mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 17:28:26 -04:00
parent
52f79b94d2
commit
d0c0959843
3 changed files with 31 additions and 11 deletions
|
@ -236,7 +236,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
expect(request.headers).to.not.have.property('authorization');
|
||||
expect(authenticationResult.failed()).to.be(true);
|
||||
expect(authenticationResult.error).to.be(failureReason);
|
||||
sinon.assert.neverCalledWith(callWithRequest, 'shield.samlRefreshAccessToken');
|
||||
sinon.assert.neverCalledWith(callWithRequest, 'shield.getAccessToken');
|
||||
});
|
||||
|
||||
it('succeeds if token from the state is expired, but has been successfully refreshed.', async () => {
|
||||
|
@ -259,7 +259,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
|
||||
callWithInternalUser
|
||||
.withArgs(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: 'valid-refresh-token' } }
|
||||
)
|
||||
.returns(Promise.resolve({ access_token: 'new-access-token', refresh_token: 'new-refresh-token' }));
|
||||
|
@ -291,7 +291,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
const refreshFailureReason = new Error('Something is wrong with refresh token.');
|
||||
callWithInternalUser
|
||||
.withArgs(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
|
||||
)
|
||||
.returns(Promise.reject(refreshFailureReason));
|
||||
|
@ -318,7 +318,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
|
||||
callWithInternalUser
|
||||
.withArgs(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
|
||||
)
|
||||
.returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
|
||||
|
@ -352,7 +352,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
|
||||
callWithInternalUser
|
||||
.withArgs(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: 'invalid-refresh-token' } }
|
||||
)
|
||||
.returns(Promise.reject({ body: { error_description: 'token has already been refreshed' } }));
|
||||
|
@ -388,7 +388,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
|
||||
callWithInternalUser
|
||||
.withArgs(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
|
||||
)
|
||||
.returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
|
||||
|
@ -422,7 +422,7 @@ describe('SAMLAuthenticationProvider', () => {
|
|||
|
||||
callWithInternalUser
|
||||
.withArgs(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: 'expired-refresh-token' } }
|
||||
)
|
||||
.returns(Promise.reject({ body: { error_description: 'refresh token is expired' } }));
|
||||
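Review bot: The renamed negative assertion in the first hunk still targets `callWithRequest`, while every refresh stub in the later hunks of this file is set up on `callWithInternalUser`, so it would pass even if the provider had attempted a refresh. If the intent is to prove that no token refresh happens when authentication fails for another reason, assert on the stub that carries the call: `sinon.assert.neverCalledWith(callWithInternalUser, 'shield.getAccessToken');`, assuming that stub is in scope in this test as it is in the others. The test body starts above the hunk, so its setup is not visible here.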
|
|
|
@ -34,7 +34,7 @@ function isAccessTokenExpiredError(err) {
|
|||
}
|
||||
|
||||
/**
|
||||
* Checks the error returned by Elasticsearch as the result of `samlRefreshAccessToken` call and returns `true` if
|
||||
* Checks the error returned by Elasticsearch as the result of `getAccessToken` call and returns `true` if
|
||||
* request has been rejected because of invalid refresh token (expired after 24 hours or have been used already),
|
||||
* otherwise returns `false`.
|
||||
* @param {Object} err Error returned from Elasticsearch.
|
||||
|
@ -269,7 +269,7 @@ export class SAMLAuthenticationProvider {
|
|||
access_token: newAccessToken,
|
||||
refresh_token: newRefreshToken
|
||||
} = await this._options.client.callWithInternalUser(
|
||||
'shield.samlRefreshAccessToken',
|
||||
'shield.getAccessToken',
|
||||
{ body: { grant_type: 'refresh_token', refresh_token: refreshToken } }
|
||||
);
|
||||
|
||||
|
|
|
@ -360,14 +360,14 @@
|
|||
});
|
||||
|
||||
/**
|
||||
* Refreshes SAML access token.
|
||||
* Refreshes an access token.
|
||||
*
|
||||
* @param {string} grant_type Currently only "refresh_token" grant type is supported.
|
||||
* @param {string} refresh_token One-time refresh token that will be exchanged to the new access/refresh token pair.
|
||||
*
|
||||
* @returns {{access_token: string, type: string, expires_in: number, refresh_token: string}}
|
||||
*/
|
||||
shield.samlRefreshAccessToken = ca({
|
||||
shield.getAccessToken = ca({
|
||||
method: 'POST',
|
||||
needBody: true,
|
||||
url: {
|
||||
|
@ -375,6 +375,26 @@
|
|||
}
|
||||
});
|
||||
|
||||
/**
|
||||
* Invalidates an access token.
|
||||
*
|
||||
* @param {string} token The access token to invalidate
|
||||
*
|
||||
* @returns {{created: boolean}}
|
||||
*/
|
||||
shield.deleteAccessToken = ca({
|
||||
method: 'DELETE',
|
||||
needBody: true,
|
||||
params: {
|
||||
token: {
|
||||
type: 'string'
|
||||
}
|
||||
},
|
||||
url: {
|
||||
fmt: '/_xpack/security/oauth2/token'
|
||||
}
|
||||
});
|
||||
|
||||
shield.getPrivilege = ca({
|
||||
method: 'GET',
|
||||
urls: [{
|
||||
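Review bot: `shield.deleteAccessToken` declares `token` under `params` while also setting `needBody: true`, and the doc comment does not say where the token travels. If `params` is the query-string spec for `ca` actions, as I believe it is, a caller that passes `{ token }` at the top level instead of `{ body: { token } }` would put a live access token into the request URL, where it can end up in proxy and server access logs. I would drop the `params: { token: … }` entry so the body is the only way in, and make the doc line explicit: `* @param {string} token The access token to invalidate; sent in the request body, never in the URL.` None of the visible hunks calls or tests the new action, so it is worth confirming that a caller and a test arrive with it.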
|
|