-
Notifications
You must be signed in to change notification settings - Fork 8.3k
/
cleanup.ts
254 lines (222 loc) · 9.53 KB
/
cleanup.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import { setTimeout as setTimeoutAsync } from 'timers/promises';
import type { Cookie } from 'tough-cookie';
import { parse as parseCookie } from 'tough-cookie';
import expect from '@kbn/expect';
import {
getSAMLRequestId,
getSAMLResponse,
} from '@kbn/security-api-integration-helpers/saml/saml_tools';
import type { AuthenticationProvider } from '@kbn/security-plugin/common';
import { adminTestUser } from '@kbn/test';
import type { FtrProviderContext } from '../../ftr_provider_context';
export default function ({ getService }: FtrProviderContext) {
const supertest = getService('supertestWithoutAuth');
const esSupertest = getService('esSupertest');
const es = getService('es');
const esDeleteAllIndices = getService('esDeleteAllIndices');
const config = getService('config');
const retry = getService('retry');
const log = getService('log');
const randomness = getService('randomness');
const { username: basicUsername, password: basicPassword } = adminTestUser;
const kibanaServerConfig = config.get('servers.kibana');
async function checkSessionCookie(
sessionCookie: Cookie,
username: string,
provider: AuthenticationProvider
) {
log.debug(`Verifying session cookie for ${username}.`);
const apiResponse = await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', sessionCookie.cookieString())
.expect(200);
log.debug(`Session cookie for ${username} is valid.`);
expect(apiResponse.body.username).to.be(username);
expect(apiResponse.body.authentication_provider).to.eql(provider);
return Array.isArray(apiResponse.headers['set-cookie'])
? parseCookie(apiResponse.headers['set-cookie'][0])!
: undefined;
}
async function getNumberOfSessionDocuments() {
await es.indices.refresh({ index: '.kibana_security_session*' });
return (
// @ts-expect-error doesn't handle total as number
(await es.search({ index: '.kibana_security_session*' })).hits.total.value as number
);
}
async function loginWithSAML(providerName: string) {
const handshakeResponse = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({ providerType: 'saml', providerName, currentURL: '' })
.expect(200);
const authenticationResponse = await supertest
.post('/api/security/saml/callback')
.set('kbn-xsrf', 'xxx')
.set('Cookie', parseCookie(handshakeResponse.headers['set-cookie'][0])!.cookieString())
.send({
SAMLResponse: await getSAMLResponse({
destination: `http://localhost:${kibanaServerConfig.port}/api/security/saml/callback`,
sessionIndex: String(randomness.naturalNumber()),
inResponseTo: await getSAMLRequestId(handshakeResponse.body.location),
}),
})
.expect(302);
const cookie = parseCookie(authenticationResponse.headers['set-cookie'][0])!;
await checkSessionCookie(cookie, '[email protected]', { type: 'saml', name: providerName });
return cookie;
}
async function runCleanupTaskSoon() {
// In most cases, an error would mean the task is currently running so let's run it again
await retry.tryForTime(30000, async () => {
await supertest
.post('/session/_run_cleanup')
.set('kbn-xsrf', 'xxx')
.auth(adminTestUser.username, adminTestUser.password)
.send()
.expect(200);
});
}
async function addESDebugLoggingSettings() {
const addLogging = {
persistent: {
'logger.org.elasticsearch.xpack.security.authc': 'debug',
},
};
await esSupertest.put('/_cluster/settings').send(addLogging).expect(200);
}
describe('Session Idle cleanup', () => {
beforeEach(async () => {
await es.cluster.health({ index: '.kibana_security_session*', wait_for_status: 'green' });
await addESDebugLoggingSettings();
await esDeleteAllIndices('.kibana_security_session*');
});
it('should properly clean up session expired because of idle timeout', async function () {
this.timeout(100000);
log.debug(`Log in as ${basicUsername} using ${basicPassword} password.`);
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username: basicUsername, password: basicPassword },
})
.expect(200);
const sessionCookie = parseCookie(response.headers['set-cookie'][0])!;
await checkSessionCookie(sessionCookie, basicUsername, { type: 'basic', name: 'basic1' });
expect(await getNumberOfSessionDocuments()).to.be(1);
// Poke the background task to run
await runCleanupTaskSoon();
log.debug('Waiting for cleanup job to run...');
// Cleanup routine runs every 20s, and idle timeout threshold is three times larger than 10s
// idle timeout (so, 30s). We just triggered the cleanup, so we'll wait for 40s to make sure
// cleanup routine runs after the idle timeout threshold is exceeded. Then we'll wait for a
// correct response.
await setTimeoutAsync(40000);
await retry.tryForTime(20000, async () => {
// Session info is removed from the index and cookie isn't valid anymore
expect(await getNumberOfSessionDocuments()).to.be(0);
});
log.debug(`Authenticating as ${basicUsername} with invalid session cookie.`);
await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', sessionCookie.cookieString())
.expect(401);
});
it('should properly clean up session expired because of idle timeout when providers override global session config', async function () {
this.timeout(100000);
const [samlDisableSessionCookie, samlOverrideSessionCookie, samlFallbackSessionCookie] =
await Promise.all([
loginWithSAML('saml_disable'),
loginWithSAML('saml_override'),
loginWithSAML('saml_fallback'),
]);
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username: basicUsername, password: basicPassword },
})
.expect(200);
const basicSessionCookie = parseCookie(response.headers['set-cookie'][0])!;
await checkSessionCookie(basicSessionCookie, basicUsername, {
type: 'basic',
name: 'basic1',
});
expect(await getNumberOfSessionDocuments()).to.be(4);
// Poke the background task to run
await runCleanupTaskSoon();
log.debug('Waiting for cleanup job to run...');
// Cleanup routine runs every 20s, and idle timeout threshold is three times larger than 10s
// idle timeout (so, 30s). We just triggered the cleanup, so we'll wait for 40s to make sure
// cleanup routine runs after the idle timeout threshold is exceeded. Then we'll wait for a
// correct response.
await setTimeoutAsync(40000);
await retry.tryForTime(20000, async () => {
// Session for basic and SAML that used global session settings should not be valid anymore.
expect(await getNumberOfSessionDocuments()).to.be(2);
});
await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', basicSessionCookie.cookieString())
.expect(401);
await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', samlFallbackSessionCookie.cookieString())
.expect(401);
// But sessions for the SAML with overridden and disabled lifespan should still be valid.
await checkSessionCookie(samlOverrideSessionCookie, '[email protected]', {
type: 'saml',
name: 'saml_override',
});
await checkSessionCookie(samlDisableSessionCookie, '[email protected]', {
type: 'saml',
name: 'saml_disable',
});
});
it('should not clean up session if user is active', async function () {
this.timeout(100000);
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username: basicUsername, password: basicPassword },
})
.expect(200);
let sessionCookie = parseCookie(response.headers['set-cookie'][0])!;
await checkSessionCookie(sessionCookie, basicUsername, { type: 'basic', name: 'basic1' });
expect(await getNumberOfSessionDocuments()).to.be(1);
// Run 20 consequent requests with 3s delay, during this time cleanup procedure should run at
// least twice.
for (const counter of [...Array(20).keys()]) {
// Session idle timeout is 10s, let's wait 3s and make a new request that would extend the session.
await setTimeoutAsync(3000);
sessionCookie = (await checkSessionCookie(sessionCookie, basicUsername, {
type: 'basic',
name: 'basic1',
}))!;
log.debug(`Session is still valid after ${(counter + 1) * 3}s`);
}
// Session document should still be present.
expect(await getNumberOfSessionDocuments()).to.be(1);
});
});
}