The cookie is encrypted using `@hapi/iron` and can be unsealed in the test. The encryption key is set with `opensearch_security.cookie.password: 'security_cookie_default_password'`, which the test has control over. The cookie name is `security_authentication`.
Unsealing the cookie can be performed by:

```js
const Iron = require('@hapi/iron');
const sealed = '<cookie>';     // sealed value of the security_authentication cookie
const password = '<password>'; // value of opensearch_security.cookie.password
Iron.unseal(sealed, password, Iron.defaults).then((result) => console.log(result));
```
When unsealed, the cookie on SAML authentication looks like:
The tests could be improved by verifying the `authType` and `username`. Additionally, more scenarios could be written around extraction of backend roles and verifying the contents of the `credentials.authHeaderValue` payload.
Currently the SAML auth test for successful login is only checking for the presence of a cookie (https://github.com/opensearch-project/security-dashboards-plugin/blob/main/test/jest_integration/saml_auth.test.ts#L247). While this assertion is valid for successful login, the assertions can go further by reading the contents of the cookie to test different scenarios.
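As an added example (not code from the security-dashboards-plugin repository or from this issue), the helpers below show how the Jest test could go beyond "a cookie exists": extract the sealed `security_authentication` value from a `Set-Cookie` header, unseal it with `@hapi/iron`, and assert on `authType`, `username` and `credentials.authHeaderValue`. The function names, the assumption that the SAML flow stores a `Bearer <jwt>` in `authHeaderValue`, the `roles` claim name and every sample value are assumptions, not taken from the plugin.

```javascript
// Added example: helpers for asserting on the unsealed security_authentication
// cookie in a Jest integration test. Not from the security-dashboards-plugin
// repository; names, the Bearer-JWT assumption and sample values are assumptions.
const COOKIE_NAME = 'security_authentication';
// Must match opensearch_security.cookie.password in the test's config.
const COOKIE_PASSWORD = 'security_cookie_default_password';

// Return the value of the named cookie from one or more Set-Cookie headers,
// ignoring attributes such as Path=/ and HttpOnly. Null if absent.
function extractSealedCookie(setCookieHeaders, name = COOKIE_NAME) {
  const headers = Array.isArray(setCookieHeaders) ? setCookieHeaders : [setCookieHeaders];
  for (const header of headers) {
    if (typeof header !== 'string') continue;
    const pair = header.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq).trim() !== name) continue;
    const raw = pair.slice(eq + 1).trim();
    try { return decodeURIComponent(raw); } catch { return raw; }
  }
  return null;
}

// Unseal with @hapi/iron, the library the plugin seals the cookie with.
// Required lazily so the other helpers work without the dependency installed.
async function unsealSecurityCookie(sealed, password = COOKIE_PASSWORD) {
  const Iron = require('@hapi/iron');
  return Iron.unseal(sealed, password, Iron.defaults);
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function base64UrlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Read the claims of a "Bearer <jwt>" authHeaderValue WITHOUT verifying the
// signature (assumption: the SAML flow stores a Bearer JWT there). Skipping
// verification is acceptable only because the test reads claims issued by a
// server it controls; this is not a way to decide whether to trust a token.
function decodeBearerPayload(authHeaderValue) {
  if (typeof authHeaderValue !== 'string' || !authHeaderValue.startsWith('Bearer ')) return null;
  const parts = authHeaderValue.slice('Bearer '.length).split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch { return null; }
}

// Compare the unsealed cookie with what the test expects. Returns a list of
// problems so a Jest test can do expect(checkSamlCookie(...)).toEqual([]).
function checkSamlCookie(unsealed, expected, rolesClaim = 'roles') {
  if (!unsealed || typeof unsealed !== 'object') return ['cookie did not unseal to an object'];
  const problems = [];
  if (unsealed.authType !== 'saml') {
    problems.push(`authType is ${JSON.stringify(unsealed.authType)}, expected "saml"`);
  }
  if (unsealed.username !== expected.username) {
    problems.push(`username is ${JSON.stringify(unsealed.username)}, expected ${JSON.stringify(expected.username)}`);
  }
  const header = unsealed.credentials && unsealed.credentials.authHeaderValue;
  if (typeof header !== 'string' || header.length === 0) {
    problems.push('credentials.authHeaderValue is missing or empty');
  } else if (expected.backendRoles) {
    const payload = decodeBearerPayload(header);
    const roles = payload && Array.isArray(payload[rolesClaim]) ? payload[rolesClaim] : [];
    for (const role of expected.backendRoles) {
      if (!roles.includes(role)) problems.push(`backend role ${role} not present in ${rolesClaim} claim`);
    }
  }
  return problems;
}

// Constructed sample of what an unsealed SAML cookie could contain (not captured
// from a real login; the JWT is unsigned and only shaped like one).
function constructedSamlCookie(username = 'user1', roles = ['admin']) {
  const jwt = `${base64UrlEncode({ alg: 'HS512' })}.${base64UrlEncode({ sub: username, roles })}.placeholder-signature`;
  return { authType: 'saml', username, credentials: { authHeaderValue: `Bearer ${jwt}` } };
}

// Example usage inside the Jest test (assumes a supertest-style response object):
//   const sealed = extractSealedCookie(response.header['set-cookie']);
//   const unsealed = await unsealSecurityCookie(sealed);
//   expect(checkSamlCookie(unsealed, { username: 'user1' })).toEqual([]);
```

`checkSamlCookie` returns a list of mismatches rather than throwing so one `expect(...).toEqual([])` reports every deviation at once; the backend-role check is opt-in via `expected.backendRoles`, since the claim name inside the JWT is an assumption that the test author should confirm against the plugin's SAML configuration.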