diff --git a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/request.js b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/request.js
index d3ba20e4d5b6..fbd088dcc958 100644
--- a/x-pack/plugins/security/server/lib/__tests__/__fixtures__/request.js
+++ b/x-pack/plugins/security/server/lib/__tests__/__fixtures__/request.js
@@ -8,6 +8,7 @@ import url from 'url';
 export function requestFixture({
 headers = { accept: 'something/html' },
 path = '/wat',
+ basePath = '',
 search = '',
 payload
 } = {}) {
@@ -15,6 +16,7 @@ export function requestFixture({
 raw: { req: { headers } },
 headers,
 url: { path, search },
+ getBasePath: () => basePath,
 query: search ? url.parse(search, { parseQueryString: true }).query : {},
 payload,
 state: { user: 'these are the contents of the user client cookie' }
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/basic.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/basic.js
index 02c2df354232..931728a13981 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/basic.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/basic.js
@@ -44,13 +44,13 @@ describe('BasicAuthenticationProvider', () => {
 it('redirects non-AJAX requests that can not be authenticated to the login page.', async () => {
 const authenticationResult = await provider.authenticate(
- requestFixture({ path: '/some-path # that needs to be encoded' }),
+ requestFixture({ path: '/some-path # that needs to be encoded', basePath: '/s/foo' }),
 null
 );
 expect(authenticationResult.redirected()).to.be(true);
 expect(authenticationResult.redirectURL).to.be(
- '/base-path/login?next=%2Fbase-path%2Fsome-path%20%23%20that%20needs%20to%20be%20encoded'
+ '/base-path/login?next=%2Fs%2Ffoo%2Fsome-path%20%23%20that%20needs%20to%20be%20encoded'
 );
 });
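Review bot: In the `@@ -44,13 +44,13 @@` hunk of `providers/__tests__/basic.js` the fixture's `basePath: '/s/foo'` leaves out the server base path, so the expected `next=%2Fs%2Ffoo%2F…` sits under a different prefix than the `/base-path/login` target it is attached to. If `request.getBasePath()` returns the server base path followed by the request-scoped prefix in production (not visible in this diff, please confirm), a more faithful fixture would be `basePath: '/base-path/s/foo'` with `next=%2Fbase-path%2Fs%2Ffoo%2F…` expected. The same applies to the SAML tests, whose `nextURL` expectation changes from `/test-base-path/some-path` to `/s/foo/some-path`. No test exercises the fixture default `basePath = ''`, which is the case where `next` consists of `request.url.path` alone.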
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
index 2716c3d7598a..0000afe96a0b 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/__tests__/saml.js
@@ -40,7 +40,7 @@ describe('SAMLAuthenticationProvider', () => {
 });
 it('redirects non-AJAX request that can not be authenticated to the IdP.', async () => {
- const request = requestFixture({ path: '/some-path' });
+ const request = requestFixture({ path: '/some-path', basePath: '/s/foo' });
 callWithInternalUser
 .withArgs('shield.samlPrepare')
@@ -61,7 +61,7 @@ describe('SAMLAuthenticationProvider', () => {
 expect(authenticationResult.redirectURL).to.be('https://idp-host/path/login?SAMLRequest=some%20request%20');
 expect(authenticationResult.state).to.eql({
 requestId: 'some-request-id',
- nextURL: `/test-base-path/some-path`
+ nextURL: `/s/foo/some-path`
 });
 });
@@ -334,7 +334,7 @@ describe('SAMLAuthenticationProvider', () => {
 });
 it('initiates SAML handshake for non-AJAX requests if refresh token is used more than once.', async () => {
- const request = requestFixture({ path: '/some-path' });
+ const request = requestFixture({ path: '/some-path', basePath: '/s/foo' });
 callWithInternalUser
 .withArgs('shield.samlPrepare')
@@ -372,7 +372,7 @@ describe('SAMLAuthenticationProvider', () => {
 expect(authenticationResult.redirectURL).to.be('https://idp-host/path/login?SAMLRequest=some%20request%20');
 expect(authenticationResult.state).to.eql({
 requestId: 'some-request-id',
- nextURL: `/test-base-path/some-path`
+ nextURL: `/s/foo/some-path`
 });
 });
@@ -404,7 +404,7 @@ describe('SAMLAuthenticationProvider', () => {
 });
 it('initiates SAML handshake for non-AJAX requests if refresh token is expired.', async () => {
- const request = requestFixture({ path: '/some-path' });
+ const request = requestFixture({ path: '/some-path', basePath: '/s/foo' });
 callWithInternalUser
 .withArgs('shield.samlPrepare')
@@ -442,7 +442,7 @@ describe('SAMLAuthenticationProvider', () => {
 expect(authenticationResult.redirectURL).to.be('https://idp-host/path/login?SAMLRequest=some%20request%20');
 expect(authenticationResult.state).to.eql({
 requestId: 'some-request-id',
- nextURL: `/test-base-path/some-path`
+ nextURL: `/s/foo/some-path`
 });
 });
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/basic.js b/x-pack/plugins/security/server/lib/authentication/providers/basic.js
index 756b8a6ee10c..87b193c9e053 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/basic.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/basic.js
@@ -55,7 +55,7 @@ export class BasicAuthenticationProvider {
 authenticationResult = await this._authenticateViaState(request, state);
 } else if (authenticationResult.notHandled() && canRedirectRequest(request)) {
 // If we couldn't handle authentication let's redirect user to the login page.
- const nextURL = encodeURIComponent(`${this._options.basePath}${request.url.path}`);
+ const nextURL = encodeURIComponent(`${request.getBasePath()}${request.url.path}`);
 authenticationResult = AuthenticationResult.redirectTo(
 `${this._options.basePath}/login?next=${nextURL}`
 );
diff --git a/x-pack/plugins/security/server/lib/authentication/providers/saml.js b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
index 0319c84f1825..fc364736e395 100644
--- a/x-pack/plugins/security/server/lib/authentication/providers/saml.js
+++ b/x-pack/plugins/security/server/lib/authentication/providers/saml.js
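Review bot: In the `providers/basic.js` hunk, `next` is now built from `request.getBasePath()` while the `/login` target two lines below still uses `this._options.basePath`, and nothing in the code says why the two prefixes differ. A comment above the `nextURL` line would make the intent explicit, for example `// next keeps the request-scoped base path (/s/foo in the tests); the login page itself lives under the server base path.` Because `next` presumably becomes the post-login redirect target and is now composed only of request-derived values, the handler that consumes it (not shown in this diff) should accept nothing but a same-origin relative path. The same consideration applies to `nextURL` in the `saml.js` hunk. The enclosing method starts and ends outside the hunk.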
@@ -357,7 +357,7 @@ export class SAMLAuthenticationProvider {
 return AuthenticationResult.redirectTo(
 redirect,
 // Store request id in the state so that we can reuse it once we receive `SAMLResponse`.
- { requestId, nextURL: `${this._options.basePath}${request.url.path}` }
+ { requestId, nextURL: `${request.getBasePath()}${request.url.path}` }
 );
 } catch (err) {
 this._options.log(['debug', 'security', 'saml'], `Failed to initiate SAML handshake: ${err.message}`);
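Review bot: The comment above the changed line mentions only the request id, although the state object also carries `nextURL`, which this commit makes request-scoped. I would extend it to something like `// Store the request id and the request-scoped next URL in the state so that we can reuse them once we receive SAMLResponse.` Also note that `request.getBasePath()` is evaluated inside the `try`, so a request object lacking that method would surface only through the debug-level `Failed to initiate SAML handshake` log in the `catch`, which could make a wiring mistake hard to spot. The `try` block and the rest of the method begin outside the hunk.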