feat: improve isAnonymousPage, add error log in isReadonly

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
opensearch-project · Oct 31, 2023 · e70efb5 · e70efb5
1 parent 798ca64
commit e70efb5
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/common/index.ts b/common/index.ts
@@ -38,6 +38,19 @@ export const OPENID_AUTH_LOGOUT = '/auth/openid/logout';
 export const SAML_AUTH_LOGOUT = '/auth/saml/logout';
 export const ANONYMOUS_AUTH_LOGOUT = '/auth/anonymous/logout';
 
+export const ANONYMOUS_ROUTES = [
+  LOGIN_PAGE_URI,
+  CUSTOM_ERROR_PAGE_URI,
+  API_AUTH_LOGIN,
+  API_AUTH_LOGOUT,
+  OPENID_AUTH_LOGIN,
+  ANONYMOUS_AUTH_LOGIN,
+  OPENID_AUTH_LOGOUT,
+  SAML_AUTH_LOGOUT,
+  ANONYMOUS_AUTH_LOGOUT,
+  SAML_AUTH_LOGIN,
+];
+
 export const ERROR_MISSING_ROLE_PATH = '/missing-role';
 export const AUTH_HEADER_NAME = 'authorization';
 export const AUTH_GRANT_TYPE = 'authorization_code';

diff --git a/server/readonly/readonly_service.test.ts b/server/readonly/readonly_service.test.ts
@@ -114,7 +114,7 @@ describe('checks isAnonymousPage', () => {
     [
       {
         headers: {
-          referer: 'https://localhost/login',
+          referer: 'https://localhost/app/login',
         },
       },
       true,

diff --git a/server/readonly/readonly_service.ts b/server/readonly/readonly_service.ts
@@ -19,7 +19,7 @@ import {
   OpenSearchDashboardsRequest,
   SessionStorageFactory,
 } from '../../../../src/core/server';
-import { globalTenantName, isPrivateTenant } from '../../common';
+import { globalTenantName, isPrivateTenant, ANONYMOUS_ROUTES } from '../../common';
 import { SecurityClient } from '../backend/opensearch_security_client';
 import { IAuthenticationType, OpenSearchAuthInfo } from '../auth/types/authentication_type';
 import { SecuritySessionCookie } from '../session/security_cookie';
@@ -53,13 +53,8 @@ export class ReadonlyService extends BaseReadonlyService {
       return false;
     }
 
-    try {
-      const url = new URL(request.headers.referer as string);
-      const pathsToIgnore = ['login', 'logout', 'customerror'];
-      return pathsToIgnore.includes(url.pathname?.split('/').pop() || '');
-    } catch (error: any) {
-      this.logger.error(`Could not parse the referer for the capabilites: ${error.stack}`);
-    }
+    const url = new URL(request.headers.referer as string);
+    return ANONYMOUS_ROUTES.some((path) => url.pathname?.includes(path));
   }
 
   isReadOnlyTenant(authInfo: OpenSearchAuthInfo): boolean {
@@ -70,7 +65,7 @@ export class ReadonlyService extends BaseReadonlyService {
       return false;
     }
 
-    let readWriteAccess = authInfo.tenants[currentTenant];
+    const readWriteAccess = authInfo.tenants[currentTenant];
     return !readWriteAccess;
   }
 
@@ -100,6 +95,7 @@ export class ReadonlyService extends BaseReadonlyService {
 
       return authInfo && this.isReadOnlyTenant(authInfo);
     } catch (error: any) {
+      this.logger.error(`Failed to resolve if it's a readonly tenant: ${error.stack}`);
       return false;
     }
   }