opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
70 stars, 152 forks

SAML auth tests for successful login assertion should be stronger #1376

Open cwperks opened 1 year ago

cwperks commented 1 year ago

Currently the SAML auth test for successful login is only checking for the presence of a cookie (https://github.com/opensearch-project/security-dashboards-plugin/blob/main/test/jest_integration/saml_auth.test.ts#L247). While this assertion is valid for successful login, the assertions can go further by reading the contents of the cookie to test different scenarios.

The cookie is encrypted using @hapi/Iron and can be unsealed in the test. The encryptionKey for encryption is set using opensearch_security.cookie.password: 'security_cookie_default_password' which the test has control over. The cookie name is security_authentication.

Unsealing the cookie can be performed by:

```javascript
const Iron = require('@hapi/iron');
const sealed = '<cookie>';     // value of the security_authentication cookie
const password = '<password>'; // opensearch_security.cookie.password
Iron.unseal(sealed, password, Iron.defaults).then((result) => console.log(result));
```

when unsealed, the cookie on SAML authentication looks like:

```
> Iron.unseal(sealed, password, Iron.defaults).then((result) => console.log(result));
Promise {
  <pending>,
  [Symbol(async_id_symbol)]: 1529,
  [Symbol(trigger_async_id_symbol)]: 1521,
  [Symbol(destroyed)]: { destroyed: false }
}
> {
  username: 'admin',
  credentials: {
    authHeaderValue: 'bearer  <auth_token>'
  },
  authType: 'saml',
  expiryTime: 1678391950593,
  tenant: '__user__'
}
```

The tests could be improved by verifying the authType and username. Additionally, more scenarios could be written around extraction of backend roles and verifying the contents of the credentials.authHeaderValue payload.

peternied commented 1 year ago

[Triage] Thanks for filing @cwperks