Allows access via Kibana #62

Open
Alex-At-Home opened this issue Jun 10, 2019 · 4 comments
Labels
enhancement New feature or request

Comments

@Alex-At-Home
Owner

2 cases:

  • You have a user/pass but no direct access to Kibana ... in that case it's as simple as just hitting the Kibana URL and using POST /api/console/proxy?path=$ENCODE($endpoint)&method=$method
  • You are using SAML or oauth to authenticate vs Kibana .. in that case the best you can do (leaving aside browser plugins) is to tell people to "copy as curl" a network request to Kibana and then paste that into a box and infer the URL and creds from the header
@Alex-At-Home Alex-At-Home added the enhancement New feature or request label Jun 10, 2019
@Alex-At-Home
Owner Author

Alex-At-Home commented Jun 10, 2019

example:

curl 'https://XXXX.us-east-1.aws.found.io:9243/api/console/proxy?path=.kibana%2F_search&method=GET' \
> -XPOST \
> -H 'Cookie: xxx' \
> -H 'Accept: text/plain, */*; q=0.01' \
> -H 'Origin: https://XXXX.us-east-1.aws.found.io:9243' \
> -H 'Referer: https://XXXX.us-east-1.aws.found.io:9243/app/kibana' \
> -H 'Accept-Encoding: br, gzip, deflate' \
> -H 'Host: XXXX.us-east-1.aws.found.io:9243' \
> -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15' \
> -H 'Content-Length: 0' \
> -H 'Accept-Language: en-us' \
> -H 'Connection: keep-alive' \
> -H 'kbn-version: 6.5.4'

So probably just snagging Cookie: [^']+ and https://[^/]+ would be sufficient?
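
One way to do the extraction asked about above, as an added example that is not code from this project: it parses the pasted headers instead of relying on two bare regexes, refuses anything that is not an https URL, and gives a redacted copy for logging because the cookie is a session credential. The function names, field names and the sample cookie value are constructed for illustration.

```javascript
// Added example (not this project's code): parse a pasted "copy as curl"
// command. Function and field names are hypothetical; SAMPLE is constructed.
function parseKibanaCurl(pasted) {
  // Undo shell line continuations and the "> " prompts a terminal paste leaves behind.
  const text = pasted.replace(/\\\r?\n(?:>\s?)?/g, ' ');
  // Only accept an https origin, so the session cookie is never sent in clear text.
  const url = text.match(/https:\/\/[^\/'"\s]+/);
  if (!url) throw new Error('no https:// Kibana URL found');
  // Collect every -H 'Name: value' header, keyed by lower-cased name.
  const headers = {};
  const re = /-H\s+(['"])([^:'"]+):\s*(.*?)\1/g;
  for (let m; (m = re.exec(text)) !== null;) headers[m[2].toLowerCase()] = m[3];
  if (!headers.cookie) throw new Error('no Cookie header found');
  return { baseUrl: url[0], cookie: headers.cookie, kbnVersion: headers['kbn-version'] || null };
}

// Build the console proxy call from the first comment:
// POST /api/console/proxy?path=$ENCODE($endpoint)&method=$method
function buildProxyRequest(session, endpoint, method) {
  const headers = { Cookie: session.cookie };
  if (session.kbnVersion) headers['kbn-version'] = session.kbnVersion;
  return {
    url: session.baseUrl + '/api/console/proxy?path=' + encodeURIComponent(endpoint) +
      '&method=' + encodeURIComponent(method),
    method: 'POST',
    headers: headers
  };
}

// The cookie is a bearer credential: log only its length, never its value.
function redact(session) {
  return Object.assign({}, session, { cookie: '[redacted ' + session.cookie.length + ' chars]' });
}

// Constructed sample, shaped like the command in the comment above.
const SAMPLE = [
  "curl 'https://XXXX.us-east-1.aws.found.io:9243/api/console/proxy?path=.kibana%2F_search&method=GET' \\",
  "> -XPOST \\",
  "> -H 'Cookie: sid=CONSTRUCTED' \\",
  "> -H 'Origin: https://XXXX.us-east-1.aws.found.io:9243' \\",
  "> -H 'kbn-version: 6.5.4'"
].join('\n');

const session = parseKibanaCurl(SAMPLE);
console.log(redact(session));
console.log(buildProxyRequest(session, '.kibana/_search', 'GET').url);
```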

@Alex-At-Home
Owner Author

(v similar logic could allow access via the Cloud user console as well)

@Alex-At-Home
Owner Author

OK so it's a bit ugly, currently Kibana CORS only allows you to do * or nothing ... this may be too open for people's taste

I've been looking into what it would look like instead to add direct ES/SAML support ... I think it's doable.... see https://developers.google.com/apps-script/reference/script/script-app (search for usercallback)

You set the callback id to be https://script.google.com/macros/d/{SCRIPT ID}/usercallback and it appears in the callback .. this would then (I guess) set an ES token (not 100% sure where that comes from in this flow) into the user token service, and then the sidebar would go fetch that (instead of the password)

@Alex-At-Home
Owner Author

Alex-At-Home commented Nov 22, 2019

OK some more experimentation into what it would take to get (direct to ES) SAML working

Starting with https://github.com/gsuitedevs/apps-script-oauth2/blob/8c1963ed3eeb74a244e3f306217f536009e86575/dist/OAuth2.gs I added the following test code:

function getCallbackURL(callbackFunctionName) {
  // The state token names the function Apps Script invokes when /usercallback is hit; it expires after 120 seconds
  var stateToken = ScriptApp.newStateToken()
      .withMethod(callbackFunctionName)
      .withTimeout(120)
      .createToken();
  return 'https://script.google.com/macros/d/' + encodeURIComponent(ScriptApp.getScriptId()) +
    '/usercallback?state=' + stateToken;
}
//...
  html.testLink = getCallbackURL("myTestCallback")
//...
function myTestCallback(inVal) {
  // Log the request object that the callback receives
  Logger.log("in " + JSON.stringify(inVal))
  return true
}

Then using the cookies etc that I get by pasting that link into the browser I did a curl:

curl 'https://script.google.com/macros/d/<<from code above>>/usercallback?state=<<from code above>>' -XGET -H 'Cookie: SIDCC=AN0-TYvLfQNUP8s6tyfnwqLf4jzjo2LpOGXSKjR343kYK_1RqDDT5FXmQG36GnyGnc9r0UbHogc; 1P_JAR=2019-11-22-21; NID=192=xxx-Y92Gq_Np24NL90Fl0iQL23KnMo-xxx-xxx-xxx; S=maestro=xxx-xxx; __utma=23934520.1167527487.1574377313.1574377313.1574458053.2; __utmb=23934520.1.10.1574458053; __utmc=23934520; __utmz=23934520.1574458053.2.2.utmcsr=docs.google.com|utmccn=(referral)|utmcmd=referral|utmcct=/; OTZ=5202405_76_76_104100_72_446760; SID=xxx.; APISID=xxx/xxx; HSID=xxx; SAPISID=xxx/xxx; SSID=xxx; SEARCH_SAMESITE=xxx' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Host: script.google.com' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15' -H 'Accept-Language: en-us' -H 'Accept-Encoding: br, gzip, deflate' -H 'Connection: keep-alive' -H 'Content-Length: 2' -XPOST -d' '

And sure enough looking at the logs for my script I get:

[19-11-22 13:48:21:930 PST] in {"parameter":{" ":"","state":"<<from app>>"},"contextPath":"","contentLength":2,"queryString":"state=<<from app>>","parameters":{" ":[""],"state":["<<from app>>"]},"postData":{"type":"application/x-www-form-urlencoded","length":2,"contents":" ","name":"postData"}}

So in theory I can set the ACS to be that callback (provided I can make it pass in the state= param <- UNVALIDATED, which will work for all users of the script) and then stick the relay state etc into the script properties for a given URL and then hit ES with an ACS to get a token I then use for API calls
