Merge branch 'master' into 73221-remove-success

elastic · Aug 27, 2020 · dfccf25 · dfccf25
2 parents 1546bef + 54bbd6a
commit dfccf25
Show file tree

Hide file tree

Showing 9 changed files with 221 additions and 32 deletions.
diff --git a/x-pack/plugins/security/common/model/authenticated_user.mock.ts b/x-pack/plugins/security/common/model/authenticated_user.mock.ts
@@ -16,6 +16,7 @@ export function mockAuthenticatedUser(user: Partial<AuthenticatedUser> = {}) {
     authentication_realm: { name: 'native1', type: 'native' },
     lookup_realm: { name: 'native1', type: 'native' },
     authentication_provider: 'basic1',
+    authentication_type: 'realm',
     ...user,
   };
 }
diff --git a/x-pack/plugins/security/common/model/authenticated_user.ts b/x-pack/plugins/security/common/model/authenticated_user.ts
@@ -31,6 +31,13 @@ export interface AuthenticatedUser extends User {
    * Name of the Kibana authentication provider that used to authenticate user.
    */
   authentication_provider: string;
+
+  /**
+   * The AuthenticationType used by ES to authenticate the user.
+   *
+   * @example "realm" | "api_key" | "token" | "anonymous" | "internal"
+   */
+  authentication_type: string;
 }
 
 export function canUserChangePassword(user: AuthenticatedUser) {

diff --git a/x-pack/test/api_integration/apis/security/basic_login.js b/x-pack/test/api_integration/apis/security/basic_login.js
@@ -15,8 +15,7 @@ export default function ({ getService }) {
   const validUsername = kibanaServerConfig.username;
   const validPassword = kibanaServerConfig.password;
 
-  // Failing: See https://github.com/elastic/kibana/issues/75707
-  describe.skip('Basic authentication', () => {
+  describe('Basic authentication', () => {
     it('should redirect non-AJAX requests to the login page if not authenticated', async () => {
       const response = await supertest.get('/abc/xyz').expect(302);
 
@@ -145,8 +144,15 @@ export default function ({ getService }) {
         'authentication_realm',
         'lookup_realm',
         'authentication_provider',
+        'authentication_type',
       ]);
       expect(apiResponse.body.username).to.be(validUsername);
+      expect(apiResponse.body.authentication_provider).to.eql('__http__');
+      expect(apiResponse.body.authentication_realm).to.eql({
+        name: 'reserved',
+        type: 'reserved',
+      });
+      expect(apiResponse.body.authentication_type).to.be('realm');
     });
 
     describe('with session cookie', () => {
@@ -187,8 +193,15 @@ export default function ({ getService }) {
           'authentication_realm',
           'lookup_realm',
           'authentication_provider',
+          'authentication_type',
         ]);
         expect(apiResponse.body.username).to.be(validUsername);
+        expect(apiResponse.body.authentication_provider).to.eql('basic');
+        expect(apiResponse.body.authentication_realm).to.eql({
+          name: 'reserved',
+          type: 'reserved',
+        });
+        expect(apiResponse.body.authentication_type).to.be('realm');
       });
 
       it('should extend cookie on every successful non-system API call', async () => {

diff --git a/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts b/x-pack/test/kerberos_api_integration/apis/security/kerberos_login.ts
@@ -37,8 +37,7 @@ export default function ({ getService }: FtrProviderContext) {
     expect(cookie.maxAge).to.be(0);
   }
 
-  // FAILING: https://github.com/elastic/kibana/issues/75707
-  describe.skip('Kerberos authentication', () => {
+  describe('Kerberos authentication', () => {
     before(async () => {
       await getService('esSupertest')
         .post('/_security/role_mapping/krb5')
@@ -82,6 +81,7 @@ export default function ({ getService }: FtrProviderContext) {
       expect(user.username).to.eql(username);
       expect(user.authentication_realm).to.eql({ name: 'reserved', type: 'reserved' });
       expect(user.authentication_provider).to.eql('basic');
+      expect(user.authentication_type).to.eql('realm');
     });
 
     describe('initiating SPNEGO', () => {
@@ -121,7 +121,14 @@ export default function ({ getService }: FtrProviderContext) {
         const sessionCookie = request.cookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
 
-        const expectedUserRoles = ['kibana_admin'];
+        const isAnonymousAccessEnabled = (config.get(
+          'esTestCluster.serverArgs'
+        ) as string[]).some((setting) => setting.startsWith('xpack.security.authc.anonymous'));
+
+        // `superuser_anonymous` role is derived from the enabled anonymous access.
+        const expectedUserRoles = isAnonymousAccessEnabled
+          ? ['kibana_admin', 'superuser_anonymous']
+          : ['kibana_admin'];
 
         await supertest
           .get('/internal/security/me')
@@ -140,6 +147,7 @@ export default function ({ getService }: FtrProviderContext) {
             authentication_realm: { name: 'kerb1', type: 'kerberos' },
             lookup_realm: { name: 'kerb1', type: 'kerberos' },
             authentication_provider: 'kerberos',
+            authentication_type: 'token',
           });
       });