Push idp timeout test case

Signed-off-by: Derek Ho <[email protected]>

server/auth/types/authentication_type.test.ts

@@ -29,6 +29,8 @@ import { SecuritySessionCookie } from '../../session/security_cookie';
 const mockedNow = 0;
 Date.now = jest.fn(() => mockedNow);
 
+export const SecurityAuthSessionStorageKey = 'security_cookie';
+
 class DummyAuthType extends AuthenticationType {
   authNotRequired(request: OpenSearchDashboardsRequest): boolean {
     return false;
@@ -74,7 +76,7 @@ class BrowserSessionStorage<T> implements SessionStorage<T> {
 }
 
 // Implementation of SessionStorageFactory using the browser's sessionStorage
-class BrowserSessionStorageFactory<T> implements SessionStorageFactory<T> {
+export class BrowserSessionStorageFactory<T> implements SessionStorageFactory<T> {
   private readonly storageKey: string;
 
   constructor(storageKey: string) {
@@ -174,7 +176,7 @@ describe('test tenant header', () => {
     } as SecurityPluginConfigType;
     const keepAliveDummyAuth = new DummyAuthType(
       keepAliveConfig,
-      new BrowserSessionStorageFactory('security_cookie'),
+      new BrowserSessionStorageFactory(SecurityAuthSessionStorageKey),
       router,
       esClient,
       coreSetup,
@@ -187,7 +189,7 @@ describe('test tenant header', () => {
       expiryTime: 2000,
     };
     // Set cookie
-    sessionStorage.setItem('security_cookie', JSON.stringify(testCookie));
+    sessionStorage.setItem(SecurityAuthSessionStorageKey, JSON.stringify(testCookie));
     const request = httpServerMock.createOpenSearchDashboardsRequest({
       path: '/internal/v1',
     });
@@ -196,7 +198,7 @@ describe('test tenant header', () => {
       authenticated: jest.fn((value) => value),
     };
     const _ = await keepAliveDummyAuth.authHandler(request, response, toolkit);
-    const cookieAfterRequest = sessionStorage.getItem('security_cookie');
+    const cookieAfterRequest = sessionStorage.getItem(SecurityAuthSessionStorageKey);
     expect(JSON.parse(cookieAfterRequest!).expiryTime).toBe(2000);
   });
 });

server/auth/types/openid/helper.ts

@@ -130,6 +130,8 @@ export interface TokenResponse {
 }
 
 export function getExpirationDate(tokenResponse: TokenResponse | undefined) {
+  console.log('AIHWEGHIOAHERGIOHAER')
+  console.log(tokenResponse)
   if (!tokenResponse) {
     throw new Error('Invalid token');
   } else if (tokenResponse.idToken) {
@@ -138,6 +140,7 @@ export function getExpirationDate(tokenResponse: TokenResponse | undefined) {
     if (parts.length !== 3) {
       throw new Error('Invalid token');
     }
+    console.log(parts)
     const claim = JSON.parse(Buffer.from(parts[1], 'base64').toString());
     return claim.exp * 1000;
   } else {

server/auth/types/openid/openid_auth.test.ts

@@ -28,6 +28,35 @@ import {
   ILegacyClusterClient,
   SessionStorageFactory,
 } from '../../../../../../src/core/server';
+import { BrowserSessionStorageFactory, SecurityAuthSessionStorageKey } from '../authentication_type.test';
+
+jest.mock('./helper', () => ({
+  ...jest.requireActual('./helper'),
+  callTokenEndpoint: jest.fn().mockImplementation(() => {
+    return {idToken:'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSaHFsWXdKaTFXR1FJV0d6LUtsMklCUklDQTh0Y3loa1ZMdmk1eDZ2WmxRIn0.eyJleHAiOjkyMDg5NDQwMDAwMDAwfQ==.nsNfG5xxJWU24CcmgOBvJEKRKpoY81noHCO9_is4tLdX7grLz8HcQIFsrQaWTpPkIIbb7lc8FkYOlkwbnC9L5MX7lhfoJdPmG_Eh7uJl3RSIHm743gTmWmOeK8s5OPJnNibyfeUMpdH244jZ__uUchz3IrXKwt8pSvIKvGAFSgykkBtPghaePz4XOqNrOHvbP5bqKeoJGSSmHq_4b0bF0d_WQaPrQuduOJ545bTcfUJe38jWPPB1C4MywR1w1fzC0yg7DZFliPrLNXFwKSPd_CYwzLf1hwmr0vEd9I6QXAZo5BcAe9hVlX0mgZZ1H8FNqwvWd4rQKoDDnQMKs7NpsQ', refreshToken: 'blah'}
+  }),
+}));
+
+jest.mock('../../session/cookie_splitter.ts', () => ({
+  ...jest.requireActual('./helper'),
+  callTokenEndpoint: jest.fn().mockImplementation(() => {
+    return {idToken:'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJSaHFsWXdKaTFXR1FJV0d6LUtsMklCUklDQTh0Y3loa1ZMdmk1eDZ2WmxRIn0.eyJleHAiOjkyMDg5NDQwMDAwMDAwfQ==.nsNfG5xxJWU24CcmgOBvJEKRKpoY81noHCO9_is4tLdX7grLz8HcQIFsrQaWTpPkIIbb7lc8FkYOlkwbnC9L5MX7lhfoJdPmG_Eh7uJl3RSIHm743gTmWmOeK8s5OPJnNibyfeUMpdH244jZ__uUchz3IrXKwt8pSvIKvGAFSgykkBtPghaePz4XOqNrOHvbP5bqKeoJGSSmHq_4b0bF0d_WQaPrQuduOJ545bTcfUJe38jWPPB1C4MywR1w1fzC0yg7DZFliPrLNXFwKSPd_CYwzLf1hwmr0vEd9I6QXAZo5BcAe9hVlX0mgZZ1H8FNqwvWd4rQKoDDnQMKs7NpsQ', refreshToken: 'blah'}
+  }),
+}));
+
+const mockedNow = 0;
+Date.now = jest.fn(() => mockedNow);
+
+class MockESClient {
+  asScoped(request: OpenSearchDashboardsRequest) {
+      return {
+          async callAsCurrentUser(action: string, params: any) {
+              // Dummy implementation, replace it with desired dummy value
+              return { dummy: 'value' };
+          }
+      };
+  }
+}
 
 interface Logger {
   debug(message: string): void;
@@ -55,6 +84,9 @@ describe('test OpenId authHeaderValue', () => {
         additional_cookies: 5,
       },
     },
+    auth: {
+      unauthenticated_routes: []
+    }
   } as unknown) as SecurityPluginConfigType;
 
   const logger = {
@@ -207,4 +239,54 @@ describe('test OpenId authHeaderValue', () => {
     expect(wreckHttpsOptions.cert).toBeUndefined();
     expect(wreckHttpsOptions.passphrase).toBeUndefined();
   });
+
+  test('OpenID cookie expiry time is based on IDP', async () => {
+    const oidcConfig = ({
+      openid: {
+        header: 'authorization',
+        scope: [],
+        extra_storage: {
+          cookie_prefix: 'testcookie',
+          additional_cookies: 5,
+        },
+      },
+      auth: {
+        unauthenticated_routes: []
+      },
+      session:{
+        keepalive: false
+      }
+    } as unknown) as SecurityPluginConfigType;
+    const openIdAuthentication = new OpenIdAuthentication(
+      oidcConfig,
+      new BrowserSessionStorageFactory(SecurityAuthSessionStorageKey),
+      router,
+      new MockESClient(),
+      core,
+      logger
+    );
+    const cookie: SecuritySessionCookie = {
+      credentials: {
+        authHeaderValue: 'Bearer eyToken',
+        refresh_token: 'blah'
+      },
+      username: 'admin',
+      expiryTime: -1,
+      authType: 'openid'
+    };
+    sessionStorage.setItem(SecurityAuthSessionStorageKey, JSON.stringify(cookie));
+
+    const mockRequest = httpServerMock.createOpenSearchDashboardsRequest({
+      path: '/api/v1',
+    });
+
+    // Mock response and toolkit functions
+    const responseMock = jest.fn();
+    const toolkitMock = {
+      authenticated: jest.fn((value) => value),
+    };
+
+    const _ = await openIdAuthentication.authHandler(mockRequest, responseMock, toolkitMock);
+    console.log(JSON.parse(sessionStorage.getItem(SecurityAuthSessionStorageKey)!))
+  })
 });

server/auth/types/openid/openid_auth.ts

@@ -286,6 +286,7 @@ export class OpenIdAuthentication extends AuthenticationType {
 
         // if no id_token from refresh token call, maybe the Idp doesn't allow refresh id_token
         if (refreshTokenResponse.idToken) {
+          console.log('successfully in refresh flow')
           cookie.credentials = {
             authHeaderValueExtra: true,
             refresh_token: refreshTokenResponse.refreshToken,

server/session/cookie_splitter.ts

@@ -125,6 +125,7 @@ export function splitValueIntoCookies(
   for (let i = 1; i <= additionalCookies; i++) {
     values.push(value.substring((i - 1) * splitValueAt, i * splitValueAt));
   }
+  console.log(rawRequest.cookieAuth)
 
   values.forEach(async (cookieSplitValue: string, index: number) => {
     const cookieName: string = cookiePrefix + (index + 1);