From e031d808196bab3ea4dd54f39c7e56b42c87551b Mon Sep 17 00:00:00 2001
From: Derek Ho <dxho@amazon.com>
Date: Thu, 15 Aug 2024 09:53:18 -0400
Subject: [PATCH] Auth failure listener page with basic get, delete dummy
 create

Signed-off-by: Derek Ho <dxho@amazon.com>
---
 common/index.ts                               |   1 +
 public/apps/configuration/app-router.tsx      |  12 ++
 public/apps/configuration/constants.tsx       |   1 +
 .../panels/auth-failure-listeners.tsx         | 125 ++++++++++++++++++
 .../__snapshots__/app-router.test.tsx.snap    |   4 +
 ...pensearch_security_configuration_plugin.ts |  10 ++
 server/routes/index.ts                        |  57 ++++++++
 7 files changed, 210 insertions(+)
 create mode 100644 public/apps/configuration/panels/auth-failure-listeners.tsx

diff --git a/common/index.ts b/common/index.ts
index b33c099a7..1838c7251 100644
--- a/common/index.ts
+++ b/common/index.ts
@@ -83,6 +83,7 @@ export enum ResourceType {
   tenantsConfigureTab = 'tenantsConfigureTab',
   auth = 'auth',
   auditLogging = 'auditLogging',
+  authFailureListeners = 'authFailureListeners',
 }
 
 /**
diff --git a/public/apps/configuration/app-router.tsx b/public/apps/configuration/app-router.tsx
index f0dc0cae2..abb97d635 100644
--- a/public/apps/configuration/app-router.tsx
+++ b/public/apps/configuration/app-router.tsx
@@ -41,6 +41,7 @@ import { ResourceType } from '../../../common';
 import { buildHashUrl, buildUrl } from './utils/url-builder';
 import { CrossPageToast } from './cross-page-toast';
 import { getDataSourceFromUrl, LocalCluster } from '../../utils/datasource-utils';
+import { AuthFailureListeners } from './panels/auth-failure-listeners';
 
 const LANDING_PAGE_URL = '/getstarted';
 
@@ -77,6 +78,10 @@ export const ROUTE_MAP: { [key: string]: RouteItem } = {
     name: 'Audit logs',
     href: buildUrl(ResourceType.auditLogging),
   },
+  [ResourceType.authFailureListeners]: {
+    name: 'Rate limiting',
+    href: buildUrl(ResourceType.authFailureListeners),
+  },
 };
 
 const getRouteList = (multitenancyEnabled: boolean) => {
@@ -262,6 +267,13 @@ export function AppRouter(props: AppDependencies) {
                   return <GetStarted {...props} />;
                 }}
               />
+              <Route
+                path={ROUTE_MAP.authFailureListeners.href}
+                render={() => {
+                  setGlobalBreadcrumbs();
+                  return <AuthFailureListeners {...props} />;
+                }}
+              />
               {multitenancyEnabled && (
                 <Route
                   path={ROUTE_MAP.tenants.href}
diff --git a/public/apps/configuration/constants.tsx b/public/apps/configuration/constants.tsx
index a1a79cb06..7be98b2fe 100644
--- a/public/apps/configuration/constants.tsx
+++ b/public/apps/configuration/constants.tsx
@@ -20,6 +20,7 @@ export const API_ENDPOINT = API_PREFIX + '/configuration';
 export const API_ENDPOINT_ROLES = API_ENDPOINT + '/roles';
 export const API_ENDPOINT_ROLESMAPPING = API_ENDPOINT + '/rolesmapping';
 export const API_ENDPOINT_ACTIONGROUPS = API_ENDPOINT + '/actiongroups';
+export const API_ENDPOINT_AUTHFAILURELISTENERS = API_ENDPOINT + '/authfailurelisteners';
 export const API_ENDPOINT_TENANTS = API_ENDPOINT + '/tenants';
 export const API_ENDPOINT_MULTITENANCY = API_PREFIX + '/multitenancy/tenant';
 export const API_ENDPOINT_TENANCY_CONFIGS = API_ENDPOINT + '/tenancy/config';
diff --git a/public/apps/configuration/panels/auth-failure-listeners.tsx b/public/apps/configuration/panels/auth-failure-listeners.tsx
new file mode 100644
index 000000000..a9c02b119
--- /dev/null
+++ b/public/apps/configuration/panels/auth-failure-listeners.tsx
@@ -0,0 +1,125 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { EuiButton, EuiInMemoryTable, EuiIcon } from '@elastic/eui';
+import React, { useContext, useState } from 'react';
+import { AppDependencies } from '../../types';
+import { API_ENDPOINT_AUTHFAILURELISTENERS } from '../constants';
+import { createRequestContextWithDataSourceId } from '../utils/request-utils';
+import { SecurityPluginTopNavMenu } from '../top-nav-menu';
+import { DataSourceContext } from '../app-router';
+import { getResourceUrl } from '../utils/resource-utils';
+
+export function AuthFailureListeners(props: AppDependencies) {
+  const dataSourceEnabled = !!props.depsStart.dataSource?.dataSourceEnabled;
+  const { dataSource, setDataSource } = useContext(DataSourceContext)!;
+
+  const [listeners, setListeners] = useState([]);
+
+  const fetchData = async () => {
+    const data = await createRequestContextWithDataSourceId(dataSource.id).httpGet<any>({
+      http: props.coreStart.http,
+      url: API_ENDPOINT_AUTHFAILURELISTENERS,
+    });
+    setListeners(data.data);
+  };
+
+  const handleDelete = async (name: string) => {
+    await createRequestContextWithDataSourceId(dataSource.id).httpDelete<any>({
+      http: props.coreStart.http,
+      url: getResourceUrl(API_ENDPOINT_AUTHFAILURELISTENERS, name),
+    });
+  };
+
+  const createDummyAuthFailureListener = async () => {
+    await createRequestContextWithDataSourceId(dataSource.id).httpPost<any>({
+      http: props.coreStart.http,
+      url: getResourceUrl(API_ENDPOINT_AUTHFAILURELISTENERS, 'test'),
+      body: {
+        type: 'ip',
+        authentication_backend: 'test',
+        allowed_tries: 10,
+        time_window_seconds: 3600,
+        block_expiry_seconds: 600,
+        max_blocked_clients: 100000,
+        max_tracked_clients: 100000,
+      },
+    });
+  };
+
+  const columns = [
+    {
+      field: 'name',
+      name: 'Name',
+    },
+    {
+      field: 'type',
+      name: 'Type',
+    },
+    {
+      field: 'authentication_backend',
+      name: 'Authentication backend',
+    },
+    {
+      field: 'allowed_tries',
+      name: 'Allowed tries',
+    },
+    {
+      field: 'time_window_seconds',
+      name: 'Time window (sec)',
+    },
+    {
+      field: 'block_expiry_seconds',
+      name: 'Block expiry (sec)',
+    },
+    {
+      field: 'max_blocked_clients',
+      name: 'Max blocked clients',
+    },
+    {
+      field: 'max_tracked_clients',
+      name: 'Max tracked clients',
+    },
+    {
+      field: 'name',
+      name: 'Actions',
+      render: (name) => <EuiIcon type="trash" onClick={() => handleDelete(name)} />,
+    },
+  ];
+
+  return (
+    <>
+      <div className="panel-restrict-width">
+        <SecurityPluginTopNavMenu
+          {...props}
+          dataSourcePickerReadOnly={false}
+          setDataSource={setDataSource}
+          selectedDataSource={dataSource}
+        />
+      </div>
+      <EuiButton onClick={fetchData}>GET</EuiButton>
+      <EuiInMemoryTable
+        tableLayout={'auto'}
+        columns={columns}
+        items={listeners}
+        itemId={'domain_name'}
+        pagination={true}
+        sorting={true}
+      />
+
+      <EuiButton onClick={createDummyAuthFailureListener}>CREATE</EuiButton>
+    </>
+  );
+}
diff --git a/public/apps/configuration/test/__snapshots__/app-router.test.tsx.snap b/public/apps/configuration/test/__snapshots__/app-router.test.tsx.snap
index d5ee503be..8ff3a6b42 100644
--- a/public/apps/configuration/test/__snapshots__/app-router.test.tsx.snap
+++ b/public/apps/configuration/test/__snapshots__/app-router.test.tsx.snap
@@ -484,6 +484,10 @@ exports[`SecurityPluginTopNavMenu renders DataSourceMenu when dataSource is enab
             path="/getstarted"
             render={[Function]}
           />
+          <Route
+            path="/authFailureListeners"
+            render={[Function]}
+          />
           <Route
             path="/tenants"
             render={[Function]}
diff --git a/server/backend/opensearch_security_configuration_plugin.ts b/server/backend/opensearch_security_configuration_plugin.ts
index ff0ccfe21..4f4447c1e 100644
--- a/server/backend/opensearch_security_configuration_plugin.ts
+++ b/server/backend/opensearch_security_configuration_plugin.ts
@@ -220,4 +220,14 @@ export default function (Client: any, config: any, components: any) {
       fmt: '/_plugins/_security/api/audit/config',
     },
   });
+
+  /**
+   * Gets auth failure listeners.
+   */
+  Client.prototype.opensearch_security.prototype.getAuthFailureListeners = ca({
+    method: 'GET',
+    url: {
+      fmt: '/_plugins/_security/api/authfailurelisteners',
+    },
+  });
 }
diff --git a/server/routes/index.ts b/server/routes/index.ts
index 270d05f71..fd7e5e086 100644
--- a/server/routes/index.ts
+++ b/server/routes/index.ts
@@ -67,6 +67,16 @@ export function defineRoutes(router: IRouter, dataSourceEnabled: boolean) {
     current_password: schema.string(),
   });
 
+  const authFailureListenersSchema = schema.object({
+    allowed_tries: schema.number(),
+    authentication_backend: schema.string(),
+    block_expiry_seconds: schema.number(),
+    max_blocked_clients: schema.number(),
+    max_tracked_clients: schema.number(),
+    time_window_seconds: schema.number(),
+    type: schema.string(),
+  });
+
   const schemaMap: any = {
     internalusers: internalUserSchema,
     actiongroups: actionGroupSchema,
@@ -74,6 +84,7 @@ export function defineRoutes(router: IRouter, dataSourceEnabled: boolean) {
     roles: roleSchema,
     tenants: tenantSchema,
     account: accountSchema,
+    authfailurelisteners: authFailureListenersSchema,
   };
 
   function validateRequestBody(resourceName: string, requestBody: any): any {
@@ -694,6 +705,52 @@ export function defineRoutes(router: IRouter, dataSourceEnabled: boolean) {
     }
   );
 
+  /**
+   * Gets auth failure listeners。
+   *
+   * Sample payload:
+   * [
+   * { ??? }
+   *
+   * ]
+   */
+  router.get(
+    {
+      path: `${API_PREFIX}/configuration/authfailurelisteners`,
+      validate: {
+        query: schema.object({
+          dataSourceId: schema.maybe(schema.string()),
+        }),
+      },
+    },
+    async (
+      context,
+      request,
+      response
+    ): Promise<IOpenSearchDashboardsResponse<any | ResponseError>> => {
+      try {
+        const esResp = await wrapRouteWithDataSource(
+          dataSourceEnabled,
+          context,
+          request,
+          'opensearch_security.getAuthFailureListeners'
+        );
+
+        return response.ok({
+          body: {
+            total: Object.keys(esResp).length,
+            data: esResp,
+          },
+        });
+      } catch (error) {
+        return response.custom({
+          statusCode: error.statusCode,
+          body: parseEsErrorResponse(error),
+        });
+      }
+    }
+  );
+
   /**
    * Update audit log configuration。
    *