Add JWT authentication type to MultipleAuthentication

[merlinz01]

Description

Allows JWT to be included in a multiple-authentication configuration.

Category

Enhancement

Why these changes are required?

Previously one cannot use basic auth and JWT auth together

What is the old behavior before changes and new behavior after changes?

OSD error when basic auth and JWT auth are configured

Issues Resolved

#1814

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[merlinz01]

At this point what I am seeing is that the session cookie is being lost (deleted) when the browser requests /startup.js initiated by a script tag in the response. This results in all further API calls being unauthenticated and ultimately results in an endless loop of refreshing the page.

[merlinz01]

The request for /startup.js is the first request after the initial HTML is loaded, and it runs through the authentication flow that APIs use.

The logic here

security-dashboards-plugin/server/auth/types/authentication_type.ts

Line 100 in c143bce

if (this.authNotRequired(request)) {

decides that the request needs authenticated.

This line

security-dashboards-plugin/server/auth/types/authentication_type.ts

Line 145 in c143bce

this.sessionStorageFactory.asScoped(request).clear();

is then called, which deletes the auth cookie.

I assume this is not the desired behavior, and it seems like it would cause problems even without my changes.

Any input?

[merlinz01]

OK, I think I fixed the endless loop of the page refreshing with the above commit.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.46%. Comparing base (dc3e5a9) to head (bab1646).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2107      +/-   ##
==========================================
+ Coverage   71.40%   71.46%   +0.05%     
==========================================
  Files          97       97              
  Lines        2651     2649       -2     
  Branches      404      411       +7     
==========================================
  Hits         1893     1893              
+ Misses        642      641       -1     
+ Partials      116      115       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[derek-ho]

Left two minor comments, but otherwise thanks for the contribution @merlinz01 ! We can also get this merged first and follow up, since it has been a while, sorry for the delay in review

[cwperks]

@merlinz01 Can you check the integTest failure?

Summary of all failing tests
FAIL plugins/security-dashboards-plugin/test/jest_integration/jwt_multiauth.test.ts (5.246 s)
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
  ● start OpenSearch Dashboards server › Verify JWT access to dashboards

    Response Error: 401 Unauthorized

      162 |       .setProtectedHeader({ alg: 'HS256' })
      163 |       .sign(new TextEncoder().encode('99011df6ef40e4a2cd9cd6ccb2d649e0'));
    > 164 |     await wreck.get(`http://localhost:5601/app/home?token=${adminJWT}#`, {
          |     ^
      165 |       rejectUnauthorized: true,
      166 |       headers: {
      167 |         'Content-Type': 'application/json',

      at Object.<anonymous>.internals.Client._shortcut (plugins/security-dashboards-plugin/node_modules/@hapi/wreck/lib/index.js:569:15)
      at Object.<anonymous> (plugins/security-dashboards-plugin/test/jest_integration/jwt_multiauth.test.ts:164:5)

[merlinz01]

Try it now.

[cwperks]

Try it now.

All CI Checks green now. Thank you @merlinz01. @derek-ho Can you review again?

[derek-ho]

LGTM

[merlinz01]

Thanks for your assistance! 🎉 🚀 👍