[Backport 2.x] SAML Integration Tests

.github/workflows/integration-test.yml

@@ -42,7 +42,7 @@ jobs:
           WORKDIR /opensearch/
           ENTRYPOINT /docker-host/os-ep.sh
           EOF
-          docker run -d -p 9200:9200 -p 9600:9600 -i opensearch-test:latest
+          docker run -d --network=host -i opensearch-test:latest
 
       - name: Checkout OpenSearch Dashboard
         uses: actions/checkout@v2
@@ -103,6 +103,7 @@ jobs:
         run: |
           cd ./OpenSearch-Dashboards
           yarn osd bootstrap
+          node scripts/build_opensearch_dashboards_platform_plugins.js
 
       - name: Run integration tests
         run: |

DEVELOPER_GUIDE.md

@@ -55,6 +55,7 @@ plugins.security.allow_default_init_securityindex: true
 plugins.security.authcz.admin_dn:
 - CN=kirk,OU=client,O=client,L=test, C=de
 
+plugins.security.unsupported.restapi.allow_securityconfig_modification: true
 plugins.security.audit.type: internal_opensearch
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.check_snapshot_restore_write_privileges: true
@@ -117,6 +118,8 @@ Next, go to the base directory and run `yarn osd bootstrap` to install any addit
 
 Now, from the base directory and run `yarn start`. This should start dashboard UI successfully. `Cmd+click` the url in the console output (It should look something like `http://0:5601/omf`). Once the page loads, you should be able to log in with user `admin` and password `admin`.
 
+To run selenium based integration tests, download and export the firefox web-driver to your PATH. Also, run `node scripts/build_opensearch_dashboards_platform_plugins.js` or `yarn start` before running the tests. This is essential to generate the bundles.  
+
 ## Submitting Changes
 
 See [CONTRIBUTING](CONTRIBUTING.md).

package.json

@@ -17,19 +17,23 @@
     "lint:es": "node ../../scripts/eslint",
     "lint:style": "node ../../scripts/stylelint",
     "lint": "yarn run lint:es && yarn run lint:style",
+    "pretest:jest_server": "node ./test/jest_integration/runIdpServer.js &",
     "test:jest_server": "node ./test/run_jest_tests.js --config ./test/jest.config.server.js",
     "test:jest_ui": "node ./test/run_jest_tests.js --config ./test/jest.config.ui.js"
   },
   "devDependencies": {
     "@elastic/eslint-import-resolver-kibana": "link:../../packages/osd-eslint-import-resolver-opensearch-dashboards",
-    "typescript": "4.0.2",
-    "gulp-rename": "2.0.0",
     "@testing-library/react-hooks": "^7.0.2",
-    "@types/hapi__wreck": "^15.0.1"
+    "@types/hapi__wreck": "^15.0.1",
+    "gulp-rename": "2.0.0",
+    "saml-idp": "^1.2.1",
+    "selenium-webdriver": "^4.0.0-alpha.7",
+    "selfsigned": "^2.0.1",
+    "typescript": "4.0.2"
   },
   "dependencies": {
-    "@hapi/wreck": "^17.1.0",
     "@hapi/cryptiles": "5.0.0",
+    "@hapi/wreck": "^17.1.0",
     "html-entities": "1.3.1"
   }
 }

public/apps/account/account-nav-button.tsx

@@ -93,7 +93,11 @@ export function AccountNavButton(props: {
           <EuiListGroupItem
             color="subdued"
             key="tenant"
-            label={<EuiText size="xs">{resolveTenantName(props.tenant || '', username)}</EuiText>}
+            label={
+              <EuiText size="xs" id="tenantName">
+                {resolveTenantName(props.tenant || '', username)}
+              </EuiText>
+            }
           />
         </EuiFlexItem>
       </EuiFlexGroup>
@@ -140,7 +144,7 @@ export function AccountNavButton(props: {
     </div>
   );
   return (
-    <EuiHeaderSectionItemButton>
+    <EuiHeaderSectionItemButton id="user-icon-btn">
       <EuiPopover
         data-test-subj="account-popover"
         id="actionsMenu"

public/apps/account/test/__snapshots__/account-nav-button.test.tsx.snap

@@ -1,7 +1,9 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
 exports[`Account navigation button renders 1`] = `
-<EuiHeaderSectionItemButton>
+<EuiHeaderSectionItemButton
+  id="user-icon-btn"
+>
   <EuiPopover
     anchorPosition="downCenter"
     button={
@@ -63,6 +65,7 @@ exports[`Account navigation button renders 1`] = `
               key="tenant"
               label={
                 <EuiText
+                  id="tenantName"
                   size="xs"
                 >
                   tenant1

server/auth/types/saml/saml_auth.ts

@@ -97,6 +97,7 @@ export class SamlAuthentication extends AuthenticationType {
     };
   }
 
+  // Can be improved to check if the token is expiring.
   async isValidCookie(cookie: SecuritySessionCookie): Promise<boolean> {
     return (
       cookie.authType === this.type &&

server/backend/opensearch_security_client.ts

@@ -157,6 +157,7 @@ export class SecurityClient {
       //     location="https://<your-auth-domain.com>/api/saml2/v1/sso?SAMLRequest=<some-encoded-string>"
       //     requestId="<request_id>"
       //   '
+
       if (!error.wwwAuthenticateDirective) {
         throw error;
       }

test/helper/cookie.ts

@@ -20,7 +20,7 @@ import { AUTHORIZATION_HEADER_NAME } from '../constant';
 
 export function extractAuthCookie(response: Response) {
   const setCookieHeaders = response.header['set-cookie'] as string[];
-  let securityAuthCookie: string;
+  let securityAuthCookie: string | null = null;
   for (const setCookie of setCookieHeaders) {
     if (setCookie.startsWith('security_authentication=')) {
       securityAuthCookie = setCookie.split(';')[0];

test/jest_integration/runIdpServer.js

@@ -0,0 +1,32 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+const { runServer } = require('saml-idp');
+
+const { generate } = require('selfsigned');
+
+const pems = generate(null, {
+  keySize: 2048,
+  clientCertificateCN: '/C=US/ST=California/L=San Francisco/O=JankyCo/CN=Test Identity Provider',
+  days: 7300,
+});
+
+// Create certificate pair on the fly and pass it to runServer
+runServer({
+  acsUrl: 'http://localhost:5601/_opendistro/_security/saml/acs',
+  audience: 'https://localhost:9200',
+  cert: pems.cert,
+  key: pems.private.toString().replace(/\r\n/, '\n'),
+});