Reject authentication requests if license is not available. (#88850)

2021-01-21 07:59:00 +01:00 · 2021-01-21 07:59:00 +01:00 · c7267b63df
parent d28fa36e8a
commit c7267b63df
3 changed files with 31 additions and 2 deletions
--- a/x-pack/plugins/security/common/licensing/index.mock.ts
+++ b/x-pack/plugins/security/common/licensing/index.mock.ts
@ -9,7 +9,7 @@ import { SecurityLicense, SecurityLicenseFeatures } from '.';

 export const licenseMock = {
  create: (features?: Partial<SecurityLicenseFeatures>): jest.Mocked<SecurityLicense> => ({
-    isLicenseAvailable: jest.fn(),
+    isLicenseAvailable: jest.fn().mockReturnValue(true),
    isEnabled: jest.fn().mockReturnValue(true),
    getType: jest.fn().mockReturnValue('basic'),
    getFeatures: jest.fn(),
--- a/x-pack/plugins/security/server/authentication/authentication_service.test.ts
+++ b/x-pack/plugins/security/server/authentication/authentication_service.test.ts
@ -121,6 +121,23 @@ describe('AuthenticationService', () => {
          .authenticate;
      });

+      it('returns error if license is not available.', async () => {
+        const mockResponse = httpServerMock.createLifecycleResponseFactory();
+
+        mockSetupAuthenticationParams.license.isLicenseAvailable.mockReturnValue(false);
+
+        await authHandler(httpServerMock.createKibanaRequest(), mockResponse, mockAuthToolkit);
+
+        expect(mockResponse.customError).toHaveBeenCalledTimes(1);
+        expect(mockResponse.customError).toHaveBeenCalledWith({
+          body: 'License is not available.',
+          statusCode: 503,
+          headers: { 'Retry-After': '30' },
+        });
+        expect(mockAuthToolkit.authenticated).not.toHaveBeenCalled();
+        expect(mockAuthToolkit.redirected).not.toHaveBeenCalled();
+      });
+
      it('replies with no credentials when security is disabled in elasticsearch', async () => {
        const mockRequest = httpServerMock.createKibanaRequest();
        const mockResponse = httpServerMock.createLifecycleResponseFactory();
--- a/x-pack/plugins/security/server/authentication/authentication_service.ts
+++ b/x-pack/plugins/security/server/authentication/authentication_service.ts
@ -106,8 +106,20 @@ export class AuthenticationService {
    });

    http.registerAuth(async (request, response, t) => {
-      // If security is disabled continue with no user credentials and delete the client cookie as well.
+      if (!license.isLicenseAvailable()) {
+        this.logger.error('License is not available, authentication is not possible.');
+        return response.customError({
+          body: 'License is not available.',
+          statusCode: 503,
+          headers: { 'Retry-After': '30' },
+        });
+      }
+
+      // If security is disabled, then continue with no user credentials.
      if (!license.isEnabled()) {
+        this.logger.debug(
+          'Current license does not support any security features, authentication is not needed.'
+        );
        return t.authenticated();
      }