Fix cookie expiry issues from IDP/JWT auth methods, disables keepalive for JWT/IDP

server/auth/types/authentication_type.test.ts

@@ -16,8 +16,12 @@
 import { SecurityPluginConfigType } from '../..';
 import { AuthenticationType } from './authentication_type';
 import { httpServerMock } from '../../../../../src/core/server/mocks';
+import { OpenSearchDashboardsRequest } from '../../../../../src/core/server';
 
 class DummyAuthType extends AuthenticationType {
+ authNotRequired(request: OpenSearchDashboardsRequest): boolean {
+ return false;
+ }
  buildAuthHeaderFromCookie() {}
  getAdditionalAuthHeader() {}
  handleUnauthedRequest() {}

server/auth/types/authentication_type.ts

@@ -160,7 +160,7 @@ export abstract class AuthenticationType implements IAuthenticationType {
 
  // extend session expiration time
  if (this.config.session.keepalive) {
- cookie!.expiryTime = Date.now() + this.config.session.ttl;
+ cookie!.expiryTime = this.getKeepAliveExpiry(cookie!, request);
  this.sessionStorageFactory.asScoped(request).set(cookie!);
  }
  // cookie is valid
@@ -266,6 +266,13 @@ export abstract class AuthenticationType implements IAuthenticationType {
  });
  }
 
+ public getKeepAliveExpiry(
+ cookie: SecuritySessionCookie,
+ request: OpenSearchDashboardsRequest
+ ): number {
+ return Date.now() + this.config.session.ttl;
+ }
+
  isPageRequest(request: OpenSearchDashboardsRequest) {
  const path = request.url.pathname || '/';
  return path.startsWith('/app/') || path === '/' || path.startsWith('/goto/');
@@ -286,5 +293,10 @@ export abstract class AuthenticationType implements IAuthenticationType {
  response: LifecycleResponseFactory,
  toolkit: AuthToolkit
  ): IOpenSearchDashboardsResponse | AuthResult;
+ public abstract requestIncludesAuthInfo(request: OpenSearchDashboardsRequest): boolean;
+ public abstract buildAuthHeaderFromCookie(
+ cookie: SecuritySessionCookie,
+ request: OpenSearchDashboardsRequest
+ ): any;
  public abstract init(): Promise<void>;
 }

server/auth/types/basic/basic_auth.test.ts

@@ -0,0 +1,69 @@
+/*
+ * Copyright OpenSearch Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import { httpServerMock } from '../../../../../../src/core/server/http/http_server.mocks';
+
+import { SecurityPluginConfigType } from '../../../index';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import {
+ IRouter,
+ CoreSetup,
+ ILegacyClusterClient,
+ Logger,
+ SessionStorageFactory,
+} from '../../../../../../src/core/server';
+import { BasicAuthentication } from './basic_auth';
+
+describe('Basic auth tests', () => {
+ let router: IRouter;
+ let core: CoreSetup;
+ let esClient: ILegacyClusterClient;
+ let sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>;
+ let logger: Logger;
+
+ const config = {
+ session: {
+ ttl: 1000,
+ },
+ } as SecurityPluginConfigType;
+
+ test('getKeepAliveExpiry', () => {
+ const realDateNow = Date.now.bind(global.Date);
+ const dateNowStub = jest.fn(() => 0);
+ global.Date.now = dateNowStub;
+ const basicAuthentication = new BasicAuthentication(
+ config,
+ sessionStorageFactory,
+ router,
+ esClient,
+ core,
+ logger
+ );
+
+ const cookie: SecuritySessionCookie = {
+ credentials: {
+ authHeaderValueExtra: true,
+ },
+ expiryTime: 0,
+ };
+
+ const request = httpServerMock.createOpenSearchDashboardsRequest({
+ path: '/internal/v1',
+ });
+
+ expect(basicAuthentication.getKeepAliveExpiry(cookie, request)).toBe(1000);
+ global.Date.now = realDateNow;
+ });
+});

server/auth/types/basic/basic_auth.ts

@@ -133,7 +133,10 @@ export class BasicAuthentication extends AuthenticationType {
  }
  }
 
- buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
+ buildAuthHeaderFromCookie(
+ cookie: SecuritySessionCookie,
+ request: OpenSearchDashboardsRequest
+ ): any {
  if (this.config.auth.anonymous_auth_enabled && cookie.isAnonymousAuth) {
  return {};
  }

server/auth/types/jwt/jwt_auth.ts

@@ -35,6 +35,7 @@ import {
  getExtraAuthStorageValue,
  setExtraAuthStorage,
 } from '../../../session/cookie_splitter';
+import { getExpirationDate } from './jwt_helper';
 
 export const JWT_DEFAULT_EXTRA_STORAGE_OPTIONS: ExtraAuthStorageOptions = {
  cookiePrefix: 'security_authentication_jwt',
@@ -154,13 +155,17 @@ export class JwtAuthentication extends AuthenticationType {
  this.getBearerToken(request) || '',
  this.getExtraAuthStorageOptions()
  );
+
  return {
  username: authInfo.user_name,
  credentials: {
  authHeaderValueExtra: true,
  },
  authType: this.type,
- expiryTime: Date.now() + this.config.session.ttl,
+ expiryTime: getExpirationDate(
+ this.getBearerToken(request),
+ Date.now() + this.config.session.ttl
+ ),
  };
  }
 
@@ -175,6 +180,13 @@ export class JwtAuthentication extends AuthenticationType {
  );
  }
 
+ getKeepAliveExpiry(cookie: SecuritySessionCookie, request: OpenSearchDashboardsRequest): number {
+ return getExpirationDate(
+ this.buildAuthHeaderFromCookie(cookie, request)[this.authHeaderName],
+ Date.now() + this.config.session.ttl
+ );
+ }
+
  handleUnauthedRequest(
  request: OpenSearchDashboardsRequest,
  response: LifecycleResponseFactory,