fix redirect after logging in (elastic#25546) (elastic#25684)

kobelb · Nov 26, 2018 · ba984a3 · ba984a3
1 parent 014a00d
commit ba984a3
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 10 deletions.
diff --git a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/request.js b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/request.js
@@ -8,13 +8,15 @@ import url from 'url';
 export function requestFixture({
   headers = { accept: 'something/html' },
   path = '/wat',
+  basePath = '',
   search = '',
   payload
 } = {}) {
   return {
     raw: { req: { headers } },
     headers,
     url: { path, search },
+    getBasePath: () => basePath,
     query: search ? url.parse(search, { parseQueryString: true }).query : {},
     payload,
     state: { user: 'these are the contents of the user client cookie' }

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/basic.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/basic.js
@@ -44,13 +44,13 @@ describe('BasicAuthenticationProvider', () => {
 
     it('redirects non-AJAX requests that can not be authenticated to the login page.', async () => {
       const authenticationResult = await provider.authenticate(
-        requestFixture({ path: '/some-path # that needs to be encoded' }),
+        requestFixture({ path: '/some-path # that needs to be encoded', basePath: '/s/foo' }),
         null
       );
 
       expect(authenticationResult.redirected()).to.be(true);
       expect(authenticationResult.redirectURL).to.be(
-        '/base-path/login?next=%2Fbase-path%2Fsome-path%20%23%20that%20needs%20to%20be%20encoded'
+        '/base-path/login?next=%2Fs%2Ffoo%2Fsome-path%20%23%20that%20needs%20to%20be%20encoded'
       );
     });
 

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
@@ -40,7 +40,7 @@ describe('SAMLAuthenticationProvider', () => {
     });
 
     it('redirects non-AJAX request that can not be authenticated to the IdP.', async () => {
-      const request = requestFixture({ path: '/some-path' });
+      const request = requestFixture({ path: '/some-path', basePath: '/s/foo' });
 
       callWithInternalUser
         .withArgs('shield.samlPrepare')
@@ -61,7 +61,7 @@ describe('SAMLAuthenticationProvider', () => {
       expect(authenticationResult.redirectURL).to.be('https://idp-host/path/login?SAMLRequest=some%20request%20');
       expect(authenticationResult.state).to.eql({
         requestId: 'some-request-id',
-        nextURL: `/test-base-path/some-path`
+        nextURL: `/s/foo/some-path`
       });
     });
 
@@ -334,7 +334,7 @@ describe('SAMLAuthenticationProvider', () => {
     });
 
     it('initiates SAML handshake for non-AJAX requests if refresh token is used more than once.', async () => {
-      const request = requestFixture({ path: '/some-path' });
+      const request = requestFixture({ path: '/some-path', basePath: '/s/foo' });
 
       callWithInternalUser
         .withArgs('shield.samlPrepare')
@@ -372,7 +372,7 @@ describe('SAMLAuthenticationProvider', () => {
       expect(authenticationResult.redirectURL).to.be('https://idp-host/path/login?SAMLRequest=some%20request%20');
       expect(authenticationResult.state).to.eql({
         requestId: 'some-request-id',
-        nextURL: `/test-base-path/some-path`
+        nextURL: `/s/foo/some-path`
       });
     });
 
@@ -404,7 +404,7 @@ describe('SAMLAuthenticationProvider', () => {
     });
 
     it('initiates SAML handshake for non-AJAX requests if refresh token is expired.', async () => {
-      const request = requestFixture({ path: '/some-path' });
+      const request = requestFixture({ path: '/some-path', basePath: '/s/foo' });
 
       callWithInternalUser
         .withArgs('shield.samlPrepare')
@@ -442,7 +442,7 @@ describe('SAMLAuthenticationProvider', () => {
       expect(authenticationResult.redirectURL).to.be('https://idp-host/path/login?SAMLRequest=some%20request%20');
       expect(authenticationResult.state).to.eql({
         requestId: 'some-request-id',
-        nextURL: `/test-base-path/some-path`
+        nextURL: `/s/foo/some-path`
       });
     });
 

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/basic.js b/x-pack/plugins/security/server/lib/authentication/providers/basic.js
@@ -55,7 +55,7 @@ export class BasicAuthenticationProvider {
       authenticationResult = await this._authenticateViaState(request, state);
     } else if (authenticationResult.notHandled() && canRedirectRequest(request)) {
       // If we couldn't handle authentication let's redirect user to the login page.
-      const nextURL = encodeURIComponent(`${this._options.basePath}${request.url.path}`);
+      const nextURL = encodeURIComponent(`${request.getBasePath()}${request.url.path}`);
       authenticationResult = AuthenticationResult.redirectTo(
         `${this._options.basePath}/login?next=${nextURL}`
       );

diff --git a/x-pack/plugins/security/server/lib/authentication/providers/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
@@ -357,7 +357,7 @@ export class SAMLAuthenticationProvider {
       return AuthenticationResult.redirectTo(
         redirect,
         // Store request id in the state so that we can reuse it once we receive `SAMLResponse`.
-        { requestId, nextURL: `${this._options.basePath}${request.url.path}` }
+        { requestId, nextURL: `${request.getBasePath()}${request.url.path}` }
       );
     } catch (err) {
       this._options.log(['debug', 'security', 'saml'], `Failed to initiate SAML handshake: ${err.message}`);