Open Alex-At-Home opened 5 years ago
example:

```shell
curl 'https://XXXX.us-east-1.aws.found.io:9243/api/console/proxy?path=.kibana%2F_search&method=GET' \
  -XPOST \
  -H 'Cookie: xxx' \
  -H 'Accept: text/plain, */*; q=0.01' \
  -H 'Origin: https://XXXX.us-east-1.aws.found.io:9243' \
  -H 'Referer: https://XXXX.us-east-1.aws.found.io:9243/app/kibana' \
  -H 'Accept-Encoding: br, gzip, deflate' \
  -H 'Host: XXXX.us-east-1.aws.found.io:9243' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15' \
  -H 'Content-Length: 0' \
  -H 'Accept-Language: en-us' \
  -H 'Connection: keep-alive' \
  -H 'kbn-version: 6.5.4'
```
So probably just snagging `Cookie: [^']+` and `https://[^/]+` would be sufficient?
(very similar logic could allow access via the Cloud user console as well)
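As an added example (not code from the issue, nor from the project it discusses), here is what "snagging the Cookie and the base URL" from a pasted curl command could look like in the sidebar's own language, JavaScript, followed by building the console-proxy request from what was extracted. The sample curl text, the session-object shape, the `parseCurl` and `buildProxyRequest` helpers, and the placeholder cookie value are all assumptions made for the example:

```javascript
// Added example (not code from the issue): pull the session cookie, the Kibana
// base URL and the kbn-version header out of a curl command pasted from the
// browser ("Copy as cURL"), then build the console-proxy request from them.
// The regexes follow the comment above (`Cookie: [^']+`, `https://[^/]+`),
// tightened to stop at a quote or whitespace as well as at a slash.

// Constructed sample: the issue's redacted curl, with a placeholder cookie value.
const SAMPLE_CURL = [
  "curl 'https://XXXX.us-east-1.aws.found.io:9243/api/console/proxy?path=.kibana%2F_search&method=GET' \\",
  "-XPOST \\",
  "-H 'Cookie: sid=redacted-session-cookie' \\",
  "-H 'Origin: https://XXXX.us-east-1.aws.found.io:9243' \\",
  "-H 'kbn-version: 6.5.4'",
].join('\n');

function parseCurl(curlText) {
  const cookie = /Cookie: ([^']+)/.exec(curlText);
  const base = /https:\/\/[^/'\s]+/.exec(curlText);
  const kbnVersion = /kbn-version: ([^']+)/.exec(curlText);
  if (!cookie || !base) {
    throw new Error('pasted text has no Cookie header or no https:// URL');
  }
  return {
    baseUrl: base[0],                              // scheme + host + port, no path
    cookie: cookie[1].trim(),                      // whole Cookie header value, replayed verbatim
    kbnVersion: kbnVersion ? kbnVersion[1].trim() : null,
  };
}

// Builds { url, options } in the shape UrlFetchApp.fetch(url, options) takes in
// Apps Script. The console proxy is always POSTed to; the ES path and method
// ride in the query string, so the path has to be URL-encoded.
function buildProxyRequest(session, endpoint, method) {
  const url = session.baseUrl + '/api/console/proxy?path=' +
    encodeURIComponent(endpoint) + '&method=' + encodeURIComponent(method);
  const headers = { Cookie: session.cookie };
  // Kibana refuses non-GET API requests that carry no XSRF header: kbn-version
  // copied from the pasted command satisfies it; kbn-xsrf with any value is the fallback.
  if (session.kbnVersion) {
    headers['kbn-version'] = session.kbnVersion;
  } else {
    headers['kbn-xsrf'] = 'true';
  }
  return { url: url, options: { method: 'post', headers: headers, payload: '' } };
}

const req = buildProxyRequest(parseCurl(SAMPLE_CURL), '.kibana/_search', 'GET');
console.log(req.url);
```

The returned `options` object is what a sidebar would hand to `UrlFetchApp.fetch(req.url, req.options)`; nothing here talks to the network, so it can be run as-is under Node to check the extraction. The whole `Cookie` value is replayed unchanged because the proxy authenticates on the session cookie and nothing else in that command.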
OK so it's a bit ugly, currently Kibana CORS only allows you to do *
or nothing ... this may be too open for people's taste
I've been looking into what it would look like instead to add direct ES/SAML support ... I think it's doable.... see https://developers.google.com/apps-script/reference/script/script-app (search for usercallback)
You set the callback id to be https://script.google.com/macros/d/{SCRIPT ID}/usercallback
and it appears in the callback .. this would then (I guess) set an ES token (not 100% sure where that comes from in this flow) into the user token service, and then the sidebar would go fetch that (instead of the password)
OK some more experimentation into what it would take to get (direct to ES) SAML working
Starting with https://github.com/gsuitedevs/apps-script-oauth2/blob/8c1963ed3eeb74a244e3f306217f536009e86575/dist/OAuth2.gs I added the following test code:
```javascript
function getCallbackURL(callbackFunctionName) {
  // The state token binds the callback function name and a 120 s timeout;
  // the usercallback URL carrying it routes the request back into this script.
  var stateToken = ScriptApp.newStateToken()
    .withMethod(callbackFunctionName)
    .withTimeout(120)
    .createToken();
  return 'https://script.google.com/macros/d/' + encodeURIComponent(ScriptApp.getScriptId()) +
    '/usercallback?state=' + stateToken;
}
//...
html.testLink = getCallbackURL("myTestCallback")
//...
function myTestCallback(inVal) {
  // Log whatever the usercallback endpoint hands over (query params, POST body, ...)
  Logger.log("in " + JSON.stringify(inVal));
  return true;
}
```
Then using the cookies etc that I get by pasting that link into the browser I did a curl:
```shell
curl 'https://script.google.com/macros/d/<<from code above>>/usercallback?state=<<from code above>>' \
  -XGET \
  -H 'Cookie: SIDCC=AN0-TYvLfQNUP8s6tyfnwqLf4jzjo2LpOGXSKjR343kYK_1RqDDT5FXmQG36GnyGnc9r0UbHogc; 1P_JAR=2019-11-22-21; NID=192=xxx-Y92Gq_Np24NL90Fl0iQL23KnMo-xxx-xxx-xxx; S=maestro=xxx-xxx; __utma=23934520.1167527487.1574377313.1574377313.1574458053.2; __utmb=23934520.1.10.1574458053; __utmc=23934520; __utmz=23934520.1574458053.2.2.utmcsr=docs.google.com|utmccn=(referral)|utmcmd=referral|utmcct=/; OTZ=5202405_76_76_104100_72_446760; SID=xxx.; APISID=xxx/xxx; HSID=xxx; SAPISID=xxx/xxx; SSID=xxx; SEARCH_SAMESITE=xxx' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
  -H 'Host: script.google.com' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15' \
  -H 'Accept-Language: en-us' \
  -H 'Accept-Encoding: br, gzip, deflate' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 2' \
  -XPOST -d' '
```
And sure enough looking at the logs for my script I get:
[19-11-22 13:48:21:930 PST] in {"parameter":{" ":"","state":"<<from app>>"},"contextPath":"","contentLength":2,"queryString":"state=<<from app>>","parameters":{" ":[""],"state":["<<from app>>"]},"postData":{"type":"application/x-www-form-urlencoded","length":2,"contents":" ","name":"postData"}}
So in theory I can set the ACS to be that callback (provided I can make it pass in the `state=` param <- UNVALIDATED, which will work for all users of the script) and then stick the relay state etc. into the script properties for a given URL and then hit ES with an ACS to get a token I then use for API calls.
2 cases:
POST /api/console/proxy?path=$ENCODE($endpoint)&method=$method