[Connector] Adding internal route for requesting ad-hoc ServiceNow access token

x-pack/plugins/actions/server/actions_client.mock.ts

@@ -19,6 +19,7 @@ const createActionsClientMock = () => {
     update: jest.fn(),
     getAll: jest.fn(),
     getBulk: jest.fn(),
+    getOAuthAccessToken: jest.fn(),
     execute: jest.fn(),
     enqueueExecution: jest.fn(),
     ephemeralEnqueuedExecution: jest.fn(),

x-pack/plugins/actions/server/actions_client.test.ts

@@ -18,11 +18,14 @@ import { actionsConfigMock } from './actions_config.mock';
 import { getActionsConfigurationUtilities } from './actions_config';
 import { licenseStateMock } from './lib/license_state.mock';
 import { licensingMock } from '@kbn/licensing-plugin/server/mocks';
-import { httpServerMock, loggingSystemMock } from '@kbn/core/server/mocks';
+import {
+  httpServerMock,
+  loggingSystemMock,
+  elasticsearchServiceMock,
+  savedObjectsClientMock,
+} from '@kbn/core/server/mocks';
 import { auditLoggerMock } from '@kbn/security-plugin/server/audit/mocks';
 import { usageCountersServiceMock } from '@kbn/usage-collection-plugin/server/usage_counters/usage_counters_service.mock';
-
-import { elasticsearchServiceMock, savedObjectsClientMock } from '@kbn/core/server/mocks';
 import { actionExecutorMock } from './lib/action_executor.mock';
 import uuid from 'uuid';
 import { ActionsAuthorization } from './authorization/actions_authorization';
@@ -37,6 +40,9 @@ import { encryptedSavedObjectsMock } from '@kbn/encrypted-saved-objects-plugin/s
 import { Logger } from '@kbn/core/server';
 import { connectorTokenClientMock } from './builtin_action_types/lib/connector_token_client.mock';
 import { inMemoryMetricsMock } from './monitoring/in_memory_metrics.mock';
+import { getOAuthJwtAccessToken } from './builtin_action_types/lib/get_oauth_jwt_access_token';
+import { getOAuthClientCredentialsAccessToken } from './builtin_action_types/lib/get_oauth_client_credentials_access_token';
+import { OAuthParams } from './routes/get_oauth_access_token';
 
 jest.mock('@kbn/core/server/saved_objects/service/lib/utils', () => ({
   SavedObjectsUtils: {
@@ -60,6 +66,13 @@ jest.mock('./authorization/get_authorization_mode_by_source', () => {
   };
 });
 
+jest.mock('./builtin_action_types/lib/get_oauth_jwt_access_token', () => ({
+  getOAuthJwtAccessToken: jest.fn(),
+}));
+jest.mock('./builtin_action_types/lib/get_oauth_client_credentials_access_token', () => ({
+  getOAuthClientCredentialsAccessToken: jest.fn(),
+}));
+
 const defaultKibanaIndex = '.kibana';
 const unsecuredSavedObjectsClient = savedObjectsClientMock.create();
 const scopedClusterClient = elasticsearchServiceMock.createScopedClusterClient();
@@ -73,6 +86,7 @@ const mockUsageCountersSetup = usageCountersServiceMock.createSetupContract();
 const mockUsageCounter = mockUsageCountersSetup.createUsageCounter('test');
 const logger = loggingSystemMock.create().get() as jest.Mocked<Logger>;
 const mockTaskManager = taskManagerMock.createSetup();
+const configurationUtilities = actionsConfigMock.create();
 
 let actionsClient: ActionsClient;
 let mockedLicenseState: jest.Mocked<ILicenseState>;
@@ -115,6 +129,10 @@ beforeEach(() => {
     usageCounter: mockUsageCounter,
     connectorTokenClient,
   });
+  (getOAuthJwtAccessToken as jest.Mock).mockResolvedValue(`Bearer jwttokentokentoken`);
+  (getOAuthClientCredentialsAccessToken as jest.Mock).mockResolvedValue(
+    `Bearer clienttokentokentoken`
+  );
 });
 
 describe('create()', () => {
@@ -1274,6 +1292,292 @@ describe('getBulk()', () => {
   });
 });
 
+describe('getOAuthAccessToken()', () => {
+  function getOAuthAccessToken(
+    requestBody: OAuthParams
+  ): ReturnType<ActionsClient['getOAuthAccessToken']> {
+    actionsClient = new ActionsClient({
+      actionTypeRegistry,
+      unsecuredSavedObjectsClient,
+      scopedClusterClient,
+      defaultKibanaIndex,
+      actionExecutor,
+      executionEnqueuer,
+      ephemeralExecutionEnqueuer,
+      request,
+      authorization: authorization as unknown as ActionsAuthorization,
+      preconfiguredActions: [
+        {
+          id: 'testPreconfigured',
+          actionTypeId: '.slack',
+          secrets: {},
+          isPreconfigured: true,
+          isDeprecated: false,
+          name: 'test',
+          config: {
+            foo: 'bar',
+          },
+        },
+      ],
+      connectorTokenClient: connectorTokenClientMock.create(),
+    });
+    return actionsClient.getOAuthAccessToken(requestBody, logger, configurationUtilities);
+  }
+
+  describe('authorization', () => {
+    test('ensures user is authorised to get the type of action', async () => {
+      await getOAuthAccessToken({
+        type: 'jwt',
+        options: {
+          tokenUrl: 'https://testurl.service-now.com/oauth_token.do',
+          config: {
+            clientId: 'abc',
+            jwtKeyId: 'def',
+            userIdentifierValue: 'userA',
+          },
+          secrets: {
+            clientSecret: 'iamasecret',
+            privateKey: 'xyz',
+          },
+        },
+      });
+      expect(authorization.ensureAuthorized).toHaveBeenCalledWith('update');
+    });
+
+    test('throws when user is not authorised to create the type of action', async () => {
+      authorization.ensureAuthorized.mockRejectedValue(new Error(`Unauthorized to update actions`));
+
+      await expect(
+        getOAuthAccessToken({
+          type: 'jwt',
+          options: {
+            tokenUrl: 'https://testurl.service-now.com/oauth_token.do',
+            config: {
+              clientId: 'abc',
+              jwtKeyId: 'def',
+              userIdentifierValue: 'userA',
+            },
+            secrets: {
+              clientSecret: 'iamasecret',
+              privateKey: 'xyz',
+            },
+          },
+        })
+      ).rejects.toMatchInlineSnapshot(`[Error: Unauthorized to update actions]`);
+
+      expect(authorization.ensureAuthorized).toHaveBeenCalledWith('update');
+    });
+  });
+
+  test('throws when tokenUrl is not using http or https', async () => {
+    await expect(
+      getOAuthAccessToken({
+        type: 'jwt',
+        options: {
+          tokenUrl: 'ftp://testurl.service-now.com/oauth_token.do',
+          config: {
+            clientId: 'abc',
+            jwtKeyId: 'def',
+            userIdentifierValue: 'userA',
+          },
+          secrets: {
+            clientSecret: 'iamasecret',
+            privateKey: 'xyz',
+          },
+        },
+      })
+    ).rejects.toMatchInlineSnapshot(`[Error: Token URL must use http or https]`);
+
+    expect(authorization.ensureAuthorized).toHaveBeenCalledWith('update');
+  });
+
+  test('throws when tokenUrl does not contain hostname', async () => {
+    await expect(
+      getOAuthAccessToken({
+        type: 'jwt',
+        options: {
+          tokenUrl: '/path/to/myfile',
+          config: {
+            clientId: 'abc',
+            jwtKeyId: 'def',
+            userIdentifierValue: 'userA',
+          },
+          secrets: {
+            clientSecret: 'iamasecret',
+            privateKey: 'xyz',
+          },
+        },
+      })
+    ).rejects.toMatchInlineSnapshot(`[Error: Token URL must contain hostname]`);
+
+    expect(authorization.ensureAuthorized).toHaveBeenCalledWith('update');
+  });
+
+  test('throws when tokenUrl is not in allowed hosts', async () => {
+    configurationUtilities.ensureUriAllowed.mockImplementationOnce(() => {
+      throw new Error('URI not allowed');
+    });
+
+    await expect(
+      getOAuthAccessToken({
+        type: 'jwt',
+        options: {
+          tokenUrl: 'https://testurl.service-now.com/oauth_token.do',
+          config: {
+            clientId: 'abc',
+            jwtKeyId: 'def',
+            userIdentifierValue: 'userA',
+          },
+          secrets: {
+            clientSecret: 'iamasecret',
+            privateKey: 'xyz',
+          },
+        },
+      })
+    ).rejects.toMatchInlineSnapshot(`[Error: URI not allowed]`);
+
+    expect(authorization.ensureAuthorized).toHaveBeenCalledWith('update');
+    expect(configurationUtilities.ensureUriAllowed).toHaveBeenCalledWith(
+      `https://testurl.service-now.com/oauth_token.do`
+    );
+  });
+
+  test('calls getOAuthJwtAccessToken when type="jwt"', async () => {
+    const result = await getOAuthAccessToken({
+      type: 'jwt',
+      options: {
+        tokenUrl: 'https://testurl.service-now.com/oauth_token.do',
+        config: {
+          clientId: 'abc',
+          jwtKeyId: 'def',
+          userIdentifierValue: 'userA',
+        },
+        secrets: {
+          clientSecret: 'iamasecret',
+          privateKey: 'xyz',
+        },
+      },
+    });
+    expect(result).toEqual({
+      accessToken: 'Bearer jwttokentokentoken',
+    });
+    expect(getOAuthJwtAccessToken as jest.Mock).toHaveBeenCalledWith({
+      logger,
+      configurationUtilities,
+      credentials: {
+        config: {
+          clientId: 'abc',
+          jwtKeyId: 'def',
+          userIdentifierValue: 'userA',
+        },
+        secrets: {
+          clientSecret: 'iamasecret',
+          privateKey: 'xyz',
+        },
+      },
+      tokenUrl: 'https://testurl.service-now.com/oauth_token.do',
+    });
+    expect(getOAuthClientCredentialsAccessToken).not.toHaveBeenCalled();
+    expect(logger.debug).toHaveBeenCalledWith(
+      `Successfully retrieved access token using JWT OAuth with tokenUrl https://testurl.service-now.com/oauth_token.do and config {\"clientId\":\"abc\",\"jwtKeyId\":\"def\",\"userIdentifierValue\":\"userA\"}`
+    );
+  });
+
+  test('calls getOAuthClientCredentialsAccessToken when type="client"', async () => {
+    const result = await getOAuthAccessToken({
+      type: 'client',
+      options: {
+        tokenUrl: 'https://login.microsoftonline.com/98765/oauth2/v2.0/token',
+        scope: 'https://graph.microsoft.com/.default',
+        config: {
+          clientId: 'abc',
+          tenantId: 'def',
+        },
+        secrets: {
+          clientSecret: 'iamasecret',
+        },
+      },
+    });
+    expect(result).toEqual({
+      accessToken: 'Bearer clienttokentokentoken',
+    });
+    expect(getOAuthClientCredentialsAccessToken as jest.Mock).toHaveBeenCalledWith({
+      logger,
+      configurationUtilities,
+      credentials: {
+        config: {
+          clientId: 'abc',
+          tenantId: 'def',
+        },
+        secrets: {
+          clientSecret: 'iamasecret',
+        },
+      },
+      tokenUrl: 'https://login.microsoftonline.com/98765/oauth2/v2.0/token',
+      oAuthScope: 'https://graph.microsoft.com/.default',
+    });
+    expect(getOAuthJwtAccessToken).not.toHaveBeenCalled();
+    expect(logger.debug).toHaveBeenCalledWith(
+      `Successfully retrieved access token using Client Credentials OAuth with tokenUrl https://login.microsoftonline.com/98765/oauth2/v2.0/token, scope https://graph.microsoft.com/.default and config {\"clientId\":\"abc\",\"tenantId\":\"def\"}`
+    );
+  });
+
+  test('throws when getOAuthJwtAccessToken throws error', async () => {
+    (getOAuthJwtAccessToken as jest.Mock).mockRejectedValue(new Error(`Something went wrong!`));
+
+    await expect(
+      getOAuthAccessToken({
+        type: 'jwt',
+        options: {
+          tokenUrl: 'https://testurl.service-now.com/oauth_token.do',
+          config: {
+            clientId: 'abc',
+            jwtKeyId: 'def',
+            userIdentifierValue: 'userA',
+          },
+          secrets: {
+            clientSecret: 'iamasecret',
+            privateKey: 'xyz',
+          },
+        },
+      })
+    ).rejects.toMatchInlineSnapshot(`[Error: Failed to retrieve access token]`);
+
+    expect(getOAuthJwtAccessToken as jest.Mock).toHaveBeenCalled();
+    expect(logger.debug).toHaveBeenCalledWith(
+      `Failed to retrieve access token using JWT OAuth with tokenUrl https://testurl.service-now.com/oauth_token.do and config {\"clientId\":\"abc\",\"jwtKeyId\":\"def\",\"userIdentifierValue\":\"userA\"} - Something went wrong!`
+    );
+  });
+
+  test('throws when getOAuthClientCredentialsAccessToken throws error', async () => {
+    (getOAuthClientCredentialsAccessToken as jest.Mock).mockRejectedValue(
+      new Error(`Something went wrong!`)
+    );
+
+    await expect(
+      getOAuthAccessToken({
+        type: 'client',
+        options: {
+          tokenUrl: 'https://login.microsoftonline.com/98765/oauth2/v2.0/token',
+          scope: 'https://graph.microsoft.com/.default',
+          config: {
+            clientId: 'abc',
+            tenantId: 'def',
+          },
+          secrets: {
+            clientSecret: 'iamasecret',
+          },
+        },
+      })
+    ).rejects.toMatchInlineSnapshot(`[Error: Failed to retrieve access token]`);
+
+    expect(getOAuthClientCredentialsAccessToken as jest.Mock).toHaveBeenCalled();
+    expect(logger.debug).toHaveBeenCalledWith(
+      `Failed to retrieved access token using Client Credentials OAuth with tokenUrl https://login.microsoftonline.com/98765/oauth2/v2.0/token, scope https://graph.microsoft.com/.default and config {\"clientId\":\"abc\",\"tenantId\":\"def\"} - Something went wrong!`
+    );
+  });
+});
+
 describe('delete()', () => {
   describe('authorization', () => {
     test('ensures user is authorised to delete actions', async () => {