Fix cookie expiry issues from IDP/JWT auth methods, disables keepaliv…

…e for JWT/IDP (#1773)



Signed-off-by: Derek Ho <dxho@amazon.com>

server/auth/types/authentication_type.test.ts

@@ -16,8 +16,12 @@
 import { SecurityPluginConfigType } from '../..';
 import { AuthenticationType } from './authentication_type';
 import { httpServerMock } from '../../../../../src/core/server/mocks';
+import { OpenSearchDashboardsRequest } from '../../../../../src/core/server';
 
 class DummyAuthType extends AuthenticationType {
+  authNotRequired(request: OpenSearchDashboardsRequest): boolean {
+    return false;
+  }
   buildAuthHeaderFromCookie() {}
   getAdditionalAuthHeader() {}
   handleUnauthedRequest() {}

server/auth/types/authentication_type.ts

@@ -160,7 +160,7 @@ export abstract class AuthenticationType implements IAuthenticationType {
 
       // extend session expiration time
       if (this.config.session.keepalive) {
-        cookie!.expiryTime = Date.now() + this.config.session.ttl;
+        cookie!.expiryTime = this.getKeepAliveExpiry(cookie!, request);
         this.sessionStorageFactory.asScoped(request).set(cookie!);
       }
       // cookie is valid
@@ -266,6 +266,13 @@ export abstract class AuthenticationType implements IAuthenticationType {
     });
   }
 
+  public getKeepAliveExpiry(
+    cookie: SecuritySessionCookie,
+    request: OpenSearchDashboardsRequest
+  ): number {
+    return Date.now() + this.config.session.ttl;
+  }
+
   isPageRequest(request: OpenSearchDashboardsRequest) {
     const path = request.url.pathname || '/';
     return path.startsWith('/app/') || path === '/' || path.startsWith('/goto/');
@@ -286,5 +293,10 @@ export abstract class AuthenticationType implements IAuthenticationType {
     response: LifecycleResponseFactory,
     toolkit: AuthToolkit
   ): IOpenSearchDashboardsResponse | AuthResult;
+  public abstract requestIncludesAuthInfo(request: OpenSearchDashboardsRequest): boolean;
+  public abstract buildAuthHeaderFromCookie(
+    cookie: SecuritySessionCookie,
+    request: OpenSearchDashboardsRequest
+  ): any;
   public abstract init(): Promise<void>;
 }

server/auth/types/basic/basic_auth.test.ts

@@ -0,0 +1,69 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { httpServerMock } from '../../../../../../src/core/server/http/http_server.mocks';
+
+import { SecurityPluginConfigType } from '../../../index';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import {
+  IRouter,
+  CoreSetup,
+  ILegacyClusterClient,
+  Logger,
+  SessionStorageFactory,
+} from '../../../../../../src/core/server';
+import { BasicAuthentication } from './basic_auth';
+
+describe('Basic auth tests', () => {
+  let router: IRouter;
+  let core: CoreSetup;
+  let esClient: ILegacyClusterClient;
+  let sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>;
+  let logger: Logger;
+
+  const config = {
+    session: {
+      ttl: 1000,
+    },
+  } as SecurityPluginConfigType;
+
+  test('getKeepAliveExpiry', () => {
+    const realDateNow = Date.now.bind(global.Date);
+    const dateNowStub = jest.fn(() => 0);
+    global.Date.now = dateNowStub;
+    const basicAuthentication = new BasicAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      core,
+      logger
+    );
+
+    const cookie: SecuritySessionCookie = {
+      credentials: {
+        authHeaderValueExtra: true,
+      },
+      expiryTime: 0,
+    };
+
+    const request = httpServerMock.createOpenSearchDashboardsRequest({
+      path: '/internal/v1',
+    });
+
+    expect(basicAuthentication.getKeepAliveExpiry(cookie, request)).toBe(1000);
+    global.Date.now = realDateNow;
+  });
+});

server/auth/types/basic/basic_auth.ts

@@ -133,7 +133,10 @@ export class BasicAuthentication extends AuthenticationType {
     }
   }
 
-  buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
+  buildAuthHeaderFromCookie(
+    cookie: SecuritySessionCookie,
+    request: OpenSearchDashboardsRequest
+  ): any {
     if (this.config.auth.anonymous_auth_enabled && cookie.isAnonymousAuth) {
       return {};
     }

server/auth/types/jwt/jwt_auth.ts

@@ -35,6 +35,7 @@ import {
   getExtraAuthStorageValue,
   setExtraAuthStorage,
 } from '../../../session/cookie_splitter';
+import { getExpirationDate } from './jwt_helper';
 
 export const JWT_DEFAULT_EXTRA_STORAGE_OPTIONS: ExtraAuthStorageOptions = {
   cookiePrefix: 'security_authentication_jwt',
@@ -154,13 +155,17 @@ export class JwtAuthentication extends AuthenticationType {
       this.getBearerToken(request) || '',
       this.getExtraAuthStorageOptions()
     );
+
     return {
       username: authInfo.user_name,
       credentials: {
         authHeaderValueExtra: true,
       },
       authType: this.type,
-      expiryTime: Date.now() + this.config.session.ttl,
+      expiryTime: getExpirationDate(
+        this.getBearerToken(request),
+        Date.now() + this.config.session.ttl
+      ),
     };
   }
 
@@ -175,6 +180,13 @@ export class JwtAuthentication extends AuthenticationType {
     );
   }
 
+  getKeepAliveExpiry(cookie: SecuritySessionCookie, request: OpenSearchDashboardsRequest): number {
+    return getExpirationDate(
+      this.buildAuthHeaderFromCookie(cookie, request)[this.authHeaderName],
+      Date.now() + this.config.session.ttl
+    );
+  }
+
   handleUnauthedRequest(
     request: OpenSearchDashboardsRequest,
     response: LifecycleResponseFactory,