgK7jAqOMrsW2b5DATz41Fd+GQFU +FUYYjwo+PQj6sJHshOJo/gNb32HrydvMI7YPvevkszkuEGCfXxQ3Dw2RTACLgD0Q +OCkwHvn3TMf0loloV/ePGWaZDYZaXi3a5DdWi/HFFoJysgF0JV2f6XyKhJkGaEfJ +s9pWX269zH/XQvGNx4BEimJpYB8h4JnDYPFIiQdqj+sl2b+kS1hH9kL5gBAMXjFU +vcNnX+PmyTjyJrGo75k0ku+spBf1bMwuQt3uSmM+TQIXkvFDmS0DOVESrpA5EC1T +BUGRz6o/I88Xx4Mud771AgMBAAGjYzBhMB0GA1UdDgQWBBQLB1Eo23M3Ss8MsFaz +V+Twcb3PmDAfBgNVHSMEGDAWgBQa7SYOe8NGcF00EbwPHA91YCsHSTAUBgNVHREE +DTALgglsb2NhbGhvc3QwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAnEl/ +z5IElIjvkK4AgMPrNcRlvIGDt2orEik7b6Jsq6/RiJQ7cSsYTZf7xbqyxNsUOTxv ++frj47MEN448H2nRvUxH29YR3XygV5aEwADSAhwaQWn0QfWTCZbJTmSoNEDtDOzX +TGDlAoCD9s9Xz9S1JpxY4H+WWRZrBSDM6SC1c6CzuEeZRuScNAjYD5mh2v6fOlSy +b8xJWSg0AFlJPCa3ZsA2SKbNqI0uNfJTnkXRm88Z2NHcgtlADbOLKauWfCrpgsCk +cZgo6yAYkOM148h/8wGla1eX+iE1R72NUABGydu8MSQKvc0emWJkGsC1/KqPlf/O +eOUsdwn1yDKHRxDHyA== + + + + + + + + + + diff --git a/x-pack/test/saml_api_integration/fixtures/saml_tools.ts b/x-pack/test/saml_api_integration/fixtures/saml_tools.ts index bbe0df7ff3a2c..a924d0964c245 100644 --- a/x-pack/test/saml_api_integration/fixtures/saml_tools.ts +++ b/x-pack/test/saml_api_integration/fixtures/saml_tools.ts @@ -45,14 +45,21 @@ export async function getSAMLResponse({ inResponseTo, sessionIndex, username = 'a@b.c', -}: { destination?: string; inResponseTo?: string; sessionIndex?: string; username?: string } = {}) { + issuer = 'http://www.elastic.co/saml1', +}: { + destination?: string; + inResponseTo?: string; + sessionIndex?: string; + username?: string; + issuer?: string; +} = {}) { const issueInstant = new Date().toISOString(); const notOnOrAfter = new Date(Date.now() + 3600 * 1000).toISOString(); const samlAssertionTemplateXML = ` - http://www.elastic.co + ${issuer} a@b.c @@ -99,7 +106,7 @@ export async function getSAMLResponse({ ${inResponseTo ? `InResponseTo="${inResponseTo}"` : ''} Version="2.0" IssueInstant="${issueInstant}" Destination="${destination}"> - http://www.elastic.co + ${issuer} ${signature.getSignedXml()} @@ -111,9 +118,11 @@ export async function getSAMLResponse({ export async function getLogoutRequest({ destination, sessionIndex, + issuer = 'http://www.elastic.co/saml1', }: { destination: string; sessionIndex: string; + issuer?: string; }) { const issueInstant = new Date().toISOString(); const logoutRequestTemplateXML = ` @@ -121,7 +130,7 @@ export async function getLogoutRequest({ Destination="${destination}" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> - http://www.elastic.co + ${issuer} a@b.c ${sessionIndex} From 1204619ef221eb451c048b5b2cf1f83beba658ec Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Fri, 20 Mar 2020 14:03:50 +0100 Subject: [PATCH 07/11] Review#3: rely on serverBasePath provided by the core for the consistency sake. --- x-pack/plugins/security/server/authentication/authenticator.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index 6be2ff67bd1f1..22abfb0f05967 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts @@ -342,7 +342,7 @@ export class Authenticator { if (useLoginSelector) { this.logger.debug('Redirecting request to Login Selector.'); return AuthenticationResult.redirectTo( - `${this.serverBasePath}login?next=${encodeURIComponent( + `${this.options.basePath.serverBasePath}/login?next=${encodeURIComponent( `${this.options.basePath.get(request)}${request.url.path}` )}` ); From 37c64894bc93b6efe2f332df80d928a18512f58f Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Mon, 23 Mar 2020 09:33:20 +0100 Subject: [PATCH 08/11] Review#4: remove wrong test comment, add more tests for the `LoginForm` component and `Authenticator`, add additional integration test for Keberos when client provides certificate, fix other nits. --- .../__snapshots__/login_page.test.tsx.snap | 4 + .../__snapshots__/login_form.test.tsx.snap | 13 +- .../components/login_form/login_form.test.tsx | 42 +++++- .../authentication/authenticator.test.ts | 128 ++++++++++++++++-- .../server/authentication/authenticator.ts | 24 +++- .../server/routes/authentication/common.ts | 2 +- .../apis/login_selector.ts | 48 ++++++- 7 files changed, 231 insertions(+), 30 deletions(-) diff --git a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap index 0eccd4692d26e..ecbdfedac1dd3 100644 --- a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap @@ -110,6 +110,7 @@ exports[`LoginPage enabled form state renders as expected 1`] = ` "add": [MockFunction], "addDanger": [MockFunction], "addError": [MockFunction], + "addInfo": [MockFunction], "addSuccess": [MockFunction], "addWarning": [MockFunction], "get$": [MockFunction], @@ -143,6 +144,7 @@ exports[`LoginPage enabled form state renders as expected when info message is s "add": [MockFunction], "addDanger": [MockFunction], "addError": [MockFunction], + "addInfo": [MockFunction], "addSuccess": [MockFunction], "addWarning": [MockFunction], "get$": [MockFunction], @@ -176,6 +178,7 @@ exports[`LoginPage enabled form state renders as expected when loginAssistanceMe "add": [MockFunction], "addDanger": [MockFunction], "addError": [MockFunction], + "addInfo": [MockFunction], "addSuccess": [MockFunction], "addWarning": [MockFunction], "get$": [MockFunction], @@ -265,6 +268,7 @@ exports[`LoginPage page renders as expected 1`] = ` "add": [MockFunction], "addDanger": [MockFunction], "addError": [MockFunction], + "addInfo": [MockFunction], "addSuccess": [MockFunction], "addWarning": [MockFunction], "get$": [MockFunction], diff --git a/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap index 2bd99f2c6afe6..9fd32c2d64310 100644 --- a/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap @@ -118,7 +118,7 @@ exports[`LoginForm login selector renders as expected with login form 1`] = ` `; -exports[`LoginForm login selector renders as expected without login form 1`] = ` +exports[`LoginForm login selector renders as expected without login form for providers with and without description 1`] = ` - Login w/PKI + `; diff --git a/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.test.tsx b/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.test.tsx index cff41f5d26d2d..c17c10a2c5148 100644 --- a/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.test.tsx +++ b/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.test.tsx @@ -166,7 +166,7 @@ describe('LoginForm', () => { ).toMatchSnapshot(); }); - it('renders as expected without login form', async () => { + it('renders as expected without login form for providers with and without description', async () => { const coreStartMock = coreMock.createStart(); expect( shallowWithIntl( @@ -179,7 +179,7 @@ describe('LoginForm', () => { enabled: true, providers: [ { type: 'saml', name: 'saml1', description: 'Login w/SAML' }, - { type: 'pki', name: 'pki1', description: 'Login w/PKI' }, + { type: 'pki', name: 'pki1' }, ], }} /> @@ -230,5 +230,43 @@ describe('LoginForm', () => { expect(wrapper.find(EuiCallOut).exists()).toBe(false); expect(coreStartMock.notifications.toasts.addError).not.toHaveBeenCalled(); }); + + it('shows error toast if login fails', async () => { + const currentURL = `https://some-host/login?next=${encodeURIComponent( + '/some-base-path/app/kibana#/home?_g=()' + )}`; + + const failureReason = new Error('Oh no!'); + const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' }); + coreStartMock.http.post.mockRejectedValue(failureReason); + + window.location.href = currentURL; + const wrapper = mountWithIntl( + + ); + + wrapper.findWhere(node => node.key() === 'saml1').simulate('click'); + + await act(async () => { + await nextTick(); + wrapper.update(); + }); + + expect(coreStartMock.http.post).toHaveBeenCalledTimes(1); + expect(coreStartMock.http.post).toHaveBeenCalledWith('/internal/security/login_with', { + body: JSON.stringify({ providerType: 'saml', providerName: 'saml1', currentURL }), + }); + + expect(window.location.href).toBe(currentURL); + expect(coreStartMock.notifications.toasts.addError).toHaveBeenCalledWith(failureReason, { + title: 'Could not perform login.', + }); + }); }); }); diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts index 5dc971c8fc6f0..a595b63faaf9b 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.test.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts @@ -31,17 +31,19 @@ function getMockOptions({ session, providers, http = {}, + selector, }: { session?: AuthenticatorOptions['config']['session']; providers?: Record | string[]; http?: Partial; + selector?: AuthenticatorOptions['config']['authc']['selector']; } = {}) { return { clusterClient: elasticsearchServiceMock.createClusterClient(), basePath: httpServiceMock.createSetupContract().basePath, loggers: loggingServiceMock.create(), config: createConfig( - ConfigSchema.validate({ session, authc: { providers, http } }), + ConfigSchema.validate({ session, authc: { selector, providers, http } }), loggingServiceMock.create().get(), { isTLSEnabled: false } ), @@ -54,7 +56,7 @@ describe('Authenticator', () => { beforeEach(() => { mockBasicAuthenticationProvider = { login: jest.fn(), - authenticate: jest.fn(), + authenticate: jest.fn().mockResolvedValue(AuthenticationResult.notHandled()), logout: jest.fn().mockResolvedValue(DeauthenticationResult.notHandled()), getHTTPAuthenticationScheme: jest.fn(), }; @@ -182,6 +184,7 @@ describe('Authenticator', () => { beforeEach(() => { mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); mockSessionStorage = sessionStorageMock.create(); + mockSessionStorage.get.mockResolvedValue(null); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); mockSessVal = { idleTimeoutExpiration: null, @@ -322,6 +325,7 @@ describe('Authenticator', () => { }, }); mockSessionStorage = sessionStorageMock.create(); + mockSessionStorage.get.mockResolvedValue(null); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); authenticator = new Authenticator(mockOptions); @@ -496,6 +500,7 @@ describe('Authenticator', () => { it('clears session if provider asked to do so.', async () => { const user = mockAuthenticatedUser(); const request = httpServerMock.createKibanaRequest(); + mockSessionStorage.get.mockResolvedValue(mockSessVal); mockBasicAuthenticationProvider.login.mockResolvedValue( AuthenticationResult.succeeded(user, { state: null }) @@ -508,6 +513,26 @@ describe('Authenticator', () => { expect(mockSessionStorage.set).not.toHaveBeenCalled(); expect(mockSessionStorage.clear).toHaveBeenCalled(); }); + + it('clears legacy session.', async () => { + const user = mockAuthenticatedUser(); + const request = httpServerMock.createKibanaRequest(); + + // Use string format for the `provider` session value field to emulate legacy session. + mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'basic' }); + + mockBasicAuthenticationProvider.login.mockResolvedValue(AuthenticationResult.succeeded(user)); + + await expect( + authenticator.login(request, { provider: { type: 'basic' }, value: {} }) + ).resolves.toEqual(AuthenticationResult.succeeded(user)); + + expect(mockBasicAuthenticationProvider.login).toHaveBeenCalledTimes(1); + expect(mockBasicAuthenticationProvider.login).toHaveBeenCalledWith(request, {}, null); + + expect(mockSessionStorage.set).not.toHaveBeenCalled(); + expect(mockSessionStorage.clear).toHaveBeenCalled(); + }); }); describe('`authenticate` method', () => { @@ -518,6 +543,7 @@ describe('Authenticator', () => { beforeEach(() => { mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); mockSessionStorage = sessionStorageMock.create(); + mockSessionStorage.get.mockResolvedValue(null); mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); mockSessVal = { idleTimeoutExpiration: null, @@ -931,14 +957,33 @@ describe('Authenticator', () => { expect(mockSessionStorage.clear).toHaveBeenCalled(); }); + it('clears legacy session.', async () => { + const user = mockAuthenticatedUser(); + const request = httpServerMock.createKibanaRequest(); + + // Use string format for the `provider` session value field to emulate legacy session. + mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'basic' }); + + mockBasicAuthenticationProvider.authenticate.mockResolvedValue( + AuthenticationResult.succeeded(user) + ); + + await expect(authenticator.authenticate(request)).resolves.toEqual( + AuthenticationResult.succeeded(user) + ); + + expect(mockBasicAuthenticationProvider.authenticate).toHaveBeenCalledTimes(1); + expect(mockBasicAuthenticationProvider.authenticate).toHaveBeenCalledWith(request, null); + + expect(mockSessionStorage.set).not.toHaveBeenCalled(); + expect(mockSessionStorage.clear).toHaveBeenCalled(); + }); + it('does not clear session if provider can not handle system API request authentication with active session.', async () => { const request = httpServerMock.createKibanaRequest({ headers: { 'kbn-system-request': 'true' }, }); - mockBasicAuthenticationProvider.authenticate.mockResolvedValue( - AuthenticationResult.notHandled() - ); mockSessionStorage.get.mockResolvedValue(mockSessVal); await expect(authenticator.authenticate(request)).resolves.toEqual( @@ -954,9 +999,6 @@ describe('Authenticator', () => { headers: { 'kbn-system-request': 'false' }, }); - mockBasicAuthenticationProvider.authenticate.mockResolvedValue( - AuthenticationResult.notHandled() - ); mockSessionStorage.get.mockResolvedValue(mockSessVal); await expect(authenticator.authenticate(request)).resolves.toEqual( @@ -972,9 +1014,6 @@ describe('Authenticator', () => { headers: { 'kbn-system-request': 'true' }, }); - mockBasicAuthenticationProvider.authenticate.mockResolvedValue( - AuthenticationResult.notHandled() - ); mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: { type: 'token', name: 'token1' }, @@ -993,9 +1032,6 @@ describe('Authenticator', () => { headers: { 'kbn-system-request': 'false' }, }); - mockBasicAuthenticationProvider.authenticate.mockResolvedValue( - AuthenticationResult.notHandled() - ); mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: { type: 'token', name: 'token1' }, @@ -1008,6 +1044,70 @@ describe('Authenticator', () => { expect(mockSessionStorage.set).not.toHaveBeenCalled(); expect(mockSessionStorage.clear).toHaveBeenCalled(); }); + + describe('with Login Selector', () => { + beforeEach(() => { + mockOptions = getMockOptions({ + selector: { enabled: true }, + providers: { basic: { basic1: { order: 0 } } }, + }); + mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); + + authenticator = new Authenticator(mockOptions); + }); + + it('does not redirect to Login Selector if there is an active session', async () => { + const request = httpServerMock.createKibanaRequest(); + mockSessionStorage.get.mockResolvedValue(mockSessVal); + + await expect(authenticator.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + expect(mockBasicAuthenticationProvider.authenticate).toHaveBeenCalled(); + }); + + it('does not redirect AJAX requests to Login Selector', async () => { + const request = httpServerMock.createKibanaRequest({ headers: { 'kbn-xsrf': 'xsrf' } }); + + await expect(authenticator.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + expect(mockBasicAuthenticationProvider.authenticate).toHaveBeenCalled(); + }); + + it('does not redirect to Login Selector if request has `Authorization` header', async () => { + const request = httpServerMock.createKibanaRequest({ + headers: { authorization: 'Basic ***' }, + }); + + await expect(authenticator.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + expect(mockBasicAuthenticationProvider.authenticate).toHaveBeenCalled(); + }); + + it('does not redirect to Login Selector if it is not enabled', async () => { + mockOptions = getMockOptions({ providers: { basic: { basic1: { order: 0 } } } }); + mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage); + authenticator = new Authenticator(mockOptions); + + const request = httpServerMock.createKibanaRequest(); + await expect(authenticator.authenticate(request)).resolves.toEqual( + AuthenticationResult.notHandled() + ); + expect(mockBasicAuthenticationProvider.authenticate).toHaveBeenCalled(); + }); + + it('redirects to the Login Selector when needed.', async () => { + const request = httpServerMock.createKibanaRequest(); + await expect(authenticator.authenticate(request)).resolves.toEqual( + AuthenticationResult.redirectTo( + '/mock-server-basepath/login?next=%2Fmock-server-basepath%2Fpath' + ) + ); + expect(mockBasicAuthenticationProvider.authenticate).not.toHaveBeenCalled(); + }); + }); }); describe('`logout` method', () => { diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index 22abfb0f05967..2f96d6fa7a00f 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts @@ -143,6 +143,15 @@ function isLoginAttemptWithProviderType( ); } +/** + * Determines if session value was created by the previous Kibana versions which had a different + * session value format. + * @param sessionValue The session value to check. + */ +function isLegacyProviderSession(sessionValue: any) { + return typeof sessionValue?.provider === 'string'; +} + /** * Instantiates authentication provider based on the provider key from config. * @param providerType Provider type key. @@ -503,18 +512,19 @@ export class Authenticator { * @param sessionStorage Session storage instance. */ private async getSessionValue(sessionStorage: SessionStorage) { - let sessionValue = await sessionStorage.get(); + const sessionValue = await sessionStorage.get(); - // If for some reason we have a session stored for the provider that is not available - // (e.g. when user was logged in with one provider, but then configuration has changed - // and that provider is no longer available), then we should clear session entirely. - const sessionProvider = sessionValue && this.providers.get(sessionValue.provider?.name); + // If we detect that session is in incompatible format or for some reason we have a session + // stored for the provider that is not available anymore (e.g. when user was logged in with one + // provider, but then configuration has changed and that provider is no longer available), then + // we should clear session entirely. if ( sessionValue && - (!sessionProvider || sessionProvider.type !== sessionValue?.provider.type) + (isLegacyProviderSession(sessionValue) || + this.providers.get(sessionValue.provider.name)?.type !== sessionValue.provider.type) ) { sessionStorage.clear(); - sessionValue = null; + return null; } return sessionValue; diff --git a/x-pack/plugins/security/server/routes/authentication/common.ts b/x-pack/plugins/security/server/routes/authentication/common.ts index f0f33d6624cc1..abab67c9cd1d2 100644 --- a/x-pack/plugins/security/server/routes/authentication/common.ts +++ b/x-pack/plugins/security/server/routes/authentication/common.ts @@ -111,7 +111,7 @@ export function defineCommonRoutes({ router, authc, basePath, logger }: RouteDef const { providerType, providerName, currentURL } = request.body; logger.info(`Logging in with provider "${providerName}" (${providerType})`); - const redirectURL = parseNext(currentURL ?? '', basePath.serverBasePath); + const redirectURL = parseNext(currentURL, basePath.serverBasePath); try { const authenticationResult = await authc.login(request, { provider: { name: providerName }, diff --git a/x-pack/test/login_selector_api_integration/apis/login_selector.ts b/x-pack/test/login_selector_api_integration/apis/login_selector.ts index 489f0265da57a..3be96d27186d9 100644 --- a/x-pack/test/login_selector_api_integration/apis/login_selector.ts +++ b/x-pack/test/login_selector_api_integration/apis/login_selector.ts @@ -275,10 +275,6 @@ export default function({ getService }: FtrProviderContext) { } }); - // Ideally we should be able to abandon intermediate session and let user log in, but for the - // time being we cannot distinguish errors coming from Elasticsearch for the case when SAML - // response just doesn't correspond to request ID we have in intermediate cookie and the case - // when something else has happened. it('should be able to log in via SP initiated login even if intermediate session with other SAML provider exists', async () => { // First start authentication flow with `saml1`. const saml1HandshakeResponse = await supertest @@ -383,6 +379,50 @@ export default function({ getService }: FtrProviderContext) { 'kerberos1' ); }); + + it('should be able to log in from Login Selector even if client provides certificate and PKI is enabled', async () => { + const spnegoResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .pfx(CLIENT_CERT) + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'kerberos', + providerName: 'kerberos1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(401); + + expect(spnegoResponse.headers['set-cookie']).to.be(undefined); + expect(spnegoResponse.headers['www-authenticate']).to.be('Negotiate'); + + const authenticationResponse = await supertest + .post('/internal/security/login_with') + .ca(CA_CERT) + .pfx(CLIENT_CERT) + .set('kbn-xsrf', 'xxx') + .set('Authorization', `Negotiate ${getSPNEGOToken()}`) + .send({ + providerType: 'kerberos', + providerName: 'kerberos1', + currentURL: 'https://kibana.com/login?next=/abc/xyz/handshake?one=two%20three#/workpad', + }) + .expect(200); + + // Verify that mutual authentication works. + expect(authenticationResponse.headers['www-authenticate']).to.be( + `Negotiate ${getMutualAuthenticationResponseToken()}` + ); + + const cookies = authenticationResponse.headers['set-cookie']; + expect(cookies).to.have.length(1); + + await checkSessionCookie( + request.cookie(cookies[0])!, + 'tester@TEST.ELASTIC.CO', + 'kerberos1' + ); + }); }); describe('OpenID Connect', () => { From f6b1d4fa17aa691f22cf794977797b2a5852e535 Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Mon, 23 Mar 2020 17:26:36 +0100 Subject: [PATCH 09/11] Review#5: use `EuiSpacer` instead of CSS margin. --- .../authentication/login/_login_page.scss | 4 -- .../__snapshots__/login_form.test.tsx.snap | 16 +++++-- .../components/login_form/login_form.tsx | 44 ++++++++++--------- 3 files changed, 35 insertions(+), 29 deletions(-) diff --git a/x-pack/plugins/security/public/authentication/login/_login_page.scss b/x-pack/plugins/security/public/authentication/login/_login_page.scss index 33d66e1d93eed..cdfad55ee064a 100644 --- a/x-pack/plugins/security/public/authentication/login/_login_page.scss +++ b/x-pack/plugins/security/public/authentication/login/_login_page.scss @@ -27,7 +27,3 @@ max-width: 700px; } } - -.loginWelcome__selectorButton { - margin-bottom: $euiSize; -} diff --git a/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap index 9fd32c2d64310..84565b91d6d73 100644 --- a/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap @@ -3,7 +3,6 @@ exports[`LoginForm login selector renders as expected with login form 1`] = ` Login w/SAML + Login w/PKI + Login w/SAML + + `; diff --git a/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.tsx b/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.tsx index a8a1f3b534625..417bb121637f3 100644 --- a/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.tsx +++ b/x-pack/plugins/security/public/authentication/login/components/login_form/login_form.tsx @@ -214,27 +214,29 @@ export class LoginForm extends Component { return ( <> - {this.props.selector.providers.map(provider => ( - this.loginWithSelector(provider.type, provider.name)} - > - {provider.description ?? ( - - )} - + {this.props.selector.providers.map((provider, index) => ( + + this.loginWithSelector(provider.type, provider.name)} + > + {provider.description ?? ( + + )} + + + ))} {loginSelectorAndLoginFormSeparator} From aed4521643f36e6d1cce691520af8ca41addd4dc Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Mon, 23 Mar 2020 20:51:21 +0100 Subject: [PATCH 10/11] Integrate latest upstream changes after master merge. --- .../plugins/security/server/authentication/authenticator.ts | 4 ++-- .../security/server/authentication/providers/kerberos.ts | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index 2f96d6fa7a00f..caf5b485d05e3 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts @@ -34,7 +34,7 @@ import { DeauthenticationResult } from './deauthentication_result'; import { Tokens } from './tokens'; import { SessionInfo } from '../../public'; import { canRedirectRequest } from './can_redirect_request'; -import { getHTTPAuthenticationScheme } from './get_http_authentication_scheme'; +import { HTTPAuthorizationHeader } from './http_authentication'; /** * The shape of the session that is actually stored in the cookie. @@ -347,7 +347,7 @@ export class Authenticator { !existingSession && this.options.config.authc.selector.enabled && canRedirectRequest(request) && - getHTTPAuthenticationScheme(request) == null; + HTTPAuthorizationHeader.parseFromRequest(request) == null; if (useLoginSelector) { this.logger.debug('Redirecting request to Login Selector.'); return AuthenticationResult.redirectTo( diff --git a/x-pack/plugins/security/server/authentication/providers/kerberos.ts b/x-pack/plugins/security/server/authentication/providers/kerberos.ts index ee09f7ec00e2e..c4bbe554a3da1 100644 --- a/x-pack/plugins/security/server/authentication/providers/kerberos.ts +++ b/x-pack/plugins/security/server/authentication/providers/kerberos.ts @@ -52,7 +52,7 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { public async login(request: KibanaRequest) { this.logger.debug('Trying to perform a login.'); - if (getHTTPAuthenticationScheme(request) === 'negotiate') { + if (HTTPAuthorizationHeader.parseFromRequest(request)?.scheme.toLowerCase() === 'negotiate') { return await this.authenticateWithNegotiateScheme(request); } From ceba57b46ba5164ca3257c0fe269457a099b903b Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Mon, 23 Mar 2020 20:52:33 +0100 Subject: [PATCH 11/11] Review#5: remove redundant user icon from login selector button. --- .../login_form/__snapshots__/login_form.test.tsx.snap | 4 ---- .../authentication/login/components/login_form/login_form.tsx | 1 - 2 files changed, 5 deletions(-) diff --git a/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap index 84565b91d6d73..a25498a637c2f 100644 --- a/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap +++ b/x-pack/plugins/security/public/authentication/login/components/login_form/__snapshots__/login_form.test.tsx.snap @@ -4,7 +4,6 @@ exports[`LoginForm login selector renders as expected with login form 1`] = ` {