diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84086fed80..8465c970d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,11 +13,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Added - List resources request (`GET /resources`) now produce audit events. - ([cyberark/conjur#2652](https://github.com/cyberark/conjur/pull/2652) + [cyberark/conjur#2652](https://github.com/cyberark/conjur/pull/2652) ### Changed - AWS Access Key Rotation now preserves only one key +### Fixed +- Removed Status webservices from the list providers endpoint + [cyberark/conjur#2640](https://github.com/cyberark/conjur/pull/2640) + ## [1.18.4] - 2022-09-11 ### Added
diff --git a/app/db/repository/authenticator_repository.rb b/app/db/repository/authenticator_repository.rb
index 6a9b7f0021..d18d2ea71d 100644
--- a/app/db/repository/authenticator_repository.rb
+++ b/app/db/repository/authenticator_repository.rb
@@ -1,19 +1,27 @@ module DB module Repository class AuthenticatorRepository - def initialize(data_object:, resource_repository: ::Resource, logger: Rails.logger) + def initialize( + data_object:, + resource_repository: ::Resource, + logger: Rails.logger, + enabled_authenticators: Rails.application.config.conjur_config.authenticators + ) @resource_repository = resource_repository @data_object = data_object @logger = logger + @enabled_authenticators = enabled_authenticators end def find_all(type:, account:) - @resource_repository.where( + enabled_authenticator_types = @enabled_authenticators.select { |authenticator| authenticator.match("#{type}") } + .map { |authenticator| "#{account}:webservice:conjur/#{authenticator}" } + @resource_repository.where( Sequel.like( :resource_id, "#{account}:webservice:conjur/#{type}/%" ) - ).all.map do |webservice| + ).all.select { |webservice|enabled_authenticator_types.include?(webservice.resource_id) }.map do |webservice| load_authenticator(account: account, id: webservice.id.split(':').last, type: type) end.compact end
diff --git a/app/domain/authentication/installed_authenticators.rb b/app/domain/authentication/installed_authenticators.rb
index 295d5c19de..4bcf13dc9c 100644
--- a/app/domain/authentication/installed_authenticators.rb
+++ b/app/domain/authentication/installed_authenticators.rb
@@ -4,6 +4,7 @@ module Authentication class InstalledAuthenticators AUTHN_RESOURCE_PREFIX = "conjur/authn-" + AUTHN_STATUS_FILTER = %r{conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$} class << self def authenticators(env, authentication_module: ::Authentication)
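Review bot: `authenticator.match("#{type}")` on the new `enabled_authenticator_types` line turns `type` into an unanchored Regexp, so any metacharacter in `type` is interpreted and the test succeeds wherever that text occurs in the configured name, not only as its leading segment; the LIKE clause a few lines further down already assumes a `conjur/#{type}/` prefix, so the same test in plain string form is `authenticator.start_with?("#{type}/")`. That also drops a bare entry such as `authn-oidc` from the list, which is harmless because the LIKE never returns the webservice that has no service id. The values built here are resource ids, not types, so `enabled_authenticator_ids` would name the variable correctly, and `.select { |webservice|enabled_authenticator_types.include?(...) }` needs a space after the block parameter. The new filter also hides authenticators that exist as webservices but are absent from `enabled_authenticators`, not only the nested status webservices the changelog entry mentions; if that is intended, a one-line comment above `find_all` would save the next reader a trip to the config, e.g. `# Returns only authenticators of this type that are also in the enabled list; nested .../status webservices are therefore never returned.`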
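Review bot: `AUTHN_STATUS_FILTER` loses the `^` that the inline regex it replaces in the second hunk (`%r{^conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$}`) had, so the pattern may now match a `conjur/authn…` segment anywhere in the identifier instead of only at its start; the `like("#{AUTHN_RESOURCE_PREFIX}%")` in `configured_authenticators` makes the difference invisible today, but the constant should not rely on its single caller. Anchor it to the whole string rather than to a line: `AUTHN_STATUS_FILTER = %r{\Aconjur/(authn(?:-[^/]+)?(?:/[^/]+)?)\z}`. The name suggests the regex selects status webservices, whereas its capture group yields the authenticator identifier and a nested `…/status` identifier simply fails to match (and is then removed by the `.compact` in the second hunk); a comment on the constant such as `# Captures "authn[-type][/service-id]"; an id with a further "/status" segment does not match, so it maps to nil.` would make the `# filter out nested status webservice` comment at the call site self-explanatory.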
@@ -28,7 +29,7 @@ def configured_authenticators
 .where(identifier.like("#{AUTHN_RESOURCE_PREFIX}%"))
 .where(kind => "webservice")
 .select_map(identifier)
- .map { |id| id[%r{^conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$}, 1] } # filter out nested status webservice
+ .map { |id| id[AUTHN_STATUS_FILTER, 1] } # filter out nested status webservice
 .compact
 .push(::Authentication::Common.default_authenticator_name)
 end
diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
index 38f4c67de1..9028bf26ea 100644
--- a/ci/docker-compose.yml
+++ b/ci/docker-compose.yml
@@ -44,7 +44,7 @@ services:
 RAILS_ENV:
 REQUIRE_SIMPLECOV: "true"
 CONJUR_LOG_LEVEL: debug
- CONJUR_AUTHENTICATORS: authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2
+ CONJUR_AUTHENTICATORS: authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-oidc/okta,authn-oidc/oidceast,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2
 LDAP_URI: ldap://ldap-server:389
 LDAP_BASE: dc=conjur,dc=net
 LDAP_FILTER: '(uid=%s)'
diff --git a/dev/start b/dev/start
index e06baedb56..4aa1a7e861 100755
--- a/dev/start
+++ b/dev/start
@@ -250,7 +250,7 @@ enable_oidc_authenticators() { echo "Configuring Keycloak as OpenID provider for automatic testing" # We enable an OIDC authenticator without a service-id to test that it's # invalid. - enabled_authenticators="$enabled_authenticators,authn-oidc/keycloak,authn-oidc,authn-oidc/keycloak2" + enabled_authenticators="$enabled_authenticators,authn-oidc/keycloak,authn-oidc/okta,authn-oidc/oidceast,authn-oidc/keycloak2" if [[ $ENABLE_OIDC_OKTA = true ]]; then echo "Configuring OKTA as OpenID provider for manual testing"
diff --git a/spec/app/db/repository/authenticator_repository_spec.rb b/spec/app/db/repository/authenticator_repository_spec.rb
index e1b50a9eed..c33b8a2c89 100644
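Review bot: The comment just above the changed assignment, `# We enable an OIDC authenticator without a service-id to test that it's invalid.`, no longer describes the line, because the new `enabled_authenticators` value drops the bare `authn-oidc` entry (ci/docker-compose.yml keeps it in `CONJUR_AUTHENTICATORS`). Either put `authn-oidc` back or remove the two comment lines so the script does not advertise a check it no longer performs. `authn-oidc/okta` is now enabled unconditionally while the `if [[ $ENABLE_OIDC_OKTA = true ]]` branch below appears to be where Okta is set up; if that branch appends the same entry, the list will carry it twice, which is worth confirming. The body of enable_oidc_authenticators continues past the end of the hunk.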
--- a/spec/app/db/repository/authenticator_repository_spec.rb
+++ b/spec/app/db/repository/authenticator_repository_spec.rb
@@ -8,10 +8,17 @@ let(:repo) do DB::Repository::AuthenticatorRepository.new( resource_repository: resource_repository, - data_object: Authentication::AuthnOidc::V2::DataObjects::Authenticator + data_object: Authentication::AuthnOidc::V2::DataObjects::Authenticator, + enabled_authenticators: enabled_authenticators ) end + let (:enabled_authenticators) { + %w[authn-oidc/foo-abc123 + authn-oidc/baz-abc123 + authn-oidc/bar-abc123] + } + let(:arguments) { %i[provider_uri client_id client_secret claim_mapping nonce state] } describe('#find_all') do
@@ -89,6 +96,21 @@ ::Role['rspec:policy:conjur/authn-oidc/baz-abc123'].destroy end end + + context 'when webservices status are presents' do + before(:each) do + ::Resource.create( + resource_id: "rspec:webservice:conjur/authn-oidc/foo-abc123/status", + owner_id: "rspec:policy:conjur/authn-oidc/foo-abc123" + ) + end + + it { expect(repo.find_all(type: 'authn-oidc', account: 'rspec').length).to eq(2) } + + after(:each) do + ::Resource['rspec:webservice:conjur/authn-oidc/foo-abc123/status'].destroy + end + end end after(:each) do
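Review bot: `let (:enabled_authenticators) {` has a space between `let` and `(` and wraps a multi-line body in braces, unlike the `let(:repo) do … end` just above it; `let(:enabled_authenticators) { %w[authn-oidc/foo-abc123 authn-oidc/baz-abc123 authn-oidc/bar-abc123] }` fits on one line and matches the `let(:arguments)` form below. The list enables `authn-oidc/bar-abc123`, and nothing in the visible context creates a webservice for it, so the count of 2 asserted later only makes sense to a reader who knows that; a short comment on the `let`, e.g. `# bar-abc123 is enabled but has no webservice, so find_all must not return it`, would record the intent (assuming that is indeed the setup).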
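Review bot: The new example checks only `.length` of the result, so it would still pass if the `…/foo-abc123/status` webservice were returned and one of the real authenticators were dropped; assert on identity instead by mapping the returned objects to the identifier attribute the data object exposes and comparing them with `match_array` against the two expected `authn-oidc` service ids. The context description `'when webservices status are presents'` reads awkwardly; `'when a status webservice is present'` says the same thing.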