-
Notifications
You must be signed in to change notification settings - Fork 161
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* Add JWT authentication type to MultipleAuthentication * clarify comments in AuthenticationType.authHandler * collect additional auth headers from all multi-auth handlers * implement MultipleAuthentication.getCookie * Add test for multiauth with JWT * add explanatory comments in login page * remove logging of JWT in test * add check for empty auth options list in login page * Add comments about getCookie method * remove unneeded comment * Don't load sample data in JWT multiauth test * remove sample data code and unneeded promise handling * update test for missing JWT * ensure JWT signing key consistency --------- (cherry picked from commit 252d8fb) Signed-off-by: merlinz01 <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Derek Ho <[email protected]>
- Loading branch information
1 parent
a40fe21
commit a58664c
Showing
5 changed files
with
240 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,181 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"). | ||
* You may not use this file except in compliance with the License. | ||
* A copy of the License is located at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* or in the "license" file accompanying this file. This file is distributed | ||
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either | ||
* express or implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import * as osdTestServer from '../../../../src/core/test_helpers/osd_server'; | ||
import { Root } from '../../../../src/core/server/root'; | ||
import { resolve } from 'path'; | ||
import { describe, it, beforeAll, afterAll } from '@jest/globals'; | ||
import { | ||
ADMIN_CREDENTIALS, | ||
OPENSEARCH_DASHBOARDS_SERVER_USER, | ||
OPENSEARCH_DASHBOARDS_SERVER_PASSWORD, | ||
ADMIN_USER, | ||
JWT_ADMIN_ROLE, | ||
JWT_SIGNING_KEY, | ||
} from '../constant'; | ||
import wreck from '@hapi/wreck'; | ||
import { SignJWT } from 'jose'; | ||
|
||
describe('start OpenSearch Dashboards server', () => { | ||
let root: Root; | ||
let config; | ||
|
||
beforeAll(async () => { | ||
root = osdTestServer.createRootWithSettings( | ||
{ | ||
plugins: { | ||
scanDirs: [resolve(__dirname, '../..')], | ||
}, | ||
home: { disableWelcomeScreen: true }, | ||
server: { | ||
host: 'localhost', | ||
port: 5601, | ||
}, | ||
logging: { | ||
silent: true, | ||
verbose: false, | ||
}, | ||
opensearch: { | ||
hosts: ['https://localhost:9200'], | ||
ignoreVersionMismatch: true, | ||
ssl: { verificationMode: 'none' }, | ||
username: OPENSEARCH_DASHBOARDS_SERVER_USER, | ||
password: OPENSEARCH_DASHBOARDS_SERVER_PASSWORD, | ||
requestHeadersAllowlist: ['securitytenant', 'Authorization'], | ||
}, | ||
opensearch_security: { | ||
auth: { | ||
anonymous_auth_enabled: false, | ||
type: ['basicauth', 'jwt'], | ||
multiple_auth_enabled: true, | ||
}, | ||
jwt: { | ||
url_param: 'token', | ||
}, | ||
multitenancy: { | ||
enabled: true, | ||
tenants: { | ||
enable_global: true, | ||
enable_private: true, | ||
preferred: ['Private', 'Global'], | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
// to make ignoreVersionMismatch setting work | ||
// can be removed when we have corresponding ES version | ||
dev: true, | ||
} | ||
); | ||
|
||
console.log('Starting OpenSearchDashboards server..'); | ||
await root.setup(); | ||
await root.start(); | ||
|
||
const getConfigResponse = await wreck.get( | ||
'https://localhost:9200/_plugins/_security/api/securityconfig', | ||
{ | ||
rejectUnauthorized: false, | ||
headers: { | ||
authorization: ADMIN_CREDENTIALS, | ||
}, | ||
} | ||
); | ||
const responseBody = (getConfigResponse.payload as Buffer).toString(); | ||
config = JSON.parse(responseBody).config; | ||
const jwtConfig = { | ||
http_enabled: true, | ||
transport_enabled: true, | ||
order: 0, | ||
http_authenticator: { | ||
challenge: false, | ||
type: 'jwt', | ||
config: { | ||
signing_key: btoa(JWT_SIGNING_KEY), | ||
jwt_header: 'Authorization', | ||
jwt_url_parameter: 'token', | ||
jwt_clock_skew_tolerance_seconds: 30, | ||
roles_key: 'roles', | ||
subject_key: 'sub', | ||
}, | ||
}, | ||
authentication_backend: { | ||
type: 'noop', | ||
config: {}, | ||
}, | ||
}; | ||
try { | ||
config.dynamic!.authc!.jwt_auth_domain = jwtConfig; | ||
config.dynamic!.authc!.basic_internal_auth_domain.http_authenticator.challenge = true; | ||
config.dynamic!.http!.anonymous_auth_enabled = false; | ||
await wreck.put('https://localhost:9200/_plugins/_security/api/securityconfig/config', { | ||
payload: config, | ||
rejectUnauthorized: false, | ||
headers: { | ||
'Content-Type': 'application/json', | ||
authorization: ADMIN_CREDENTIALS, | ||
}, | ||
}); | ||
} catch (error) { | ||
console.log('Got an error while updating security config!', error.stack); | ||
fail(error); | ||
} | ||
}); | ||
|
||
afterAll(async () => { | ||
console.log('Remove the Security Config'); | ||
await wreck.patch('https://localhost:9200/_plugins/_security/api/securityconfig', { | ||
payload: [ | ||
{ | ||
op: 'remove', | ||
path: '/config/dynamic/authc/jwt_auth_domain', | ||
}, | ||
], | ||
rejectUnauthorized: false, | ||
headers: { | ||
'Content-Type': 'application/json', | ||
authorization: ADMIN_CREDENTIALS, | ||
}, | ||
}); | ||
// shutdown OpenSearchDashboards server | ||
await root.shutdown(); | ||
}); | ||
|
||
it('Verify JWT access to dashboards', async () => { | ||
console.log('Wreck access home page'); | ||
const adminJWT = await new SignJWT({ | ||
roles: [JWT_ADMIN_ROLE], | ||
sub: ADMIN_USER, | ||
}) | ||
.setProtectedHeader({ alg: 'HS256' }) | ||
.sign(new TextEncoder().encode(JWT_SIGNING_KEY)); | ||
await wreck.get(`http://localhost:5601/app/home?token=${adminJWT}#`, { | ||
rejectUnauthorized: true, | ||
headers: { | ||
'Content-Type': 'application/json', | ||
}, | ||
}); | ||
}); | ||
|
||
it('Verify access to login page without JWT', async () => { | ||
console.log('Wreck access login page without JWT'); | ||
const response = await wreck.get('http://localhost:5601/app/home', { | ||
rejectUnauthorized: true, | ||
}); | ||
expect(response.res.statusCode).toEqual(302); | ||
expect(response.res.headers.location).toEqual('/app/login?nextUrl=%2Fapp%2Fhome'); | ||
}); | ||
}); |