From 84f9638b879a589ab148da1eebb48fee9cb08b71 Mon Sep 17 00:00:00 2001
From: Court Ewing
Date: Thu, 6 Dec 2018 11:59:10 -0500
Subject: [PATCH] Update token API calls in elaticsearch.js (#26650)
---
 .../providers/__tests__/saml.js | 14 +++++------
 .../lib/authentication/providers/saml.js | 4 ++--
 x-pack/server/lib/esjs_shield_plugin.js | 24 +++++++++++++++++--
 3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
index 0000afe96a0b50..ad9720422cfa33 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
@@ -236,7 +236,7 @@ describe('SAMLAuthenticationProvider', () => {
 expect(request.headers).to.not.have.property('authorization');
 expect(authenticationResult.failed()).to.be(true);
 expect(authenticationResult.error).to.be(failureReason);
- sinon.assert.neverCalledWith(callWithRequest, 'shield.samlRefreshAccessToken');
+ sinon.assert.neverCalledWith(callWithRequest, 'shield.getAccessToken');
 });
 it('succeeds if token from the state is expired, but has been successfully refreshed.', async () => {
@@ -259,7 +259,7 @@ describe('SAMLAuthenticationProvider', () => {
 callWithInternalUser
 .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: 'valid-refresh-token' } }
 )
 .returns(Promise.resolve({ access_token: 'new-access-token', refresh_token: 'new-refresh-token' }));
@@ -291,7 +291,7 @@ describe('SAMLAuthenticationProvider', () => {
 const refreshFailureReason = new Error('Something is wrong with refresh token.');
 callWithInternalUser
 .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
 )
 .returns(Promise.reject(refreshFailureReason));
@@ -318,7 +318,7 @@ describe('SAMLAuthenticationProvider', () => {
 callWithInternalUser
 .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
 )
 .returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
@@ -352,7 +352,7 @@ describe('SAMLAuthenticationProvider', () => {
 callWithInternalUser
 .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
 )
 .returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
@@ -388,7 +388,7 @@ describe('SAMLAuthenticationProvider', () => {
 callWithInternalUser
 .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
 )
 .returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
@@ -422,7 +422,7 @@ describe('SAMLAuthenticationProvider', () => {
 callWithInternalUser
 .withArgs(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
 )
 .returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
index fc364736e395b9..dbe6091d987ddf 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/saml.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
@@ -34,7 +34,7 @@ function isAccessTokenExpiredError(err) {
 }
 /**
- * Checks the error returned by Elasticsearch as the result of `samlRefreshAccessToken` call and returns `true` if
+ * Checks the error returned by Elasticsearch as the result of `getAccessToken` call and returns `true` if
 * request has been rejected because of invalid refresh token (expired after 24 hours or have been used already),
 * otherwise returns `false`.
 * @param {Object} err Error returned from Elasticsearch.
@@ -269,7 +269,7 @@ export class SAMLAuthenticationProvider {
 access_token: newAccessToken,
 refresh_token: newRefreshToken
 } = await this._options.client.callWithInternalUser(
- 'shield.samlRefreshAccessToken',
+ 'shield.getAccessToken',
 { body: { grant_type: 'refresh_token', refresh_token: refreshToken } }
 );
diff --git a/x-pack/server/lib/esjs_shield_plugin.js b/x-pack/server/lib/esjs_shield_plugin.js
index fd1552e38bb5c3..e8b962e89e7b8d 100644
--- a/x-pack/server/lib/esjs_shield_plugin.js
+++ b/x-pack/server/lib/esjs_shield_plugin.js
@@ -360,14 +360,14 @@
 });
 /**
- * Refreshes SAML access token.
+ * Refreshes an access token.
 *
 * @param {string} grant_type Currently only "refresh_token" grant type is supported.
 * @param {string} refresh_token One-time refresh token that will be exchanged to the new access/refresh token pair.
 *
 * @returns {{access_token: string, type: string, expires_in: number, refresh_token: string}}
 */
- shield.samlRefreshAccessToken = ca({
+ shield.getAccessToken = ca({
 method: 'POST',
 needBody: true,
 url: {
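Review bot: The line `* @param {string} grant_type Currently only "refresh_token" grant type is supported.` is carried over unchanged while the method is renamed from the SAML-specific `samlRefreshAccessToken` to the generic `getAccessToken`, so it now reads as a restriction of the endpoint rather than of how Kibana uses it; the `ca` definition visible in this hunk only sets `method: 'POST'` and `needBody: true` and forwards whatever `body` the caller supplies, with no grant-type check of its own. I would reword it to `* @param {string} grant_type OAuth2 grant type; Kibana currently only passes "refresh_token".` and scope the second parameter to that grant, `* @param {string} refresh_token Required for the "refresh_token" grant; one-time token exchanged for a new access/refresh token pair.`. Whether Elasticsearch accepts other grant types on this route is not visible here, so the comment should not claim it either way. The `shield.getAccessToken = ca({` definition continues past the end of the hunk (its `url` block is cut off).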
@@ -375,6 +375,26 @@
 }
 });
+ /**
+ * Invalidates an access token.
+ *
+ * @param {string} token The access token to invalidate
+ *
+ * @returns {{created: boolean}}
+ */
+ shield.deleteAccessToken = ca({
+ method: 'DELETE',
+ needBody: true,
+ params: {
+ token: {
+ type: 'string'
+ }
+ },
+ url: {
+ fmt: '/_xpack/security/oauth2/token'
+ }
+ });
+
 shield.getPrivilege = ca({
 method: 'GET',
 urls: [{
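Review bot: The added `params: { token: { type: 'string' } }` on `shield.deleteAccessToken` appears to declare `token` as a query-string parameter, which is what `params` means for the elasticsearch-js client-action helper as far as I can tell; the sibling `getAccessToken` just above declares no `params` and takes its fields through `body`, and the `needBody: true` here already requires a body. A caller following the `@param {string} token` doc and passing `{ token }` would therefore put the bearer token into the request URL, where it lands in proxy and access logs, and still fail the `needBody` check. I would drop the `params` block entirely and make the doc say where the token goes: `* @param {string} token The access token to invalidate, sent in the request body as \`{ body: { token } }\`.`. Nothing in this patch calls `deleteAccessToken` and the test hunks only cover `getAccessToken`, so the declared shape is not exercised anywhere visible here. The `shield.getPrivilege = ca({` definition at the end of the hunk continues outside it.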