elastic · azasypkin · Nov 23, 2020 · Oct 6, 2020 · Nov 20, 2020 · Nov 20, 2020
diff --git a/test/functional/services/common/browser.ts b/test/functional/services/common/browser.ts
@@ -191,6 +191,18 @@ export async function BrowserProvider({ getService }: FtrProviderContext) {
       return await driver.get(url);
     }
 
+    /**
+     * Retrieves the cookie with the given name. Returns null if there is no such cookie. The cookie will be returned as
+     * a JSON object as described by the WebDriver wire protocol.
+     * https://www.selenium.dev/selenium/docs/api/javascript/module/selenium-webdriver/lib/webdriver_exports_Options.html
+     *
+     * @param {string} cookieName
+     * @return {Promise<IWebDriverCookie>}
+     */
+    public async getCookie(cookieName: string) {
+      return await driver.manage().getCookie(cookieName);
+    }
+
     /**
      * Pauses the execution in the browser, similar to setting a breakpoint for debugging.
      * @return {Promise<void>}

diff --git a/x-pack/plugins/security/common/constants.ts b/x-pack/plugins/security/common/constants.ts
@@ -17,3 +17,5 @@ export const UNKNOWN_SPACE = '?';
 export const GLOBAL_RESOURCE = '*';
 export const APPLICATION_PREFIX = 'kibana-';
 export const RESERVED_PRIVILEGES_APPLICATION_WILDCARD = 'kibana-*';
+
+export const AUTH_PROVIDER_HINT_QUERY_STRING_PARAMETER = 'auth_provider_hint';
diff --git a/x-pack/plugins/security/common/model/authenticated_user.test.ts b/x-pack/plugins/security/common/model/authenticated_user.test.ts
@@ -20,6 +20,19 @@ describe('#canUserChangePassword', () => {
         } as AuthenticatedUser)
       ).toEqual(true);
     });
+
+    it(`returns false for users in the ${realm} realm if used for anonymous access`, () => {
+      expect(
+        canUserChangePassword({
+          username: 'foo',
+          authentication_provider: { type: 'anonymous', name: 'does not matter' },
+          authentication_realm: {
+            name: 'the realm name',
+            type: realm,
+          },
+        } as AuthenticatedUser)
+      ).toEqual(false);
+    });
   });
 
   it(`returns false for all other realms`, () => {

diff --git a/x-pack/plugins/security/common/model/authenticated_user.ts b/x-pack/plugins/security/common/model/authenticated_user.ts
@@ -42,5 +42,8 @@ export interface AuthenticatedUser extends User {
 }
 
 export function canUserChangePassword(user: AuthenticatedUser) {
-  return REALMS_ELIGIBLE_FOR_PASSWORD_CHANGE.includes(user.authentication_realm.type);
+  return (
+    REALMS_ELIGIBLE_FOR_PASSWORD_CHANGE.includes(user.authentication_realm.type) &&
+    user.authentication_provider.type !== 'anonymous'
+  );
 }
diff --git a/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap b/x-pack/plugins/security/public/authentication/login/__snapshots__/login_page.test.tsx.snap
diff --git a/...ck/plugins/security/public/authentication/login/components/login_form/login_form.test.tsx b/...ck/plugins/security/public/authentication/login/components/login_form/login_form.test.tsx
@@ -22,23 +22,40 @@ function expectPageMode(wrapper: ReactWrapper, mode: PageMode) {
           ['loginForm', true],
           ['loginSelector', false],
           ['loginHelp', false],
+          ['autoLoginOverlay', false],
         ]
       : mode === PageMode.Selector
       ? [
           ['loginForm', false],
           ['loginSelector', true],
           ['loginHelp', false],
+          ['autoLoginOverlay', false],
         ]
       : [
           ['loginForm', false],
           ['loginSelector', false],
           ['loginHelp', true],
+          ['autoLoginOverlay', false],
         ];
   for (const [selector, exists] of assertions) {
     expect(findTestSubject(wrapper, selector).exists()).toBe(exists);
   }
 }
 
+function expectAutoLoginOverlay(wrapper: ReactWrapper) {
+  // Everything should be hidden except for the overlay
+  for (const selector of [
+    'loginForm',
+    'loginSelector',
+    'loginHelp',
+    'loginHelpLink',
+    'loginAssistanceMessage',
+  ]) {
+    expect(findTestSubject(wrapper, selector).exists()).toBe(false);
+  }
+  expect(findTestSubject(wrapper, 'autoLoginOverlay').exists()).toBe(true);
+}
+
 describe('LoginForm', () => {
   beforeAll(() => {
     Object.defineProperty(window, 'location', {
@@ -591,4 +608,124 @@ describe('LoginForm', () => {
       expect(coreStartMock.notifications.toasts.addError).not.toHaveBeenCalled();
     });
   });
+
+  describe('auto login', () => {
+    it('automatically switches to the Login Form mode if provider suggested by the auth provider hint needs it', () => {
+      const coreStartMock = coreMock.createStart();
+      const wrapper = mountWithIntl(
+        <LoginForm
+          http={coreStartMock.http}
+          notifications={coreStartMock.notifications}
+          loginHelp={'**Hey this is a login help message**'}
+          loginAssistanceMessage="Need assistance?"
+          authProviderHint="basic1"
+          selector={{
+            enabled: true,
+            providers: [
+              { type: 'basic', name: 'basic1', usesLoginForm: true },
+              { type: 'saml', name: 'saml1', usesLoginForm: false },
+            ],
+          }}
+        />
+      );
+
+      expectPageMode(wrapper, PageMode.Form);
+      expect(findTestSubject(wrapper, 'loginHelpLink').text()).toEqual('Need help?');
+      expect(findTestSubject(wrapper, 'loginAssistanceMessage').text()).toEqual('Need assistance?');
+    });
+
+    it('automatically logs in if provider suggested by the auth provider hint does not need login form', async () => {
+      const currentURL = `https://some-host/login?next=${encodeURIComponent(
+        '/some-base-path/app/kibana#/home?_g=()'
+      )}`;
+      const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' });
+      coreStartMock.http.post.mockResolvedValue({
+        location: 'https://external-idp/login?optional-arg=2#optional-hash',
+      });
+
+      window.location.href = currentURL;
+      const wrapper = mountWithIntl(
+        <LoginForm
+          http={coreStartMock.http}
+          notifications={coreStartMock.notifications}
+          loginHelp={'**Hey this is a login help message**'}
+          loginAssistanceMessage="Need assistance?"
+          authProviderHint="saml1"
+          selector={{
+            enabled: true,
+            providers: [
+              { type: 'basic', name: 'basic1', usesLoginForm: true },
+              { type: 'saml', name: 'saml1', usesLoginForm: false },
+            ],
+          }}
+        />
+      );
+
+      expectAutoLoginOverlay(wrapper);
+
+      await act(async () => {
+        await nextTick();
+        wrapper.update();
+      });
+
+      expect(coreStartMock.http.post).toHaveBeenCalledTimes(1);
+      expect(coreStartMock.http.post).toHaveBeenCalledWith('/internal/security/login', {
+        body: JSON.stringify({ providerType: 'saml', providerName: 'saml1', currentURL }),
+      });
+
+      expect(window.location.href).toBe('https://external-idp/login?optional-arg=2#optional-hash');
+      expect(wrapper.find(EuiCallOut).exists()).toBe(false);
+      expect(coreStartMock.notifications.toasts.addError).not.toHaveBeenCalled();
+    });
+
+    it('switches to the login selector if could not login with provider suggested by the auth provider hint', async () => {
+      const currentURL = `https://some-host/login?next=${encodeURIComponent(
+        '/some-base-path/app/kibana#/home?_g=()'
+      )}`;
+
+      const failureReason = new Error('Oh no!');
+      const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' });
+      coreStartMock.http.post.mockRejectedValue(failureReason);
+
+      window.location.href = currentURL;
+      const wrapper = mountWithIntl(
+        <LoginForm
+          http={coreStartMock.http}
+          notifications={coreStartMock.notifications}
+          loginHelp={'**Hey this is a login help message**'}
+          loginAssistanceMessage="Need assistance?"
+          authProviderHint="saml1"
+          selector={{
+            enabled: true,
+            providers: [
+              { type: 'basic', name: 'basic1', usesLoginForm: true },
+              { type: 'saml', name: 'saml1', usesLoginForm: false },
+            ],
+          }}
+        />
+      );
+
+      expectAutoLoginOverlay(wrapper);
+
+      await act(async () => {
+        await nextTick();
+        wrapper.update();
+      });
+
+      expect(coreStartMock.http.post).toHaveBeenCalledTimes(1);
+      expect(coreStartMock.http.post).toHaveBeenCalledWith('/internal/security/login', {
+        body: JSON.stringify({ providerType: 'saml', providerName: 'saml1', currentURL }),
+      });
+
+      expect(window.location.href).toBe(currentURL);
+      expect(coreStartMock.notifications.toasts.addError).toHaveBeenCalledWith(failureReason, {
+        title: 'Could not perform login.',
+        toastMessage: 'Oh no!',
+      });
+
+      expectPageMode(wrapper, PageMode.Selector);
+      expect(findTestSubject(wrapper, 'loginHelpLink').text()).toEqual('Need help?');
+      expect(findTestSubject(wrapper, 'loginAssistanceMessage').text()).toEqual('Need assistance?');
+    });
+  });
 });