Preserve Query in nextUrl during openid login redirect

release-notes/opensearch-security-dashboards-plugin.release-notes-2.18.0.0.md

@@ -0,0 +1,10 @@
+## Version 2.18.0 Release Notes
+
+Compatible with OpenSearch and OpenSearch Dashboards version 2.18.0
+
+### Enhancements
+* Add JWT authentication type to MultipleAuthentication ([#2107](https://github.com/opensearch-project/security-dashboards-plugin/pull/2107))
+
+### Bug Fixes
+* Update category label for security plugin ([#2121](https://github.com/opensearch-project/security-dashboards-plugin/pull/2121))
+* Fix button label ([#2130](https://github.com/opensearch-project/security-dashboards-plugin/pull/2130))

server/auth/types/openid/openid_auth.test.ts

@@ -15,19 +15,27 @@
 
 import { httpServerMock } from '../../../../../../src/core/server/http/http_server.mocks';
 
-import { OpenSearchDashboardsRequest } from '../../../../../../src/core/server/http/router';
+import {
+  OpenSearchDashboardsRequest,
+  ResponseHeaders,
+} from '../../../../../../src/core/server/http/router';
 
 import { OpenIdAuthentication } from './openid_auth';
 import { SecurityPluginConfigType } from '../../../index';
 import { SecuritySessionCookie } from '../../../session/security_cookie';
 import { deflateValue } from '../../../utils/compression';
 import { getObjectProperties } from '../../../utils/object_properties_defined';
 import {
-  IRouter,
+  AuthResult,
+  AuthResultParams,
+  AuthResultType,
+  AuthToolkit,
   CoreSetup,
   ILegacyClusterClient,
+  IRouter,
   SessionStorageFactory,
 } from '../../../../../../src/core/server';
+import { coreMock } from '../../../../../../src/core/public/mocks';
 
 interface Logger {
   debug(message: string): void;
@@ -334,3 +342,206 @@
     global.Date.now = realDateNow;
   });
 });
+
+describe('Test OpenID Unauthorized Flows', () => {
+  let router: IRouter;
+  let core: CoreSetup;
+  let esClient: ILegacyClusterClient;
+  let sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>;
+
+  // Consistent with auth_handler_factory.test.ts
+  beforeEach(() => {});
+
+  const config = ({
+    cookie: {
+      secure: false,
+    },
+    openid: {
+      header: 'authorization',
+      scope: [],
+      extra_storage: {
+        cookie_prefix: 'testcookie',
+        additional_cookies: 5,
+      },
+    },
+  } as unknown) as SecurityPluginConfigType;
+
+  const logger = {
+    debug: (message: string) => {},
+    info: (message: string) => {},
+    warn: (message: string) => {},
+    error: (message: string) => {},
+    fatal: (message: string) => {},
+  };
+
+  const authToolkit: AuthToolkit = {
+    authenticated(data: AuthResultParams = {}): AuthResult {
+      return {
+        type: AuthResultType.authenticated,
+        state: data.state,
+        requestHeaders: data.requestHeaders,
+        responseHeaders: data.responseHeaders,
+      };
+    },
+    notHandled(): AuthResult {
+      return {
+        type: AuthResultType.notHandled,
+      };
+    },
+    redirected(headers: { location: string } & ResponseHeaders): AuthResult {
+      return {
+        type: AuthResultType.redirected,
+        headers,
+      };
+    },
+  };
+
+  test('Ensure non pageRequest returns an unauthorized response', () => {
+    const openIdAuthentication = new OpenIdAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      core,
+      logger
+    );
+
+    const mockRequest = httpServerMock.createRawRequest({
+      url: {
+        pathname: '/unknownPath/',
+      },
+    });
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const mockLifecycleFactory = httpServerMock.createLifecycleResponseFactory();
+
+    openIdAuthentication.handleUnauthedRequest(osRequest, mockLifecycleFactory, authToolkit);
+
+    expect(mockLifecycleFactory.unauthorized).toBeCalledTimes(1);
+  });
+
+  test('Ensure request without path redirects to default route', () => {
+    const mockCore = coreMock.createSetup();
+    const openIdAuthentication = new OpenIdAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      mockCore,
+      logger
+    );
+
+    const mockRequest = httpServerMock.createRawRequest();
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const mockLifecycleFactory = httpServerMock.createLifecycleResponseFactory();
+
+    const authToolKitSpy = jest.spyOn(authToolkit, 'redirected');
+
+    openIdAuthentication.handleUnauthedRequest(osRequest, mockLifecycleFactory, authToolkit);
+
+    expect(authToolKitSpy).toHaveBeenCalledWith({
+      location: '/auth/openid/captureUrlFragment?nextUrl=/',
+      'set-cookie':
+        'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/',
+    });
+  });
+
+  test('Verify cookie is set "Secure" if configured', () => {
+    const mockCore = coreMock.createSetup();
+    const openIdAuthentication = new OpenIdAuthentication(
+      {
+        ...config,
+        cookie: {
+          secure: true,
+        },
+      },
+      sessionStorageFactory,
+      router,
+      esClient,
+      mockCore,
+      logger
+    );
+
+    const mockRequest = httpServerMock.createRawRequest();
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const mockLifecycleFactory = httpServerMock.createLifecycleResponseFactory();
+
+    const authToolKitSpy = jest.spyOn(authToolkit, 'redirected');
+
+    openIdAuthentication.handleUnauthedRequest(osRequest, mockLifecycleFactory, authToolkit);
+
+    expect(authToolKitSpy).toHaveBeenCalledWith({
+      location: '/auth/openid/captureUrlFragment?nextUrl=/',
+      'set-cookie':
+        'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/',
+    });
+  });
+
+  test('Ensure nextUrl points to original request pathname',() =>{
+    const mockCore = coreMock.createSetup();
+    const openIdAuthentication = new OpenIdAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      mockCore,
+      logger
+    );
+
+    const mockRequest = httpServerMock.createRawRequest({
+      url: {
+        pathname: '/app/dashboards',
+      },
+    });
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const mockLifecycleFactory = httpServerMock.createLifecycleResponseFactory();
+
+    const authToolKitSpy = jest.spyOn(authToolkit, 'redirected');
+
+
+    openIdAuthentication.handleUnauthedRequest(osRequest, mockLifecycleFactory, authToolkit);
+
+    expect(authToolKitSpy).toHaveBeenCalledWith({
+      location: '/auth/openid/captureUrlFragment?nextUrl=/app/dashboards',
+      'set-cookie':
+        'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/',
+    });
+  })
+
+  test('Ensure nextUrl points to original request pathname including security_tenant',() =>{
+    const mockCore = coreMock.createSetup();
+    const openIdAuthentication = new OpenIdAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      mockCore,
+      logger
+    );
+
+    const mockRequest = httpServerMock.createRawRequest({
+      url: {
+        pathname: '/app/dashboards',
+        search: 'security_tenant=testing'
+      },
+    });
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const mockLifecycleFactory = httpServerMock.createLifecycleResponseFactory();
+
+    const authToolKitSpy = jest.spyOn(authToolkit, 'redirected');
+
+
+    openIdAuthentication.handleUnauthedRequest(osRequest, mockLifecycleFactory, authToolkit);
+
+    expect(authToolKitSpy).toHaveBeenCalledWith({
+      location: `/auth/openid/captureUrlFragment?nextUrl=${escape("/app/dashboards?security_tenant=testing")}`,
+      'set-cookie':
+        'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/',
+    });
+  })
+
+});

server/auth/types/openid/openid_auth.ts

@@ -16,30 +16,29 @@
 import * as fs from 'fs';
 import wreck from '@hapi/wreck';
 import {
-  Logger,
-  SessionStorageFactory,
+  AuthResult,
+  AuthToolkit,
   CoreSetup,
-  IRouter,
   ILegacyClusterClient,
-  OpenSearchDashboardsRequest,
-  LifecycleResponseFactory,
-  AuthToolkit,
   IOpenSearchDashboardsResponse,
-  AuthResult,
+  IRouter,
+  LifecycleResponseFactory,
+  Logger,
+  OpenSearchDashboardsRequest,
+  SessionStorageFactory,
 } from 'opensearch-dashboards/server';
 import { PeerCertificate } from 'tls';
 import { Server, ServerStateCookieOptions } from '@hapi/hapi';
 import { ProxyAgent } from 'proxy-agent';
 import { SecurityPluginConfigType } from '../../..';
 import {
-  SecuritySessionCookie,
   clearOldVersionCookieValue,
+  SecuritySessionCookie,
 } from '../../../session/security_cookie';
 import { OpenIdAuthRoutes } from './routes';
 import { AuthenticationType } from '../authentication_type';
-import { callTokenEndpoint } from './helper';
+import { callTokenEndpoint, getExpirationDate } from './helper';
 import { getObjectProperties } from '../../../utils/object_properties_defined';
-import { getExpirationDate } from './helper';
 import { AuthType } from '../../../../common';
 import {
   ExtraAuthStorageOptions,
@@ -128,11 +127,14 @@ export class OpenIdAuthentication extends AuthenticationType {
   }
 
   private generateNextUrl(request: OpenSearchDashboardsRequest): string {
-    const path = getRedirectUrl({
+    let path = getRedirectUrl({
       request,
       basePath: this.coreSetup.http.basePath.serverBasePath,
       nextUrl: request.url.pathname || '/app/opensearch-dashboards',
     });
+    if (request.url.search) {
+      path += request.url.search;
+    }
     return escape(path);
   }
 

server/auth/types/openid/routes.ts

@@ -101,7 +101,7 @@ export class OpenIdAuthRoutes {
                   },
                 })
               ),
-              redirectHash: schema.maybe(schema.boolean()),
+              redirectHash: schema.maybe(schema.string()),
               state: schema.maybe(schema.string()),
               refresh: schema.maybe(schema.string()),
             },