From 84e9a4c8af7ad3699a3ff61959a38d6f259119a9 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 24 Mar 2021 07:04:47 -0400 Subject: [PATCH] Expose session invalidation API. (#92376) (#95274) Co-authored-by: Aleh Zasypkin --- docs/api/session-management.asciidoc | 9 + .../session-management/invalidate.asciidoc | 114 ++++++ docs/user/api.asciidoc | 1 + .../security/authentication/index.asciidoc | 8 + .../user/security/session-management.asciidoc | 2 + .../authentication/authenticator.test.ts | 50 +-- .../server/authentication/authenticator.ts | 22 +- .../server/routes/session_management/index.ts | 2 + .../session_management/invalidate.test.ts | 155 ++++++++ .../routes/session_management/invalidate.ts | 49 +++ .../server/session_management/session.mock.ts | 2 +- .../server/session_management/session.test.ts | 115 ++++-- .../server/session_management/session.ts | 93 +++-- .../session_management/session_index.mock.ts | 2 +- .../session_management/session_index.test.ts | 140 ++++++- .../session_management/session_index.ts | 70 +++- x-pack/scripts/functional_tests.js | 1 + .../session_invalidate.config.ts | 55 +++ .../tests/session_invalidate/index.ts | 16 + .../tests/session_invalidate/invalidate.ts | 350 ++++++++++++++++++ 20 files changed, 1163 insertions(+), 93 deletions(-) create mode 100644 docs/api/session-management.asciidoc create mode 100644 docs/api/session-management/invalidate.asciidoc create mode 100644 x-pack/plugins/security/server/routes/session_management/invalidate.test.ts create mode 100644 x-pack/plugins/security/server/routes/session_management/invalidate.ts create mode 100644 x-pack/test/security_api_integration/session_invalidate.config.ts create mode 100644 x-pack/test/security_api_integration/tests/session_invalidate/index.ts create mode 100644 x-pack/test/security_api_integration/tests/session_invalidate/invalidate.ts diff --git a/docs/api/session-management.asciidoc b/docs/api/session-management.asciidoc new file mode 100644 index 0000000000000..7ac8b9dddcdbb --- /dev/null +++ b/docs/api/session-management.asciidoc @@ -0,0 +1,9 @@ +[role="xpack"] +[[session-management-api]] +== User session management APIs + +The following <> management APIs are available: + +* <> to invalidate user sessions + +include::session-management/invalidate.asciidoc[] diff --git a/docs/api/session-management/invalidate.asciidoc b/docs/api/session-management/invalidate.asciidoc new file mode 100644 index 0000000000000..c3dced17e72b7 --- /dev/null +++ b/docs/api/session-management/invalidate.asciidoc @@ -0,0 +1,114 @@ +[[session-management-api-invalidate]] +=== Invalidate user sessions API +++++ +Invalidate user sessions +++++ + +experimental[] Invalidates user sessions that match provided query. + +[[session-management-api-invalidate-prereqs]] +==== Prerequisite + +To use the invalidate user sessions API, you must be a `superuser`. + +[[session-management-api-invalidate-request]] +==== Request + +`POST :/api/security/session/_invalidate` + +[role="child_attributes"] +[[session-management-api-invalidate-request-body]] +==== Request body + +`match`:: +(Required, string) Specifies how {kib} determines which sessions to invalidate. Can either be `all` to invalidate all existing sessions, or `query` to only invalidate sessions that match the query specified in the additional `query` parameter. + +`query`:: +(Optional, object) Specifies the query that {kib} uses to match the sessions to invalidate when the `match` parameter is set to `query`. You cannot use this parameter if `match` is set to `all`. ++ +.Properties of `query` +[%collapsible%open] +===== +`provider` ::: +(Required, object) Describes the <> for which to invalidate sessions. + +`type` :::: +(Required, string) The authentication provider `type`. + +`name` :::: +(Optional, string) The authentication provider `name`. + +`username` ::: +(Optional, string) The username for which to invalidate sessions. +===== + +[[session-management-api-invalidate-response-body]] +==== Response body + +`total`:: +(number) The number of successfully invalidated sessions. + +[[session-management-api-invalidate-response-codes]] +==== Response codes + +`200`:: + Indicates a successful call. + +`403`:: + Indicates that the user may not be authorized to invalidate sessions for other users. Refer to <>. + +==== Examples + +Invalidate all existing sessions: + +[source,sh] +-------------------------------------------------- +$ curl -X POST api/security/session/_invalidate +{ + "match" : "all" +} +-------------------------------------------------- +// KIBANA + +Invalidate sessions that were created by any <>: + +[source,sh] +-------------------------------------------------- +$ curl -X POST api/security/session/_invalidate +{ + "match" : "query", + "query": { + "provider" : { "type": "saml" } + } +} +-------------------------------------------------- +// KIBANA + +Invalidate sessions that were created by the <> with the name `saml1`: + +[source,sh] +-------------------------------------------------- +$ curl -X POST api/security/session/_invalidate +{ + "match" : "query", + "query": { + "provider" : { "type": "saml", "name": "saml1" } + } +} +-------------------------------------------------- +// KIBANA + +Invalidate sessions that were created by any <> for the user with the username `user@my-oidc-sso.com`: + +[source,sh] +-------------------------------------------------- +$ curl -X POST api/security/session/_invalidate +{ + "match" : "query", + "query": { + "provider" : { "type": "oidc" }, + "username": "user@my-oidc-sso.com" + } +} +-------------------------------------------------- +// KIBANA diff --git a/docs/user/api.asciidoc b/docs/user/api.asciidoc index 459dbbdd34b27..c41f3d8a829e4 100644 --- a/docs/user/api.asciidoc +++ b/docs/user/api.asciidoc @@ -97,6 +97,7 @@ curl -X POST \ include::{kib-repo-dir}/api/features.asciidoc[] include::{kib-repo-dir}/api/spaces-management.asciidoc[] include::{kib-repo-dir}/api/role-management.asciidoc[] +include::{kib-repo-dir}/api/session-management.asciidoc[] include::{kib-repo-dir}/api/saved-objects.asciidoc[] include::{kib-repo-dir}/api/alerts.asciidoc[] include::{kib-repo-dir}/api/actions-and-connectors.asciidoc[] diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index c426a5a90e084..f82f9a92298a6 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -400,6 +400,14 @@ To make this iframe leverage anonymous access automatically, you will need to mo Note that `auth_provider_hint` query string parameter goes *before* the hash URL fragment. +[float] +[[anonymous-access-session]] +===== Anonymous access session + +{kib} maintains a separate <> for every anonymous user, as it does for all other authentication mechanisms. + +You can configure <> and <> for anonymous sessions the same as you do for any other session with the exception that idle timeout is explicitly disabled for anonymous sessions by default. The global <> setting doesn't affect anonymous sessions. To change the idle timeout for anonymous sessions, you must configure the provider-level <.session.idleTimeout`>> setting. + [[http-authentication]] ==== HTTP authentication diff --git a/docs/user/security/session-management.asciidoc b/docs/user/security/session-management.asciidoc index 0df5b3b31a203..ac7a777eb0580 100644 --- a/docs/user/security/session-management.asciidoc +++ b/docs/user/security/session-management.asciidoc @@ -6,6 +6,8 @@ When you log in, {kib} creates a session that is used to authenticate subsequent When your session expires, or you log out, {kib} will invalidate your cookie and remove session information from the index. {kib} also periodically invalidates and removes any expired sessions that weren't explicitly invalidated. +To manage user sessions programmatically, {kib} exposes <>. + [[session-idle-timeout]] ==== Session idle timeout diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts index e96d51a7a2e91..8a37b5080a64a 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.test.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts @@ -586,8 +586,8 @@ describe('Authenticator', () => { expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalledWith(request); + expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); }); it('clears session if provider asked to do so in `succeeded` result.', async () => { @@ -606,8 +606,8 @@ describe('Authenticator', () => { expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalledWith(request); + expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); }); it('clears session if provider asked to do so in `redirected` result.', async () => { @@ -625,8 +625,8 @@ describe('Authenticator', () => { expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalledWith(request); + expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); }); describe('with Access Agreement', () => { @@ -1192,7 +1192,7 @@ describe('Authenticator', () => { expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('extends session for non-system API calls.', async () => { @@ -1214,7 +1214,7 @@ describe('Authenticator', () => { expect(mockOptions.session.extend).toHaveBeenCalledWith(request, mockSessVal); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('does not touch session for system API calls if authentication fails with non-401 reason.', async () => { @@ -1235,7 +1235,7 @@ describe('Authenticator', () => { expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('does not touch session for non-system API calls if authentication fails with non-401 reason.', async () => { @@ -1256,7 +1256,7 @@ describe('Authenticator', () => { expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('replaces existing session with the one returned by authentication provider for system API requests', async () => { @@ -1282,7 +1282,7 @@ describe('Authenticator', () => { }); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('replaces existing session with the one returned by authentication provider for non-system API requests', async () => { @@ -1308,7 +1308,7 @@ describe('Authenticator', () => { }); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('clears session if provider failed to authenticate system API request with 401 with active session.', async () => { @@ -1325,8 +1325,8 @@ describe('Authenticator', () => { AuthenticationResult.failed(Boom.unauthorized()) ); - expect(mockOptions.session.clear).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalledWith(request); + expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); @@ -1346,8 +1346,8 @@ describe('Authenticator', () => { AuthenticationResult.failed(Boom.unauthorized()) ); - expect(mockOptions.session.clear).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalledWith(request); + expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); @@ -1365,8 +1365,8 @@ describe('Authenticator', () => { AuthenticationResult.redirectTo('some-url', { state: null }) ); - expect(mockOptions.session.clear).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalledWith(request); + expect(mockOptions.session.invalidate).toHaveBeenCalledTimes(1); + expect(mockOptions.session.invalidate).toHaveBeenCalledWith(request, { match: 'current' }); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); @@ -1383,7 +1383,7 @@ describe('Authenticator', () => { AuthenticationResult.notHandled() ); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); @@ -1400,7 +1400,7 @@ describe('Authenticator', () => { AuthenticationResult.notHandled() ); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); expect(mockOptions.session.create).not.toHaveBeenCalled(); expect(mockOptions.session.update).not.toHaveBeenCalled(); expect(mockOptions.session.extend).not.toHaveBeenCalled(); @@ -1790,7 +1790,7 @@ describe('Authenticator', () => { DeauthenticationResult.notHandled() ); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('clears session and returns whatever authentication provider returns.', async () => { @@ -1805,7 +1805,7 @@ describe('Authenticator', () => { ); expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); - expect(mockOptions.session.clear).toHaveBeenCalled(); + expect(mockOptions.session.invalidate).toHaveBeenCalled(); }); it('if session does not exist but provider name is valid, returns whatever authentication provider returns.', async () => { @@ -1824,7 +1824,7 @@ describe('Authenticator', () => { expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledWith(request, null); - expect(mockOptions.session.clear).toHaveBeenCalled(); + expect(mockOptions.session.invalidate).toHaveBeenCalled(); }); it('if session does not exist and provider name is not available, returns whatever authentication provider returns.', async () => { @@ -1841,7 +1841,7 @@ describe('Authenticator', () => { expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledTimes(1); expect(mockBasicAuthenticationProvider.logout).toHaveBeenCalledWith(request); - expect(mockOptions.session.clear).not.toHaveBeenCalled(); + expect(mockOptions.session.invalidate).not.toHaveBeenCalled(); }); it('returns `notHandled` if session does not exist and provider name is invalid', async () => { @@ -1853,7 +1853,7 @@ describe('Authenticator', () => { ); expect(mockBasicAuthenticationProvider.logout).not.toHaveBeenCalled(); - expect(mockOptions.session.clear).toHaveBeenCalled(); + expect(mockOptions.session.invalidate).toHaveBeenCalled(); }); }); diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts index 6c9f4a6f53319..a9bbc66a7e52c 100644 --- a/x-pack/plugins/security/server/authentication/authenticator.ts +++ b/x-pack/plugins/security/server/authentication/authenticator.ts @@ -398,7 +398,7 @@ export class Authenticator { sessionValue?.provider.name ?? request.url.searchParams.get(LOGOUT_PROVIDER_QUERY_STRING_PARAMETER); if (suggestedProviderName) { - await this.session.clear(request); + await this.invalidateSessionValue(request); // Provider name may be passed in a query param and sourced from the browser's local storage; // hence, we can't assume that this provider exists, so we have to check it. @@ -524,7 +524,7 @@ export class Authenticator { this.logger.warn( `Attempted to retrieve session for the "${existingSessionValue.provider.type}/${existingSessionValue.provider.name}" provider, but it is not configured.` ); - await this.session.clear(request); + await this.invalidateSessionValue(request); return null; } @@ -558,7 +558,7 @@ export class Authenticator { // attempt didn't fail. if (authenticationResult.shouldClearState()) { this.logger.debug('Authentication provider requested to invalidate existing session.'); - await this.session.clear(request); + await this.invalidateSessionValue(request); return null; } @@ -572,7 +572,7 @@ export class Authenticator { if (authenticationResult.failed()) { if (ownsSession && getErrorStatusCode(authenticationResult.error) === 401) { this.logger.debug('Authentication attempt failed, existing session will be invalidated.'); - await this.session.clear(request); + await this.invalidateSessionValue(request); } return null; } @@ -610,17 +610,17 @@ export class Authenticator { this.logger.debug( 'Authentication provider has changed, existing session will be invalidated.' ); - await this.session.clear(request); + await this.invalidateSessionValue(request); existingSessionValue = null; } else if (sessionHasBeenAuthenticated) { this.logger.debug( 'Session is authenticated, existing unauthenticated session will be invalidated.' ); - await this.session.clear(request); + await this.invalidateSessionValue(request); existingSessionValue = null; } else if (usernameHasChanged) { this.logger.debug('Username has changed, existing session will be invalidated.'); - await this.session.clear(request); + await this.invalidateSessionValue(request); existingSessionValue = null; } @@ -653,6 +653,14 @@ export class Authenticator { }; } + /** + * Invalidates session value associated with the specified request. + * @param request Request instance. + */ + private async invalidateSessionValue(request: KibanaRequest) { + await this.session.invalidate(request, { match: 'current' }); + } + /** * Checks whether request should be redirected to the Login Selector UI. * @param request Request instance. diff --git a/x-pack/plugins/security/server/routes/session_management/index.ts b/x-pack/plugins/security/server/routes/session_management/index.ts index 1348179386ce0..16cda7b7b409d 100644 --- a/x-pack/plugins/security/server/routes/session_management/index.ts +++ b/x-pack/plugins/security/server/routes/session_management/index.ts @@ -8,8 +8,10 @@ import type { RouteDefinitionParams } from '../'; import { defineSessionExtendRoutes } from './extend'; import { defineSessionInfoRoutes } from './info'; +import { defineInvalidateSessionsRoutes } from './invalidate'; export function defineSessionManagementRoutes(params: RouteDefinitionParams) { defineSessionInfoRoutes(params); defineSessionExtendRoutes(params); + defineInvalidateSessionsRoutes(params); } diff --git a/x-pack/plugins/security/server/routes/session_management/invalidate.test.ts b/x-pack/plugins/security/server/routes/session_management/invalidate.test.ts new file mode 100644 index 0000000000000..215a66a3364e5 --- /dev/null +++ b/x-pack/plugins/security/server/routes/session_management/invalidate.test.ts @@ -0,0 +1,155 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { ObjectType } from '@kbn/config-schema'; +import type { PublicMethodsOf } from '@kbn/utility-types'; + +import type { RequestHandler, RouteConfig } from '../../../../../../src/core/server'; +import { kibanaResponseFactory } from '../../../../../../src/core/server'; +import { httpServerMock } from '../../../../../../src/core/server/mocks'; +import type { Session } from '../../session_management'; +import { sessionMock } from '../../session_management/session.mock'; +import type { SecurityRequestHandlerContext, SecurityRouter } from '../../types'; +import { routeDefinitionParamsMock } from '../index.mock'; +import { defineInvalidateSessionsRoutes } from './invalidate'; + +describe('Invalidate sessions routes', () => { + let router: jest.Mocked; + let session: jest.Mocked>; + beforeEach(() => { + const routeParamsMock = routeDefinitionParamsMock.create(); + router = routeParamsMock.router; + + session = sessionMock.create(); + routeParamsMock.getSession.mockReturnValue(session); + + defineInvalidateSessionsRoutes(routeParamsMock); + }); + + describe('invalidate sessions', () => { + let routeHandler: RequestHandler; + let routeConfig: RouteConfig; + beforeEach(() => { + const [extendRouteConfig, extendRouteHandler] = router.post.mock.calls.find( + ([{ path }]) => path === '/api/security/session/_invalidate' + )!; + + routeConfig = extendRouteConfig; + routeHandler = extendRouteHandler; + }); + + it('correctly defines route.', () => { + expect(routeConfig.options).toEqual({ tags: ['access:sessionManagement'] }); + + const bodySchema = (routeConfig.validate as any).body as ObjectType; + expect(() => bodySchema.validate({})).toThrowErrorMatchingInlineSnapshot( + `"[match]: expected at least one defined value but got [undefined]"` + ); + expect(() => bodySchema.validate({ match: 'current' })).toThrowErrorMatchingInlineSnapshot(` + "[match]: types that failed validation: + - [match.0]: expected value to equal [all] + - [match.1]: expected value to equal [query]" + `); + expect(() => + bodySchema.validate({ match: 'all', query: { provider: { type: 'basic' } } }) + ).toThrowErrorMatchingInlineSnapshot(`"[query]: a value wasn't expected to be present"`); + expect(() => bodySchema.validate({ match: 'query' })).toThrowErrorMatchingInlineSnapshot( + `"[query.provider.type]: expected value of type [string] but got [undefined]"` + ); + expect(() => + bodySchema.validate({ match: 'query', query: { username: 'user' } }) + ).toThrowErrorMatchingInlineSnapshot( + `"[query.provider.type]: expected value of type [string] but got [undefined]"` + ); + expect(() => + bodySchema.validate({ + match: 'query', + query: { provider: { name: 'basic1' }, username: 'user' }, + }) + ).toThrowErrorMatchingInlineSnapshot( + `"[query.provider.type]: expected value of type [string] but got [undefined]"` + ); + + expect(bodySchema.validate({ match: 'all' })).toEqual({ match: 'all' }); + expect( + bodySchema.validate({ match: 'query', query: { provider: { type: 'basic' } } }) + ).toEqual({ + match: 'query', + query: { provider: { type: 'basic' } }, + }); + expect( + bodySchema.validate({ + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' } }, + }) + ).toEqual({ match: 'query', query: { provider: { type: 'basic', name: 'basic1' } } }); + expect( + bodySchema.validate({ + match: 'query', + query: { provider: { type: 'basic' }, username: 'user' }, + }) + ).toEqual({ match: 'query', query: { provider: { type: 'basic' }, username: 'user' } }); + expect( + bodySchema.validate({ + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' }, username: 'user' }, + }) + ).toEqual({ + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' }, username: 'user' }, + }); + }); + + it('properly constructs `query` match filter.', async () => { + session.invalidate.mockResolvedValue(30); + + const mockRequest = httpServerMock.createKibanaRequest({ + body: { + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' }, username: 'user' }, + }, + }); + await expect( + routeHandler( + ({} as unknown) as SecurityRequestHandlerContext, + mockRequest, + kibanaResponseFactory + ) + ).resolves.toEqual({ + status: 200, + options: { body: { total: 30 } }, + payload: { total: 30 }, + }); + + expect(session.invalidate).toHaveBeenCalledTimes(1); + expect(session.invalidate).toHaveBeenCalledWith(mockRequest, { + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' }, username: 'user' }, + }); + }); + + it('properly constructs `all` match filter.', async () => { + session.invalidate.mockResolvedValue(30); + + const mockRequest = httpServerMock.createKibanaRequest({ body: { match: 'all' } }); + await expect( + routeHandler( + ({} as unknown) as SecurityRequestHandlerContext, + mockRequest, + kibanaResponseFactory + ) + ).resolves.toEqual({ + status: 200, + options: { body: { total: 30 } }, + payload: { total: 30 }, + }); + + expect(session.invalidate).toHaveBeenCalledTimes(1); + expect(session.invalidate).toHaveBeenCalledWith(mockRequest, { match: 'all' }); + }); + }); +}); diff --git a/x-pack/plugins/security/server/routes/session_management/invalidate.ts b/x-pack/plugins/security/server/routes/session_management/invalidate.ts new file mode 100644 index 0000000000000..3416be3dd2965 --- /dev/null +++ b/x-pack/plugins/security/server/routes/session_management/invalidate.ts @@ -0,0 +1,49 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { schema } from '@kbn/config-schema'; + +import type { RouteDefinitionParams } from '..'; + +/** + * Defines routes required for session invalidation. + */ +export function defineInvalidateSessionsRoutes({ router, getSession }: RouteDefinitionParams) { + router.post( + { + path: '/api/security/session/_invalidate', + validate: { + body: schema.object({ + match: schema.oneOf([schema.literal('all'), schema.literal('query')]), + query: schema.conditional( + schema.siblingRef('match'), + schema.literal('query'), + schema.object({ + provider: schema.object({ + type: schema.string(), + name: schema.maybe(schema.string()), + }), + username: schema.maybe(schema.string()), + }), + schema.never() + ), + }), + }, + options: { tags: ['access:sessionManagement'] }, + }, + async (_context, request, response) => { + return response.ok({ + body: { + total: await getSession().invalidate(request, { + match: request.body.match, + query: request.body.query, + }), + }, + }); + } + ); +} diff --git a/x-pack/plugins/security/server/session_management/session.mock.ts b/x-pack/plugins/security/server/session_management/session.mock.ts index dfe1293f57e92..65ae43e5fa705 100644 --- a/x-pack/plugins/security/server/session_management/session.mock.ts +++ b/x-pack/plugins/security/server/session_management/session.mock.ts @@ -18,7 +18,7 @@ export const sessionMock = { create: jest.fn(), update: jest.fn(), extend: jest.fn(), - clear: jest.fn(), + invalidate: jest.fn(), }), createValue: (sessionValue: Partial = {}): SessionValue => ({ diff --git a/x-pack/plugins/security/server/session_management/session.test.ts b/x-pack/plugins/security/server/session_management/session.test.ts index bd94c9483d561..dfe6ba343ca3c 100644 --- a/x-pack/plugins/security/server/session_management/session.test.ts +++ b/x-pack/plugins/security/server/session_management/session.test.ts @@ -103,7 +103,7 @@ describe('Session', () => { await expect(session.get(httpServerMock.createKibanaRequest())).resolves.toBeNull(); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); - expect(mockSessionIndex.clear).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); }); it('clears session value if session is expired because of lifespan', async () => { @@ -122,7 +122,7 @@ describe('Session', () => { await expect(session.get(httpServerMock.createKibanaRequest())).resolves.toBeNull(); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); - expect(mockSessionIndex.clear).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); }); it('clears session value if session cookie does not have corresponding session index value', async () => { @@ -151,7 +151,7 @@ describe('Session', () => { await expect(session.get(httpServerMock.createKibanaRequest())).resolves.toBeNull(); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); - expect(mockSessionIndex.clear).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); }); it('clears session value if session index value content cannot be decrypted because of wrong AAD', async () => { @@ -170,7 +170,7 @@ describe('Session', () => { await expect(session.get(httpServerMock.createKibanaRequest())).resolves.toBeNull(); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); - expect(mockSessionIndex.clear).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); }); it('returns session value with decrypted content', async () => { @@ -199,7 +199,7 @@ describe('Session', () => { username: 'some-user', }); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); }); }); @@ -279,7 +279,7 @@ describe('Session', () => { const mockRequest = httpServerMock.createKibanaRequest(); await expect(session.update(mockRequest, sessionMock.createValue())).resolves.toBeNull(); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); expect(mockSessionCookie.clear).toHaveBeenCalledWith(mockRequest); }); @@ -432,7 +432,7 @@ describe('Session', () => { }) ); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); } @@ -485,7 +485,7 @@ describe('Session', () => { ); expect(mockSessionIndex.update).not.toHaveBeenCalled(); expect(mockSessionCookie.set).not.toHaveBeenCalled(); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); }); @@ -563,7 +563,7 @@ describe('Session', () => { mockRequest, expect.objectContaining({ idleTimeoutExpiration: expectedNewExpiration }) ); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); }); @@ -582,7 +582,7 @@ describe('Session', () => { ) ).resolves.toBeNull(); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); expect(mockSessionCookie.clear).toHaveBeenCalledWith(mockRequest); }); @@ -625,7 +625,7 @@ describe('Session', () => { mockRequest, expect.objectContaining({ idleTimeoutExpiration: expectedNewExpiration }) ); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); }); @@ -653,7 +653,7 @@ describe('Session', () => { mockRequest, expect.objectContaining({ idleTimeoutExpiration: expectedNewExpiration }) ); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); }); @@ -696,7 +696,7 @@ describe('Session', () => { mockRequest, expect.objectContaining({ idleTimeoutExpiration: expectedNewExpiration }) ); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); }); }); @@ -764,7 +764,7 @@ describe('Session', () => { ); } - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); } @@ -786,27 +786,98 @@ describe('Session', () => { }); }); - describe('#clear', () => { - it('does not clear anything if session does not exist', async () => { + describe('#invalidate', () => { + beforeEach(() => { + mockSessionCookie.get.mockResolvedValue(sessionCookieMock.createValue()); + mockSessionIndex.invalidate.mockResolvedValue(10); + }); + + it('[match=current] does not clear anything if session does not exist', async () => { mockSessionCookie.get.mockResolvedValue(null); - await session.clear(httpServerMock.createKibanaRequest()); + await session.invalidate(httpServerMock.createKibanaRequest(), { match: 'current' }); - expect(mockSessionIndex.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).not.toHaveBeenCalled(); expect(mockSessionCookie.clear).not.toHaveBeenCalled(); }); - it('clears both session cookie and session index', async () => { + it('[match=current] clears both session cookie and session index', async () => { mockSessionCookie.get.mockResolvedValue(sessionCookieMock.createValue()); const mockRequest = httpServerMock.createKibanaRequest(); - await session.clear(mockRequest); + await session.invalidate(mockRequest, { match: 'current' }); - expect(mockSessionIndex.clear).toHaveBeenCalledTimes(1); - expect(mockSessionIndex.clear).toHaveBeenCalledWith('some-long-sid'); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledWith({ + match: 'sid', + sid: 'some-long-sid', + }); expect(mockSessionCookie.clear).toHaveBeenCalledTimes(1); expect(mockSessionCookie.clear).toHaveBeenCalledWith(mockRequest); }); + + it('[match=all] clears all sessions even if current initiator request does not have a session', async () => { + mockSessionCookie.get.mockResolvedValue(null); + + await expect( + session.invalidate(httpServerMock.createKibanaRequest(), { match: 'all' }) + ).resolves.toBe(10); + + expect(mockSessionCookie.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledWith({ match: 'all' }); + }); + + it('[match=query] properly forwards filter with the provider type to the session index', async () => { + await expect( + session.invalidate(httpServerMock.createKibanaRequest(), { + match: 'query', + query: { provider: { type: 'basic' } }, + }) + ).resolves.toBe(10); + + expect(mockSessionCookie.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledWith({ + match: 'query', + query: { provider: { type: 'basic' } }, + }); + }); + + it('[match=query] properly forwards filter with the provider type and provider name to the session index', async () => { + await expect( + session.invalidate(httpServerMock.createKibanaRequest(), { + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' } }, + }) + ).resolves.toBe(10); + + expect(mockSessionCookie.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledWith({ + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' } }, + }); + }); + + it('[match=query] properly forwards filter with the provider type, provider name, and username hash to the session index', async () => { + await expect( + session.invalidate(httpServerMock.createKibanaRequest(), { + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' }, username: 'elastic' }, + }) + ).resolves.toBe(10); + + expect(mockSessionCookie.clear).not.toHaveBeenCalled(); + expect(mockSessionIndex.invalidate).toHaveBeenCalledTimes(1); + expect(mockSessionIndex.invalidate).toHaveBeenCalledWith({ + match: 'query', + query: { + provider: { type: 'basic', name: 'basic1' }, + usernameHash: 'eb28536c8ead72bf81a0a9226e38fc9bad81f5e07c2081bb801b2a5c8842924e', + }, + }); + }); }); }); diff --git a/x-pack/plugins/security/server/session_management/session.ts b/x-pack/plugins/security/server/session_management/session.ts index 7fada4d1730cd..8d2b56b4d2b7a 100644 --- a/x-pack/plugins/security/server/session_management/session.ts +++ b/x-pack/plugins/security/server/session_management/session.ts @@ -79,6 +79,18 @@ export interface SessionValueContentToEncrypt { state: unknown; } +/** + * Filter provided for the `Session.invalidate` method that determines which session values should + * be invalidated. It can have three possible types: + * - `all` means that all existing active and inactive sessions should be invalidated. + * - `current` means that session associated with the current request should be invalidated. + * - `query` means that only sessions that match specified query should be invalidated. + */ +export type InvalidateSessionsFilter = + | { match: 'all' } + | { match: 'current' } + | { match: 'query'; query: { provider: { type: string; name?: string }; username?: string } }; + /** * The SIDs and AAD must be unpredictable to prevent guessing attacks, where an attacker is able to * guess or predict the ID of a valid session through statistical analysis techniques. That's why we @@ -133,7 +145,7 @@ export class Session { (sessionCookieValue.lifespanExpiration && sessionCookieValue.lifespanExpiration < now) ) { sessionLogger.debug('Session has expired and will be invalidated.'); - await this.clear(request); + await this.invalidate(request, { match: 'current' }); return null; } @@ -155,7 +167,7 @@ export class Session { sessionLogger.warn( `Unable to decrypt session content, session will be invalidated: ${err.message}` ); - await this.clear(request); + await this.invalidate(request, { match: 'current' }); return null; } @@ -194,7 +206,7 @@ export class Session { ...publicSessionValue, ...sessionExpirationInfo, sid, - usernameHash: username && createHash('sha3-256').update(username).digest('hex'), + usernameHash: username && Session.getUsernameHash(username), content: await this.crypto.encrypt(JSON.stringify({ username, state }), aad), }); @@ -230,7 +242,7 @@ export class Session { ...sessionValue.metadata.index, ...publicSessionInfo, ...sessionExpirationInfo, - usernameHash: username && createHash('sha3-256').update(username).digest('hex'), + usernameHash: username && Session.getUsernameHash(username), content: await this.crypto.encrypt( JSON.stringify({ username, state }), sessionCookieValue.aad @@ -358,24 +370,53 @@ export class Session { } /** - * Clears session value for the specified request. - * @param request Request instance to clear session value for. + * Invalidates sessions that match the specified filter. + * @param request Request instance initiated invalidation. + * @param filter Filter that narrows down the list of the sessions that should be invalidated. */ - async clear(request: KibanaRequest) { + async invalidate(request: KibanaRequest, filter: InvalidateSessionsFilter) { + // We don't require request to have the associated session, but nevertheless we still want to + // log the SID if session is available. const sessionCookieValue = await this.options.sessionCookie.get(request); - if (!sessionCookieValue) { - return; - } - - const sessionLogger = this.getLoggerForSID(sessionCookieValue.sid); - sessionLogger.debug('Invalidating session.'); + const sessionLogger = this.getLoggerForSID(sessionCookieValue?.sid); + + // We clear session cookie only when the current session should be invalidated since it's the + // only case when this action is explicitly and unequivocally requested. This behavior doesn't + // introduce any risk since even if the current session has been affected the session cookie + // will be automatically invalidated as soon as client attempts to re-use it due to missing + // underlying session index value. + let invalidateIndexValueFilter; + if (filter.match === 'current') { + if (!sessionCookieValue) { + return; + } - await Promise.all([ - this.options.sessionCookie.clear(request), - this.options.sessionIndex.clear(sessionCookieValue.sid), - ]); + sessionLogger.debug('Invalidating current session.'); + await this.options.sessionCookie.clear(request); + invalidateIndexValueFilter = { match: 'sid' as 'sid', sid: sessionCookieValue.sid }; + } else if (filter.match === 'all') { + sessionLogger.debug('Invalidating all sessions.'); + invalidateIndexValueFilter = filter; + } else { + sessionLogger.debug( + `Invalidating sessions that match query: ${JSON.stringify( + filter.query.username ? { ...filter.query, username: '[REDACTED]' } : filter.query + )}.` + ); + invalidateIndexValueFilter = filter.query.username + ? { + ...filter, + query: { + provider: filter.query.provider, + usernameHash: Session.getUsernameHash(filter.query.username), + }, + } + : filter; + } - sessionLogger.debug('Successfully invalidated session.'); + const invalidatedCount = await this.options.sessionIndex.invalidate(invalidateIndexValueFilter); + sessionLogger.debug(`Successfully invalidated ${invalidatedCount} session(s).`); + return invalidatedCount; } private calculateExpiry( @@ -414,9 +455,19 @@ export class Session { /** * Creates logger scoped to a specified session ID. - * @param sid Session ID to create logger for. + * @param [sid] Session ID to create logger for. + */ + private getLoggerForSID(sid?: string) { + return this.options.logger.get(sid?.slice(-10) ?? 'no_session'); + } + + /** + * Generates a sha3-256 hash for the specified `username`. The hash is intended to be stored in + * the session index to allow querying user specific sessions and don't expose the original + * `username` at the same time. + * @param username Username string to generate hash for. */ - private getLoggerForSID(sid: string) { - return this.options.logger.get(sid?.slice(-10)); + private static getUsernameHash(username: string) { + return createHash('sha3-256').update(username).digest('hex'); } } diff --git a/x-pack/plugins/security/server/session_management/session_index.mock.ts b/x-pack/plugins/security/server/session_management/session_index.mock.ts index 56049a3ae9205..9498b60d916a2 100644 --- a/x-pack/plugins/security/server/session_management/session_index.mock.ts +++ b/x-pack/plugins/security/server/session_management/session_index.mock.ts @@ -14,7 +14,7 @@ export const sessionIndexMock = { get: jest.fn(), create: jest.fn(), update: jest.fn(), - clear: jest.fn(), + invalidate: jest.fn(), initialize: jest.fn(), cleanUp: jest.fn(), }), diff --git a/x-pack/plugins/security/server/session_management/session_index.test.ts b/x-pack/plugins/security/server/session_management/session_index.test.ts index 2b3ec0adeb51e..b5b4f64438902 100644 --- a/x-pack/plugins/security/server/session_management/session_index.test.ts +++ b/x-pack/plugins/security/server/session_management/session_index.test.ts @@ -162,7 +162,7 @@ describe('Session index', () => { }); }); - describe('cleanUp', () => { + describe('#cleanUp', () => { const now = 123456; beforeEach(() => { mockElasticsearchClient.deleteByQuery.mockResolvedValue( @@ -797,18 +797,26 @@ describe('Session index', () => { }); }); - describe('#clear', () => { - it('throws if call to Elasticsearch fails', async () => { + describe('#invalidate', () => { + beforeEach(() => { + mockElasticsearchClient.deleteByQuery.mockResolvedValue( + securityMock.createApiResponse({ body: { deleted: 10 } }) + ); + }); + + it('[match=sid] throws if call to Elasticsearch fails', async () => { const failureReason = new errors.ResponseError( securityMock.createApiResponse(securityMock.createApiResponse({ body: { type: 'Uh oh.' } })) ); mockElasticsearchClient.delete.mockRejectedValue(failureReason); - await expect(sessionIndex.clear('some-long-sid')).rejects.toBe(failureReason); + await expect(sessionIndex.invalidate({ match: 'sid', sid: 'some-long-sid' })).rejects.toBe( + failureReason + ); }); - it('properly removes session value from the index', async () => { - await sessionIndex.clear('some-long-sid'); + it('[match=sid] properly removes session value from the index', async () => { + await sessionIndex.invalidate({ match: 'sid', sid: 'some-long-sid' }); expect(mockElasticsearchClient.delete).toHaveBeenCalledTimes(1); expect(mockElasticsearchClient.delete).toHaveBeenCalledWith( @@ -816,5 +824,125 @@ describe('Session index', () => { { ignore: [404] } ); }); + + it('[match=all] throws if call to Elasticsearch fails', async () => { + const failureReason = new errors.ResponseError( + securityMock.createApiResponse(securityMock.createApiResponse({ body: { type: 'Uh oh.' } })) + ); + mockElasticsearchClient.deleteByQuery.mockRejectedValue(failureReason); + + await expect(sessionIndex.invalidate({ match: 'all' })).rejects.toBe(failureReason); + }); + + it('[match=all] properly constructs query', async () => { + await expect(sessionIndex.invalidate({ match: 'all' })).resolves.toBe(10); + + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledTimes(1); + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledWith({ + index: indexName, + refresh: true, + body: { query: { match_all: {} } }, + }); + }); + + it('[match=query] throws if call to Elasticsearch fails', async () => { + const failureReason = new errors.ResponseError( + securityMock.createApiResponse(securityMock.createApiResponse({ body: { type: 'Uh oh.' } })) + ); + mockElasticsearchClient.deleteByQuery.mockRejectedValue(failureReason); + + await expect( + sessionIndex.invalidate({ match: 'query', query: { provider: { type: 'basic' } } }) + ).rejects.toBe(failureReason); + }); + + it('[match=query] when only provider type is specified', async () => { + await expect( + sessionIndex.invalidate({ match: 'query', query: { provider: { type: 'basic' } } }) + ).resolves.toBe(10); + + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledTimes(1); + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledWith({ + index: indexName, + refresh: true, + body: { query: { bool: { must: [{ term: { 'provider.type': 'basic' } }] } } }, + }); + }); + + it('[match=query] when both provider type and provider name are specified', async () => { + await expect( + sessionIndex.invalidate({ + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' } }, + }) + ).resolves.toBe(10); + + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledTimes(1); + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledWith({ + index: indexName, + refresh: true, + body: { + query: { + bool: { + must: [ + { term: { 'provider.type': 'basic' } }, + { term: { 'provider.name': 'basic1' } }, + ], + }, + }, + }, + }); + }); + + it('[match=query] when both provider type and username hash are specified', async () => { + await expect( + sessionIndex.invalidate({ + match: 'query', + query: { provider: { type: 'basic' }, usernameHash: 'some-hash' }, + }) + ).resolves.toBe(10); + + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledTimes(1); + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledWith({ + index: indexName, + refresh: true, + body: { + query: { + bool: { + must: [ + { term: { 'provider.type': 'basic' } }, + { term: { usernameHash: 'some-hash' } }, + ], + }, + }, + }, + }); + }); + + it('[match=query] when provider type, provider name, and username hash are specified', async () => { + await expect( + sessionIndex.invalidate({ + match: 'query', + query: { provider: { type: 'basic', name: 'basic1' }, usernameHash: 'some-hash' }, + }) + ).resolves.toBe(10); + + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledTimes(1); + expect(mockElasticsearchClient.deleteByQuery).toHaveBeenCalledWith({ + index: indexName, + refresh: true, + body: { + query: { + bool: { + must: [ + { term: { 'provider.type': 'basic' } }, + { term: { 'provider.name': 'basic1' } }, + { term: { usernameHash: 'some-hash' } }, + ], + }, + }, + }, + }); + }); }); }); diff --git a/x-pack/plugins/security/server/session_management/session_index.ts b/x-pack/plugins/security/server/session_management/session_index.ts index 828c8fa11acdd..1b5c820ec4710 100644 --- a/x-pack/plugins/security/server/session_management/session_index.ts +++ b/x-pack/plugins/security/server/session_management/session_index.ts @@ -17,6 +17,18 @@ export interface SessionIndexOptions { readonly logger: Logger; } +/** + * Filter provided for the `SessionIndex.invalidate` method that determines which session index + * values should be invalidated (removed from the index). It can have three possible types: + * - `all` means that all existing active and inactive sessions should be invalidated. + * - `sid` means that only session with the specified SID should be invalidated. + * - `query` means that only sessions that match specified query should be invalidated. + */ +export type InvalidateSessionsFilter = + | { match: 'all' } + | { match: 'sid'; sid: string } + | { match: 'query'; query: { provider: { type: string; name?: string }; usernameHash?: string } }; + /** * Version of the current session index template. */ @@ -237,19 +249,57 @@ export class SessionIndex { } /** - * Clears session value with the specified ID. - * @param sid Session ID to clear. + * Clears session value(s) determined by the specified filter. + * @param filter Filter that narrows down the list of the session values that should be cleared. */ - async clear(sid: string) { + async invalidate(filter: InvalidateSessionsFilter) { + if (filter.match === 'sid') { + try { + // We don't specify primary term and sequence number as delete should always take precedence + // over any updates that could happen in the meantime. + const { statusCode } = await this.options.elasticsearchClient.delete( + { id: filter.sid, index: this.indexName, refresh: 'wait_for' }, + { ignore: [404] } + ); + + // 404 means the session with such SID wasn't found and hence nothing was removed. + return statusCode !== 404 ? 1 : 0; + } catch (err) { + this.options.logger.error(`Failed to clear session value: ${err.message}`); + throw err; + } + } + + // If filter is specified we should clear only session values that are matched by the filter. + // Otherwise all session values should be cleared. + let deleteQuery; + if (filter.match === 'query') { + deleteQuery = { + bool: { + must: [ + { term: { 'provider.type': filter.query.provider.type } }, + ...(filter.query.provider.name + ? [{ term: { 'provider.name': filter.query.provider.name } }] + : []), + ...(filter.query.usernameHash + ? [{ term: { usernameHash: filter.query.usernameHash } }] + : []), + ], + }, + }; + } else { + deleteQuery = { match_all: {} }; + } + try { - // We don't specify primary term and sequence number as delete should always take precedence - // over any updates that could happen in the meantime. - await this.options.elasticsearchClient.delete( - { id: sid, index: this.indexName, refresh: 'wait_for' }, - { ignore: [404] } - ); + const { body: response } = await this.options.elasticsearchClient.deleteByQuery({ + index: this.indexName, + refresh: true, + body: { query: deleteQuery }, + }); + return response.deleted as number; } catch (err) { - this.options.logger.error(`Failed to clear session value: ${err.message}`); + this.options.logger.error(`Failed to clear session value(s): ${err.message}`); throw err; } } diff --git a/x-pack/scripts/functional_tests.js b/x-pack/scripts/functional_tests.js index 473cf6a4851bf..e9687f7b4cd06 100644 --- a/x-pack/scripts/functional_tests.js +++ b/x-pack/scripts/functional_tests.js @@ -36,6 +36,7 @@ require('@kbn/test').runTestsCli([ require.resolve('../test/plugin_api_integration/config.ts'), require.resolve('../test/security_api_integration/saml.config.ts'), require.resolve('../test/security_api_integration/session_idle.config.ts'), + require.resolve('../test/security_api_integration/session_invalidate.config.ts'), require.resolve('../test/security_api_integration/session_lifespan.config.ts'), require.resolve('../test/security_api_integration/login_selector.config.ts'), require.resolve('../test/security_api_integration/audit.config.ts'), diff --git a/x-pack/test/security_api_integration/session_invalidate.config.ts b/x-pack/test/security_api_integration/session_invalidate.config.ts new file mode 100644 index 0000000000000..82510062035a9 --- /dev/null +++ b/x-pack/test/security_api_integration/session_invalidate.config.ts @@ -0,0 +1,55 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { resolve } from 'path'; +import { FtrConfigProviderContext } from '@kbn/test/types/ftr'; +import { services } from './services'; + +// the default export of config files must be a config provider +// that returns an object with the projects config values +export default async function ({ readConfigFile }: FtrConfigProviderContext) { + const xPackAPITestsConfig = await readConfigFile(require.resolve('../api_integration/config.ts')); + + const kibanaPort = xPackAPITestsConfig.get('servers.kibana.port'); + const idpPath = resolve(__dirname, './fixtures/saml/idp_metadata.xml'); + + return { + testFiles: [resolve(__dirname, './tests/session_invalidate')], + services, + servers: xPackAPITestsConfig.get('servers'), + esTestCluster: { + ...xPackAPITestsConfig.get('esTestCluster'), + serverArgs: [ + ...xPackAPITestsConfig.get('esTestCluster.serverArgs'), + 'xpack.security.authc.token.enabled=true', + 'xpack.security.authc.realms.native.native1.order=0', + 'xpack.security.authc.realms.saml.saml1.order=1', + `xpack.security.authc.realms.saml.saml1.idp.metadata.path=${idpPath}`, + 'xpack.security.authc.realms.saml.saml1.idp.entity_id=http://www.elastic.co/saml1', + `xpack.security.authc.realms.saml.saml1.sp.entity_id=http://localhost:${kibanaPort}`, + `xpack.security.authc.realms.saml.saml1.sp.logout=http://localhost:${kibanaPort}/logout`, + `xpack.security.authc.realms.saml.saml1.sp.acs=http://localhost:${kibanaPort}/api/security/saml/callback`, + 'xpack.security.authc.realms.saml.saml1.attributes.principal=urn:oid:0.0.7', + ], + }, + + kbnTestServer: { + ...xPackAPITestsConfig.get('kbnTestServer'), + serverArgs: [ + ...xPackAPITestsConfig.get('kbnTestServer.serverArgs'), + `--xpack.security.authc.providers=${JSON.stringify({ + basic: { basic1: { order: 0 } }, + saml: { saml1: { order: 1, realm: 'saml1' } }, + })}`, + ], + }, + + junit: { + reportName: 'X-Pack Security API Integration Tests (Session Invalidate)', + }, + }; +} diff --git a/x-pack/test/security_api_integration/tests/session_invalidate/index.ts b/x-pack/test/security_api_integration/tests/session_invalidate/index.ts new file mode 100644 index 0000000000000..6408e4cfbd43d --- /dev/null +++ b/x-pack/test/security_api_integration/tests/session_invalidate/index.ts @@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { FtrProviderContext } from '../../ftr_provider_context'; + +export default function ({ loadTestFile }: FtrProviderContext) { + describe('security APIs - Session Invalidate', function () { + this.tags('ciGroup6'); + + loadTestFile(require.resolve('./invalidate')); + }); +} diff --git a/x-pack/test/security_api_integration/tests/session_invalidate/invalidate.ts b/x-pack/test/security_api_integration/tests/session_invalidate/invalidate.ts new file mode 100644 index 0000000000000..60605c88ce45e --- /dev/null +++ b/x-pack/test/security_api_integration/tests/session_invalidate/invalidate.ts @@ -0,0 +1,350 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import request, { Cookie } from 'request'; +import expect from '@kbn/expect'; +import { adminTestUser } from '@kbn/test'; +import type { AuthenticationProvider } from '../../../../plugins/security/common/model'; +import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools'; +import { FtrProviderContext } from '../../ftr_provider_context'; + +export default function ({ getService }: FtrProviderContext) { + const supertest = getService('supertestWithoutAuth'); + const es = getService('es'); + const security = getService('security'); + const esDeleteAllIndices = getService('esDeleteAllIndices'); + const config = getService('config'); + const randomness = getService('randomness'); + const kibanaServerConfig = config.get('servers.kibana'); + const notSuperuserTestUser = { username: 'test_user', password: 'changeme' }; + + async function checkSessionCookie( + sessionCookie: Cookie, + username: string, + provider: AuthenticationProvider + ) { + const apiResponse = await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', sessionCookie.cookieString()) + .expect(200); + + expect(apiResponse.body.username).to.be(username); + expect(apiResponse.body.authentication_provider).to.eql(provider); + + return Array.isArray(apiResponse.headers['set-cookie']) + ? request.cookie(apiResponse.headers['set-cookie'][0])! + : undefined; + } + + async function loginWithSAML() { + const handshakeResponse = await supertest + .post('/internal/security/login') + .set('kbn-xsrf', 'xxx') + .send({ providerType: 'saml', providerName: 'saml1', currentURL: '' }) + .expect(200); + + const authenticationResponse = await supertest + .post('/api/security/saml/callback') + .set('kbn-xsrf', 'xxx') + .set('Cookie', request.cookie(handshakeResponse.headers['set-cookie'][0])!.cookieString()) + .send({ + SAMLResponse: await getSAMLResponse({ + destination: `http://localhost:${kibanaServerConfig.port}/api/security/saml/callback`, + sessionIndex: String(randomness.naturalNumber()), + inResponseTo: await getSAMLRequestId(handshakeResponse.body.location), + }), + }) + .expect(302); + + const cookie = request.cookie(authenticationResponse.headers['set-cookie'][0])!; + await checkSessionCookie(cookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + return cookie; + } + + async function loginWithBasic(credentials: { username: string; password: string }) { + const authenticationResponse = await supertest + .post('/internal/security/login') + .set('kbn-xsrf', 'xxx') + .send({ + providerType: 'basic', + providerName: 'basic1', + currentURL: '/', + params: credentials, + }) + .expect(200); + + const cookie = request.cookie(authenticationResponse.headers['set-cookie'][0])!; + await checkSessionCookie(cookie, credentials.username, { type: 'basic', name: 'basic1' }); + return cookie; + } + + describe('Session Invalidate', () => { + beforeEach(async () => { + await es.cluster.health({ index: '.kibana_security_session*', wait_for_status: 'green' }); + await esDeleteAllIndices('.kibana_security_session*'); + await security.testUser.setRoles(['kibana_admin']); + }); + + it('should be able to invalidate all sessions at once', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + // Invalidate all sessions and make sure neither of the sessions is active now. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'all' }) + .expect(200, { total: 2 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', basicSessionCookie.cookieString()) + .expect(401); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', samlSessionCookie.cookieString()) + .expect(401); + }); + + it('should do nothing if specified provider type is not configured', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'oidc' } } }) + .expect(200, { total: 0 }); + await checkSessionCookie(basicSessionCookie, notSuperuserTestUser.username, { + type: 'basic', + name: 'basic1', + }); + await checkSessionCookie(samlSessionCookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + }); + + it('should be able to invalidate session only for a specific provider type', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + // Invalidate `basic` session and make sure that only `saml` session is still active. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'basic' } } }) + .expect(200, { total: 1 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', basicSessionCookie.cookieString()) + .expect(401); + await checkSessionCookie(samlSessionCookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + + // Invalidate `saml` session and make sure neither of the sessions is active now. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'saml' } } }) + .expect(200, { total: 1 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', samlSessionCookie.cookieString()) + .expect(401); + }); + + it('should do nothing if specified provider name is not configured', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'basic', name: 'basic2' } } }) + .expect(200, { total: 0 }); + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'saml', name: 'saml2' } } }) + .expect(200, { total: 0 }); + await checkSessionCookie(basicSessionCookie, notSuperuserTestUser.username, { + type: 'basic', + name: 'basic1', + }); + await checkSessionCookie(samlSessionCookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + }); + + it('should be able to invalidate session only for a specific provider name', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + // Invalidate `saml1` session and make sure that only `basic1` session is still active. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'saml', name: 'saml1' } } }) + .expect(200, { total: 1 }); + await checkSessionCookie(basicSessionCookie, notSuperuserTestUser.username, { + type: 'basic', + name: 'basic1', + }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', samlSessionCookie.cookieString()) + .expect(401); + + // Invalidate `basic1` session and make sure neither of the sessions is active now. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ match: 'query', query: { provider: { type: 'basic', name: 'basic1' } } }) + .expect(200, { total: 1 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', basicSessionCookie.cookieString()) + .expect(401); + }); + + it('should do nothing if specified username does not have session', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ + match: 'query', + query: { + provider: { type: 'basic', name: 'basic1' }, + username: `_${notSuperuserTestUser.username}`, + }, + }) + .expect(200, { total: 0 }); + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ + match: 'query', + query: { provider: { type: 'saml', name: 'saml1' }, username: '_a@b.c' }, + }) + .expect(200, { total: 0 }); + await checkSessionCookie(basicSessionCookie, notSuperuserTestUser.username, { + type: 'basic', + name: 'basic1', + }); + await checkSessionCookie(samlSessionCookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + }); + + it('should be able to invalidate session only for a specific user', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + // Invalidate session for `test_user` and make sure that only session of `a@b.c` is still active. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ + match: 'query', + query: { + provider: { type: 'basic', name: 'basic1' }, + username: notSuperuserTestUser.username, + }, + }) + .expect(200, { total: 1 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', basicSessionCookie.cookieString()) + .expect(401); + await checkSessionCookie(samlSessionCookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + + // Invalidate session for `a@b.c` and make sure neither of the sessions is active now. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(adminTestUser.username, adminTestUser.password) + .send({ + match: 'query', + query: { provider: { type: 'saml', name: 'saml1' }, username: 'a@b.c' }, + }) + .expect(200, { total: 1 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', samlSessionCookie.cookieString()) + .expect(401); + }); + + it('only super users should be able to invalidate sessions', async function () { + const basicSessionCookie = await loginWithBasic(notSuperuserTestUser); + const samlSessionCookie = await loginWithSAML(); + + // User without a superuser role shouldn't be able to invalidate sessions. + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(notSuperuserTestUser.username, notSuperuserTestUser.password) + .send({ match: 'all' }) + .expect(403); + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(notSuperuserTestUser.username, notSuperuserTestUser.password) + .send({ match: 'query', query: { provider: { type: 'basic' } } }) + .expect(403); + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(notSuperuserTestUser.username, notSuperuserTestUser.password) + .send({ + match: 'query', + query: { provider: { type: 'basic' }, username: notSuperuserTestUser.username }, + }) + .expect(403); + + await checkSessionCookie(basicSessionCookie, notSuperuserTestUser.username, { + type: 'basic', + name: 'basic1', + }); + await checkSessionCookie(samlSessionCookie, 'a@b.c', { type: 'saml', name: 'saml1' }); + + // With superuser role, it should be possible now. + await security.testUser.setRoles(['superuser']); + + await supertest + .post('/api/security/session/_invalidate') + .set('kbn-xsrf', 'xxx') + .auth(notSuperuserTestUser.username, notSuperuserTestUser.password) + .send({ match: 'all' }) + .expect(200, { total: 2 }); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', basicSessionCookie.cookieString()) + .expect(401); + await supertest + .get('/internal/security/me') + .set('kbn-xsrf', 'xxx') + .set('Cookie', samlSessionCookie.cookieString()) + .expect(401); + }); + }); +}