added tests for origin config changes

Author: rgodfrey-elastic

x-pack/platform/plugins/shared/security/public/authentication/login/components/login_form/login_form.test.tsx

@@ -15,6 +15,7 @@ import { coreMock } from '@kbn/core/public/mocks';
 import { findTestSubject, mountWithIntl, nextTick, shallowWithIntl } from '@kbn/test-jest-helpers';
 
 import { LoginForm, MessageType, PageMode } from './login_form';
+import { i18n } from '@kbn/i18n';
 
 function expectPageMode(wrapper: ReactWrapper, mode: PageMode) {
   const assertions: Array<[string, boolean]> =
@@ -398,6 +399,137 @@ describe('LoginForm', () => {
       ]);
     });
 
+    it('does not render providers with origin configs that to not match current page', async () => {
+      const currentURL = `https://some-host.com/login?next=${encodeURIComponent(
+        '/some-base-path/app/kibana#/home?_g=()'
+      )}`;
+
+      const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' });
+
+      window.location = { ...window.location, href: currentURL, origin: 'https://some-host.com' };
+      const wrapper = mountWithIntl(
+        <EuiProvider>
+          <LoginForm
+            http={coreStartMock.http}
+            notifications={coreStartMock.notifications}
+            loginAssistanceMessage=""
+            selector={{
+              enabled: true,
+              providers: [
+                {
+                  type: 'basic',
+                  name: 'basic',
+                  usesLoginForm: true,
+                  hint: 'Basic hint',
+                  icon: 'logoElastic',
+                  showInSelector: true,
+                },
+                {
+                  type: 'saml',
+                  name: 'saml1',
+                  description: 'Log in w/SAML',
+                  origin: ['https://some-host.com', 'https://some-other-host.com'],
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+                {
+                  type: 'pki',
+                  name: 'pki1',
+                  description: 'Log in w/PKI',
+                  hint: 'PKI hint',
+                  origin: 'https://not-some-host.com',
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+              ],
+            }}
+          />
+        </EuiProvider>
+      );
+
+      expect(window.location.origin).toBe('https://some-host.com');
+
+      expectPageMode(wrapper, PageMode.Selector);
+
+      const result = findTestSubject(wrapper, 'loginCard-', '^=').map((card) => {
+        const hint = findTestSubject(card, 'card-hint');
+        return {
+          title: findTestSubject(card, 'card-title').text(),
+          hint: hint.exists() ? hint.text() : '',
+          icon: card.find(EuiIcon).props().type,
+        };
+      });
+
+      expect(result).toEqual([
+        { title: 'Log in with basic/basic', hint: 'Basic hint', icon: 'logoElastic' },
+        { title: 'Log in w/SAML', hint: '', icon: 'empty' },
+      ]);
+    });
+
+    it('does not render any providers and shows error message if no providers match current origin', async () => {
+      const currentURL = `https://some-host.com/login?next=${encodeURIComponent(
+        '/some-base-path/app/kibana#/home?_g=()'
+      )}`;
+
+      const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' });
+
+      window.location = { ...window.location, href: currentURL, origin: 'https://some-host.com' };
+      const wrapper = mountWithIntl(
+        <EuiProvider>
+          <LoginForm
+            http={coreStartMock.http}
+            notifications={coreStartMock.notifications}
+            loginAssistanceMessage=""
+            selector={{
+              enabled: true,
+              providers: [
+                {
+                  type: 'basic',
+                  name: 'basic',
+                  usesLoginForm: true,
+                  hint: 'Basic hint',
+                  icon: 'logoElastic',
+                  origin: 'https://not-some-host.com',
+                  showInSelector: true,
+                },
+                {
+                  type: 'saml',
+                  name: 'saml1',
+                  description: 'Log in w/SAML',
+                  origin: ['https://not-some-host.com', 'https://not-some-other-host.com'],
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+                {
+                  type: 'pki',
+                  name: 'pki1',
+                  description: 'Log in w/PKI',
+                  hint: 'PKI hint',
+                  origin: 'https://not-some-host.com',
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+              ],
+            }}
+          />
+        </EuiProvider>
+      );
+
+      expect(window.location.origin).toBe('https://some-host.com');
+
+      expect(findTestSubject(wrapper, 'loginForm').exists()).toBe(false);
+      expect(findTestSubject(wrapper, 'loginSelector').exists()).toBe(false);
+      expect(findTestSubject(wrapper, 'loginHelp').exists()).toBe(false);
+      expect(findTestSubject(wrapper, 'autoLoginOverlay').exists()).toBe(false);
+      expect(findTestSubject(wrapper, 'loginCard-', '^=').exists()).toBe(false);
+
+      expect(findTestSubject(wrapper, 'loginErrorMessage').text()).toEqual(
+        i18n.translate('xpack.security.noAuthProvidersForDomain', {
+          defaultMessage: 'No authentication providers have been configured for this domain.',
+        })
+      );
+    });
+
     it('properly redirects after successful login', async () => {
       const currentURL = `https://some-host/login?next=${encodeURIComponent(
         '/some-base-path/app/kibana#/home?_g=()'

x-pack/platform/plugins/shared/security/public/authentication/login/components/login_form/login_form.tsx

@@ -130,6 +130,10 @@ const assistanceCss = (theme: UseEuiTheme) => css`
   }
 `;
 
+const noProvidersMessage = i18n.translate('xpack.security.noAuthProvidersForDomain', {
+  defaultMessage: 'No authentication providers have been configured for this domain.',
+});
+
 export class LoginForm extends Component<LoginFormProps, State> {
   private readonly validator: LoginValidator;
 
@@ -173,9 +177,7 @@ export class LoginForm extends Component<LoginFormProps, State> {
         (this.availableProviders.length === 0
           ? {
               type: MessageType.Danger,
-              content: i18n.translate('xpack.security.noAuthProvidersForDomain', {
-                defaultMessage: 'No authentication providers have been configured for this domain.',
-              }),
+              content: noProvidersMessage,
             }
           : { type: MessageType.None }),
       mode,

x-pack/platform/plugins/shared/security/server/authentication/authenticator.test.ts

@@ -1376,6 +1376,216 @@ describe('Authenticator', () => {
         );
       });
     });
+
+    describe('with origin config', () => {
+      const headersWithOrigin = { authorization: 'Basic .....', origin: 'http://localhost:5601' };
+
+      const request = httpServerMock.createKibanaRequest({ headers: headersWithOrigin });
+      const user = mockAuthenticatedUser();
+
+      beforeEach(() => {
+        mockOptions.session.create.mockResolvedValue(mockSessVal);
+
+        mockBasicAuthenticationProvider.login.mockResolvedValue(
+          AuthenticationResult.succeeded(user, {
+            authHeaders: headersWithOrigin,
+            state: {}, // to ensure a new session is created
+          })
+        );
+      });
+
+      it('allows requests with matching origin header', async () => {
+        jest
+          .requireMock('./providers/basic')
+          .BasicAuthenticationProvider.mockImplementation(() => ({
+            type: 'basic',
+            origin: 'http://localhost:5601',
+            ...mockBasicAuthenticationProvider,
+          }));
+
+        authenticator = new Authenticator(
+          getMockOptions({
+            providers: {
+              basic: { basic1: { order: 0 } },
+            },
+          })
+        );
+
+        await expect(
+          authenticator.login(request, {
+            provider: { type: 'basic', name: 'basic1' },
+            value: {},
+          })
+        ).resolves.toEqual(
+          AuthenticationResult.succeeded(user, {
+            authHeaders: headersWithOrigin,
+            state: {},
+          })
+        );
+        expectAuditEvents({ action: 'user_login', outcome: 'success' });
+        expect(mockBasicAuthenticationProvider.login).toHaveBeenCalled();
+      });
+
+      it('allows requests without an origin header', async () => {
+        jest
+          .requireMock('./providers/basic')
+          .BasicAuthenticationProvider.mockImplementation(() => ({
+            type: 'basic',
+            origin: 'http://localhost:5601',
+            ...mockBasicAuthenticationProvider,
+          }));
+
+        authenticator = new Authenticator(
+          getMockOptions({
+            providers: {
+              basic: { basic1: { order: 0 } },
+            },
+          })
+        );
+
+        await expect(
+          authenticator.login(httpServerMock.createKibanaRequest(), {
+            provider: { type: 'basic', name: 'basic1' },
+            value: {},
+          })
+        ).resolves.toEqual(
+          AuthenticationResult.succeeded(user, {
+            authHeaders: headersWithOrigin,
+            state: {},
+          })
+        );
+        expectAuditEvents({ action: 'user_login', outcome: 'success' });
+        expect(mockBasicAuthenticationProvider.login).toHaveBeenCalled();
+      });
+
+      it('does not attempt to login for requests with non-matching origin header', async () => {
+        jest
+          .requireMock('./providers/basic')
+          .BasicAuthenticationProvider.mockImplementation(() => ({
+            type: 'basic',
+            origin: 'http://127.0.0.1:5601',
+            ...mockBasicAuthenticationProvider,
+          }));
+
+        jest.requireMock('./providers/http').HTTPAuthenticationProvider.mockImplementation(() => ({
+          type: 'http',
+          origin: 'http://127.0.0.1:5601',
+          ...mockHTTPAuthenticationProvider,
+        }));
+
+        const mockSamlAuthenticationProvider = jest
+          .requireMock('./providers/saml')
+          .SAMLAuthenticationProvider.mockImplementation(() => ({
+            type: 'saml',
+            origin: 'http://127.0.0.1:5601',
+            login: jest.fn(),
+            authenticate: jest.fn(),
+            logout: jest.fn(),
+            getHTTPAuthenticationScheme: jest.fn(),
+          }));
+
+        authenticator = new Authenticator(
+          getMockOptions({
+            providers: {
+              basic: { basic1: { order: 0 } },
+              saml: { saml1: { order: 1, realm: 'saml1' } },
+            },
+          })
+        );
+
+        await expect(
+          authenticator.login(request, {
+            provider: { type: 'basic', name: 'basic1' },
+            value: {},
+          })
+        ).resolves.toEqual(AuthenticationResult.notHandled());
+
+        await expect(
+          authenticator.login(request, {
+            provider: { type: 'http' },
+            value: {},
+          })
+        ).resolves.toEqual(AuthenticationResult.notHandled());
+
+        await expect(
+          authenticator.login(request, {
+            provider: { type: 'saml', name: 'saml1' },
+            value: {},
+          })
+        ).resolves.toEqual(AuthenticationResult.notHandled());
+
+        expect(auditLogger.log).not.toHaveBeenCalled();
+        expect(mockBasicAuthenticationProvider.login).not.toHaveBeenCalled();
+        expect(mockHTTPAuthenticationProvider.login).not.toHaveBeenCalled();
+        expect(mockSamlAuthenticationProvider.login).not.toHaveBeenCalled();
+      });
+
+      it('skips over providers that do not match the origin config', async () => {
+        const mockSAMLAuthenticationProvider1: jest.Mocked<
+          PublicMethodsOf<SAMLAuthenticationProvider>
+        > = {
+          login: jest.fn(),
+          authenticate: jest.fn(),
+          logout: jest.fn(),
+          getHTTPAuthenticationScheme: jest.fn(),
+        };
+
+        const mockSAMLAuthenticationProvider2: jest.Mocked<
+          PublicMethodsOf<SAMLAuthenticationProvider>
+        > = {
+          login: jest.fn().mockResolvedValue(
+            AuthenticationResult.succeeded(user, {
+              authHeaders: headersWithOrigin,
+              state: {}, // to ensure a new session is created
+            })
+          ),
+          authenticate: jest.fn(),
+          logout: jest.fn(),
+          getHTTPAuthenticationScheme: jest.fn(),
+        };
+
+        jest
+          .requireMock('./providers/saml')
+          .SAMLAuthenticationProvider.mockImplementationOnce(() => ({
+            type: 'saml',
+            origin: 'http://127.0.0.1:5601',
+            name: 'saml1',
+            order: 0,
+            ...mockSAMLAuthenticationProvider1,
+          }))
+          .mockImplementationOnce(() => ({
+            type: 'saml',
+            origin: ['http://localhost:5601', 'http://127.0.0.1:5601'],
+            name: 'saml2',
+            order: 1,
+            ...mockSAMLAuthenticationProvider2,
+          }));
+
+        authenticator = new Authenticator(
+          getMockOptions({
+            providers: {
+              saml: { saml1: { order: 0, realm: 'saml1' }, saml2: { order: 1, realm: 'saml1' } },
+            },
+          })
+        );
+
+        await expect(
+          authenticator.login(request, {
+            provider: { type: 'saml' },
+            value: {},
+          })
+        ).resolves.toEqual(
+          AuthenticationResult.succeeded(user, {
+            authHeaders: headersWithOrigin,
+            state: {},
+          })
+        );
+
+        expectAuditEvents({ action: 'user_login', outcome: 'success' });
+        expect(mockSAMLAuthenticationProvider1.login).not.toHaveBeenCalled();
+        expect(mockSAMLAuthenticationProvider2.login).toHaveBeenCalled();
+      });
+    });
   });
 
   describe('`authenticate` method', () => {

x-pack/platform/plugins/shared/security/server/authentication/authenticator.ts

@@ -340,7 +340,7 @@ export class Authenticator {
     const { origin: originHeader } = request.headers;
 
     const filteredProviders = providers.filter(([name, provider]) => {
-      const providerOrigin = provider.getOrigin();
+      const providerOrigin = provider.origin;
 
       return (
         !originHeader ||