Fix the bug of capabilities request not supporting carrying authinfo (#…

…2014) * capabilities api support authinfo Signed-off-by: yubonluo <yubonluo@amazon.com> * optimize the annotation Signed-off-by: yubonluo <yubonluo@amazon.com> * optimize the code Signed-off-by: yubonluo <yubonluo@amazon.com> --------- Signed-off-by: yubonluo <yubonluo@amazon.com>
opensearch-project · Jun 24, 2024 · 293490d · 293490d
1 parent 06b2e96
commit 293490d
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 4 deletions.
diff --git a/server/auth/types/authentication_type.test.ts b/server/auth/types/authentication_type.test.ts
@@ -111,3 +111,57 @@ describe('test tenant header', () => {
     expect(result.requestHeaders.securitytenant).toEqual('dummy_tenant');
   });
 });
+
+describe('test capabilities request authinfo', () => {
+  const config = {
+    auth: {
+      unauthenticated_routes: [] as string[],
+    },
+    session: {
+      keepalive: false,
+    },
+  } as SecurityPluginConfigType;
+  const sessionStorageFactory = {
+    asScoped: jest.fn(() => {
+      return {
+        clear: jest.fn(),
+        get: jest.fn().mockResolvedValue({}),
+      };
+    }),
+  };
+  const router = jest.fn();
+  const esClient = {
+    asScoped: jest.fn().mockImplementation(() => {
+      return {
+        callAsCurrentUser: jest.fn().mockImplementation(() => {
+          return { username: 'capabilities-username' };
+        }),
+      };
+    }),
+  };
+  const coreSetup = jest.fn();
+  const logger = {
+    error: jest.fn(),
+  };
+
+  const dummyAuthType = new DummyAuthType(
+    config,
+    sessionStorageFactory,
+    router,
+    esClient,
+    coreSetup,
+    logger
+  );
+
+  it(`Capabilities API includes authinfo`, async () => {
+    const request = httpServerMock.createOpenSearchDashboardsRequest({
+      path: '/api/core/capabilities',
+    });
+    const response = jest.fn();
+    const toolkit = {
+      authenticated: jest.fn((value) => value),
+    };
+    const result = await dummyAuthType.authHandler(request, response, toolkit);
+    expect(result.state.authInfo.username).toEqual('capabilities-username');
+  });
+});
diff --git a/server/auth/types/authentication_type.ts b/server/auth/types/authentication_type.ts
@@ -73,10 +73,8 @@ export interface OpenSearchDashboardsAuthState {
 }
 
 export abstract class AuthenticationType implements IAuthenticationType {
-  protected static readonly ROUTES_TO_IGNORE: string[] = [
-    '/api/core/capabilities', // FIXME: need to figure out how to bypass this API call
-    '/app/login',
-  ];
+  protected static readonly ROUTES_TO_IGNORE: string[] = ['/app/login'];
+  protected static readonly ROUTES_AUTH_OPTIONAL: string[] = ['/api/core/capabilities'];
 
   protected static readonly REST_API_CALL_HEADER = 'osd-xsrf';
 
@@ -153,6 +151,11 @@ export abstract class AuthenticationType implements IAuthenticationType {
           return toolkit.notHandled();
         }
 
+        // allow optional authentication
+        if (this.authOptional(request)) {
+          return toolkit.authenticated();
+        }
+
         // send to auth workflow
         return this.handleUnauthedRequest(request, response, toolkit);
       }
@@ -236,6 +239,14 @@ export abstract class AuthenticationType implements IAuthenticationType {
     return false;
   }
 
+  authOptional(request: OpenSearchDashboardsRequest): boolean {
+    const pathname = request.url.pathname;
+    if (!pathname) {
+      return false;
+    }
+    return AuthenticationType.ROUTES_AUTH_OPTIONAL.includes(pathname!);
+  }
+
   async resolveTenant(
     request: OpenSearchDashboardsRequest,
     cookie: SecuritySessionCookie,