Add Proxy Auth to Multi Auth Options

[stephen-crawford]

Description

[Describe what this change achieves]
This changes adds support for Proxy Auth as a Multi Auth option. It also adds tests for Proxy Auth which generally lacked testing.

With this change, you can enable proxy auth alongside one or more other auth types. For example, you can enable proxy and basic auth in your opensearch_dashboards.yml.

When proxy auth is enabled alongside other auth types, requests which do not include the expected proxy auth headers will redirect to the default OpenSearch Login page. There, the existing auth mechanisms can be accessed.

Category

[Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation]
Enhancement

Why these changes are required?

In order to support multi auth where one of the options is proxy auth.

What is the old behavior before changes and new behavior after changes?

Previously, when a user tried to enable Proxy auth alongside another auth type as part of a multi auth configuration, they would be notified that proxy auth was not a valid auth type. This was caused by the multi auth code lacking handling for Proxy auth. Similarly even if you could enable proxy auth as part of multi auth, the login page for OpenSearch would not properly render when sending a request which did not include the valid auth headers.

Issues Resolved

[List any issues this PR will resolve (Is this a backport? If so, please add backport PR # and/or commits #)]
#1724

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]
This change was manually tested and also includes jest integration and unit tests.

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[derek-ho]

Can you run yarn lint:es --fix and fix the failing tests?

[codecov]

Codecov Report

Attention: Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 71.39%. Comparing base (dc79df3) to head (ee3ca2f).
Report is 1 commits behind head on main.

Files	Patch %	Lines
public/apps/login/login-page.tsx	50.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2076      +/-   ##
==========================================
- Coverage   71.43%   71.39%   -0.05%     
==========================================
  Files          97       97              
  Lines        2647     2650       +3     
  Branches      408      410       +2     
==========================================
+ Hits         1891     1892       +1     
- Misses        641      642       +1     
- Partials      115      116       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cwperks]

@stephen-crawford Would it be possible to share a docker setup (or manual setup) with instructions on how to test the change?

[stephen-crawford]

HI @cwperks, sure no problem. It is not easy to get an actual proxy working with OpenSearch and dashboards with docker. However here are the details for running manually:

1. Install Nginx and make a note of where the configuration file is located (if you use homebrew, the config will be located inside the homebrew path system)
2. Update the Nginx config file (/nginx.conf) with

events {
  worker_connections  1024;
}

http {
  resolver 127.0.0.1 ipv6=off;

  upstream opensearch {
    server 0.0.0.0:5603;
    keepalive 15;
  }

  server {
    listen       8090; # http://localhost:8090/wxk/
    server_name  nginx.example.com;

    location / {
      proxy_pass http://opensearch;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header x-proxy-user admin;
      proxy_set_header x-proxy-roles admin;
      proxy_ssl_verify off; # Disable SSL verification if using self-signed certs
    }
  }
}

3. Install OpenSearch backend and run the usual manual setup steps for running OpenSearch with the Security plugin installed
4. Update the security configuration to minimally have

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        internalProxies: '.*' # regex pattern
        remoteIpHeader: "x-forwarded-for"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop

5. Update opensearch_dashboards.yml following the Proxy auth steps on the documentation website. You should end up with a config that includes:

opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
opensearch_security.auth.type: ["proxy", "basic"]
opensearch_security.proxycache.user_header: "x-proxy-user"
opensearch_security.proxycache.roles_header: "x-proxy-roles"

6. Turn everything on in order OpenSearch -> Nginx -> Dashboards (the last two should be interchangeable)

7. You should now be able to access the OpenSearch dashboards home page with http://localhost:8090//app/home#

But if you instead try to access the normal dashboards address i.e. 5601 you will be redirected to the login page.