-
Notifications
You must be signed in to change notification settings - Fork 8.3k
/
cleanup.ts
207 lines (179 loc) · 7.8 KB
/
cleanup.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import { parse as parseCookie, Cookie } from 'tough-cookie';
import { setTimeout as setTimeoutAsync } from 'timers/promises';
import expect from '@kbn/expect';
import { adminTestUser } from '@kbn/test';
import type { AuthenticationProvider } from '../../../../plugins/security/common/model';
import { getSAMLRequestId, getSAMLResponse } from '../../fixtures/saml/saml_tools';
import { FtrProviderContext } from '../../ftr_provider_context';
export default function ({ getService }: FtrProviderContext) {
const supertest = getService('supertestWithoutAuth');
const es = getService('es');
const esDeleteAllIndices = getService('esDeleteAllIndices');
const config = getService('config');
const log = getService('log');
const randomness = getService('randomness');
const { username: basicUsername, password: basicPassword } = adminTestUser;
const kibanaServerConfig = config.get('servers.kibana');
async function checkSessionCookie(
sessionCookie: Cookie,
username: string,
provider: AuthenticationProvider
) {
const apiResponse = await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', sessionCookie.cookieString())
.expect(200);
expect(apiResponse.body.username).to.be(username);
expect(apiResponse.body.authentication_provider).to.eql(provider);
return Array.isArray(apiResponse.headers['set-cookie'])
? parseCookie(apiResponse.headers['set-cookie'][0])!
: undefined;
}
async function getNumberOfSessionDocuments() {
return (
// @ts-expect-error doesn't handle total as number
(await es.search({ index: '.kibana_security_session*' })).hits.total.value as number
);
}
async function loginWithSAML(providerName: string) {
const handshakeResponse = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({ providerType: 'saml', providerName, currentURL: '' })
.expect(200);
const authenticationResponse = await supertest
.post('/api/security/saml/callback')
.set('kbn-xsrf', 'xxx')
.set('Cookie', parseCookie(handshakeResponse.headers['set-cookie'][0])!.cookieString())
.send({
SAMLResponse: await getSAMLResponse({
destination: `http://localhost:${kibanaServerConfig.port}/api/security/saml/callback`,
sessionIndex: String(randomness.naturalNumber()),
inResponseTo: await getSAMLRequestId(handshakeResponse.body.location),
}),
})
.expect(302);
const cookie = parseCookie(authenticationResponse.headers['set-cookie'][0])!;
await checkSessionCookie(cookie, '[email protected]', { type: 'saml', name: providerName });
return cookie;
}
describe('Session Idle cleanup', () => {
beforeEach(async () => {
await es.cluster.health({ index: '.kibana_security_session*', wait_for_status: 'green' });
await esDeleteAllIndices('.kibana_security_session*');
});
it('should properly clean up session expired because of idle timeout', async function () {
this.timeout(60000);
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username: basicUsername, password: basicPassword },
})
.expect(200);
const sessionCookie = parseCookie(response.headers['set-cookie'][0])!;
await checkSessionCookie(sessionCookie, basicUsername, { type: 'basic', name: 'basic1' });
expect(await getNumberOfSessionDocuments()).to.be(1);
// Cleanup routine runs every 10s, and idle timeout threshold is three times larger than 5s
// idle timeout, let's wait for 40s to make sure cleanup routine runs when idle timeout
// threshold is exceeded.
await setTimeoutAsync(40000);
// Session info is removed from the index and cookie isn't valid anymore
expect(await getNumberOfSessionDocuments()).to.be(0);
await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', sessionCookie.cookieString())
.expect(401);
});
it('should properly clean up session expired because of idle timeout when providers override global session config', async function () {
this.timeout(60000);
const [samlDisableSessionCookie, samlOverrideSessionCookie, samlFallbackSessionCookie] =
await Promise.all([
loginWithSAML('saml_disable'),
loginWithSAML('saml_override'),
loginWithSAML('saml_fallback'),
]);
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username: basicUsername, password: basicPassword },
})
.expect(200);
const basicSessionCookie = parseCookie(response.headers['set-cookie'][0])!;
await checkSessionCookie(basicSessionCookie, basicUsername, {
type: 'basic',
name: 'basic1',
});
expect(await getNumberOfSessionDocuments()).to.be(4);
// Cleanup routine runs every 10s, and idle timeout threshold is three times larger than 5s
// idle timeout, let's wait for 40s to make sure cleanup routine runs when idle timeout
// threshold is exceeded.
await setTimeoutAsync(40000);
// Session for basic and SAML that used global session settings should not be valid anymore.
expect(await getNumberOfSessionDocuments()).to.be(2);
await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', basicSessionCookie.cookieString())
.expect(401);
await supertest
.get('/internal/security/me')
.set('kbn-xsrf', 'xxx')
.set('Cookie', samlFallbackSessionCookie.cookieString())
.expect(401);
// But sessions for the SAML with overridden and disabled lifespan should still be valid.
await checkSessionCookie(samlOverrideSessionCookie, '[email protected]', {
type: 'saml',
name: 'saml_override',
});
await checkSessionCookie(samlDisableSessionCookie, '[email protected]', {
type: 'saml',
name: 'saml_disable',
});
});
it('should not clean up session if user is active', async function () {
this.timeout(60000);
const response = await supertest
.post('/internal/security/login')
.set('kbn-xsrf', 'xxx')
.send({
providerType: 'basic',
providerName: 'basic1',
currentURL: '/',
params: { username: basicUsername, password: basicPassword },
})
.expect(200);
let sessionCookie = parseCookie(response.headers['set-cookie'][0])!;
await checkSessionCookie(sessionCookie, basicUsername, { type: 'basic', name: 'basic1' });
expect(await getNumberOfSessionDocuments()).to.be(1);
// Run 20 consequent requests with 1.5s delay, during this time cleanup procedure should run at
// least twice.
for (const counter of [...Array(20).keys()]) {
// Session idle timeout is 15s, let's wait 10s and make a new request that would extend the session.
await setTimeoutAsync(1500);
sessionCookie = (await checkSessionCookie(sessionCookie, basicUsername, {
type: 'basic',
name: 'basic1',
}))!;
log.debug(`Session is still valid after ${(counter + 1) * 1.5}s`);
}
// Session document should still be present.
expect(await getNumberOfSessionDocuments()).to.be(1);
});
});
}