Prevent status webservices from being returned on the providers endpoint #2640
+43
−8
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,27 @@ | ||
| module DB | ||
| module Repository | ||
| class AuthenticatorRepository | ||
| def initialize( | ||
| data_object:, | ||
| resource_repository: ::Resource, | ||
| logger: Rails.logger, | ||
| enabled_authenticators: Rails.application.config.conjur_config.authenticators | ||
| ) | ||
| @resource_repository = resource_repository | ||
| @data_object = data_object | ||
| @logger = logger | ||
| @enabled_authenticators = enabled_authenticators | ||
| end | ||
|
|
||
| def find_all(type:, account:) | ||
| enabled_authenticator_types = @enabled_authenticators.select { |authenticator| authenticator.match("#{type}") } | ||
|
There was a problem hiding this comment. Prefer |
||
| .map { |authenticator| "#{account}:webservice:conjur/#{authenticator}" } | ||
|
There was a problem hiding this comment. Use 2 (not 8) spaces for indenting an expression in an assignment spanning multiple lines. |
||
| @resource_repository.where( | ||
|
There was a problem hiding this comment. Inconsistent indentation detected. |
||
| Sequel.like( | ||
| :resource_id, | ||
| "#{account}:webservice:conjur/#{type}/%" | ||
| ) | ||
| ).all.select { |webservice|enabled_authenticator_types.include?(webservice.resource_id) }.map do |webservice| | ||
|
There was a problem hiding this comment. Space after closing |
||
| load_authenticator(account: account, id: webservice.id.split(':').last, type: type) | ||
| end.compact | ||
| end | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,6 +4,7 @@ module Authentication | |
| class InstalledAuthenticators | ||
|
|
||
| AUTHN_RESOURCE_PREFIX = "conjur/authn-" | ||
| AUTHN_STATUS_FILTER = %r{conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$} | ||
|
There was a problem hiding this comment. Freeze mutable objects assigned to constants. |
||
|
|
||
| class << self | ||
| def authenticators(env, authentication_module: ::Authentication) | ||
|
|
@@ -28,7 +29,7 @@ def configured_authenticators | |
| .where(identifier.like("#{AUTHN_RESOURCE_PREFIX}%")) | ||
| .where(kind => "webservice") | ||
| .select_map(identifier) | ||
| .map { |id| id[AUTHN_STATUS_FILTER, 1] } # filter out nested status webservice | ||
| .compact | ||
| .push(::Authentication::Common.default_authenticator_name) | ||
| end | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -44,7 +44,7 @@ services: | |
| RAILS_ENV: | ||
| REQUIRE_SIMPLECOV: "true" | ||
| CONJUR_LOG_LEVEL: debug | ||
| CONJUR_AUTHENTICATORS: authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-oidc/okta,authn-oidc/oidceast,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2 | ||
| LDAP_URI: ldap://ldap-server:389 | ||
| LDAP_BASE: dc=conjur,dc=net | ||
| LDAP_FILTER: '(uid=%s)' | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -250,7 +250,7 @@ enable_oidc_authenticators() { | |
| echo "Configuring Keycloak as OpenID provider for automatic testing" | ||
| # We enable an OIDC authenticator without a service-id to test that it's | ||
| # invalid. | ||
| enabled_authenticators="$enabled_authenticators,authn-oidc/keycloak,authn-oidc/okta,authn-oidc/oidceast,authn-oidc/keycloak2" | ||
|
|
||
| if [[ $ENABLE_OIDC_OKTA = true ]]; then | ||
| echo "Configuring OKTA as OpenID provider for manual testing" | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,10 +8,17 @@ | |
| let(:repo) do | ||
| DB::Repository::AuthenticatorRepository.new( | ||
| resource_repository: resource_repository, | ||
| data_object: Authentication::AuthnOidc::V2::DataObjects::Authenticator, | ||
| enabled_authenticators: enabled_authenticators | ||
| ) | ||
| end | ||
|
|
||
| let (:enabled_authenticators) { | ||
| %w[authn-oidc/foo-abc123 | ||
| authn-oidc/baz-abc123 | ||
| authn-oidc/bar-abc123] | ||
| } | ||
|
|
||
| let(:arguments) { %i[provider_uri client_id client_secret claim_mapping nonce state] } | ||
|
|
||
| describe('#find_all') do | ||
|
|
@@ -89,6 +96,21 @@ | |
| ::Role['rspec:policy:conjur/authn-oidc/baz-abc123'].destroy | ||
| end | ||
| end | ||
|
|
||
| context 'when webservices status are presents' do | ||
| before(:each) do | ||
| ::Resource.create( | ||
| resource_id: "rspec:webservice:conjur/authn-oidc/foo-abc123/status", | ||
| owner_id: "rspec:policy:conjur/authn-oidc/foo-abc123" | ||
| ) | ||
| end | ||
|
|
||
| it { expect(repo.find_all(type: 'authn-oidc', account: 'rspec').length).to eq(2) } | ||
|
Contributor
There was a problem hiding this comment. How cumbersome would it be to actually verify the contents of the list, rather than just the count? Being explicit about the expected outcome would be a more valuable assurance than just the number of results.
Contributor
Author
There was a problem hiding this comment. would not work since we and not brining over the real resource_id in the repository, but a created one based on the service_id which is the same between the status and normal web-services. |
||
|
|
||
| after(:each) do | ||
| ::Resource['rspec:webservice:conjur/authn-oidc/foo-abc123/status'].destroy | ||
| end | ||
| end | ||
| end | ||
|
|
||
| after(:each) do | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lists should be surrounded by blank lines