Merge branch 'main' into release-ftr-tests

opensearch-project · Jun 13, 2024 · 0163999 · 0163999
2 parents 2d68089 + 208089e
commit 0163999
Show file tree

Hide file tree

Showing 11 changed files with 177 additions and 88 deletions.
diff --git a/package.json b/package.json
@@ -49,6 +49,8 @@
   "resolutions": {
     "selenium-webdriver": "4.10.0",
     "glob-parent": "^5.1.2",
-    "debug": "^4.3.4"
+    "debug": "^4.3.4",
+    "ejs": "^3.1.10",
+    "express": "^4.19.2"
   }
 }
diff --git a/public/apps/configuration/panels/audit-logging/audit-logging.tsx b/public/apps/configuration/panels/audit-logging/audit-logging.tsx
@@ -260,7 +260,7 @@ export function AuditLogging(props: AuditLoggingProps) {
       />
       <EuiPageHeader>
         <EuiTitle size="l">
-          <h1>Audit Logging</h1>
+          <h3>Audit logging</h3>
         </EuiTitle>
       </EuiPageHeader>
       <EuiSpacer />

diff --git a/...ic/apps/configuration/panels/audit-logging/test/__snapshots__/audit-logging.test.tsx.snap b/...ic/apps/configuration/panels/audit-logging/test/__snapshots__/audit-logging.test.tsx.snap
@@ -260,9 +260,9 @@ exports[`Audit logs render when AuditLoggingSettings.enabled is true 1`] = `
     <EuiTitle
       size="l"
     >
-      <h1>
-        Audit Logging
-      </h1>
+      <h3>
+        Audit logging
+      </h3>
     </EuiTitle>
   </EuiPageHeader>
   <EuiSpacer />
@@ -670,9 +670,9 @@ exports[`Audit logs should load access error component 1`] = `
     <EuiTitle
       size="l"
     >
-      <h1>
-        Audit Logging
-      </h1>
+      <h3>
+        Audit logging
+      </h3>
     </EuiTitle>
   </EuiPageHeader>
   <EuiSpacer />

diff --git a/public/apps/configuration/panels/user-list.tsx b/public/apps/configuration/panels/user-list.tsx
@@ -256,7 +256,7 @@ export function UserList(props: AppDependencies) {
                     href={buildHashUrl(ResourceType.users, Action.create)}
                     data-test-subj="create-user"
                   >
-                    Create user account
+                    Create internal user
                   </EuiButton>
                 </EuiFlexItem>
               </EuiFlexGroup>

diff --git a/public/apps/login/login-page.tsx b/public/apps/login/login-page.tsx
@@ -17,7 +17,6 @@ import React, { useState } from 'react';
 import {
   EuiText,
   EuiFieldText,
-  EuiIcon,
   EuiSpacer,
   EuiButton,
   EuiImage,
@@ -194,7 +193,7 @@ export function LoginPage(props: LoginPageDeps) {
                 data-test-subj="user-name"
                 aria-label="username_input"
                 placeholder="Username"
-                prepend={<EuiIcon type="user" />}
+                icon="user"
                 onChange={(e) => setUsername(e.target.value)}
                 value={username}
                 isInvalid={usernameValidationFailed}

diff --git a/public/apps/login/test/__snapshots__/login-page.test.tsx.snap b/public/apps/login/test/__snapshots__/login-page.test.tsx.snap
@@ -44,14 +44,10 @@ exports[`Login page renders renders with config value for multiauth 1`] = `
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -195,14 +191,10 @@ exports[`Login page renders renders with config value for multiauth with anonymo
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -364,14 +356,10 @@ exports[`Login page renders renders with config value with anonymous auth enable
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -483,14 +471,10 @@ exports[`Login page renders renders with config value with anonymous auth enable
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -602,14 +586,10 @@ exports[`Login page renders renders with config value: string 1`] = `
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -703,14 +683,10 @@ exports[`Login page renders renders with config value: string array 1`] = `
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -804,14 +780,10 @@ exports[`Login page renders renders with default value: string 1`] = `
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>
@@ -905,14 +877,10 @@ exports[`Login page renders renders with default value: string array 1`] = `
       <EuiFieldText
         aria-label="username_input"
         data-test-subj="user-name"
+        icon="user"
         isInvalid={false}
         onChange={[Function]}
         placeholder="Username"
-        prepend={
-          <EuiIcon
-            type="user"
-          />
-        }
         value=""
       />
     </EuiFormRow>

diff --git a/release-notes/opensearch-security-dashboards-plugin.release-notes-2.15.0.0.md b/release-notes/opensearch-security-dashboards-plugin.release-notes-2.15.0.0.md
@@ -0,0 +1,18 @@
+## Version 2.15.0 Release Notes
+
+Compatible with OpenSearch and OpenSearch Dashboards version 2.15.0
+
+### Enhancements
+* Remove tenant tab when disabled via yaml ([#1960](https://github.com/opensearch-project/security-dashboards-plugin/pull/1960))
+* Always show security screen and shows error page when trying to access forbidden data-source ([#1964](https://github.com/opensearch-project/security-dashboards-plugin/pull/1964))
+* Provide ability to view password ([#1980](https://github.com/opensearch-project/security-dashboards-plugin/pull/1980))
+* Make login screen input feels consistent ([#1993](https://github.com/opensearch-project/security-dashboards-plugin/pull/1993))
+
+### Bug Fixes
+* Fix bugs where pages were stuck in error state ([#1944](https://github.com/opensearch-project/security-dashboards-plugin/pull/1944))
+* Fix issue when using OpenID Authentication with serverBasePath ([#1899](https://github.com/opensearch-project/security-dashboards-plugin/pull/1899))
+* Fixes issue with expiryTime of OIDC cookie that causes refreshToken workflow to be skipped ([#1990](https://github.com/opensearch-project/security-dashboards-plugin/pull/1990))
+
+### Maintenance
+* Updating security reachout email ([#1948](https://github.com/opensearch-project/security-dashboards-plugin/pull/1948))
+* Bump ejs and express versions to address CVEs ([#1988](https://github.com/opensearch-project/security-dashboards-plugin/pull/1988))
diff --git a/server/auth/types/openid/openid_auth.test.ts b/server/auth/types/openid/openid_auth.test.ts
@@ -37,6 +37,12 @@ interface Logger {
   fatal(message: string): void;
 }
 
+const mockClient = { post: jest.fn() };
+
+jest.mock('@hapi/wreck', () => ({
+  defaults: jest.fn(() => mockClient),
+}));
+
 describe('test OpenId authHeaderValue', () => {
   let router: IRouter;
   let core: CoreSetup;
@@ -208,7 +214,7 @@ describe('test OpenId authHeaderValue', () => {
     expect(wreckHttpsOptions.passphrase).toBeUndefined();
   });
 
-  test('Ensure expiryTime is being used to test validity of cookie', async () => {
+  test('Ensure accessToken expiryTime is being used to test validity of cookie', async () => {
     const realDateNow = Date.now.bind(global.Date);
     const dateNowStub = jest.fn(() => 0);
     global.Date.now = dateNowStub;
@@ -229,22 +235,84 @@ describe('test OpenId authHeaderValue', () => {
     const testCookie: SecuritySessionCookie = {
       credentials: {
         authHeaderValue: 'Bearer eyToken',
-        expiry_time: -1,
+        expiryTime: 200,
       },
-      expiryTime: 2000,
+      expiryTime: 10000,
       username: 'admin',
       authType: 'openid',
     };
 
+    // Credentials are valid because 0 < 200
     expect(await openIdAuthentication.isValidCookie(testCookie, {})).toBe(true);
     global.Date.now = realDateNow;
   });
 
+  test('Ensure refreshToken workflow is called if current time is after access token expiry, but before session expiry', async () => {
+    const realDateNow = Date.now.bind(global.Date);
+    const dateNowStub = jest.fn(() => 300);
+    global.Date.now = dateNowStub;
+    const oidcConfig: unknown = {
+      openid: {
+        header: 'authorization',
+        scope: [],
+        extra_storage: {
+          cookie_prefix: 'testcookie',
+          additional_cookies: 0,
+        },
+      },
+    };
+
+    const openIdAuthentication = new OpenIdAuthentication(
+      oidcConfig as SecurityPluginConfigType,
+      sessionStorageFactory,
+      router,
+      esClient,
+      core,
+      logger
+    );
+    const testCookie: SecuritySessionCookie = {
+      credentials: {
+        authHeaderValue: 'Bearer eyToken',
+        expiryTime: 200,
+        refresh_token: 'refreshToken',
+      },
+      expiryTime: 10000,
+      username: 'admin',
+      authType: 'openid',
+    };
+
+    const mockRequestPayload = JSON.stringify({
+      grant_type: 'refresh_token',
+      client_id: 'clientId',
+      client_secret: 'clientSecret',
+      refresh_token: 'refreshToken',
+    });
+    const mockResponsePayload = JSON.stringify({
+      id_token: '.eyJleHAiOiIwLjUifQ.', // Translates to {"exp":"0.5"}
+      access_token: 'accessToken',
+      refresh_token: 'refreshToken',
+    });
+    mockClient.post.mockResolvedValue({
+      res: { statusCode: 200 },
+      payload: mockResponsePayload,
+    });
+
+    expect(await openIdAuthentication.isValidCookie(testCookie, {})).toBe(true);
+    expect(mockClient.post).toBeCalledTimes(1);
+    global.Date.now = realDateNow;
+  });
+
   test('getKeepAliveExpiry', () => {
+    const realDateNow = Date.now.bind(global.Date);
+    const dateNowStub = jest.fn(() => 300);
+    global.Date.now = dateNowStub;
     const oidcConfig: unknown = {
       openid: {
         scope: [],
       },
+      session: {
+        ttl: 3600,
+      },
     };
 
     const openIdAuthentication = new OpenIdAuthentication(
@@ -262,6 +330,7 @@ describe('test OpenId authHeaderValue', () => {
       expiryTime: 1000,
     };
 
-    expect(openIdAuthentication.getKeepAliveExpiry(testCookie, {})).toBe(1000);
+    expect(openIdAuthentication.getKeepAliveExpiry(testCookie, {})).toBe(3900);
+    global.Date.now = realDateNow;
   });
 });
diff --git a/server/auth/types/openid/openid_auth.ts b/server/auth/types/openid/openid_auth.ts
@@ -250,12 +250,11 @@ export class OpenIdAuthentication extends AuthenticationType {
     };
   }
 
-  // OIDC expiry time is set by the IDP and refreshed via refreshTokens
   getKeepAliveExpiry(
     cookie: SecuritySessionCookie,
     request: OpenSearchDashboardsRequest<unknown, unknown, unknown, any>
   ): number {
-    return cookie.expiryTime!;
+    return Date.now() + this.config.session.ttl;
   }
 
   // TODO: Add token expiration check here
@@ -272,7 +271,7 @@ export class OpenIdAuthentication extends AuthenticationType {
       return false;
     }
 
-    if (cookie.expiryTime > Date.now()) {
+    if (cookie.credentials.expiryTime > Date.now()) {
       return true;
     }
 
@@ -296,8 +295,8 @@ export class OpenIdAuthentication extends AuthenticationType {
           cookie.credentials = {
             authHeaderValueExtra: true,
             refresh_token: refreshTokenResponse.refreshToken,
+            expiryTime: getExpirationDate(refreshTokenResponse),
           };
-          cookie.expiryTime = getExpirationDate(refreshTokenResponse);
 
           setExtraAuthStorage(
             request,

diff --git a/server/auth/types/openid/routes.ts b/server/auth/types/openid/routes.ts
@@ -195,9 +195,10 @@ export class OpenIdAuthRoutes {
             username: user.username,
             credentials: {
               authHeaderValueExtra: true,
+              expiryTime: getExpirationDate(tokenResponse),
             },
             authType: AuthType.OPEN_ID,
-            expiryTime: getExpirationDate(tokenResponse),
+            expiryTime: Date.now() + this.config.session.ttl,
           };
           if (this.config.openid?.refresh_tokens && tokenResponse.refreshToken) {
             Object.assign(sessionStorage.credentials, {