override authentication methods

Signed-off-by: Sam <[email protected]>
opensearch-project · Oct 4, 2023 · 8aeb4ff · 8aeb4ff
1 parent 9e5cabf
commit 8aeb4ff
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 20 deletions.
diff --git a/server/auth/types/kerberos/kerberos_authentication.ts b/server/auth/types/kerberos/kerberos_authentication.ts
@@ -13,6 +13,7 @@
  *   permissions and limitations under the License.
  */
 
+import { get } from 'lodash';
 import { CoreSetup } from 'opensearch-dashboards/server';
 import { AuthenticationType } from '../authentication_type';
 import { SecurityPluginConfigType } from '../../../index';
@@ -35,7 +36,7 @@ export class KerberosAuthentication extends AuthenticationType {
   private authHeaderName: string;
 
   requestIncludesAuthInfo(request: OpenSearchDashboardsRequest): boolean {
-    return request.headers.Authorization ? true : false;
+    return get(request.headers, 'authorization') ? true : false;
   }
   public isValidCookie(
     cookie: SecuritySessionCookie,
@@ -73,8 +74,15 @@ export class KerberosAuthentication extends AuthenticationType {
     throw new Error('buildAuthHeaderFromCookie method not implemented.');
   }
 
-  getAdditionalAuthHeader(request: OpenSearchDashboardsRequest): Promise<any> {
-    throw new Error('getAdditionalAuthHeader method not implemented.');
+  async getAdditionalAuthHeader(
+    request: OpenSearchDashboardsRequest<unknown, unknown, unknown, any>
+  ): Promise<any> {
+    const header: any = {};
+    const token = get(request.headers, this.authHeaderName);
+    if (token) {
+      header[this.authHeaderName] = `${token}`;
+    }
+    return header;
   }
 
   getCookie(request: OpenSearchDashboardsRequest, authInfo: any): SecuritySessionCookie {
@@ -108,4 +116,9 @@ export class KerberosAuthentication extends AuthenticationType {
       return toolkit.notHandled(); // TODO: redirect to error page?
     }
   }
+
+  // public authHandler: AuthenticationHandler = async (request, response, toolkit) => {
+  //          return toolkit.notHandled();
+  //
+  //   }
 }
diff --git a/server/auth/types/kerberos/routes.ts b/server/auth/types/kerberos/routes.ts
@@ -105,9 +105,10 @@ export class KerberosAuthRoutes {
       //   return this.securityClient.authenticated();
       // }
 
-      const headers = {};
+      let headers;
       if (request.headers.authorization) {
-        headers.authorization = request.headers.authorization;
+        console.log('HHHHHHHHH');
+        headers = request.headers;
       }
 
       console.log(
@@ -116,37 +117,34 @@ export class KerberosAuthRoutes {
         request.headers
       );
 
-      const authInfo = await this.securityClient.authenticateWithHeaders(headers);
+      const authInfo = await this.securityClient.authenticateWithHeaders(request, headers);
 
       console.log(`Authenticated: ${JSON.stringify(authInfo, null, 2)}.`);
 
       return securityClient.authenticated();
-    } catch (error: Error) {
-      console.log('CATCH Error TYPE', typeof error);
-      console.log('CATCH Error NAME', error.name);
-      console.log('CATCH Error INNER', error.inner);
-
-      console.log('CATCH Error', error.toString());
-      console.log('CATCH Error HEADER', error.inner);
-
+    } catch (error) {
+      console.log(
+        'CATCH Error wwwAuthenticateDirective2',
+        get(error, `output.headers.${WWW_AUTHENTICATE_HEADER_NAME}`)
+      );
       backendError = error.inner || error;
     }
-    console.log('Backedn Error: ', backendError);
+    console.log('Backedn Error: ', backendError.toString());
 
     const negotiationProposal =
-      get(backendError, `body.error.header[${WWW_AUTHENTICATE_HEADER_NAME}]`, '') ||
+      get(backendError, `output.headers[${WWW_AUTHENTICATE_HEADER_NAME}]`, '') ||
       get(backendError, `meta.headers[${WWW_AUTHENTICATE_HEADER_NAME.toLowerCase()}]`, '');
     console.log(`Negotiating: ${negotiationProposal}`);
 
-    const isNegotiating =
-      negotiationProposal.startsWith('Negotiate') || // Kerberos negotiation
+    const isNegotiating: boolean =
+      negotiationProposal.startsWith('Negotiate') || // Kerberos negotiation  //TODO
       negotiationProposal === 'Basic realm="Authorization Required"'; // Basic auth negotiation
 
-    // Forward the SG backend negotiation proposal to a client.
+    // Browser should populate the header and repeat the request after the header is added...
     if (isNegotiating) {
       return response.unauthorized({
         headers: {
-          [WWW_AUTHENTICATE_HEADER_NAME]: negotiationProposal,
+          [WWW_AUTHENTICATE_HEADER_NAME]: 'Negotiate', // TODO
         },
       });
     }