Introduce PKI authentication provider. #42606

Merged
merged 10 commits into from
Aug 27, 2019
5 changes: 4 additions & 1 deletion src/core/server/http/http_server.mocks.ts
Expand Up @@ -18,6 +18,7 @@
*/
import { Request } from 'hapi';
import { merge } from 'lodash';
import { Socket } from 'net';

import querystring from 'querystring';

Expand All @@ -37,6 +38,7 @@ interface RequestFixtureOptions {
query?: Record<string, any>;
path?: string;
method?: RouteMethod;
socket?: Socket;
}

function createKibanaRequestMock({
Expand All @@ -46,6 +48,7 @@ function createKibanaRequestMock({
body = {},
query = {},
method = 'get',
socket = new Socket(),
}: RequestFixtureOptions = {}) {
const queryString = querystring.stringify(query);
return KibanaRequest.from(
Expand All @@ -63,7 +66,7 @@ function createKibanaRequestMock({
},
route: { settings: {} },
raw: {
req: {},
req: { socket },
},
} as any,
{
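Review bot: The new `socket = new Socket()` default in `createKibanaRequestMock` is a plain `net.Socket`, which carries neither the `authorized` flag nor `getPeerCertificate()` that a `tls.TLSSocket` has, and nothing in the fixture says so. A test of code that inspects the client certificate and forgets to pass `socket` would then only exercise the no-TLS path, and could pass without covering the authorized and unauthorized branches. I would document the option in `RequestFixtureOptions`, e.g. `// Defaults to a plain net.Socket (no TLS state); pass a TLSSocket-shaped mock to test client-certificate handling.` The function body continues outside the visible hunks.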
16 changes: 16 additions & 0 deletions x-pack/legacy/server/lib/esjs_shield_plugin.js
Expand Up @@ -536,5 +536,21 @@
fmt: '/_security/api_key',
},
});

/**
* Gets an access token in exchange to the certificate chain for the target subject distinguished name.
*
* @param {string[]} x509_certificate_chain An ordered array of base64-encoded (Section 4 of RFC4648 - not
* base64url-encoded) DER PKIX certificate values.
*
* @returns {{access_token: string, type: string, expires_in: number}}
*/
shield.delegatePKI = ca({
method: 'POST',
needBody: true,
url: {
fmt: '/_security/delegate_pki',
},
});
};
}));
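Review bot: The JSDoc on `shield.delegatePKI` omits the trust assumption behind this endpoint. Per the Elasticsearch documentation for the delegate PKI API, the submitted chain is validated against the PKI realm trust configuration, but possession of the matching private key is not checked, because that proof is the TLS handshake the caller terminated. The comment should tell callers to pass only the chain of a peer whose TLS client authentication completed and was authorized, never a chain taken from request data, e.g. `* The caller is trusted to have performed TLS client authentication; only pass the chain of an authorized peer.` The first sentence would also read better as "in exchange for the certificate chain".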
Expand Up @@ -25,6 +25,7 @@ import {
SAMLAuthenticationProvider,
TokenAuthenticationProvider,
OIDCAuthenticationProvider,
PKIAuthenticationProvider,
isSAMLRequestQuery,
} from './providers';
import { AuthenticationResult } from './authentication_result';
Expand Down Expand Up @@ -98,6 +99,7 @@ const providerMap = new Map<
['saml', SAMLAuthenticationProvider],
['token', TokenAuthenticationProvider],
['oidc', OIDCAuthenticationProvider],
['pki', PKIAuthenticationProvider],
]);

function assertRequest(request: KibanaRequest) {
Expand Up @@ -7,12 +7,20 @@
import sinon from 'sinon';
import { ScopedClusterClient } from '../../../../../../src/core/server';
import { Tokens } from '../tokens';
import { loggingServiceMock, httpServiceMock } from '../../../../../../src/core/server/mocks';
import {
loggingServiceMock,
httpServiceMock,
elasticsearchServiceMock,
} from '../../../../../../src/core/server/mocks';

export type MockAuthenticationProviderOptions = ReturnType<
typeof mockAuthenticationProviderOptions
>;

export type MockAuthenticationProviderOptionsWithJest = ReturnType<
Member Author


note: I've wanted to migrate to pure Jest mocks for a long time already (not that I like Jest mocks, they are limited compared to sinon, but just for consistency's sake). So I decided to write the tests for the PKI auth provider without sinon, and will then migrate the other provider tests one by one when I have spare time.

typeof mockAuthenticationProviderOptionsWithJest
>;

export function mockScopedClusterClient(
client: MockAuthenticationProviderOptions['client'],
requestMatcher: sinon.SinonMatcher = sinon.match.any
Expand All @@ -34,3 +42,16 @@ export function mockAuthenticationProviderOptions() {
tokens: sinon.createStubInstance(Tokens),
};
}

// Will be renamed to mockAuthenticationProviderOptions as soon as we migrate all providers tests to Jest.
export function mockAuthenticationProviderOptionsWithJest() {
const basePath = httpServiceMock.createSetupContract().basePath;
basePath.get.mockReturnValue('/base-path');

return {
client: elasticsearchServiceMock.createClusterClient(),
logger: loggingServiceMock.create().get(),
basePath,
tokens: { refresh: jest.fn(), invalidate: jest.fn() },
};
}
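Review bot: In `mockAuthenticationProviderOptionsWithJest` the `tokens` mock is a hand-written object literal, whereas the sinon variant above derives its stub from the class with `sinon.createStubInstance(Tokens)`. If `Tokens` gains or renames a method, the Jest mock drifts silently and provider tests keep passing against a shape the real class no longer has. Tying the literal to the class keeps the compiler checking it, for example `tokens: { refresh: jest.fn(), invalidate: jest.fn() } as jest.Mocked<Pick<Tokens, 'refresh' | 'invalidate'>>`. This assumes `refresh` and `invalidate` are public methods of `Tokens`, which the hunk does not show.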
Expand Up @@ -14,3 +14,4 @@ export { KerberosAuthenticationProvider } from './kerberos';
export { SAMLAuthenticationProvider, isSAMLRequestQuery } from './saml';
export { TokenAuthenticationProvider } from './token';
export { OIDCAuthenticationProvider, OIDCAuthenticationFlow } from './oidc';
export { PKIAuthenticationProvider } from './pki';