-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preserve URL fragment during SAML handshake. #44513
Changes from 1 commit
71f2980
c891059
a3e32fd
ca8942a
19e6fb3
1f7faff
017f7bb
f564987
776ca98
8270f19
6febc2c
432d7bb
ff90be4
184c977
3302508
50fada9
170ee51
a38be2e
a361167
2b88f7b
dca6431
0a86b77
8b51a1c
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -31,6 +31,7 @@ import { SecureSavedObjectsClientWrapper } from './server/lib/saved_objects_clie | |
import { deepFreeze } from './server/lib/deep_freeze'; | ||
import { createOptionalPlugin } from '../../server/lib/optional_plugin'; | ||
import { KibanaRequest } from '../../../../src/core/server'; | ||
import { createCSPRuleString } from '../../../../src/legacy/server/csp'; | ||
|
||
export const security = (kibana) => new kibana.Plugin({ | ||
id: 'security', | ||
|
@@ -128,17 +129,18 @@ export const security = (kibana) => new kibana.Plugin({ | |
throw new Error('New Platform XPack Security plugin is not available.'); | ||
} | ||
|
||
const config = server.config(); | ||
const xpackMainPlugin = server.plugins.xpack_main; | ||
const xpackInfo = xpackMainPlugin.info; | ||
securityPlugin.registerLegacyAPI({ | ||
xpackInfo, | ||
isSystemAPIRequest: server.plugins.kibana.systemApi.isSystemApiRequest.bind( | ||
server.plugins.kibana.systemApi | ||
), | ||
cspRules: createCSPRuleString(config.get('csp.rules')), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. note: if we still need this we'll include that into NP blockers for Security plugin. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Included as blocker, for now we agreed with Platform to provide this through legacy API shim and hopefully get support for "lightweight" apps by 8.0 so that we don't need to set CSP manually anymore. |
||
}); | ||
|
||
const plugin = this; | ||
const config = server.config(); | ||
const xpackInfoFeature = xpackInfo.feature(plugin.id); | ||
|
||
// Register a function that is called whenever the xpack info changes, | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,6 +12,27 @@ import { KibanaRequest } from '../../../../../../../../src/core/server'; | |
import { createCSPRuleString } from '../../../../../../../../src/legacy/server/csp'; | ||
|
||
export function initAuthenticateApi({ authc: { login, logout }, config }, server) { | ||
const xsrfWhitelist = server.config().get('server.xsrf.whitelist'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. note: that the only BWC route deprecation approach I managed to find that wouldn't require NP plugin to expose SAML APIs directly (so that we can call them here). I don't like it, I'd rather be able to temporarily define routes with any URL for BWC reasons or have something like "URL alias" that we could define in NP for the new route. Will discuss with the Platform Team (discussing here #44620) |
||
server.ext('onRequest', (request, h) => { | ||
// We handle this route in new platform plugin, but use different URL. | ||
if (request.path === '/api/security/v1/saml') { | ||
server.log( | ||
['warning', 'security', 'deprecation'], | ||
`The following URL is deprecated and will stop working in the next major version: ${request.path}` | ||
); | ||
|
||
// If deprecated route (`/api/security/v1/saml`) is included into XSRF whitelist we should | ||
// implicitly include `/security/api/authc/saml/callback` as well to preserve the same behavior. | ||
// We can't modify config, but we can mark route as ^safe^ via `kbn-xsrf` header. | ||
if (xsrfWhitelist.includes(request.path)) { | ||
request.headers['kbn-xsrf'] = true; | ||
} | ||
|
||
request.setUrl('/security/api/authc/saml/callback'); | ||
} | ||
|
||
return h.continue; | ||
}); | ||
|
||
server.route({ | ||
method: 'POST', | ||
|
@@ -52,37 +73,6 @@ export function initAuthenticateApi({ authc: { login, logout }, config }, server | |
} | ||
}); | ||
|
||
server.route({ | ||
method: 'POST', | ||
path: '/api/security/v1/saml', | ||
config: { | ||
auth: false, | ||
validate: { | ||
payload: Joi.object({ | ||
SAMLResponse: Joi.string().required(), | ||
RelayState: Joi.string().allow('') | ||
}) | ||
} | ||
}, | ||
async handler(request, h) { | ||
try { | ||
// When authenticating using SAML we _expect_ to redirect to the SAML Identity provider. | ||
const authenticationResult = await login(KibanaRequest.from(request), { | ||
provider: 'saml', | ||
value: { samlResponse: request.payload.SAMLResponse } | ||
}); | ||
|
||
if (authenticationResult.redirected()) { | ||
return h.redirect(authenticationResult.redirectURL); | ||
} | ||
|
||
return Boom.unauthorized(authenticationResult.error); | ||
} catch (err) { | ||
return wrapError(err); | ||
} | ||
} | ||
}); | ||
|
||
/** | ||
* The route should be configured as a redirect URI in OP when OpenID Connect implicit flow | ||
* is used, so that we can extract authentication response from URL fragment and send it to | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: not completely sure if we need
authc
part. It may seem redundant, but at the same the security plugin API surface will expand significantly over time with various authz endpoints and such so it may be beneficial to separate them....There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once #44855 is merged I'll change URLs from
/security/api/*
to/api/security/*
. The question regardingauthc
part in URL is still open though.