Add origin configuration to authc providers (elastic#239993)

Closes [109525](elastic#109525)

## Summary
- Added origin configuration to authc providers.
- Changed login form to hide providers based on the origin configuration
and the current browser window origin.
- Filtered providers on the back end based on the origin header and the
configured provider origin properties.
- Origin configuration is optional and can be one value or an array of
values.
- All values provided in the origin config must be a valid URI
- An error is displayed in the UI if there are no valid auth providers
for the domain

### Example 1
```
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    origin: [http://127.0.0.1:5601, http://localhost:5601, https://elastic.com]
  saml.saml1:
    order: 1
    realm: saml1
    origin: http://127.0.0.1:5601
  saml.saml2:
    order: 2
    realm: saml2
    origin: http://localhost:5601
  saml.saml3:
    order: 3
    realm: saml3
    origin: [http://127.0.0.1:5601, http://localhost:5601, https://elastic.com]
  saml.saml4:
    order: 4
    realm: saml4
```

<img width="735" height="585" alt="image"
src="https://github.com/user-attachments/assets/d691f692-6470-4d59-aba1-bc598b4b49a2"
/>


<img width="725" height="597" alt="image"
src="https://github.com/user-attachments/assets/28a61462-ef00-484f-b2c9-1816bc50fc54"
/>

### Example 2
```
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    origin: [http://127.0.0.1:5601, https://elastic.com]
  saml.saml1:
    order: 1
    realm: saml1
    origin: https://elastic.com
```

<img width="772" height="443" alt="image"
src="https://github.com/user-attachments/assets/9c332a42-2a48-43ea-b4c5-0d9ab6660b6a"
/>

## Release Notes
Adds the ability to specify the origin(s) where an authentication
provider will appear to users in the Login Selector UI.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: florent-leborgne <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>

Author: 4 people

docs/reference/configuration-reference/security-settings.md

@@ -74,6 +74,23 @@ xpack.security.authc.providers.<provider-type>.<provider-name>.hint ![logo cloud
 xpack.security.authc.providers.<provider-type>.<provider-name>.icon ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ech}}")
 :   Custom icon for the provider entry displayed on the Login Selector UI.
 
+xpack.security.authc.providers.<provider-type>.<provider-name>.origin {applies_to}`stack: ga 9.3` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ech}}")
+:   Specifies the origin(s) where the provider will appear to users in the Login Selector UI. Each origin must be a valid URI only containing an origin. By default, providers are not restricted to specific origins.
+
+    For example:
+
+    ```yaml
+    xpack.security.authc:
+      providers:
+        basic.basic1:
+          origin: [http://localhost:5601, http://127.0.0.1:5601]
+          ...
+    
+        saml.saml1:
+          origin: https://elastic.co
+          ...
+    ```
+
 xpack.security.authc.providers.<provider-type>.<provider-name>.showInSelector ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on {{ech}}")
 :   Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to `false` doesn’t remove the provider from the authentication chain.
 

x-pack/platform/plugins/shared/security/common/login_state.ts

@@ -15,6 +15,7 @@ export interface LoginSelectorProvider {
   description?: string;
   hint?: string;
   icon?: string;
+  origin?: string | string[];
 }
 
 export interface LoginSelector {

x-pack/platform/plugins/shared/security/public/authentication/login/components/login_form/login_form.test.tsx

@@ -6,43 +6,59 @@
  */
 
 import { EuiCallOut, EuiIcon, EuiProvider } from '@elastic/eui';
-import { act } from '@testing-library/react';
+import type { RenderResult } from '@testing-library/react';
+import { act, queryByTestId } from '@testing-library/react';
 import type { ReactWrapper } from 'enzyme';
 import React from 'react';
 import ReactMarkdown from 'react-markdown';
 
 import { coreMock } from '@kbn/core/public/mocks';
-import { findTestSubject, mountWithIntl, nextTick, shallowWithIntl } from '@kbn/test-jest-helpers';
+import { i18n } from '@kbn/i18n';
+import {
+  findTestSubject,
+  mountWithIntl,
+  nextTick,
+  renderWithI18n,
+  shallowWithIntl,
+} from '@kbn/test-jest-helpers';
 
 import { LoginForm, MessageType, PageMode } from './login_form';
 
+function getPageModeAssertions(mode: PageMode): Array<[string, boolean]> {
+  return mode === PageMode.Form
+    ? [
+        ['loginForm', true],
+        ['loginSelector', false],
+        ['loginHelp', false],
+        ['autoLoginOverlay', false],
+      ]
+    : mode === PageMode.Selector
+    ? [
+        ['loginForm', false],
+        ['loginSelector', true],
+        ['loginHelp', false],
+        ['autoLoginOverlay', false],
+      ]
+    : [
+        ['loginForm', false],
+        ['loginSelector', false],
+        ['loginHelp', true],
+        ['autoLoginOverlay', false],
+      ];
+}
+
 function expectPageMode(wrapper: ReactWrapper, mode: PageMode) {
-  const assertions: Array<[string, boolean]> =
-    mode === PageMode.Form
-      ? [
-          ['loginForm', true],
-          ['loginSelector', false],
-          ['loginHelp', false],
-          ['autoLoginOverlay', false],
-        ]
-      : mode === PageMode.Selector
-      ? [
-          ['loginForm', false],
-          ['loginSelector', true],
-          ['loginHelp', false],
-          ['autoLoginOverlay', false],
-        ]
-      : [
-          ['loginForm', false],
-          ['loginSelector', false],
-          ['loginHelp', true],
-          ['autoLoginOverlay', false],
-        ];
-  for (const [selector, exists] of assertions) {
+  for (const [selector, exists] of getPageModeAssertions(mode)) {
     expect(findTestSubject(wrapper, selector).exists()).toBe(exists);
   }
 }
 
+function expectPageModeRenderResult(renderResult: RenderResult, mode: PageMode) {
+  for (const [selector, exists] of getPageModeAssertions(mode)) {
+    expect(!!renderResult.queryByTestId(selector)).toBe(exists);
+  }
+}
+
 function expectAutoLoginOverlay(wrapper: ReactWrapper) {
   // Everything should be hidden except for the overlay
   for (const selector of [
@@ -398,6 +414,149 @@ describe('LoginForm', () => {
       ]);
     });
 
+    it('does not render providers with origin configs that do not match current page', async () => {
+      const currentURL = `https://some-host.com/login?next=${encodeURIComponent(
+        '/some-base-path/app/kibana#/home?_g=()'
+      )}`;
+
+      const coreStartMock = coreMock.createStart({ basePath: '/some-base-path' });
+
+      window.location = { ...window.location, href: currentURL, origin: 'https://some-host.com' };
+      const wrapper = renderWithI18n(
+        <EuiProvider>
+          <LoginForm
+            http={coreStartMock.http}
+            notifications={coreStartMock.notifications}
+            loginAssistanceMessage=""
+            selector={{
+              enabled: true,
+              providers: [
+                {
+                  type: 'basic',
+                  name: 'basic',
+                  usesLoginForm: true,
+                  hint: 'Basic hint',
+                  icon: 'logoElastic',
+                  showInSelector: true,
+                },
+                {
+                  type: 'saml',
+                  name: 'saml1',
+                  description: 'Log in w/SAML',
+                  origin: ['https://some-host.com', 'https://some-other-host.com'],
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+                {
+                  type: 'pki',
+                  name: 'pki1',
+                  description: 'Log in w/PKI',
+                  hint: 'PKI hint',
+                  origin: 'https://not-some-host.com',
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+              ],
+            }}
+          />
+        </EuiProvider>
+      );
+
+      expect(window.location.origin).toBe('https://some-host.com');
+
+      expectPageModeRenderResult(wrapper, PageMode.Selector);
+
+      wrapper.queryAllByTestId(/^loginCard-/);
+
+      const result = wrapper.queryAllByTestId(/^loginCard-/).map((card) => {
+        const hint = queryByTestId(card, 'card-hint');
+        const title = queryByTestId(card, 'card-title');
+        const icon = card.querySelector('[data-euiicon-type]');
+        return {
+          title: title?.textContent ?? '',
+          hint: hint?.textContent ?? '',
+          icon: icon?.getAttribute('data-euiicon-type') ?? null,
+        };
+      });
+
+      expect(result).toEqual([
+        { title: 'Log in with basic/basic', hint: 'Basic hint', icon: 'logoElastic' },
+        { title: 'Log in w/SAML', hint: '', icon: 'empty' },
+      ]);
+    });
+
+    it('does not render any providers and shows error message if no providers match current origin', async () => {
+      const currentURL = `https://some-host.com/login?next=${encodeURIComponent(
+        '/some-base-path/app/kibana#/home?_g=()'
+      )}`;
+
+      window.location = {
+        ...window.location,
+        href: currentURL,
+        origin: 'https://some-host.com',
+      };
+
+      const coreStartMock = coreMock.createStart({
+        basePath: '/some-base-path',
+      });
+
+      const rendered = renderWithI18n(
+        <EuiProvider>
+          <LoginForm
+            http={coreStartMock.http}
+            notifications={coreStartMock.notifications}
+            loginAssistanceMessage=""
+            selector={{
+              enabled: true,
+              providers: [
+                {
+                  type: 'basic',
+                  name: 'basic',
+                  usesLoginForm: true,
+                  hint: 'Basic hint',
+                  icon: 'logoElastic',
+                  origin: 'https://not-some-host.com',
+                  showInSelector: true,
+                },
+                {
+                  type: 'saml',
+                  name: 'saml1',
+                  description: 'Log in w/SAML',
+                  origin: ['https://not-some-host.com', 'https://not-some-other-host.com'],
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+                {
+                  type: 'pki',
+                  name: 'pki1',
+                  description: 'Log in w/PKI',
+                  hint: 'PKI hint',
+                  origin: 'https://not-some-host.com',
+                  usesLoginForm: false,
+                  showInSelector: true,
+                },
+              ],
+            }}
+          />
+        </EuiProvider>
+      );
+
+      expect(window.location.origin).toBe('https://some-host.com');
+
+      expect(rendered.queryByTestId('loginForm')).toBeFalsy();
+      expect(rendered.queryByTestId('loginSelector')).toBeFalsy();
+      expect(rendered.queryByTestId('loginHelp')).toBeFalsy();
+      expect(rendered.queryByTestId('autoLoginOverlay')).toBeFalsy();
+      expect(rendered.queryAllByTestId(/^loginCard-/).length).toBe(0);
+
+      expect((await rendered.findByTestId('loginErrorMessage')).textContent).toEqual(
+        i18n.translate('xpack.security.noAuthProvidersForDomain', {
+          defaultMessage:
+            'No authentication providers have been configured for this origin (https://some-host.com).',
+        })
+      );
+    });
+
     it('properly redirects after successful login', async () => {
       const currentURL = `https://some-host/login?next=${encodeURIComponent(
         '/some-base-path/app/kibana#/home?_g=()'

x-pack/platform/plugins/shared/security/public/authentication/login/components/login_form/login_form.tsx

@@ -131,8 +131,18 @@ const assistanceCss = (theme: UseEuiTheme) => css`
 `;
 
 export class LoginForm extends Component<LoginFormProps, State> {
+  private readonly noProvidersMessage = i18n.translate('xpack.security.noAuthProvidersForDomain', {
+    defaultMessage: 'No authentication providers have been configured for this origin ({origin}).',
+    values: { origin: window.location.origin },
+  });
+
   private readonly validator: LoginValidator;
 
+  /**
+   * Available providers that match the current origin.
+   */
+  private readonly availableProviders: LoginSelectorProvider[];
+
   /**
    * Optional provider that was suggested by the `auth_provider_hint={providerName}` query string parameter. If provider
    * doesn't require Kibana native login form then login process is triggered automatically, otherwise Login Selector
@@ -142,10 +152,15 @@ export class LoginForm extends Component<LoginFormProps, State> {
 
   constructor(props: LoginFormProps) {
     super(props);
+
+    this.availableProviders = this.props.selector.providers.filter((provider) =>
+      this.providerMatchesOrigin(provider)
+    );
+
     this.validator = new LoginValidator({ shouldValidate: false });
 
     this.suggestedProvider = this.props.authProviderHint
-      ? this.props.selector.providers.find(({ name }) => name === this.props.authProviderHint)
+      ? this.availableProviders.find(({ name }) => name === this.props.authProviderHint)
       : undefined;
 
     // Switch to the Form mode right away if provider from the hint requires it.
@@ -158,7 +173,14 @@ export class LoginForm extends Component<LoginFormProps, State> {
       loadingState: { type: LoadingStateType.None },
       username: '',
       password: '',
-      message: this.props.message || { type: MessageType.None },
+      message:
+        this.props.message ??
+        (this.availableProviders.length === 0
+          ? {
+              type: MessageType.Danger,
+              content: this.noProvidersMessage,
+            }
+          : { type: MessageType.None }),
       mode,
       previousMode: mode,
     };
@@ -238,6 +260,10 @@ export class LoginForm extends Component<LoginFormProps, State> {
   };
 
   public renderContent() {
+    if (this.availableProviders.length === 0) {
+      return;
+    }
+
     switch (this.state.mode) {
       case PageMode.Form:
         return this.renderLoginForm();
@@ -341,7 +367,8 @@ export class LoginForm extends Component<LoginFormProps, State> {
   };
 
   private renderSelector = () => {
-    const providers = this.props.selector.providers.filter((p) => p.showInSelector);
+    const providers = this.availableProviders.filter((p) => p.showInSelector);
+
     return (
       <EuiPanel data-test-subj="loginSelector" paddingSize="none">
         {providers.map((provider) => {
@@ -515,9 +542,7 @@ export class LoginForm extends Component<LoginFormProps, State> {
     });
 
     // We try to log in with the provider that uses login form and has the lowest order.
-    const providerToLoginWith = this.props.selector.providers.find(
-      (provider) => provider.usesLoginForm
-    )!;
+    const providerToLoginWith = this.availableProviders.find((provider) => provider.usesLoginForm)!;
 
     try {
       const { location } = await this.props.http.post<{ location: string }>(
@@ -605,9 +630,17 @@ export class LoginForm extends Component<LoginFormProps, State> {
   private showLoginSelector() {
     return (
       this.props.selector.enabled &&
-      this.props.selector.providers.some(
-        (provider) => !provider.usesLoginForm && provider.showInSelector
-      )
+      this.availableProviders.some((provider) => !provider.usesLoginForm && provider.showInSelector)
+    );
+  }
+
+  private providerMatchesOrigin(provider: LoginSelectorProvider): boolean {
+    const { origin } = window.location;
+    return (
+      !provider.origin ||
+      (Array.isArray(provider.origin)
+        ? provider.origin.includes(origin)
+        : provider.origin === origin)
     );
   }
 }