From 258f6d4e08f16097180225e79ab538078b0436c7 Mon Sep 17 00:00:00 2001
From: Constance <constancecchen@users.noreply.github.com>
Date: Wed, 9 Sep 2020 20:20:20 -0700
Subject: [PATCH] [Enterprise Search] Update shared API request handler
 (#77112)

* Add user auth check for /ent/select redirects

- Recent Enterprise Search CSRF changes have made it so redirects can occur to /ent/select and not just /login

* Fix request.query typing

- API endpoints passing in custom request.query params were seeing {} type errors - this change works around them

* Add Accept and Content-Type JSON headers to Enterprise Search requests

- Without the Accept header, Enterprise Search APIs will kick back a CSRF error
- Without the Content-Type header, APIs will not load JSON bodies as parameters per Ruby on Rails docs
---
 .../enterprise_search/common/constants.ts     |  5 +++-
 .../enterprise_search_request_handler.test.ts | 29 ++++++++++++-------
 .../lib/enterprise_search_request_handler.ts  | 11 +++----
 3 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/x-pack/plugins/enterprise_search/common/constants.ts b/x-pack/plugins/enterprise_search/common/constants.ts
index 6e2f0c0f24b7a..c6ca0d532ce07 100644
--- a/x-pack/plugins/enterprise_search/common/constants.ts
+++ b/x-pack/plugins/enterprise_search/common/constants.ts
@@ -70,6 +70,9 @@ export const WORKPLACE_SEARCH_PLUGIN = {
 
 export const LICENSED_SUPPORT_URL = 'https://support.elastic.co';
 
-export const JSON_HEADER = { 'Content-Type': 'application/json' }; // This needs specific casing or Chrome throws a 415 error
+export const JSON_HEADER = {
+  'Content-Type': 'application/json', // This needs specific casing or Chrome throws a 415 error
+  Accept: 'application/json', // Required for Enterprise Search APIs
+};
 
 export const ENGINES_PAGE_SIZE = 10;
diff --git a/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.test.ts b/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.test.ts
index 3f3f182433144..34f83ef3a3fd2 100644
--- a/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.test.ts
+++ b/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.test.ts
@@ -5,6 +5,7 @@
  */
 
 import { mockConfig, mockLogger } from '../__mocks__';
+import { JSON_HEADER } from '../../common/constants';
 
 import { EnterpriseSearchRequestHandler } from './enterprise_search_request_handler';
 
@@ -150,18 +151,26 @@ describe('EnterpriseSearchRequestHandler', () => {
       );
     });
 
-    it('returns an error when user authentication to Enterprise Search fails', async () => {
-      EnterpriseSearchAPI.mockReturn({}, { url: 'http://localhost:3002/login' });
-      const requestHandler = enterpriseSearchRequestHandler.createRequest({
-        path: '/api/unauthenticated',
+    describe('user authentication errors', () => {
+      afterEach(async () => {
+        const requestHandler = enterpriseSearchRequestHandler.createRequest({
+          path: '/api/unauthenticated',
+        });
+        await makeAPICall(requestHandler);
+
+        EnterpriseSearchAPI.shouldHaveBeenCalledWith('http://localhost:3002/api/unauthenticated');
+        expect(responseMock.customError).toHaveBeenCalledWith({
+          body: 'Error connecting to Enterprise Search: Cannot authenticate Enterprise Search user',
+          statusCode: 502,
+        });
       });
 
-      await makeAPICall(requestHandler);
-      EnterpriseSearchAPI.shouldHaveBeenCalledWith('http://localhost:3002/api/unauthenticated');
+      it('errors when redirected to /login', async () => {
+        EnterpriseSearchAPI.mockReturn({}, { url: 'http://localhost:3002/login' });
+      });
 
-      expect(responseMock.customError).toHaveBeenCalledWith({
-        body: 'Error connecting to Enterprise Search: Cannot authenticate Enterprise Search user',
-        statusCode: 502,
+      it('errors when redirected to /ent/select', async () => {
+        EnterpriseSearchAPI.mockReturn({}, { url: 'http://localhost:3002/ent/select' });
       });
     });
   });
@@ -185,7 +194,7 @@ const makeAPICall = (handler: Function, params = {}) => {
 const EnterpriseSearchAPI = {
   shouldHaveBeenCalledWith(expectedUrl: string, expectedParams = {}) {
     expect(fetchMock).toHaveBeenCalledWith(expectedUrl, {
-      headers: { Authorization: 'Basic 123' },
+      headers: { Authorization: 'Basic 123', ...JSON_HEADER },
       method: 'GET',
       body: undefined,
       ...expectedParams,
diff --git a/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.ts b/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.ts
index 8f31bd9063d4a..18f10c590847c 100644
--- a/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.ts
+++ b/x-pack/plugins/enterprise_search/server/lib/enterprise_search_request_handler.ts
@@ -14,6 +14,7 @@ import {
   Logger,
 } from 'src/core/server';
 import { ConfigType } from '../index';
+import { JSON_HEADER } from '../../common/constants';
 
 interface IConstructorDependencies {
   config: ConfigType;
@@ -25,7 +26,7 @@ interface IRequestParams<ResponseBody> {
   hasValidData?: (body?: ResponseBody) => boolean;
 }
 export interface IEnterpriseSearchRequestHandler {
-  createRequest(requestParams?: object): RequestHandler<unknown, Readonly<{}>, unknown>;
+  createRequest(requestParams?: object): RequestHandler<unknown, unknown, unknown>;
 }
 
 /**
@@ -52,12 +53,12 @@ export class EnterpriseSearchRequestHandler {
   }: IRequestParams<ResponseBody>) {
     return async (
       _context: RequestHandlerContext,
-      request: KibanaRequest<unknown, Readonly<{}>, unknown>,
+      request: KibanaRequest<unknown, unknown, unknown>,
       response: KibanaResponseFactory
     ) => {
       try {
         // Set up API URL
-        const queryParams = { ...request.query, ...params };
+        const queryParams = { ...(request.query as object), ...params };
         const queryString = !this.isEmptyObj(queryParams)
           ? `?${querystring.stringify(queryParams)}`
           : '';
@@ -65,7 +66,7 @@ export class EnterpriseSearchRequestHandler {
 
         // Set up API options
         const { method } = request.route;
-        const headers = { Authorization: request.headers.authorization as string };
+        const headers = { Authorization: request.headers.authorization as string, ...JSON_HEADER };
         const body = !this.isEmptyObj(request.body as object)
           ? JSON.stringify(request.body)
           : undefined;
@@ -73,7 +74,7 @@ export class EnterpriseSearchRequestHandler {
         // Call the Enterprise Search API and pass back response to the front-end
         const apiResponse = await fetch(url, { method, headers, body });
 
-        if (apiResponse.url.endsWith('/login')) {
+        if (apiResponse.url.endsWith('/login') || apiResponse.url.endsWith('/ent/select')) {
           throw new Error('Cannot authenticate Enterprise Search user');
         }