From 108d9732f057c947edf60e7ade86bc987cee8fe6 Mon Sep 17 00:00:00 2001
From: Joe Portner <5295965+jportner@users.noreply.github.com>
Date: Wed, 27 Nov 2019 16:50:08 -0500
Subject: [PATCH] Fix infinite redirect loop when multiple cookies are sent
(#50452) (#51821)
Cookies are now checked for attributes that match the current
Kibana configuration. Invalid cookies are cleared more reliably.
---
.../core/server/kibana-plugin-server.md | 1 +
...r.sessioncookievalidationresult.isvalid.md | 13 ++
...in-server.sessioncookievalidationresult.md | 21 ++
...rver.sessioncookievalidationresult.path.md | 13 ++
...ssionstoragecookieoptions.encryptionkey.md | 2 +-
...ugin-server.sessionstoragecookieoptions.md | 4 +-
...er.sessionstoragecookieoptions.validate.md | 4 +-
.../server/http/cookie_session_storage.ts | 41 +++-
.../server/http/cookie_sesson_storage.test.ts | 71 +++++-
src/core/server/http/http_server.test.ts | 2 +-
src/core/server/http/index.ts | 5 +-
.../integration_tests/core_services.test.ts | 2 +-
.../http/integration_tests/lifecycle.test.ts | 2 +-
src/core/server/index.ts | 1 +
src/core/server/server.api.md | 8 +-
.../authentication/authenticator.test.ts | 205 +++++-------------
.../server/authentication/authenticator.ts | 13 ++
.../security/server/authentication/index.ts | 30 ++-
18 files changed, 256 insertions(+), 182 deletions(-)
create mode 100644 docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.isvalid.md
create mode 100644 docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.md
create mode 100644 docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.path.md
diff --git a/docs/development/core/server/kibana-plugin-server.md b/docs/development/core/server/kibana-plugin-server.md
index 360675b3490c2..13e0ea3645f26 100644
--- a/docs/development/core/server/kibana-plugin-server.md
+++ b/docs/development/core/server/kibana-plugin-server.md
@@ -115,6 +115,7 @@ The plugin integrates with the core system via lifecycle events: `setup`
| [SavedObjectsResolveImportErrorsOptions](./kibana-plugin-server.savedobjectsresolveimporterrorsoptions.md) | Options to control the "resolve import" operation. |
| [SavedObjectsUpdateOptions](./kibana-plugin-server.savedobjectsupdateoptions.md) | |
| [SavedObjectsUpdateResponse](./kibana-plugin-server.savedobjectsupdateresponse.md) | |
+| [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md) | Return type from a function to validate cookie contents. |
| [SessionStorage](./kibana-plugin-server.sessionstorage.md) | Provides an interface to store and retrieve data across requests. |
| [SessionStorageCookieOptions](./kibana-plugin-server.sessionstoragecookieoptions.md) | Configuration used to create HTTP session storage based on top of cookie mechanism. |
| [SessionStorageFactory](./kibana-plugin-server.sessionstoragefactory.md) | SessionStorage factory to bind one to an incoming request |
diff --git a/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.isvalid.md b/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.isvalid.md
new file mode 100644
index 0000000000000..6e5f6acca2eb9
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.isvalid.md
@@ -0,0 +1,13 @@
+
+
+[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md) > [isValid](./kibana-plugin-server.sessioncookievalidationresult.isvalid.md)
+
+## SessionCookieValidationResult.isValid property
+
+Whether the cookie is valid or not.
+
+Signature:
+
+```typescript
+isValid: boolean;
+```
diff --git a/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.md b/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.md
new file mode 100644
index 0000000000000..6d32c4cca3dd6
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.md
@@ -0,0 +1,21 @@
+
+
+[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md)
+
+## SessionCookieValidationResult interface
+
+Return type from a function to validate cookie contents.
+
+Signature:
+
+```typescript
+export interface SessionCookieValidationResult
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [isValid](./kibana-plugin-server.sessioncookievalidationresult.isvalid.md) | boolean | Whether the cookie is valid or not. |
+| [path](./kibana-plugin-server.sessioncookievalidationresult.path.md) | string | The "Path" attribute of the cookie; if the cookie is invalid, this is used to clear it. |
+
diff --git a/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.path.md b/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.path.md
new file mode 100644
index 0000000000000..8ca6d452213aa
--- /dev/null
+++ b/docs/development/core/server/kibana-plugin-server.sessioncookievalidationresult.path.md
@@ -0,0 +1,13 @@
+
+
+[Home](./index.md) > [kibana-plugin-server](./kibana-plugin-server.md) > [SessionCookieValidationResult](./kibana-plugin-server.sessioncookievalidationresult.md) > [path](./kibana-plugin-server.sessioncookievalidationresult.path.md)
+
+## SessionCookieValidationResult.path property
+
+The "Path" attribute of the cookie; if the cookie is invalid, this is used to clear it.
+
+Signature:
+
+```typescript
+path?: string;
+```
diff --git a/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md b/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md
index 167ab03d7567f..ef65735e7bdba 100644
--- a/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md
+++ b/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md
@@ -4,7 +4,7 @@
## SessionStorageCookieOptions.encryptionKey property
-A key used to encrypt a cookie value. Should be at least 32 characters long.
+A key used to encrypt a cookie's value. Should be at least 32 characters long.
Signature:
diff --git a/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.md b/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.md
index de412818142f2..778dc27a190d9 100644
--- a/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.md
+++ b/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.md
@@ -16,8 +16,8 @@ export interface SessionStorageCookieOptions
| Property | Type | Description |
| --- | --- | --- |
-| [encryptionKey](./kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md) | string | A key used to encrypt a cookie value. Should be at least 32 characters long. |
+| [encryptionKey](./kibana-plugin-server.sessionstoragecookieoptions.encryptionkey.md) | string | A key used to encrypt a cookie's value. Should be at least 32 characters long. |
| [isSecure](./kibana-plugin-server.sessionstoragecookieoptions.issecure.md) | boolean | Flag indicating whether the cookie should be sent only via a secure connection. |
| [name](./kibana-plugin-server.sessionstoragecookieoptions.name.md) | string | Name of the session cookie. |
-| [validate](./kibana-plugin-server.sessionstoragecookieoptions.validate.md) | (sessionValue: T) => boolean | Promise<boolean> | Function called to validate a cookie content. |
+| [validate](./kibana-plugin-server.sessionstoragecookieoptions.validate.md) | (sessionValue: T | T[]) => SessionCookieValidationResult | Function called to validate a cookie's decrypted value. |
diff --git a/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.validate.md b/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.validate.md
index f3cbfc0d84e18..effa4b6bbc077 100644
--- a/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.validate.md
+++ b/docs/development/core/server/kibana-plugin-server.sessionstoragecookieoptions.validate.md
@@ -4,10 +4,10 @@
## SessionStorageCookieOptions.validate property
-Function called to validate a cookie content.
+Function called to validate a cookie's decrypted value.
Signature:
```typescript
-validate: (sessionValue: T) => boolean | Promise;
+validate: (sessionValue: T | T[]) => SessionCookieValidationResult;
```
diff --git a/src/core/server/http/cookie_session_storage.ts b/src/core/server/http/cookie_session_storage.ts
index 8a1b56d87fb4c..25b463140bfbc 100644
--- a/src/core/server/http/cookie_session_storage.ts
+++ b/src/core/server/http/cookie_session_storage.ts
@@ -34,19 +34,34 @@ export interface SessionStorageCookieOptions {
*/
name: string;
/**
- * A key used to encrypt a cookie value. Should be at least 32 characters long.
+ * A key used to encrypt a cookie's value. Should be at least 32 characters long.
*/
encryptionKey: string;
/**
- * Function called to validate a cookie content.
+ * Function called to validate a cookie's decrypted value.
*/
- validate: (sessionValue: T) => boolean | Promise;
+ validate: (sessionValue: T | T[]) => SessionCookieValidationResult;
/**
* Flag indicating whether the cookie should be sent only via a secure connection.
*/
isSecure: boolean;
}
+/**
+ * Return type from a function to validate cookie contents.
+ * @public
+ */
+export interface SessionCookieValidationResult {
+ /**
+ * Whether the cookie is valid or not.
+ */
+ isValid: boolean;
+ /**
+ * The "Path" attribute of the cookie; if the cookie is invalid, this is used to clear it.
+ */
+ path?: string;
+}
+
class ScopedCookieSessionStorage> implements SessionStorage {
constructor(
private readonly log: Logger,
@@ -98,15 +113,31 @@ export async function createCookieSessionStorageFactory(
cookieOptions: SessionStorageCookieOptions,
basePath?: string
): Promise> {
+ function clearInvalidCookie(req: Request | undefined, path: string = basePath || '/') {
+ // if the cookie did not include the 'path' attribute in the session value, it is a legacy cookie
+ // we will assume that the cookie was created with the current configuration
+ log.debug(`Clearing invalid session cookie`);
+ // need to use Hapi toolkit to clear cookie with defined options
+ if (req) {
+ (req.cookieAuth as any).h.unstate(cookieOptions.name, { path });
+ }
+ }
+
await server.register({ plugin: hapiAuthCookie });
server.auth.strategy('security-cookie', 'cookie', {
cookie: cookieOptions.name,
password: cookieOptions.encryptionKey,
- validateFunc: async (req, session: T) => ({ valid: await cookieOptions.validate(session) }),
+ validateFunc: async (req, session: T | T[]) => {
+ const result = cookieOptions.validate(session);
+ if (!result.isValid) {
+ clearInvalidCookie(req, result.path);
+ }
+ return { valid: result.isValid };
+ },
isSecure: cookieOptions.isSecure,
path: basePath,
- clearInvalid: true,
+ clearInvalid: false,
isHttpOnly: true,
isSameSite: false,
});
diff --git a/src/core/server/http/cookie_sesson_storage.test.ts b/src/core/server/http/cookie_sesson_storage.test.ts
index 5cd2fbaa1ebe8..bf0585ad280d5 100644
--- a/src/core/server/http/cookie_sesson_storage.test.ts
+++ b/src/core/server/http/cookie_sesson_storage.test.ts
@@ -80,6 +80,7 @@ interface User {
interface Storage {
value: User;
expires: number;
+ path: string;
}
function retrieveSessionCookie(cookies: string) {
@@ -92,13 +93,21 @@ function retrieveSessionCookie(cookies: string) {
const userData = { id: '42' };
const sessionDurationMs = 1000;
+const path = '/';
+const sessVal = () => ({ value: userData, expires: Date.now() + sessionDurationMs, path });
const delay = (ms: number) => new Promise(res => setTimeout(res, ms));
const cookieOptions = {
name: 'sid',
encryptionKey: 'something_at_least_32_characters',
- validate: (session: Storage) => session.expires > Date.now(),
+ validate: (session: Storage | Storage[]) => {
+ if (Array.isArray(session)) {
+ session = session[0];
+ }
+ const isValid = session.path === path && session.expires > Date.now();
+ return { isValid, path: session.path };
+ },
isSecure: false,
- path: '/',
+ path,
};
describe('Cookie based SessionStorage', () => {
@@ -107,9 +116,9 @@ describe('Cookie based SessionStorage', () => {
const { server: innerServer, createRouter } = await server.setup(setupDeps);
const router = createRouter('');
- router.get({ path: '/', validate: false }, (context, req, res) => {
+ router.get({ path, validate: false }, (context, req, res) => {
const sessionStorage = factory.asScoped(req);
- sessionStorage.set({ value: userData, expires: Date.now() + sessionDurationMs });
+ sessionStorage.set(sessVal());
return res.ok({});
});
@@ -136,6 +145,7 @@ describe('Cookie based SessionStorage', () => {
expect(sessionCookie.httpOnly).toBe(true);
});
});
+
describe('#get()', () => {
it('reads from session storage', async () => {
const { server: innerServer, createRouter } = await server.setup(setupDeps);
@@ -145,7 +155,7 @@ describe('Cookie based SessionStorage', () => {
const sessionStorage = factory.asScoped(req);
const sessionValue = await sessionStorage.get();
if (!sessionValue) {
- sessionStorage.set({ value: userData, expires: Date.now() + sessionDurationMs });
+ sessionStorage.set(sessVal());
return res.ok();
}
return res.ok({ body: { value: sessionValue.value } });
@@ -173,6 +183,7 @@ describe('Cookie based SessionStorage', () => {
.set('Cookie', `${sessionCookie.key}=${sessionCookie.value}`)
.expect(200, { value: userData });
});
+
it('returns null for empty session', async () => {
const { server: innerServer, createRouter } = await server.setup(setupDeps);
@@ -198,7 +209,7 @@ describe('Cookie based SessionStorage', () => {
expect(cookies).not.toBeDefined();
});
- it('returns null for invalid session & clean cookies', async () => {
+ it('returns null for invalid session (expired) & clean cookies', async () => {
const { server: innerServer, createRouter } = await server.setup(setupDeps);
const router = createRouter('');
@@ -208,7 +219,7 @@ describe('Cookie based SessionStorage', () => {
const sessionStorage = factory.asScoped(req);
if (!setOnce) {
setOnce = true;
- sessionStorage.set({ value: userData, expires: Date.now() + sessionDurationMs });
+ sessionStorage.set(sessVal());
return res.ok({ body: { value: userData } });
}
const sessionValue = await sessionStorage.get();
@@ -242,6 +253,50 @@ describe('Cookie based SessionStorage', () => {
'sid=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/',
]);
});
+
+ it('returns null for invalid session (incorrect path) & clean cookies accurately', async () => {
+ const { server: innerServer, createRouter } = await server.setup(setupDeps);
+
+ const router = createRouter('');
+
+ let setOnce = false;
+ router.get({ path: '/', validate: false }, async (context, req, res) => {
+ const sessionStorage = factory.asScoped(req);
+ if (!setOnce) {
+ setOnce = true;
+ sessionStorage.set({ ...sessVal(), path: '/foo' });
+ return res.ok({ body: { value: userData } });
+ }
+ const sessionValue = await sessionStorage.get();
+ return res.ok({ body: { value: sessionValue } });
+ });
+
+ const factory = await createCookieSessionStorageFactory(
+ logger.get(),
+ innerServer,
+ cookieOptions
+ );
+ await server.start();
+
+ const response = await supertest(innerServer.listener)
+ .get('/')
+ .expect(200, { value: userData });
+
+ const cookies = response.get('set-cookie');
+ expect(cookies).toBeDefined();
+
+ const sessionCookie = retrieveSessionCookie(cookies[0]);
+ const response2 = await supertest(innerServer.listener)
+ .get('/')
+ .set('Cookie', `${sessionCookie.key}=${sessionCookie.value}`)
+ .expect(200, { value: null });
+
+ const cookies2 = response2.get('set-cookie');
+ expect(cookies2).toEqual([
+ 'sid=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/foo',
+ ]);
+ });
+
// use mocks to simplify test setup
it('returns null if multiple session cookies are detected.', async () => {
const mockServer = {
@@ -342,7 +397,7 @@ describe('Cookie based SessionStorage', () => {
sessionStorage.clear();
return res.ok({});
}
- sessionStorage.set({ value: userData, expires: Date.now() + sessionDurationMs });
+ sessionStorage.set(sessVal());
return res.ok({});
});
diff --git a/src/core/server/http/http_server.test.ts b/src/core/server/http/http_server.test.ts
index f753de306b183..f26e5292b978d 100644
--- a/src/core/server/http/http_server.test.ts
+++ b/src/core/server/http/http_server.test.ts
@@ -34,7 +34,7 @@ import { HttpServer } from './http_server';
const cookieOptions = {
name: 'sid',
encryptionKey: 'something_at_least_32_characters',
- validate: () => true,
+ validate: () => ({ isValid: true }),
isSecure: false,
};
diff --git a/src/core/server/http/index.ts b/src/core/server/http/index.ts
index 2fa67750f6406..bed76201bb4f9 100644
--- a/src/core/server/http/index.ts
+++ b/src/core/server/http/index.ts
@@ -60,6 +60,9 @@ export {
} from './lifecycle/auth';
export { OnPostAuthHandler, OnPostAuthToolkit } from './lifecycle/on_post_auth';
export { SessionStorageFactory, SessionStorage } from './session_storage';
-export { SessionStorageCookieOptions } from './cookie_session_storage';
+export {
+ SessionStorageCookieOptions,
+ SessionCookieValidationResult,
+} from './cookie_session_storage';
export * from './types';
export { BasePath, IBasePath } from './base_path_service';
diff --git a/src/core/server/http/integration_tests/core_services.test.ts b/src/core/server/http/integration_tests/core_services.test.ts
index 00629b811b28f..f3867faa2ae75 100644
--- a/src/core/server/http/integration_tests/core_services.test.ts
+++ b/src/core/server/http/integration_tests/core_services.test.ts
@@ -39,7 +39,7 @@ describe('http service', () => {
const cookieOptions = {
name: 'sid',
encryptionKey: 'something_at_least_32_characters',
- validate: (session: StorageData) => true,
+ validate: () => ({ isValid: true }),
isSecure: false,
path: '/',
};
diff --git a/src/core/server/http/integration_tests/lifecycle.test.ts b/src/core/server/http/integration_tests/lifecycle.test.ts
index 4592a646b7f04..7c4a0097456ca 100644
--- a/src/core/server/http/integration_tests/lifecycle.test.ts
+++ b/src/core/server/http/integration_tests/lifecycle.test.ts
@@ -408,7 +408,7 @@ describe('Auth', () => {
const cookieOptions = {
name: 'sid',
encryptionKey: 'something_at_least_32_characters',
- validate: () => true,
+ validate: () => ({ isValid: true }),
isSecure: false,
};
diff --git a/src/core/server/index.ts b/src/core/server/index.ts
index 31dec2c9b96ff..b53f04d601ff4 100644
--- a/src/core/server/index.ts
+++ b/src/core/server/index.ts
@@ -117,6 +117,7 @@ export {
RouteRegistrar,
SessionStorage,
SessionStorageCookieOptions,
+ SessionCookieValidationResult,
SessionStorageFactory,
} from './http';
export { Logger, LoggerFactory, LogMeta, LogRecord, LogLevel } from './logging';
diff --git a/src/core/server/server.api.md b/src/core/server/server.api.md
index d6cfa54397565..3bbcb85fea9e5 100644
--- a/src/core/server/server.api.md
+++ b/src/core/server/server.api.md
@@ -1577,6 +1577,12 @@ export class ScopedClusterClient implements IScopedClusterClient {
callAsInternalUser(endpoint: string, clientParams?: Record, options?: CallAPIOptions): Promise;
}
+// @public
+export interface SessionCookieValidationResult {
+ isValid: boolean;
+ path?: string;
+}
+
// @public
export interface SessionStorage {
clear(): void;
@@ -1589,7 +1595,7 @@ export interface SessionStorageCookieOptions {
encryptionKey: string;
isSecure: boolean;
name: string;
- validate: (sessionValue: T) => boolean | Promise;
+ validate: (sessionValue: T | T[]) => SessionCookieValidationResult;
}
// @public
diff --git a/x-pack/plugins/security/server/authentication/authenticator.test.ts b/x-pack/plugins/security/server/authentication/authenticator.test.ts
index bfbd60f5f18e8..d87ed21001014 100644
--- a/x-pack/plugins/security/server/authentication/authenticator.test.ts
+++ b/x-pack/plugins/security/server/authentication/authenticator.test.ts
@@ -79,12 +79,20 @@ describe('Authenticator', () => {
let authenticator: Authenticator;
let mockOptions: ReturnType;
let mockSessionStorage: jest.Mocked>;
+ let mockSessVal: any;
beforeEach(() => {
mockOptions = getMockOptions({
authc: { providers: ['basic'], oidc: {}, saml: {} },
});
mockSessionStorage = sessionStorageMock.create();
mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
+ mockSessVal = {
+ idleTimeoutExpiration: null,
+ lifespanExpiration: null,
+ state: { authorization: 'Basic xxx' },
+ provider: 'basic',
+ path: mockOptions.basePath.serverBasePath,
+ };
authenticator = new Authenticator(mockOptions);
});
@@ -160,10 +168,8 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
+ ...mockSessVal,
state: { authorization },
- provider: 'basic',
});
});
@@ -177,18 +183,12 @@ describe('Authenticator', () => {
});
it('clears session if it belongs to a different provider.', async () => {
- const state = { authorization: 'Basic xxx' };
const user = mockAuthenticatedUser();
const credentials = { username: 'user', password: 'password' };
const request = httpServerMock.createKibanaRequest();
mockBasicAuthenticationProvider.login.mockResolvedValue(AuthenticationResult.succeeded(user));
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'token',
- });
+ mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' });
const authenticationResult = await authenticator.login(request, {
provider: 'basic',
@@ -300,12 +300,20 @@ describe('Authenticator', () => {
let authenticator: Authenticator;
let mockOptions: ReturnType;
let mockSessionStorage: jest.Mocked>;
+ let mockSessVal: any;
beforeEach(() => {
mockOptions = getMockOptions({
authc: { providers: ['basic'], oidc: {}, saml: {} },
});
mockSessionStorage = sessionStorageMock.create();
mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
+ mockSessVal = {
+ idleTimeoutExpiration: null,
+ lifespanExpiration: null,
+ state: { authorization: 'Basic xxx' },
+ provider: 'basic',
+ path: mockOptions.basePath.serverBasePath,
+ };
authenticator = new Authenticator(mockOptions);
});
@@ -361,10 +369,8 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
+ ...mockSessVal,
state: { authorization },
- provider: 'basic',
});
});
@@ -384,28 +390,20 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
+ ...mockSessVal,
state: { authorization },
- provider: 'basic',
});
});
it('does not extend session for system API calls.', async () => {
const user = mockAuthenticatedUser();
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(true);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.succeeded(user)
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.succeeded()).toBe(true);
@@ -417,37 +415,25 @@ describe('Authenticator', () => {
it('extends session for non-system API calls.', async () => {
const user = mockAuthenticatedUser();
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(false);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.succeeded(user)
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.succeeded()).toBe(true);
expect(authenticationResult.user).toEqual(user);
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
- expect(mockSessionStorage.set).toHaveBeenCalledWith({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ expect(mockSessionStorage.set).toHaveBeenCalledWith(mockSessVal);
expect(mockSessionStorage.clear).not.toHaveBeenCalled();
});
it('properly extends session expiration if it is defined.', async () => {
const user = mockAuthenticatedUser();
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
const currentDate = new Date(Date.UTC(2019, 10, 10)).valueOf();
@@ -461,12 +447,7 @@ describe('Authenticator', () => {
});
mockSessionStorage = sessionStorageMock.create();
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
authenticator = new Authenticator(mockOptions);
@@ -483,17 +464,14 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
+ ...mockSessVal,
idleTimeoutExpiration: currentDate + 3600 * 24,
- lifespanExpiration: null,
- state,
- provider: 'basic',
});
expect(mockSessionStorage.clear).not.toHaveBeenCalled();
});
it('does not extend session lifespan expiration.', async () => {
const user = mockAuthenticatedUser();
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
const currentDate = new Date(Date.UTC(2019, 10, 10)).valueOf();
const hr = 1000 * 60 * 60;
@@ -509,12 +487,11 @@ describe('Authenticator', () => {
mockSessionStorage = sessionStorageMock.create();
mockSessionStorage.get.mockResolvedValue({
+ ...mockSessVal,
// this session was created 6.5 hrs ago (and has 1.5 hrs left in its lifespan)
// it was last extended 1 hour ago, which means it will expire in 1 hour
idleTimeoutExpiration: currentDate + hr * 1,
lifespanExpiration: currentDate + hr * 1.5,
- state,
- provider: 'basic',
});
mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
@@ -532,17 +509,15 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
+ ...mockSessVal,
idleTimeoutExpiration: currentDate + hr * 2,
lifespanExpiration: currentDate + hr * 1.5,
- state,
- provider: 'basic',
});
expect(mockSessionStorage.clear).not.toHaveBeenCalled();
});
it('only updates the session lifespan expiration if it does not match the current server config.', async () => {
const user = mockAuthenticatedUser();
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
const hr = 1000 * 60 * 60;
@@ -561,10 +536,9 @@ describe('Authenticator', () => {
mockSessionStorage = sessionStorageMock.create();
mockSessionStorage.get.mockResolvedValue({
+ ...mockSessVal,
idleTimeoutExpiration: 1,
lifespanExpiration: oldExpiration,
- state,
- provider: 'basic',
});
mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
@@ -580,10 +554,9 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
+ ...mockSessVal,
idleTimeoutExpiration: 1,
lifespanExpiration: newExpiration,
- state,
- provider: 'basic',
});
expect(mockSessionStorage.clear).not.toHaveBeenCalled();
}
@@ -596,19 +569,13 @@ describe('Authenticator', () => {
});
it('does not touch session for system API calls if authentication fails with non-401 reason.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(true);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.failed(new Error('some error'))
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.failed()).toBe(true);
@@ -618,19 +585,13 @@ describe('Authenticator', () => {
});
it('does not touch session for non-system API calls if authentication fails with non-401 reason.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(false);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.failed(new Error('some error'))
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.failed()).toBe(true);
@@ -641,7 +602,6 @@ describe('Authenticator', () => {
it('replaces existing session with the one returned by authentication provider for system API requests', async () => {
const user = mockAuthenticatedUser();
- const existingState = { authorization: 'Basic xxx' };
const newState = { authorization: 'Basic yyy' };
const request = httpServerMock.createKibanaRequest();
@@ -649,12 +609,7 @@ describe('Authenticator', () => {
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.succeeded(user, { state: newState })
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state: existingState,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.succeeded()).toBe(true);
@@ -662,17 +617,14 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
+ ...mockSessVal,
state: newState,
- provider: 'basic',
});
expect(mockSessionStorage.clear).not.toHaveBeenCalled();
});
it('replaces existing session with the one returned by authentication provider for non-system API requests', async () => {
const user = mockAuthenticatedUser();
- const existingState = { authorization: 'Basic xxx' };
const newState = { authorization: 'Basic yyy' };
const request = httpServerMock.createKibanaRequest();
@@ -680,12 +632,7 @@ describe('Authenticator', () => {
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.succeeded(user, { state: newState })
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state: existingState,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.succeeded()).toBe(true);
@@ -693,28 +640,20 @@ describe('Authenticator', () => {
expect(mockSessionStorage.set).toHaveBeenCalledTimes(1);
expect(mockSessionStorage.set).toHaveBeenCalledWith({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
+ ...mockSessVal,
state: newState,
- provider: 'basic',
});
expect(mockSessionStorage.clear).not.toHaveBeenCalled();
});
it('clears session if provider failed to authenticate system API request with 401 with active session.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(true);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.failed(Boom.unauthorized())
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.failed()).toBe(true);
@@ -724,19 +663,13 @@ describe('Authenticator', () => {
});
it('clears session if provider failed to authenticate non-system API request with 401 with active session.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(false);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.failed(Boom.unauthorized())
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.failed()).toBe(true);
@@ -746,18 +679,12 @@ describe('Authenticator', () => {
});
it('clears session if provider requested it via setting state to `null`.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.redirectTo('some-url', { state: null })
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.redirected()).toBe(true);
@@ -767,19 +694,13 @@ describe('Authenticator', () => {
});
it('does not clear session if provider can not handle system API request authentication with active session.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(true);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.notHandled()
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.notHandled()).toBe(true);
@@ -789,19 +710,13 @@ describe('Authenticator', () => {
});
it('does not clear session if provider can not handle non-system API request authentication with active session.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(false);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.notHandled()
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.notHandled()).toBe(true);
@@ -811,19 +726,13 @@ describe('Authenticator', () => {
});
it('clears session for system API request if it belongs to not configured provider.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(true);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.notHandled()
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'token',
- });
+ mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' });
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.notHandled()).toBe(true);
@@ -833,19 +742,13 @@ describe('Authenticator', () => {
});
it('clears session for non-system API request if it belongs to not configured provider.', async () => {
- const state = { authorization: 'Basic xxx' };
const request = httpServerMock.createKibanaRequest();
mockOptions.isSystemAPIRequest.mockReturnValue(false);
mockBasicAuthenticationProvider.authenticate.mockResolvedValue(
AuthenticationResult.notHandled()
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'token',
- });
+ mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, provider: 'token' });
const authenticationResult = await authenticator.authenticate(request);
expect(authenticationResult.notHandled()).toBe(true);
@@ -859,12 +762,20 @@ describe('Authenticator', () => {
let authenticator: Authenticator;
let mockOptions: ReturnType;
let mockSessionStorage: jest.Mocked>;
+ let mockSessVal: any;
beforeEach(() => {
mockOptions = getMockOptions({
authc: { providers: ['basic'], oidc: {}, saml: {} },
});
mockSessionStorage = sessionStorageMock.create();
mockOptions.sessionStorageFactory.asScoped.mockReturnValue(mockSessionStorage);
+ mockSessVal = {
+ idleTimeoutExpiration: null,
+ lifespanExpiration: null,
+ state: { authorization: 'Basic xxx' },
+ provider: 'basic',
+ path: mockOptions.basePath.serverBasePath,
+ };
authenticator = new Authenticator(mockOptions);
});
@@ -887,16 +798,10 @@ describe('Authenticator', () => {
it('clears session and returns whatever authentication provider returns.', async () => {
const request = httpServerMock.createKibanaRequest();
- const state = { authorization: 'Basic xxx' };
mockBasicAuthenticationProvider.logout.mockResolvedValue(
DeauthenticationResult.redirectTo('some-url')
);
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'basic',
- });
+ mockSessionStorage.get.mockResolvedValue(mockSessVal);
const deauthenticationResult = await authenticator.logout(request);
@@ -935,12 +840,7 @@ describe('Authenticator', () => {
it('only clears session if it belongs to not configured provider.', async () => {
const request = httpServerMock.createKibanaRequest();
const state = { authorization: 'Bearer xxx' };
- mockSessionStorage.get.mockResolvedValue({
- idleTimeoutExpiration: null,
- lifespanExpiration: null,
- state,
- provider: 'token',
- });
+ mockSessionStorage.get.mockResolvedValue({ ...mockSessVal, state, provider: 'token' });
const deauthenticationResult = await authenticator.logout(request);
@@ -979,6 +879,7 @@ describe('Authenticator', () => {
lifespanExpiration: mockInfo.lifespanExpiration,
state,
provider: mockInfo.provider,
+ path: mockOptions.basePath.serverBasePath,
});
jest.spyOn(Date, 'now').mockImplementation(() => currentDate);
diff --git a/x-pack/plugins/security/server/authentication/authenticator.ts b/x-pack/plugins/security/server/authentication/authenticator.ts
index 2367a623459cd..5283e2c231f4e 100644
--- a/x-pack/plugins/security/server/authentication/authenticator.ts
+++ b/x-pack/plugins/security/server/authentication/authenticator.ts
@@ -59,6 +59,11 @@ export interface ProviderSession {
* entirely determined by the authentication provider that owns the current session.
*/
state: unknown;
+
+ /**
+ * Cookie "Path" attribute that is validated against the current Kibana server configuration.
+ */
+ path: string;
}
/**
@@ -160,6 +165,11 @@ export class Authenticator {
*/
private readonly providers: Map;
+ /**
+ * Which base path the HTTP server is hosted on.
+ */
+ private readonly serverBasePath: string;
+
/**
* Session timeout in ms. If `null` session will stay active until the browser is closed.
*/
@@ -215,6 +225,7 @@ export class Authenticator {
] as [string, BaseAuthenticationProvider];
})
);
+ this.serverBasePath = this.options.basePath.serverBasePath || '/';
// only set these vars if they are defined in options (otherwise coalesce to existing/default)
this.idleTimeout = this.options.config.session.idleTimeout;
@@ -279,6 +290,7 @@ export class Authenticator {
provider: attempt.provider,
idleTimeoutExpiration,
lifespanExpiration,
+ path: this.serverBasePath,
});
}
@@ -467,6 +479,7 @@ export class Authenticator {
provider: providerType,
idleTimeoutExpiration,
lifespanExpiration,
+ path: this.serverBasePath,
});
}
}
diff --git a/x-pack/plugins/security/server/authentication/index.ts b/x-pack/plugins/security/server/authentication/index.ts
index 7f1b60207ba38..89ec5a662a3bd 100644
--- a/x-pack/plugins/security/server/authentication/index.ts
+++ b/x-pack/plugins/security/server/authentication/index.ts
@@ -78,6 +78,22 @@ export async function setupAuthentication({
.callAsCurrentUser('shield.authenticate')) as AuthenticatedUser;
};
+ const isValid = (sessionValue: ProviderSession) => {
+ // ensure that this cookie was created with the current Kibana configuration
+ const { path, idleTimeoutExpiration, lifespanExpiration } = sessionValue;
+ if (path !== undefined && path !== (http.basePath.serverBasePath || '/')) {
+ authLogger.debug(`Outdated session value with path "${sessionValue.path}"`);
+ return false;
+ }
+ // ensure that this cookie is not expired
+ if (idleTimeoutExpiration && idleTimeoutExpiration < Date.now()) {
+ return false;
+ } else if (lifespanExpiration && lifespanExpiration < Date.now()) {
+ return false;
+ }
+ return true;
+ };
+
const authenticator = new Authenticator({
clusterClient,
basePath: http.basePath,
@@ -89,14 +105,14 @@ export async function setupAuthentication({
encryptionKey: config.encryptionKey,
isSecure: config.secureCookies,
name: config.cookieName,
- validate: (sessionValue: ProviderSession) => {
- const { idleTimeoutExpiration, lifespanExpiration } = sessionValue;
- if (idleTimeoutExpiration && idleTimeoutExpiration < Date.now()) {
- return false;
- } else if (lifespanExpiration && lifespanExpiration < Date.now()) {
- return false;
+ validate: (session: ProviderSession | ProviderSession[]) => {
+ const array: ProviderSession[] = Array.isArray(session) ? session : [session];
+ for (const sess of array) {
+ if (!isValid(sess)) {
+ return { isValid: false, path: sess.path };
+ }
}
- return true;
+ return { isValid: true };
},
}),
});