-
Notifications
You must be signed in to change notification settings - Fork 163
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add JWT authentication type to MultipleAuthentication (#2107)
* Add JWT authentication type to MultipleAuthentication Signed-off-by: merlinz01 <[email protected]> * clarify comments in AuthenticationType.authHandler Signed-off-by: merlinz01 <[email protected]> * collect additional auth headers from all multi-auth handlers Signed-off-by: merlinz01 <[email protected]> * implement MultipleAuthentication.getCookie Signed-off-by: merlinz01 <[email protected]> * Add test for multiauth with JWT Signed-off-by: merlinz01 <[email protected]> * add explanatory comments in login page Signed-off-by: merlinz01 <[email protected]> * remove logging of JWT in test Signed-off-by: merlinz01 <[email protected]> * add check for empty auth options list in login page Signed-off-by: merlinz01 <[email protected]> * Add comments about getCookie method Signed-off-by: merlinz01 <[email protected]> * remove unneeded comment Signed-off-by: merlinz01 <[email protected]> * Don't load sample data in JWT multiauth test Signed-off-by: merlinz01 <[email protected]> * remove sample data code and unneeded promise handling Signed-off-by: merlinz01 <[email protected]> * update test for missing JWT Signed-off-by: merlinz01 <[email protected]> * ensure JWT signing key consistency Signed-off-by: merlinz01 <[email protected]> --------- Signed-off-by: merlinz01 <[email protected]> Co-authored-by: Derek Ho <[email protected]> (cherry picked from commit 252d8fb) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
- Loading branch information
1 parent
a40fe21
commit e0df82b
Showing
5 changed files
with
240 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,181 @@ | ||
/* | ||
* Copyright OpenSearch Contributors | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"). | ||
* You may not use this file except in compliance with the License. | ||
* A copy of the License is located at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* or in the "license" file accompanying this file. This file is distributed | ||
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either | ||
* express or implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import * as osdTestServer from '../../../../src/core/test_helpers/osd_server'; | ||
import { Root } from '../../../../src/core/server/root'; | ||
import { resolve } from 'path'; | ||
import { describe, it, beforeAll, afterAll } from '@jest/globals'; | ||
import { | ||
ADMIN_CREDENTIALS, | ||
OPENSEARCH_DASHBOARDS_SERVER_USER, | ||
OPENSEARCH_DASHBOARDS_SERVER_PASSWORD, | ||
ADMIN_USER, | ||
JWT_ADMIN_ROLE, | ||
JWT_SIGNING_KEY, | ||
} from '../constant'; | ||
import wreck from '@hapi/wreck'; | ||
import { SignJWT } from 'jose'; | ||
|
||
describe('start OpenSearch Dashboards server', () => { | ||
let root: Root; | ||
let config; | ||
|
||
beforeAll(async () => { | ||
root = osdTestServer.createRootWithSettings( | ||
{ | ||
plugins: { | ||
scanDirs: [resolve(__dirname, '../..')], | ||
}, | ||
home: { disableWelcomeScreen: true }, | ||
server: { | ||
host: 'localhost', | ||
port: 5601, | ||
}, | ||
logging: { | ||
silent: true, | ||
verbose: false, | ||
}, | ||
opensearch: { | ||
hosts: ['https://localhost:9200'], | ||
ignoreVersionMismatch: true, | ||
ssl: { verificationMode: 'none' }, | ||
username: OPENSEARCH_DASHBOARDS_SERVER_USER, | ||
password: OPENSEARCH_DASHBOARDS_SERVER_PASSWORD, | ||
requestHeadersAllowlist: ['securitytenant', 'Authorization'], | ||
}, | ||
opensearch_security: { | ||
auth: { | ||
anonymous_auth_enabled: false, | ||
type: ['basicauth', 'jwt'], | ||
multiple_auth_enabled: true, | ||
}, | ||
jwt: { | ||
url_param: 'token', | ||
}, | ||
multitenancy: { | ||
enabled: true, | ||
tenants: { | ||
enable_global: true, | ||
enable_private: true, | ||
preferred: ['Private', 'Global'], | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
// to make ignoreVersionMismatch setting work | ||
// can be removed when we have corresponding ES version | ||
dev: true, | ||
} | ||
); | ||
|
||
console.log('Starting OpenSearchDashboards server..'); | ||
await root.setup(); | ||
await root.start(); | ||
|
||
const getConfigResponse = await wreck.get( | ||
'https://localhost:9200/_plugins/_security/api/securityconfig', | ||
{ | ||
rejectUnauthorized: false, | ||
headers: { | ||
authorization: ADMIN_CREDENTIALS, | ||
}, | ||
} | ||
); | ||
const responseBody = (getConfigResponse.payload as Buffer).toString(); | ||
config = JSON.parse(responseBody).config; | ||
const jwtConfig = { | ||
http_enabled: true, | ||
transport_enabled: true, | ||
order: 0, | ||
http_authenticator: { | ||
challenge: false, | ||
type: 'jwt', | ||
config: { | ||
signing_key: btoa(JWT_SIGNING_KEY), | ||
jwt_header: 'Authorization', | ||
jwt_url_parameter: 'token', | ||
jwt_clock_skew_tolerance_seconds: 30, | ||
roles_key: 'roles', | ||
subject_key: 'sub', | ||
}, | ||
}, | ||
authentication_backend: { | ||
type: 'noop', | ||
config: {}, | ||
}, | ||
}; | ||
try { | ||
config.dynamic!.authc!.jwt_auth_domain = jwtConfig; | ||
config.dynamic!.authc!.basic_internal_auth_domain.http_authenticator.challenge = true; | ||
config.dynamic!.http!.anonymous_auth_enabled = false; | ||
await wreck.put('https://localhost:9200/_plugins/_security/api/securityconfig/config', { | ||
payload: config, | ||
rejectUnauthorized: false, | ||
headers: { | ||
'Content-Type': 'application/json', | ||
authorization: ADMIN_CREDENTIALS, | ||
}, | ||
}); | ||
} catch (error) { | ||
console.log('Got an error while updating security config!', error.stack); | ||
fail(error); | ||
} | ||
}); | ||
|
||
afterAll(async () => { | ||
console.log('Remove the Security Config'); | ||
await wreck.patch('https://localhost:9200/_plugins/_security/api/securityconfig', { | ||
payload: [ | ||
{ | ||
op: 'remove', | ||
path: '/config/dynamic/authc/jwt_auth_domain', | ||
}, | ||
], | ||
rejectUnauthorized: false, | ||
headers: { | ||
'Content-Type': 'application/json', | ||
authorization: ADMIN_CREDENTIALS, | ||
}, | ||
}); | ||
// shutdown OpenSearchDashboards server | ||
await root.shutdown(); | ||
}); | ||
|
||
it('Verify JWT access to dashboards', async () => { | ||
console.log('Wreck access home page'); | ||
const adminJWT = await new SignJWT({ | ||
roles: [JWT_ADMIN_ROLE], | ||
sub: ADMIN_USER, | ||
}) | ||
.setProtectedHeader({ alg: 'HS256' }) | ||
.sign(new TextEncoder().encode(JWT_SIGNING_KEY)); | ||
await wreck.get(`http://localhost:5601/app/home?token=${adminJWT}#`, { | ||
rejectUnauthorized: true, | ||
headers: { | ||
'Content-Type': 'application/json', | ||
}, | ||
}); | ||
}); | ||
|
||
it('Verify access to login page without JWT', async () => { | ||
console.log('Wreck access login page without JWT'); | ||
const response = await wreck.get('http://localhost:5601/app/home', { | ||
rejectUnauthorized: true, | ||
}); | ||
expect(response.res.statusCode).toEqual(302); | ||
expect(response.res.headers.location).toEqual('/app/login?nextUrl=%2Fapp%2Fhome'); | ||
}); | ||
}); |