Prevent Kerberos and PKI providers from initiating a new session for unauthenticated XHR/API requests. #82817
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
release_note:fix
Team:Security
azasypkin
commented
Nov 6, 2020
| @@ -253,9 +253,6 @@ | |||
| /x-pack/test/ui_capabilities/ @elastic/kibana-security | |||
| /x-pack/test/encrypted_saved_objects_api_integration/ @elastic/kibana-security | |||
| /x-pack/test/functional/apps/security/ @elastic/kibana-security | |||
| /x-pack/test/kerberos_api_integration/ @elastic/kibana-security | |||
There was a problem hiding this comment.
note: just continue moving the remaining tests whenever I have chance.
azasypkin
force-pushed
the
issue-78260-new-session-pki-kerberos
branch
3 times, most recently
from
9430012 to
1291abb
Compare
azasypkin
commented
Nov 6, 2020
| @@ -75,11 +77,8 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { | |||
| return AuthenticationResult.notHandled(); | |||
| } | |||
|
|
|||
| let authenticationResult = authorizationHeader | |||
There was a problem hiding this comment.
note: I'm not sure why we weren't checking the canStartNewSession here before, but I cannot find any reason why we shouldn't do it now. And we also should give a higher priority to the current session as well.
azasypkin
commented
Nov 6, 2020
| @@ -399,55 +408,102 @@ describe('PKIAuthenticationProvider', () => { | |||
| LegacyElasticsearchErrorHelpers.decorateNotAuthorizedError(new Error()) | |||
| ) | |||
| // In response to a call with a new token. | |||
| .mockResolvedValueOnce(user) // In response to call with an expired token. | |||
There was a problem hiding this comment.
note: I'll remove this stupid setup in the scope of #80952 soon.
azasypkin
commented
Nov 6, 2020
| }); | ||
| }); | ||
|
|
||
| describe('finishing SPNEGO', () => { | ||
| it('should properly set cookie and authenticate user', async () => { | ||
| const response = await supertest | ||
| .get('/internal/security/me') | ||
| .get('/security/account') |
There was a problem hiding this comment.
note: recently we started to treat all /internal/.... as API requests (canRedirectRequest === false).
|
Pinging @elastic/kibana-security (Team:Security) |
…unauthenticated XHR requests.
azasypkin
force-pushed
the
issue-78260-new-session-pki-kerberos
branch
from
1291abb to
0b6369e
Compare
|
Took the liberty of force-pushing to this branch to resolve conflicts with the most recent |
|
ACK: will review on Monday or Tuesday next week |
legrego
approved these changes
Nov 9, 2020
| @@ -264,12 +267,12 @@ export class KerberosAuthenticationProvider extends BaseAuthenticationProvider { | |||
| return AuthenticationResult.failed(err); | |||
| } | |||
|
|
|||
| // If refresh token is no longer valid, then we should clear session and renegotiate using SPNEGO. | |||
| // If refresh token is no longer valid, let's check if the request is allowed to start a new session, and if so try | |||
There was a problem hiding this comment.
Is this comment still valid? It seems like we don't have to check if the request is allowed to start a new session anymore, since authentication via refresh token is extending an existing session.
There was a problem hiding this comment.
You're absolutely right! This looks like a leftover from one of my initial WIPs, will fix, thanks!
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
azasypkin
added a commit
to azasypkin/kibana
that referenced
this pull request
Nov 9, 2020
…unauthenticated XHR/API requests. (elastic#82817) * Prevent Kerberos and PKI providers from initiating a new session for unauthenticated XHR requests. * Review#1: fix comment. # Conflicts: # .github/CODEOWNERS # x-pack/scripts/functional_tests.js
|
7.x/7.11.0: 129f4df |
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Nov 10, 2020
* master: (39 commits) Fix ilm navigation (elastic#81664) [Lens] Distinct icons for XY and pie chart value labels toolbar (elastic#82927) [data.search.aggs] Throw an error when trying to create an agg type that doesn't exist. (elastic#81509) Index patterns api - load field list on server (elastic#82629) New events resolver (elastic#82170) [App Search] Misc naming tech debt (elastic#82770) load empty_kibana in test to have clean starting point (elastic#82772) Remove data <--> expressions circular dependencies. (elastic#82685) Update 8.0 breaking change template to gather information on how to programmatically detect it. (elastic#82905) Add alerting as codeowners to related documentation folder (elastic#82777) Add captions to user and space grid pages (elastic#82713) add alternate path for x-pack/Cloud test for Lens (elastic#82634) Uses asCurrentUser in getClusterUuid (elastic#82908) [Alerting][Connectors] Add new executor subaction to get 3rd party case fields (elastic#82519) Fix test import objects (elastic#82767) [ML] Add option for anomaly charts for metric detector should plot min, mean or max as appropriate (elastic#81662) Update alert type selection layout to rows instead of grid (elastic#73665) Prevent Kerberos and PKI providers from initiating a new session for unauthenticated XHR/API requests. (elastic#82817) Update grunt and related packages (elastic#79327) Allow the repository to search across all namespaces (elastic#82863) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See the detailed description of the problem in #78260. But in short the idea is following:
When we re-initiate session because of expired access/refresh token it doesn't matter if it's an API request or not since the user-facing session is still valid and the fact that we're internally using tokens is just an implementation detail. Same for requests that don't require authentication, if we have a valid Kibana session and we can re-acquire tokens without user involvement then we should do it.
Fixes: #78260
Release note: previously API request could create a new PKI or Kerberos session without user even realizing it. With this fix we use a bit more sophisticated heuristic to know when a new session is really desired.