preserve 401 errors from new es client

src/core/server/elasticsearch/client/errors.test.ts

@@ -0,0 +1,82 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import {
+  ResponseError,
+  ConnectionError,
+  ConfigurationError,
+} from '@elastic/elasticsearch/lib/errors';
+import { ApiResponse } from '@elastic/elasticsearch';
+import { isResponseError, isUnauthorizedError } from './errors';
+
+const createApiResponseError = ({
+  statusCode = 200,
+  headers = {},
+  body = {},
+}: {
+  statusCode?: number;
+  headers?: Record<string, string>;
+  body?: Record<string, any>;
+} = {}): ApiResponse => {
+  return {
+    body,
+    statusCode,
+    headers,
+    warnings: [],
+    meta: {} as any,
+  };
+};
+
+describe('isResponseError', () => {
+  it('returns `true` when the input is a `ResponseError`', () => {
+    expect(isResponseError(new ResponseError(createApiResponseError()))).toBe(true);
+  });
+
+  it('returns `false` when the input is not a `ResponseError`', () => {
+    expect(isResponseError(new Error('foo'))).toBe(false);
+    expect(isResponseError(new ConnectionError('error', createApiResponseError()))).toBe(false);
+    expect(isResponseError(new ConfigurationError('foo'))).toBe(false);
+  });
+});
+
+describe('isUnauthorizedError', () => {
+  it('returns true when the input is a `ResponseError` and statusCode === 401', () => {
+    expect(
+      isUnauthorizedError(new ResponseError(createApiResponseError({ statusCode: 401 })))
+    ).toBe(true);
+  });
+
+  it('returns false when the input is a `ResponseError` and statusCode !== 401', () => {
+    expect(
+      isUnauthorizedError(new ResponseError(createApiResponseError({ statusCode: 200 })))
+    ).toBe(false);
+    expect(
+      isUnauthorizedError(new ResponseError(createApiResponseError({ statusCode: 403 })))
+    ).toBe(false);
+    expect(
+      isUnauthorizedError(new ResponseError(createApiResponseError({ statusCode: 500 })))
+    ).toBe(false);
+  });
+
+  it('returns `false` when the input is not a `ResponseError`', () => {
+    expect(isUnauthorizedError(new Error('foo'))).toBe(false);
+    expect(isUnauthorizedError(new ConnectionError('error', createApiResponseError()))).toBe(false);
+    expect(isUnauthorizedError(new ConfigurationError('foo'))).toBe(false);
+  });
+});

src/core/server/elasticsearch/client/errors.ts

@@ -0,0 +1,32 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { ResponseError } from '@elastic/elasticsearch/lib/errors';
+
+export type UnauthorizedError = ResponseError & {
+  statusCode: 401;
+};
+
+export function isResponseError(error: any): error is ResponseError {
+  return Boolean(error.body && error.statusCode && error.headers);
+}
+
+export function isUnauthorizedError(error: any): error is UnauthorizedError {
+  return isResponseError(error) && error.statusCode === 401;
+}

src/core/server/elasticsearch/client/mocks.test.ts

@@ -49,6 +49,12 @@ describe('Mocked client', () => {
     expectMocked(client.close);
   });
 
+  it('used EventEmitter functions should be mocked', () => {
+    expectMocked(client.on);
+    expectMocked(client.off);
+    expectMocked(client.once);
+  });
+
   it('`child` should be mocked and return a mocked Client', () => {
     expectMocked(client.child);
 

src/core/server/elasticsearch/client/mocks.ts

@@ -54,13 +54,20 @@ const createInternalClientMock = (): DeeplyMockedKeys<Client> => {
 
   mockify(client, omittedProps);
 
-  client.transport = {
+  // client got some read-only (getter) properties
+  // so we need to extend it to override the getter-only props.
+  const mock: any = { ...client };
+
+  mock.transport = {
     request: jest.fn(),
   };
-  client.close = jest.fn().mockReturnValue(Promise.resolve());
-  client.child = jest.fn().mockImplementation(() => createInternalClientMock());
+  mock.close = jest.fn().mockReturnValue(Promise.resolve());
+  mock.child = jest.fn().mockImplementation(() => createInternalClientMock());
+  mock.on = jest.fn();
+  mock.off = jest.fn();
+  mock.once = jest.fn();
 
-  return (client as unknown) as DeeplyMockedKeys<Client>;
+  return (mock as unknown) as DeeplyMockedKeys<Client>;
 };
 
 export type ElasticSearchClientMock = DeeplyMockedKeys<ElasticsearchClient>;

src/core/server/http/integration_tests/core_service.test.mocks.ts

@@ -18,10 +18,12 @@
  */
 import { elasticsearchServiceMock } from '../../elasticsearch/elasticsearch_service.mock';
 
-export const clusterClientMock = jest.fn();
-export const clusterClientInstanceMock = elasticsearchServiceMock.createLegacyScopedClusterClient();
+export const MockLegacyScopedClusterClient = jest.fn();
+export const legacyClusterClientInstanceMock = elasticsearchServiceMock.createLegacyScopedClusterClient();
 jest.doMock('../../elasticsearch/legacy/scoped_cluster_client', () => ({
-  LegacyScopedClusterClient: clusterClientMock.mockImplementation(() => clusterClientInstanceMock),
+  LegacyScopedClusterClient: MockLegacyScopedClusterClient.mockImplementation(
+    () => legacyClusterClientInstanceMock
+  ),
 }));
 
 jest.doMock('elasticsearch', () => {
@@ -34,3 +36,12 @@ jest.doMock('elasticsearch', () => {
     },
   };
 });
+
+export const MockElasticsearchClient = jest.fn();
+jest.doMock('@elastic/elasticsearch', () => {
+  const real = jest.requireActual('@elastic/elasticsearch');
+  return {
+    ...real,
+    Client: MockElasticsearchClient,
+  };
+});

src/core/server/http/integration_tests/core_services.test.ts

@@ -17,14 +17,21 @@
  * under the License.
  */
 
-import { clusterClientMock, clusterClientInstanceMock } from './core_service.test.mocks';
+import {
+  MockLegacyScopedClusterClient,
+  MockElasticsearchClient,
+  legacyClusterClientInstanceMock,
+} from './core_service.test.mocks';
 
 import Boom from 'boom';
 import { Request } from 'hapi';
 import { errors as esErrors } from 'elasticsearch';
 import { LegacyElasticsearchErrorHelpers } from '../../elasticsearch/legacy';
 
+import { elasticsearchClientMock } from '../../elasticsearch/client/mocks';
+import { ResponseError } from '@elastic/elasticsearch/lib/errors';
 import * as kbnTestServer from '../../../../test_utils/kbn_server';
+import { InternalElasticsearchServiceStart } from '../../elasticsearch';
 
 interface User {
   id: string;
@@ -44,6 +51,17 @@ const cookieOptions = {
 };
 
 describe('http service', () => {
+  let esClient: ReturnType<typeof elasticsearchClientMock.createInternalClient>;
+
+  beforeEach(async () => {
+    esClient = elasticsearchClientMock.createInternalClient();
+    MockElasticsearchClient.mockImplementation(() => esClient);
+  }, 30000);
+
+  afterEach(async () => {
+    MockElasticsearchClient.mockClear();
+  });
+
   describe('auth', () => {
     let root: ReturnType<typeof kbnTestServer.createRoot>;
     beforeEach(async () => {
@@ -200,7 +218,7 @@ describe('http service', () => {
       }, 30000);
 
       afterEach(async () => {
-        clusterClientMock.mockClear();
+        MockLegacyScopedClusterClient.mockClear();
         await root.shutdown();
       });
 
@@ -363,7 +381,7 @@ describe('http service', () => {
     }, 30000);
 
     afterEach(async () => {
-      clusterClientMock.mockClear();
+      MockLegacyScopedClusterClient.mockClear();
       await root.shutdown();
     });
 
@@ -386,7 +404,7 @@ describe('http service', () => {
       await kbnTestServer.request.get(root, '/new-platform/').expect(200);
 
       // client contains authHeaders for BWC with legacy platform.
-      const [client] = clusterClientMock.mock.calls;
+      const [client] = MockLegacyScopedClusterClient.mock.calls;
       const [, , clientHeaders] = client;
       expect(clientHeaders).toEqual(authHeaders);
     });
@@ -410,7 +428,7 @@ describe('http service', () => {
         .set('Authorization', authorizationHeader)
         .expect(200);
 
-      const [client] = clusterClientMock.mock.calls;
+      const [client] = MockLegacyScopedClusterClient.mock.calls;
       const [, , clientHeaders] = client;
       expect(clientHeaders).toEqual({ authorization: authorizationHeader });
     });
@@ -426,7 +444,7 @@ describe('http service', () => {
         })
       );
 
-      clusterClientInstanceMock.callAsCurrentUser.mockRejectedValue(authenticationError);
+      legacyClusterClientInstanceMock.callAsCurrentUser.mockRejectedValue(authenticationError);
 
       const router = createRouter('/new-platform');
       router.get({ path: '/', validate: false }, async (context, req, res) => {
@@ -441,4 +459,91 @@ describe('http service', () => {
       expect(response.header['www-authenticate']).toEqual('authenticate header');
     });
   });
+
+  describe('elasticsearch client', () => {
+    let root: ReturnType<typeof kbnTestServer.createRoot>;
+
+    beforeEach(async () => {
+      root = kbnTestServer.createRoot({ plugins: { initialize: false } });
+    }, 30000);
+
+    afterEach(async () => {
+      MockElasticsearchClient.mockClear();
+      await root.shutdown();
+    });
+
+    it('forwards unauthorized errors from elasticsearch', async () => {
+      const { http } = await root.setup();
+      const { createRouter } = http;
+      // eslint-disable-next-line prefer-const
+      let elasticsearch: InternalElasticsearchServiceStart;
+
+      esClient.ping.mockImplementation(() =>
+        elasticsearchClientMock.createClientError(
+          new ResponseError({
+            statusCode: 401,
+            body: {
+              error: {
+                type: 'Unauthorized',
+              },
+            },
+            warnings: [],
+            headers: {
+              'WWW-Authenticate': 'content',
+            },
+            meta: {} as any,
+          })
+        )
+      );
+
+      const router = createRouter('/new-platform');
+      router.get({ path: '/', validate: false }, async (context, req, res) => {
+        await elasticsearch.client.asScoped(req).asInternalUser.ping();
+        return res.ok();
+      });
+
+      const coreStart = await root.start();
+      elasticsearch = coreStart.elasticsearch;
+
+      const { header } = await kbnTestServer.request.get(root, '/new-platform/').expect(401);
+
+      expect(header['www-authenticate']).toEqual('content');
+    });
+
+    it('uses a default value for `www-authenticate` header when ES 401 does not specify it', async () => {
+      const { http } = await root.setup();
+      const { createRouter } = http;
+      // eslint-disable-next-line prefer-const
+      let elasticsearch: InternalElasticsearchServiceStart;
+
+      esClient.ping.mockImplementation(() =>
+        elasticsearchClientMock.createClientError(
+          new ResponseError({
+            statusCode: 401,
+            body: {
+              error: {
+                type: 'Unauthorized',
+              },
+            },
+            warnings: [],
+            headers: {},
+            meta: {} as any,
+          })
+        )
+      );
+
+      const router = createRouter('/new-platform');
+      router.get({ path: '/', validate: false }, async (context, req, res) => {
+        await elasticsearch.client.asScoped(req).asInternalUser.ping();
+        return res.ok();
+      });
+
+      const coreStart = await root.start();
+      elasticsearch = coreStart.elasticsearch;
+
+      const { header } = await kbnTestServer.request.get(root, '/new-platform/').expect(401);
+
+      expect(header['www-authenticate']).toEqual('Basic realm="Authorization Required"');
+    });
+  });
 });