Switch Kerberos authentication provider to a dedicated _kerberos gr…

…ant. Introduce `Tokens` for common access/refresh token tasks. (#39366) * Switch Kerberos authentication provider to a dedicated `_kerberos` grant. Introduce `Tokens` for common access/refresh token tasks. * Review#1: improve/fix code comments, properly log the case when token invalidation failed.
elastic · Jul 1, 2019 · 743f631 · 743f631
1 parent f60b536
commit 743f631
Show file tree

Hide file tree

Showing 16 changed files with 930 additions and 859 deletions.
diff --git a/x-pack/legacy/plugins/security/server/lib/authentication/authenticator.ts b/x-pack/legacy/plugins/security/server/lib/authentication/authenticator.ts
@@ -22,6 +22,7 @@ import { DeauthenticationResult } from './deauthentication_result';
 import { Session } from './session';
 import { LoginAttempt } from './login_attempt';
 import { AuthenticationProviderSpecificOptions } from './providers/base';
+import { Tokens } from './tokens';
 
 interface ProviderSession {
   provider: string;
@@ -56,11 +57,14 @@ function assertRequest(request: Legacy.Request) {
  */
 function getProviderOptions(server: Legacy.Server) {
   const config = server.config();
+  const client = getClient(server);
+  const log = server.log.bind(server);
 
   return {
-    client: getClient(server),
-    log: server.log.bind(server),
+    client,
+    log,
     basePath: config.get<string>('server.basePath'),
+    tokens: new Tokens({ client, log }),
   };
 }
 

diff --git a/x-pack/legacy/plugins/security/server/lib/authentication/providers/base.mock.ts b/x-pack/legacy/plugins/security/server/lib/authentication/providers/base.mock.ts
@@ -4,16 +4,21 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { stub } from 'sinon';
+import { stub, createStubInstance } from 'sinon';
+import { Tokens } from '../tokens';
 import { AuthenticationProviderOptions } from './base';
 
 export function mockAuthenticationProviderOptions(
-  providerOptions: Partial<AuthenticationProviderOptions> = {}
+  providerOptions: Partial<Pick<AuthenticationProviderOptions, 'basePath'>> = {}
 ) {
+  const client = { callWithRequest: stub(), callWithInternalUser: stub() };
+  const log = stub();
+
   return {
-    client: { callWithRequest: stub(), callWithInternalUser: stub() },
-    log: stub(),
+    client,
+    log,
     basePath: '/base-path',
+    tokens: createStubInstance(Tokens),
     ...providerOptions,
   };
 }
diff --git a/x-pack/legacy/plugins/security/server/lib/authentication/providers/base.ts b/x-pack/legacy/plugins/security/server/lib/authentication/providers/base.ts
@@ -8,6 +8,7 @@ import { Legacy } from 'kibana';
 import { AuthenticationResult } from '../authentication_result';
 import { DeauthenticationResult } from '../deauthentication_result';
 import { LoginAttempt } from '../login_attempt';
+import { Tokens } from '../tokens';
 
 /**
  * Describes a request complemented with `loginAttempt` method.
@@ -23,6 +24,7 @@ export interface AuthenticationProviderOptions {
   basePath: string;
   client: Legacy.Plugins.elasticsearch.Cluster;
   log: (tags: string[], message: string) => void;
+  tokens: PublicMethodsOf<Tokens>;
 }
 
 /**

diff --git a/x-pack/legacy/plugins/security/server/lib/authentication/providers/basic.test.ts b/x-pack/legacy/plugins/security/server/lib/authentication/providers/basic.test.ts
@@ -24,7 +24,7 @@ describe('BasicAuthenticationProvider', () => {
     let callWithRequest: sinon.SinonStub;
     beforeEach(() => {
       const providerOptions = mockAuthenticationProviderOptions();
-      callWithRequest = providerOptions.client.callWithRequest as sinon.SinonStub;
+      callWithRequest = providerOptions.client.callWithRequest;
       provider = new BasicAuthenticationProvider(providerOptions);
     });