Fixes anonymous auth flow to work with SAML

Signed-off-by: Darshit Chanpura <[email protected]>
DarshitChanpura · Mar 6, 2024 · 199683c · 199683c
1 parent c80b64a
commit 199683c
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 25 deletions.
diff --git a/public/apps/login/login-page.tsx b/public/apps/login/login-page.tsx
@@ -212,7 +212,7 @@ export function LoginPage(props: LoginPageDeps) {
             </EuiFormRow>
           );
 
-          if (authOpts.length > 1) {
+          if (authOpts.length > 0) {
             if (props.config.auth.anonymous_auth_enabled) {
               const anonymousConfig = props.config.ui[AuthType.ANONYMOUS].login;
               formBody.push(

diff --git a/server/auth/types/authentication_type.ts b/server/auth/types/authentication_type.ts
@@ -113,6 +113,12 @@ export abstract class AuthenticationType implements IAuthenticationType {
     const authHeaders = {};
     let cookie: SecuritySessionCookie | null | undefined;
     let authInfo: any | undefined;
+
+    if (this.config.auth.anonymous_auth_enabled) {
+      const anonymousAuthHeaders = { _auth_request_type_: 'anonymous' };
+      Object.assign(authHeaders, anonymousAuthHeaders);
+    }
+
     // if this is an REST API call, suppose the request includes necessary auth header
     // see https://www.elastic.co/guide/en/opensearch-dashboards/master/using-api.html
     if (this.requestIncludesAuthInfo(request)) {
@@ -153,10 +159,14 @@ export abstract class AuthenticationType implements IAuthenticationType {
         if (request.url.pathname && request.url.pathname.startsWith('/bundles/')) {
           return toolkit.notHandled();
         }
+        console.log('Request is unauthorized');
+        console.log(request.url);
+        console.log(request.route);
 
         // send to auth workflow
         return this.handleUnauthedRequest(request, response, toolkit);
       }
+      console.log('we have a cookie: ' + JSON.stringify(cookie));
 
       // extend session expiration time
       if (this.config.session.keepalive) {
@@ -211,6 +221,7 @@ export abstract class AuthenticationType implements IAuthenticationType {
     }
     if (!authInfo) {
       authInfo = await this.securityClient.authinfo(request, authHeaders);
+      console.log(authInfo);
     }
     authState.authInfo = authInfo;
 

diff --git a/server/auth/types/basic/basic_auth.ts b/server/auth/types/basic/basic_auth.ts
@@ -111,21 +111,13 @@ export class BasicAuthentication extends AuthenticationType {
         request,
         this.coreSetup.http.basePath.serverBasePath
       );
-      if (this.config.auth.anonymous_auth_enabled) {
-        const redirectLocation = `${this.coreSetup.http.basePath.serverBasePath}${ANONYMOUS_AUTH_LOGIN}?${nextUrlParam}`;
-        return response.redirected({
-          headers: {
-            location: `${redirectLocation}`,
-          },
-        });
-      } else {
-        const redirectLocation = `${this.coreSetup.http.basePath.serverBasePath}${LOGIN_PAGE_URI}?${nextUrlParam}`;
-        return response.redirected({
-          headers: {
-            location: `${redirectLocation}`,
-          },
-        });
-      }
+
+      const redirectLocation = `${this.coreSetup.http.basePath.serverBasePath}${LOGIN_PAGE_URI}?${nextUrlParam}`;
+      return response.redirected({
+        headers: {
+          location: `${redirectLocation}`,
+        },
+      });
     } else {
       return response.unauthorized({
         body: `Authentication required`,

diff --git a/server/auth/types/basic/routes.ts b/server/auth/types/basic/routes.ts
@@ -186,7 +186,9 @@ export class BasicAuthRoutes {
           }
           context.security_plugin.logger.info('The Redirect Path is ' + redirectUrl);
           try {
-            user = await this.securityClient.authenticateWithHeaders(request, {});
+            user = await this.securityClient.authenticateWithHeaders(request, {
+              _auth_request_type_: 'anonymous',
+            });
           } catch (error) {
             context.security_plugin.logger.error(
               `Failed authentication: ${error}. Redirecting to Login Page`
@@ -200,6 +202,8 @@ export class BasicAuthRoutes {
             });
           }
 
+          console.log('Anon user: ' + JSON.stringify(user));
+
           this.sessionStorageFactory.asScoped(request).clear();
           const sessionStorage: SecuritySessionCookie = {
             username: user.username,
@@ -209,6 +213,7 @@ export class BasicAuthRoutes {
           };
 
           if (user.multitenancy_enabled) {
+            request.headers._auth_request_type_ = 'anonymous';
             const selectTenant = resolveTenant({
               request,
               username: user.username,

diff --git a/server/auth/types/multiple/multi_auth.ts b/server/auth/types/multiple/multi_auth.ts
@@ -166,20 +166,13 @@ export class MultipleAuthentication extends AuthenticationType {
         this.coreSetup.http.basePath.serverBasePath
       );
 
-      if (this.config.auth.anonymous_auth_enabled) {
-        const redirectLocation = `${this.coreSetup.http.basePath.serverBasePath}${ANONYMOUS_AUTH_LOGIN}?${nextUrlParam}`;
-        return response.redirected({
-          headers: {
-            location: `${redirectLocation}`,
-          },
-        });
-      }
       return response.redirected({
         headers: {
           location: `${this.coreSetup.http.basePath.serverBasePath}${LOGIN_PAGE_URI}?${nextUrlParam}`,
         },
       });
     } else {
+      console.log('not a page request');
       return response.unauthorized();
     }
   }