[Backport 1.x] Split up a value into multiple cookie payloads

.github/actions/install-dashboards/action.yml

@@ -48,7 +48,7 @@ runs:
     - id: branch-switch-if-possible
       continue-on-error: true # Defaults onto main if the branch switch doesn't work
       if: ${{ steps.osd-version.outputs.osd-version }}
-      run: git checkout ${{ steps.osd-version.outputs.osd-version }} || git checkout ${{ steps.osd-version.outputs.osd-x-version }}x
+      run: git checkout 1.3.14 || git checkout ${{ steps.osd-version.outputs.osd-version }} || git checkout ${{ steps.osd-version.outputs.osd-x-version }}x
       working-directory: ./OpenSearch-Dashboards
       shell: bash
 

common/index.ts

@@ -37,6 +37,8 @@ export const DEFAULT_TENANT = 'default';
 export const GLOBAL_TENANT_RENDERING_TEXT = 'Global';
 export const PRIVATE_TENANT_RENDERING_TEXT = 'Private';
 export const globalTenantName = 'global_tenant';
+export const MAX_LENGTH_OF_COOKIE_BYTES = 4000;
+export const ESTIMATED_IRON_COOKIE_OVERHEAD = 1.5;
 
 export enum AuthType {
   BASIC = 'basicauth',

release-notes/opensearch-security-dashboards-plugin.release-notes-1.3.14.0.md

@@ -0,0 +1,8 @@
+## 2023-12-08 Version 1.3.14.0
+
+Compatible with OpenSearch-Dashboards 1.3.14
+
+### Maintenance
+
+* Update `yarn.lock` file ([#1669](https://github.com/opensearch-project/security-dashboards-plugin/pull/1669))
+* Bump  `debug` to `4.3.4` and `browserify-sign` to `4.2.2` to address CVEs ([#1674](https://github.com/opensearch-project/security-dashboards-plugin/pull/1674))

server/auth/auth_handler_factory.test.ts

@@ -30,30 +30,35 @@ jest.mock('./types', () => {
       return {
         authHandler: () => {},
         type: 'basicauth',
+        init: () => {},
       };
     }),
     JwtAuthentication: jest.fn().mockImplementation(() => {
       return {
         authHandler: () => {},
         type: 'jwt',
+        init: () => {},
       };
     }),
     OpenIdAuthentication: jest.fn().mockImplementation(() => {
       return {
         authHandler: () => {},
         type: 'openid',
+        init: () => {},
       };
     }),
     ProxyAuthentication: jest.fn().mockImplementation(() => {
       return {
         authHandler: () => {},
         type: 'proxy',
+        init: () => {},
       };
     }),
     SamlAuthentication: jest.fn().mockImplementation(() => {
       return {
         authHandler: () => {},
         type: 'saml',
+        init: () => {},
       };
     }),
   };
@@ -69,8 +74,8 @@ describe('test authentication factory', () => {
 
   beforeEach(() => {});
 
-  test('get basic auth', () => {
-    const auth = getAuthenticationHandler(
+  test('get basic auth', async () => {
+    const auth = await getAuthenticationHandler(
       'basicauth',
       router,
       config,
@@ -82,8 +87,8 @@ describe('test authentication factory', () => {
     expect(auth.type).toEqual('basicauth');
   });
 
-  test('get basic auth with empty auth type', () => {
-    const auth = getAuthenticationHandler(
+  test('get basic auth with empty auth type', async () => {
+    const auth = await getAuthenticationHandler(
       '',
       router,
       config,
@@ -95,8 +100,8 @@ describe('test authentication factory', () => {
     expect(auth.type).toEqual('basicauth');
   });
 
-  test('get jwt auth', () => {
-    const auth = getAuthenticationHandler(
+  test('get jwt auth', async () => {
+    const auth = await getAuthenticationHandler(
       'jwt',
       router,
       config,
@@ -108,8 +113,8 @@ describe('test authentication factory', () => {
     expect(auth.type).toEqual('jwt');
   });
 
-  test('get openid auth', () => {
-    const auth = getAuthenticationHandler(
+  test('get openid auth', async () => {
+    const auth = await getAuthenticationHandler(
       'openid',
       router,
       config,
@@ -121,8 +126,8 @@ describe('test authentication factory', () => {
     expect(auth.type).toEqual('openid');
   });
 
-  test('get proxy auth', () => {
-    const auth = getAuthenticationHandler(
+  test('get proxy auth', async () => {
+    const auth = await getAuthenticationHandler(
       'proxy',
       router,
       config,
@@ -134,8 +139,8 @@ describe('test authentication factory', () => {
     expect(auth.type).toEqual('proxy');
   });
 
-  test('get saml auth', () => {
-    const auth = getAuthenticationHandler(
+  test('get saml auth', async () => {
+    const auth = await getAuthenticationHandler(
       'saml',
       router,
       config,
@@ -147,9 +152,9 @@ describe('test authentication factory', () => {
     expect(auth.type).toEqual('saml');
   });
 
-  test('throws error for invalid auth type', () => {
-    expect(() => {
-      getAuthenticationHandler(
+  test('throws error for invalid auth type', async () => {
+    try {
+      await getAuthenticationHandler(
         'invalid',
         router,
         config,
@@ -158,6 +163,9 @@ describe('test authentication factory', () => {
         sessionStorageFactory,
         logger
       );
-    }).toThrow('Unsupported authentication type: invalid');
+    } catch (e) {
+      const targetError = 'Error: Unsupported authentication type: invalid';
+      expect(e.toString()).toEqual(targetError);
+    }
   });
 });

server/auth/auth_handler_factory.ts

@@ -32,27 +32,29 @@ import { SecuritySessionCookie } from '../session/security_cookie';
 import { IAuthenticationType, IAuthHandlerConstructor } from './types/authentication_type';
 import { SecurityPluginConfigType } from '..';
 
-function createAuthentication(
+async function createAuthentication(
   ctor: IAuthHandlerConstructor,
   config: SecurityPluginConfigType,
   sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
   router: IRouter,
   esClient: ILegacyClusterClient,
   coreSetup: CoreSetup,
   logger: Logger
-): IAuthenticationType {
-  return new ctor(config, sessionStorageFactory, router, esClient, coreSetup, logger);
+): Promise<IAuthenticationType> {
+  const authHandler = new ctor(config, sessionStorageFactory, router, esClient, coreSetup, logger);
+  await authHandler.init();
+  return authHandler;
 }
 
-export function getAuthenticationHandler(
+export async function getAuthenticationHandler(
   authType: string,
   router: IRouter,
   config: SecurityPluginConfigType,
   core: CoreSetup,
   esClient: ILegacyClusterClient,
   securitySessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
   logger: Logger
-): IAuthenticationType {
+): Promise<IAuthenticationType> {
   let authHandlerType: IAuthHandlerConstructor;
   switch (authType) {
     case '':
@@ -74,7 +76,7 @@ export function getAuthenticationHandler(
     default:
       throw new Error(`Unsupported authentication type: ${authType}`);
   }
-  const auth: IAuthenticationType = createAuthentication(
+  const auth: IAuthenticationType = await createAuthentication(
     authHandlerType,
     config,
     securitySessionStorageFactory,

server/auth/types/authentication_type.ts

@@ -39,6 +39,7 @@ import { UnauthenticatedError } from '../../errors';
 export interface IAuthenticationType {
   type: string;
   authHandler: AuthenticationHandler;
+  init: () => Promise<void>;
 }
 
 export type IAuthHandlerConstructor = new (
@@ -118,7 +119,7 @@ export abstract class AuthenticationType implements IAuthenticationType {
         cookie = undefined;
       }
 
-      if (!cookie || !(await this.isValidCookie(cookie))) {
+      if (!cookie || !(await this.isValidCookie(cookie, request))) {
         // clear cookie
         this.sessionStorageFactory.asScoped(request).clear();
 
@@ -140,7 +141,7 @@ export abstract class AuthenticationType implements IAuthenticationType {
       }
       // cookie is valid
       // build auth header
-      const authHeadersFromCookie = this.buildAuthHeaderFromCookie(cookie!);
+      const authHeadersFromCookie = this.buildAuthHeaderFromCookie(cookie!, request);
       Object.assign(authHeaders, authHeadersFromCookie);
       const additonalAuthHeader = this.getAdditionalAuthHeader(request);
       Object.assign(authHeaders, additonalAuthHeader);
@@ -236,11 +237,21 @@ export abstract class AuthenticationType implements IAuthenticationType {
     request: OpenSearchDashboardsRequest,
     authInfo: any
   ): SecuritySessionCookie;
-  protected abstract async isValidCookie(cookie: SecuritySessionCookie): Promise<boolean>;
+
+  public abstract isValidCookie(
+    cookie: SecuritySessionCookie,
+    request: OpenSearchDashboardsRequest
+  ): Promise<boolean>;
+
   protected abstract handleUnauthedRequest(
     request: OpenSearchDashboardsRequest,
     response: LifecycleResponseFactory,
     toolkit: AuthToolkit
   ): IOpenSearchDashboardsResponse | AuthResult;
-  protected abstract buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any;
+
+  public abstract buildAuthHeaderFromCookie(
+    cookie: SecuritySessionCookie,
+    request: OpenSearchDashboardsRequest
+  ): any;
+  public abstract init(): Promise<void>;
 }

server/auth/types/basic/basic_auth.ts

@@ -44,11 +44,9 @@ export class BasicAuthentication extends AuthenticationType {
     logger: Logger
   ) {
     super(config, sessionStorageFactory, router, esClient, coreSetup, logger);
-
-    this.init();
   }
 
-  private async init() {
+  public async init() {
     const routes = new BasicAuthRoutes(
       this.router,
       this.config,

server/auth/types/jwt/jwt_auth.ts

@@ -45,11 +45,9 @@ export class JwtAuthentication extends AuthenticationType {
   ) {
     super(config, sessionStorageFactory, router, esClient, coreSetup, logger);
     this.authHeaderName = this.config.jwt?.header.toLowerCase() || 'authorization';
-
-    this.init();
   }
 
-  private async init() {
+  public async init() {
     const routes = new JwtAuthRoutes(this.router, this.sessionStorageFactory);
     routes.setupRoutes();
   }

server/auth/types/openid/openid_auth.test.ts

@@ -0,0 +1,120 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { httpServerMock } from '../../../../../../src/core/server/http/http_server.mocks';
+
+import { OpenSearchDashboardsRequest } from '../../../../../../src/core/server/http/router';
+
+import { OpenIdAuthentication } from './openid_auth';
+import { SecurityPluginConfigType } from '../../../index';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { deflateValue } from '../../../utils/compression';
+import {
+  IRouter,
+  CoreSetup,
+  ILegacyClusterClient,
+  Logger,
+  SessionStorageFactory,
+} from '../../../../../../src/core/server';
+
+describe('test OpenId authHeaderValue', () => {
+  let router: IRouter;
+  let core: CoreSetup;
+  let esClient: ILegacyClusterClient;
+  let sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>;
+  let logger: Logger;
+
+  // Consistent with auth_handler_factory.test.ts
+  beforeEach(() => {});
+
+  const config = ({
+    openid: {
+      header: 'authorization',
+      scope: [],
+      extra_storage: {
+        cookie_prefix: 'testcookie',
+        additional_cookies: 5,
+      },
+    },
+  } as unknown) as SecurityPluginConfigType;
+
+  test('make sure that cookies with authHeaderValue are still valid', async () => {
+    const openIdAuthentication = new OpenIdAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      core,
+      logger
+    );
+
+    const mockRequest = httpServerMock.createRawRequest();
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const cookie: SecuritySessionCookie = {
+      credentials: {
+        authHeaderValue: 'Bearer eyToken',
+      },
+    };
+
+    const expectedHeaders = {
+      authorization: 'Bearer eyToken',
+    };
+
+    const headers = openIdAuthentication.buildAuthHeaderFromCookie(cookie, osRequest);
+
+    expect(headers).toEqual(expectedHeaders);
+  });
+
+  test('get authHeaderValue from split cookies', async () => {
+    const openIdAuthentication = new OpenIdAuthentication(
+      config,
+      sessionStorageFactory,
+      router,
+      esClient,
+      core,
+      logger
+    );
+
+    const testString = 'Bearer eyCombinedToken';
+    const testStringBuffer: Buffer = deflateValue(testString);
+    const cookieValue = testStringBuffer.toString('base64');
+    const cookiePrefix = config.openid!.extra_storage.cookie_prefix;
+    const splitValueAt = Math.ceil(
+      cookieValue.length / config.openid!.extra_storage.additional_cookies
+    );
+    const mockRequest = httpServerMock.createRawRequest({
+      state: {
+        [cookiePrefix + '1']: cookieValue.substring(0, splitValueAt),
+        [cookiePrefix + '2']: cookieValue.substring(splitValueAt),
+      },
+    });
+    const osRequest = OpenSearchDashboardsRequest.from(mockRequest);
+
+    const cookie: SecuritySessionCookie = {
+      credentials: {
+        authHeaderValueExtra: true,
+      },
+    };
+
+    const expectedHeaders = {
+      authorization: testString,
+    };
+
+    const headers = openIdAuthentication.buildAuthHeaderFromCookie(cookie, osRequest);
+
+    expect(headers).toEqual(expectedHeaders);
+  });
+});