From 53777e9e6528d9e8f3fdc2c03b36bb01c66d0aae Mon Sep 17 00:00:00 2001
From: egvili
Date: Sun, 15 Oct 2023 10:18:19 +0300
Subject: [PATCH] Remove default api key configuration

---
 CHANGELOG.md | 4 ++
 app/domain/authentication/optional_api_key.rb | 6 +-
 app/models/loader/types.rb | 29 +--------
 app/models/role.rb | 5 +-
 cucumber/api/features/authenticate.feature | 28 ++++-----
 .../features/authn_optional_api_key.feature | 2 +-
 .../features/edge/internal/edge_hosts.feature | 8 +--
 .../features/host_factory_create_host.feature | 2 +-
 .../features/host_factory_rotate_host.feature | 4 +-
 .../api/features/policy_load_response.feature | 5 +-
 .../api/features/retrieve_api_key.feature | 2 +-
 cucumber/api/features/rotate_api_key.feature | 4 +-
 .../authn_azure_bad_configuration.feature | 10 +-
 .../features/authn_azure_basic_host.feature | 2 +-
 .../features/authn_azure_hosts.feature | 24 +++---
 .../features/authn_azure_performance.feature | 4 +-
 .../features/authn_gce.feature | 12 ++--
 .../authn_gce_bad_configuration.feature | 4 +-
 .../features/authn_gce_hosts.feature | 4 +-
 .../features/authn_gce_performance.feature | 4 +-
 .../features/authn_gce_token_errors.feature | 8 +--
 .../features/authn_gcf.feature | 2 +-
 .../features/authn_gcf_token_errors.feature | 2 +-
 lib/conjur/conjur_config.rb | 1 -
 .../authn_ldap/authenticator_spec.rb | 4 +-
 .../authentication/optional_api_key_spec.rb | 6 +-
 .../internal/edge_hosts_controller_spec.rb | 4 +-
 spec/models/credentials_spec.rb | 10 +-
 spec/models/host_factory_spec.rb | 55 +---------
 spec/models/loader/types.rb | 62 -------
 spec/models/role_spec.rb | 3 -
 31 files changed, 92 insertions(+), 228 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b15457121..426ae24cd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version (and update the corresponding date), or add a new version.
+## [1.0.11-cloud] - 2023-10-29
+### Changed
+- Make API-key optional for hosts
+
 ## [1.0.10-cloud] - 2023-10-22
 ### Added
 - Telemetry logs for ephemeral secrets
diff --git a/app/domain/authentication/optional_api_key.rb b/app/domain/authentication/optional_api_key.rb
index 5159a56727..8fa7ef9b26 100644
--- a/app/domain/authentication/optional_api_key.rb
+++ b/app/domain/authentication/optional_api_key.rb
@@ -5,12 +5,12 @@ module OptionalApiKey
 AUTHN_ANNOTATION = 'authn/api-key'
- def annotation_relevant?(annotation)
+ def api_key_annotation_relevant?(annotation)
 annotation.name == AUTHN_ANNOTATION
 end
- def annotation_true?(annotation)
- annotation_relevant?(annotation) && annotation.value.downcase == 'true'
+ def api_key_annotation_true?(annotation)
+ api_key_annotation_relevant?(annotation) && annotation.value.downcase == 'true'
 end
 end
diff --git a/app/models/loader/types.rb b/app/models/loader/types.rb
index 82904b2c5b..858afdc606 100644
--- a/app/models/loader/types.rb
+++ b/app/models/loader/types.rb
@@ -160,34 +160,7 @@ def verify; end
 class Host < Record
 def_delegators :@policy_object, :restricted_to
- # This is a temporary policy validation check to ensure that we're not
- # creating hosts that will fail API key-based authentication by default
- # in the future.
- def future_api_key_auth_will_fail?
- # The default config value is to allow API key authentication, so if this is
- # either the default or set to true, then future API key authentication will
- # continue to work and we don't need to reject this policy.
- return false if Rails.application.config.conjur_config.authn_api_key_default
-
- # If the default API authentication config is to disallow it, and the host
- # does not explicitly state the policy authors intentions with the
- # `authn/api-key` annotation with value true, then we should reject this until the annotation
- # is added to the policy object.
- self.annotations&.[]("authn/api-key").nil? || self.annotations["authn/api-key"].to_s.casecmp?("false")
- end
-
- def verify
- # If policy contains a host with annotation authn/api-key effectively false, either by explicit
- # value or by default value, then policy load is blocked.
- if future_api_key_auth_will_fail?
- message = "API key authentication for hosts is disabled by default and " \
- "will be removed in a future release. Add the 'authn/api-key' " \
- "annotation to this host with the value 'true' to " \
- "ensure authentication works as expected for this host in the " \
- "future."
- raise Exceptions::InvalidPolicyObject.new(self.id, message: message)
- end
- end
+ def verify; end
 def create!
 self.handle_restricted_to(self.roleid, restricted_to)
diff --git a/app/models/role.rb b/app/models/role.rb
index 3b55971e66..57fb1b7b02 100644
--- a/app/models/role.rb
+++ b/app/models/role.rb
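Review bot: `def verify; end` in the new `Host` class removes the load-time guard without recording why a host now passes validation unconditionally, and the diffstat shows spec/models/loader/types.rb deleted outright (62 deletions), so nothing at the loader level documents or tests that a host declared without an `authn/api-key: true` annotation is now created without an API key. A one-line comment would stop the next reader from re-adding a check here: `# No load-time validation: whether a host is issued an API key is decided per role by the 'authn/api-key' annotation (see Role#api_key_expected?).` If the deleted loader spec has no replacement elsewhere in the commit, a spec asserting the annotation-less host case would close that gap. The `Host` class continues past the hunk (`create!` begins on its last lines).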
@@ -135,9 +135,8 @@ def api_key
 end
 def api_key_expected?
- self.kind == 'user' ||
- Rails.application.config.conjur_config.authn_api_key_default ||
- self.annotations.any? { |a| annotation_true?(a) }
+ self.id == 'admin' || self.kind == 'user' ||
+ self.annotations.any? { |a| api_key_annotation_true?(a) }
 end
 def login
diff --git a/cucumber/api/features/authenticate.feature b/cucumber/api/features/authenticate.feature
index 14681acaa9..582b80605a 100644
--- a/cucumber/api/features/authenticate.feature
+++ b/cucumber/api/features/authenticate.feature
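Review bot: The new `self.id == 'admin'` clause in `api_key_expected?` compares against a bare name, while role ids elsewhere in this commit are fully qualified (`cred.role_id = username` with `'rspec:user:alice'` in the LDAP spec). If `id` is that qualified form the clause can never match and `self.kind == 'user'` already covers the admin user; if it is the bare identifier, any role whose identifier is `admin`, whatever its kind, keeps an API key without the annotation. Either way the intent should be pinned down, e.g. `self.kind == 'user' || self.annotations.any? { |a| api_key_annotation_true?(a) }` if the admin user is already covered, with a comment stating which roles always keep an API key. Note also that `api_key_annotation_true?` (renamed in this commit) calls `annotation.value.downcase`, so an `authn/api-key` annotation with a nil value would raise here instead of reading as false, if nil values can occur.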
@@ -165,20 +165,20 @@ Feature: Exchange a role's API key for a signed authentication token cucumber:host:app failed to authenticate with authenticator authn """ - #@negative @acceptance - #Scenario: Attempting to use host API key to authenticate host without api key result in 401 error - # Given I save my place in the audit log file for remote - # When I POST "/authn/cucumber/host%2FappNoApiKey/authenticate" with plain text body "" - # Then the HTTP response status code is 401 - # And there is an audit record matching: - # """ - # <84>1 * * conjur * authn - # [subject@43868 role="cucumber:host:appNoApiKey"] - # [auth@43868 user="cucumber:host:appNoApiKey" authenticator="authn" service="cucumber:webservice:conjur/authn"] - # [client@43868 ip="\d+\.\d+\.\d+\.\d+"] - # [action@43868 result="failure" operation="authenticate"] - # cucumber:host:appNoApiKey failed to authenticate with authenticator authn - # """ + @negative @acceptance + Scenario: Attempting to use host API key to authenticate host without api key result in 401 error + Given I save my place in the audit log file for remote + When I POST "/authn/cucumber/host%2FappNoApiKey/authenticate" with plain text body "" + Then the HTTP response status code is 401 + And there is an audit record matching: + """ + <84>1 * * conjur * authn + [subject@43868 role="cucumber:host:appNoApiKey"] + [auth@43868 user="cucumber:host:appNoApiKey" authenticator="authn" service="cucumber:webservice:conjur/authn"] + [client@43868 ip="\d+\.\d+\.\d+\.\d+"] + [action@43868 result="failure" operation="authenticate"] + cucumber:host:appNoApiKey failed to authenticate with authenticator authn + """ @negative @acceptance Scenario: Attempting to use an invalid API key to authenticate with Accept-Encoding base64 result in 401 error diff --git a/cucumber/api/features/authn_optional_api_key.feature b/cucumber/api/features/authn_optional_api_key.feature index 86c4620745..3a8ae9a56e 100644 
--- a/cucumber/api/features/authn_optional_api_key.feature +++ b/cucumber/api/features/authn_optional_api_key.feature @@ -1,4 +1,4 @@ -@api @skip +@api Feature: API key for host is created and removed based on host's annotation Background: Given I am the super-user diff --git a/cucumber/api/features/edge/internal/edge_hosts.feature b/cucumber/api/features/edge/internal/edge_hosts.feature index 6f845096fb..723a05a5ea 100644 --- a/cucumber/api/features/edge/internal/edge_hosts.feature +++ b/cucumber/api/features/edge/internal/edge_hosts.feature @@ -62,10 +62,10 @@ Feature: Fetching host from edge endpoint """ [{"name": "authn/api-key", "value": "true"}] """ - #And the JSON at "hosts/2/annotations" should be: - #""" - #[] - #""" + And the JSON at "hosts/2/annotations" should be: + """ + [] + """ @acceptance Scenario: Fetching hosts with parameters diff --git a/cucumber/api/features/host_factory_create_host.feature b/cucumber/api/features/host_factory_create_host.feature index 3bfa6382cd..add42267b1 100644 --- a/cucumber/api/features/host_factory_create_host.feature +++ b/cucumber/api/features/host_factory_create_host.feature @@ -17,7 +17,7 @@ Feature: Create a host using the host factory. "annotations" : [], "id": "cucumber:host:host-01", "owner": "cucumber:host_factory:the-layer-factory", - "api_key": "@response_api_key@", + "api_key": null, "permissions": [], "restricted_to": [] } diff --git a/cucumber/api/features/host_factory_rotate_host.feature b/cucumber/api/features/host_factory_rotate_host.feature index d078162fba..38d12cbb8a 100644 --- a/cucumber/api/features/host_factory_rotate_host.feature +++ b/cucumber/api/features/host_factory_rotate_host.feature @@ -62,6 +62,8 @@ Feature: Rotate a host api key using the host factory. - !host id: brand-new-host owner: !host-factory database/users + annotations: + authn/api-key: true """ And I create a host factory token for "database/users" And I authorize the request with the host factory token 
@@ -70,7 +72,7 @@ Feature: Rotate a host api key using the host factory. And our JSON should be: """ { - "annotations" : [], + "annotations" : [{"name": "authn/api-key", "policy": "cucumber:policy:root", "value": "true"}], "id": "cucumber:host:brand-new-host", "owner": "cucumber:host_factory:database/users", "policy": "cucumber:policy:root", diff --git a/cucumber/api/features/policy_load_response.feature b/cucumber/api/features/policy_load_response.feature index 859e430ba2..7de9c55ab9 100644 --- a/cucumber/api/features/policy_load_response.feature +++ b/cucumber/api/features/policy_load_response.feature @@ -12,7 +12,10 @@ Feature: Policy load response - !layer - !user bob - - !host host-01 + - !host + id: host-01 + annotations: + authn/api-key: true """ Then the JSON should have "created_roles" And the JSON at "created_roles" should have 2 entries diff --git a/cucumber/api/features/retrieve_api_key.feature b/cucumber/api/features/retrieve_api_key.feature index 4a685d3f1e..9973acb7e8 100644 --- a/cucumber/api/features/retrieve_api_key.feature +++ b/cucumber/api/features/retrieve_api_key.feature @@ -16,7 +16,7 @@ Feature: Retrieving an API key with conjurctl When I retrieve an API key for user "cucumber:user:non-existing-user" using conjurctl Then the stderr includes the error "role does not exist" - @smoke @skip + @smoke Scenario: Retrieve an API key for a host Given I have host "api_key_host" And I have host "without_api_key_host" without api key diff --git a/cucumber/api/features/rotate_api_key.feature b/cucumber/api/features/rotate_api_key.feature index 3d2120c2fe..30c8c3d2de 100644 --- a/cucumber/api/features/rotate_api_key.feature +++ b/cucumber/api/features/rotate_api_key.feature 
@@ -316,7 +316,7 @@ Feature: Rotate the API key of a role cucumber:host:privileged_host successfully rotated their API key """ - @negative @acceptance @skip + @negative @acceptance Scenario: A Host without api key CANNOT rotate their own API key Given I save my place in the audit log file When I PUT "/authn/cucumber/api_key?role=host:privileged_host_without_apikey" with username "host/privileged_host_without_apikey" and password ":cucumber:host:api_key" @@ -358,7 +358,7 @@ Feature: Rotate the API key of a role """ # A host with update permission rotating host without api key - @negative @acceptance @skip + @negative @acceptance Scenario: A Host with update privilege CANNOT rotate host API key that doesn't have api key Given I login as "host/privileged_host" And I save my place in the audit log file diff --git a/cucumber/authenticators_azure/features/authn_azure_bad_configuration.feature b/cucumber/authenticators_azure/features/authn_azure_bad_configuration.feature index 999a77ca7f..6b7b8fa1e9 100644 --- a/cucumber/authenticators_azure/features/authn_azure_bad_configuration.feature +++ b/cucumber/authenticators_azure/features/authn_azure_bad_configuration.feature @@ -23,7 +23,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error resource: !webservice """ And I am the super-user - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" And I fetch a non-assigned-identity Azure access token from inside machine 
@@ -55,7 +55,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error resource: !webservice """ And I am the super-user - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" And I fetch a non-assigned-identity Azure access token from inside machine @@ -81,7 +81,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error - !group apps """ And I am the super-user - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" And I successfully set Azure provider-uri variable with the correct values @@ -114,7 +114,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error resource: !webservice """ And I am the super-user - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" And I successfully set Azure provider-uri variable with the correct values @@ -148,7 +148,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error """ And I am the super-user And I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-azure/prod/provider-uri" - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" And I fetch a non-assigned-identity Azure access token from inside machine diff --git a/cucumber/authenticators_azure/features/authn_azure_basic_host.feature b/cucumber/authenticators_azure/features/authn_azure_basic_host.feature index b7ab8ef907..17698105fb 100644 
--- a/cucumber/authenticators_azure/features/authn_azure_basic_host.feature +++ b/cucumber/authenticators_azure/features/authn_azure_basic_host.feature @@ -27,7 +27,7 @@ Feature: Azure Authenticator - Hosts can authenticate with Azure authenticator """ And I am the super-user And I successfully set Azure provider-uri variable with the correct values - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" diff --git a/cucumber/authenticators_azure/features/authn_azure_hosts.feature b/cucumber/authenticators_azure/features/authn_azure_hosts.feature index 9f22754315..2bc9552c50 100644 --- a/cucumber/authenticators_azure/features/authn_azure_hosts.feature +++ b/cucumber/authenticators_azure/features/authn_azure_hosts.feature @@ -27,7 +27,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @smoke Scenario: Host with user-assigned-identity annotation is authorized - And I have host "user-assigned-identity-app" + And I have host "user-assigned-identity-app" without api key And I set subscription-id annotation to host "user-assigned-identity-app" And I set resource-group annotation to host "user-assigned-identity-app" And I set user-assigned-identity annotation to host "user-assigned-identity-app" @@ -38,7 +38,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @smoke Scenario: Host with system-assigned-identity annotation is authorized - And I have host "system-assigned-identity-app" + And I have host "system-assigned-identity-app" without api key And I set subscription-id annotation to host "system-assigned-identity-app" And I set resource-group annotation to host "system-assigned-identity-app" And I set system-assigned-identity annotation to host "system-assigned-identity-app" 
@@ -49,7 +49,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host without resource-group annotation is denied - And I have host "no-resource-group-app" + And I have host "no-resource-group-app" without api key And I set subscription-id annotation to host "no-resource-group-app" And I grant group "conjur/authn-azure/prod/apps" to host "no-resource-group-app" And I fetch a non-assigned-identity Azure access token from inside machine @@ -63,7 +63,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host without subscription-id annotation is denied - And I have host "no-subscription-id-app" + And I have host "no-subscription-id-app" without api key And I set resource-group annotation to host "no-subscription-id-app" And I grant group "conjur/authn-azure/prod/apps" to host "no-subscription-id-app" And I fetch a non-assigned-identity Azure access token from inside machine @@ -77,7 +77,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host without any Azure annotation is denied - And I have host "no-azure-annotations-app" + And I have host "no-azure-annotations-app" without api key And I grant group "conjur/authn-azure/prod/apps" to host "no-azure-annotations-app" And I fetch a non-assigned-identity Azure access token from inside machine And I save my place in the log file @@ -90,7 +90,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host with both identity Azure annotations is denied - And I have host "illegal-combination-app" + And I have host "illegal-combination-app" without api key And I set resource-group annotation to host "illegal-combination-app" And I set subscription-id annotation to host "illegal-combination-app" And I set system-assigned-identity annotation to host "illegal-combination-app" 
@@ -107,7 +107,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host with incorrect subscription-id Azure annotation is denied - And I have host "incorrect-subscription-id-app" + And I have host "incorrect-subscription-id-app" without api key And I set resource-group annotation to host "incorrect-subscription-id-app" And I set subscription-id annotation with incorrect value to host "incorrect-subscription-id-app" And I grant group "conjur/authn-azure/prod/apps" to host "incorrect-subscription-id-app" @@ -122,7 +122,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host with incorrect resource-group Azure annotation is denied - And I have host "incorrect-resource-group-app" + And I have host "incorrect-resource-group-app" without api key And I set subscription-id annotation to host "incorrect-resource-group-app" And I set resource-group annotation with incorrect value to host "incorrect-resource-group-app" And I grant group "conjur/authn-azure/prod/apps" to host "incorrect-resource-group-app" @@ -137,7 +137,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host with incorrect user-assigned-identity annotation is denied - And I have host "incorrect-user-assigned-identity-app" + And I have host "incorrect-user-assigned-identity-app" without api key And I set subscription-id annotation to host "incorrect-user-assigned-identity-app" And I set resource-group annotation to host "incorrect-user-assigned-identity-app" And I set user-assigned-identity annotation with incorrect value to host "incorrect-user-assigned-identity-app" 
@@ -153,7 +153,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host with incorrect system-assigned-identity annotation is denied - And I have host "incorrect-system-assigned-identity-app" + And I have host "incorrect-system-assigned-identity-app" without api key And I set subscription-id annotation to host "incorrect-system-assigned-identity-app" And I set resource-group annotation to host "incorrect-system-assigned-identity-app" And I set system-assigned-identity annotation with incorrect value to host "incorrect-system-assigned-identity-app" @@ -184,7 +184,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe @negative @acceptance Scenario: Host that is not in the permitted group is denied - And I have host "non-permitted-app" + And I have host "non-permitted-app" without api key And I set Azure annotations to host "non-permitted-app" And I fetch a non-assigned-identity Azure access token from inside machine And I save my place in the log file @@ -200,7 +200,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe # We run it again here to verify that we write a message to the audit log @acceptance Scenario: Authentication failure is written to the audit log - And I have host "no-resource-group-app" + And I have host "no-resource-group-app" without api key And I set subscription-id annotation to host "no-resource-group-app" And I grant group "conjur/authn-azure/prod/apps" to host "no-resource-group-app" And I fetch a non-assigned-identity Azure access token from inside machine diff --git a/cucumber/authenticators_azure/features/authn_azure_performance.feature b/cucumber/authenticators_azure/features/authn_azure_performance.feature index d6f65c6d9e..21b5176b8f 100644 --- a/cucumber/authenticators_azure/features/authn_azure_performance.feature +++ b/cucumber/authenticators_azure/features/authn_azure_performance.feature 
@@ -26,7 +26,7 @@ Feature: Azure Authenticator - Performance tests """ And I am the super-user And I successfully set Azure provider-uri variable with the correct values - And I have host "test-app" + And I have host "test-app" without api key And I set Azure annotations to host "test-app" And I grant group "conjur/authn-azure/prod/apps" to host "test-app" @@ -50,7 +50,7 @@ Feature: Azure Authenticator - Performance tests @performance @negative Scenario: Unsuccessful requests with invalid resource restrictions - Given I have host "no-azure-annotations-app" + Given I have host "no-azure-annotations-app" without api key And I grant group "conjur/authn-azure/prod/apps" to host "no-azure-annotations-app" And I fetch a non-assigned-identity Azure access token from inside machine When I authenticate 1000 times in 10 threads via Azure with token as host "no-azure-annotations-app" diff --git a/cucumber/authenticators_gcp/features/authn_gce.feature b/cucumber/authenticators_gcp/features/authn_gce.feature index 5b6d64b642..ef7d7455f3 100644 --- a/cucumber/authenticators_gcp/features/authn_gce.feature +++ b/cucumber/authenticators_gcp/features/authn_gce.feature @@ -23,7 +23,7 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic resource: !webservice """ And I am the super-user - And I have host "test-app" + And I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" @smoke @@ -44,7 +44,7 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic @acceptance Scenario: Host can authenticate with only project-id annotation set - Given I have host "test-app" + Given I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I remove all annotations from host "test-app" And I set "authn-gcp/project-id" GCE annotation to host "test-app" 
@@ -59,7 +59,7 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic @acceptance Scenario: Host can authenticate with only service-account-id annotation set - Given I have host "test-app" + Given I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I remove all annotations from host "test-app" And I set "authn-gcp/service-account-id" GCE annotation to host "test-app" @@ -74,7 +74,7 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic @acceptance Scenario: Host can authenticate with only service-account-email annotation set - Given I have host "test-app" + Given I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I remove all annotations from host "test-app" And I set "authn-gcp/service-account-email" GCE annotation to host "test-app" @@ -89,7 +89,7 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic @acceptance Scenario: Host can not authenticate with only instance-name annotation set - Given I have host "test-app" + Given I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I remove all annotations from host "test-app" And I set "authn-gcp/instance-name" GCE annotation to host "test-app" @@ -133,7 +133,7 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic @acceptance Scenario: Authenticate using token in standard format and host with only service-account-id annotation set - Given I have host "test-app" + Given I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I remove all annotations from host "test-app" And I set "authn-gcp/service-account-id" GCE annotation to host "test-app" 
diff --git a/cucumber/authenticators_gcp/features/authn_gce_bad_configuration.feature b/cucumber/authenticators_gcp/features/authn_gce_bad_configuration.feature index 7cdbef9242..4e36dd44f1 100644 --- a/cucumber/authenticators_gcp/features/authn_gce_bad_configuration.feature +++ b/cucumber/authenticators_gcp/features/authn_gce_bad_configuration.feature @@ -19,7 +19,7 @@ Feature: GCP Authenticator - GCE flow, test malformed configuration - !group apps """ - And I have host "test-app" + And I have host "test-app" without api key And I set all valid GCE annotations to host "test-app" And I grant group "conjur/authn-gcp/apps" to host "test-app" And I save my place in the log file @@ -46,7 +46,7 @@ Feature: GCP Authenticator - GCE flow, test malformed configuration privilege: [ read ] resource: !webservice """ - And I have host "test-app" + And I have host "test-app" without api key And I set all valid GCE annotations to host "test-app" And I grant group "conjur/authn-gcp/apps" to host "test-app" And I save my place in the log file diff --git a/cucumber/authenticators_gcp/features/authn_gce_hosts.feature b/cucumber/authenticators_gcp/features/authn_gce_hosts.feature index 6f81eb2841..0cb3da8bec 100644 --- a/cucumber/authenticators_gcp/features/authn_gce_hosts.feature +++ b/cucumber/authenticators_gcp/features/authn_gce_hosts.feature @@ -19,7 +19,7 @@ Feature: GCP Authenticator - GCE flow, test hosts can authentication scenarios privilege: [ read, authenticate ] resource: !webservice """ - And I have host "test-app" + And I have host "test-app" without api key And I obtain a valid GCE identity token And I grant group "conjur/authn-gcp/apps" to host "test-app" 
@@ -126,7 +126,7 @@ Feature: GCP Authenticator - GCE flow, test hosts can authentication scenarios @smoke Scenario: Hosts defined outside of root can authenticate with GCP authenticator and fetch secret - Given I have host "non-rooted/test-app" + Given I have host "non-rooted/test-app" without api key And I set all valid GCE annotations to host "non-rooted/test-app" And I grant group "conjur/authn-gcp/apps" to host "non-rooted/test-app" And I have a "variable" resource called "test-variable" diff --git a/cucumber/authenticators_gcp/features/authn_gce_performance.feature b/cucumber/authenticators_gcp/features/authn_gce_performance.feature index b353ca5b77..2facbb8f4c 100644 --- a/cucumber/authenticators_gcp/features/authn_gce_performance.feature +++ b/cucumber/authenticators_gcp/features/authn_gce_performance.feature @@ -22,7 +22,7 @@ Feature: GCP Authenticator - GCE flow, Performance tests resource: !webservice """ And I am the super-user - And I have host "test-app" + And I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I set all valid GCE annotations to host "test-app" And I obtain a valid GCE identity token @@ -34,7 +34,7 @@ Feature: GCP Authenticator - GCE flow, Performance tests @performance @negative Scenario: Unsuccessful requests with invalid resource restrictions - Given I have host "no-annotations-app" + Given I have host "no-annotations-app" without api key And I grant group "conjur/authn-gcp/apps" to host "no-annotations-app" When I authenticate 1000 times in 10 threads with authn-gcp using valid GCE token and existing account Then The avg authentication request responds in less than 0.75 seconds diff --git a/cucumber/authenticators_gcp/features/authn_gce_token_errors.feature b/cucumber/authenticators_gcp/features/authn_gce_token_errors.feature index a00d80b850..9b0a4db667 100644 --- a/cucumber/authenticators_gcp/features/authn_gce_token_errors.feature 
+++ b/cucumber/authenticators_gcp/features/authn_gce_token_errors.feature @@ -20,7 +20,7 @@ Feature: GCP Authenticator - GCE flow, test token error handling privilege: [ read, authenticate ] resource: !webservice """ - And I have host "test-app" + And I have host "test-app" without api key And I grant group "conjur/authn-gcp/apps" to host "test-app" And I set all valid GCE annotations to host "test-app" @@ -104,7 +104,7 @@ Feature: GCP Authenticator - GCE flow, test token error handling @negative @acceptance Scenario: Authenticate using token in standard format and host with only service-account-email annotation set is denied - Given I have host "test-app" + Given I have host "test-app" without api key And I remove all annotations from host "test-app" When I set "authn-gcp/service-account-email" GCE annotation to host "test-app" And I save my place in the log file @@ -118,7 +118,7 @@ Feature: GCP Authenticator - GCE flow, test token error handling @negative @acceptance Scenario: Authenticate using token in standard format and host with only project-id annotation set is denied - Given I have host "test-app" + Given I have host "test-app" without api key And I remove all annotations from host "test-app" When I set "authn-gcp/project-id" GCE annotation to host "test-app" And I save my place in the log file @@ -132,7 +132,7 @@ Feature: GCP Authenticator - GCE flow, test token error handling @negative @acceptance Scenario: Authenticate using token in standard format and host with only instance-name annotation set is denied - Given I have host "test-app" + Given I have host "test-app" without api key And I remove all annotations from host "test-app" When I set "authn-gcp/instance-name" GCE annotation to host "test-app" And I save my place in the log file diff --git a/cucumber/authenticators_gcp/features/authn_gcf.feature b/cucumber/authenticators_gcp/features/authn_gcf.feature index b877ffefcd..c59ca3aaec 100644 
--- a/cucumber/authenticators_gcp/features/authn_gcf.feature
+++ b/cucumber/authenticators_gcp/features/authn_gcf.feature
@@ -22,7 +22,7 @@ Feature: GCP Authenticator - GCF flow, hosts can authenticate with GCP authentic
 privilege: [ read, authenticate ]
 resource: !webservice
 """
- And I have host "test-app"
+ And I have host "test-app" without api key
 And I grant group "conjur/authn-gcp/apps" to host "test-app"
 @smoke
diff --git a/cucumber/authenticators_gcp/features/authn_gcf_token_errors.feature b/cucumber/authenticators_gcp/features/authn_gcf_token_errors.feature
index 25e13566db..714fad7a35 100644
--- a/cucumber/authenticators_gcp/features/authn_gcf_token_errors.feature
+++ b/cucumber/authenticators_gcp/features/authn_gcf_token_errors.feature
@@ -20,7 +20,7 @@ Feature: GCP Authenticator - GCF flow, test token error hwahtandling
 privilege: [ read, authenticate ]
 resource: !webservice
 """
- And I have host "test-app"
+ And I have host "test-app" without api key
 And I grant group "conjur/authn-gcp/apps" to host "test-app"
 @negative @acceptance
diff --git a/lib/conjur/conjur_config.rb b/lib/conjur/conjur_config.rb
index 5a8c29c823..222dfcd201 100644
--- a/lib/conjur/conjur_config.rb
+++ b/lib/conjur/conjur_config.rb
@@ -36,7 +36,6 @@ class ConjurConfig < Anyway::Config
 api_resource_list_limit_max: 0,
 user_authorization_token_ttl: 480, # The default TTL of User is 8 minutes
 host_authorization_token_ttl: 480, # The default TTL of Host is 8 minutes
- authn_api_key_default: true,
 authenticators: [],
 extensions: [],
 telemetry_enabled: false,
diff --git a/spec/app/domain/authentication/authn_ldap/authenticator_spec.rb b/spec/app/domain/authentication/authn_ldap/authenticator_spec.rb
index be2c739e32..685f4d56f0 100644
--- a/spec/app/domain/authentication/authn_ldap/authenticator_spec.rb
+++ b/spec/app/domain/authentication/authn_ldap/authenticator_spec.rb
@@ -29,14 +29,14 @@
 allow(::Credentials)
 .to receive(:[])
 .and_return(Credentials.new.tap do |cred|
- cred.role_id = 1234
+ cred.role_id = username
 cred.role = Role.new(role_id: cred.role_id)
 cred.rotate_api_key
 end)
 end
 context "as user alice" do
- let(:username) { 'alice'}
+ let(:username) { 'rspec:user:alice'}
 context "with valid non-empty password" do
 let(:password) { 'secret' }
diff --git a/spec/app/domain/authentication/optional_api_key_spec.rb b/spec/app/domain/authentication/optional_api_key_spec.rb
index 151d13863f..be71c0b1b1 100644
--- a/spec/app/domain/authentication/optional_api_key_spec.rb
+++ b/spec/app/domain/authentication/optional_api_key_spec.rb
@@ -10,11 +10,11 @@
 Class.new { include Authentication::OptionalApiKey }.new
 end
- it { subject.annotation_true?(Annotation.new(name: 'authn/api-key', value: 'true')).should be_truthy }
+ it { expect(subject.api_key_annotation_true?(Annotation.new(name: 'authn/api-key', value: 'true'))).to be_truthy }
- it { subject.annotation_true?(Annotation.new(name: 'authn/api-key', value: 'false')).should be_falsey }
+ it { expect(subject.api_key_annotation_true?(Annotation.new(name: 'authn/api-key', value: 'false'))).to be_falsey }
- it { subject.annotation_true?(Annotation.new(name: 'authn/other-key', value: 'true')).should be_falsey }
+ it { expect(subject.api_key_annotation_true?(Annotation.new(name: 'authn/other-key', value: 'true'))).to be_falsey }
 end
 end
diff --git a/spec/controllers/edge/internal/edge_hosts_controller_spec.rb b/spec/controllers/edge/internal/edge_hosts_controller_spec.rb
index 8527762b87..7ac0644bf8 100644
--- a/spec/controllers/edge/internal/edge_hosts_controller_spec.rb
+++ b/spec/controllers/edge/internal/edge_hosts_controller_spec.rb
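Review bot: `cred.role_id = username` couples the stubbed credential to the example's login, but the `Credentials[]` stub three lines above still returns that object for any argument, so the spec does not verify that the authenticator looks up `'rspec:user:alice'` rather than the bare login; constraining it with `.to receive(:[]).with(username)` would pin that, assuming the role id is the lookup key. The `'rspec:user:alice'` literal also hard-codes the account into this one context; if other contexts in the file build role ids the same way, a shared helper keeps them in step. The `before` block that holds this stub begins outside the hunk.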
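Review bot: The three examples only use exact-case `'true'` and `'false'` values, while `api_key_annotation_true?` lower-cases the annotation value before comparing, so a regression to a case-sensitive comparison would still pass this spec. One further example pins it: `it { expect(subject.api_key_annotation_true?(Annotation.new(name: 'authn/api-key', value: 'TRUE'))).to be_truthy }`. The `subject` block these examples rely on starts outside the hunk.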
@@ -35,8 +35,8 @@
 salt = Base64.strict_decode64(encoded_salt)
 test_api_key = Base64.strict_encode64(Cryptography.hmac_api_key(@other_user.credentials.api_key, salt))
 expect(test_api_key).to eq(encoded_api_key)
- #expect("").to eq(@result['hosts'][0]['api_key'])
- #expect("").to eq(@result['hosts'][0]['salt'])
+ expect("").to eq(@result['hosts'][0]['api_key'])
+ expect("").to eq(@result['hosts'][0]['salt'])
 end
 end
 end
\ No newline at end of file
diff --git a/spec/models/credentials_spec.rb b/spec/models/credentials_spec.rb
index 098c7611c2..4004464be4 100644
--- a/spec/models/credentials_spec.rb
+++ b/spec/models/credentials_spec.rb
@@ -45,11 +45,11 @@
 credentials.rotate_api_key
 expect(credentials.api_key).to_not eq(api_key)
 end
- #it "Fails changing the API key for host without api key" do
- # expect { host_without_apikey.credentials.rotate_api_key }.to raise_error(Exceptions::MethodNotAllowed) do |e|
- # expect(e.message).to eq("Operation is not supported for host since it does not use api-key for authentication")
- # end
- #end
+ it "Fails changing the API key for host without api key" do
+ expect { host_without_apikey.credentials.rotate_api_key }.to raise_error(Exceptions::MethodNotAllowed) do |e|
+ expect(e.message).to eq("Operation is not supported for host since it does not use api-key for authentication")
+ end
+ end
 end
 describe '#password=' do
diff --git a/spec/models/host_factory_spec.rb b/spec/models/host_factory_spec.rb
index 358d44729a..9457a953d7 100644
--- a/spec/models/host_factory_spec.rb
+++ b/spec/models/host_factory_spec.rb
@@ -66,6 +66,7 @@
 let(:host) { create_host[0] }
 let(:api_key) { create_host[1] }
 context "existing host" do
+ let(:options) { {annotations: {AUTHN_ANNOTATION => 'true'}} }
 it "must be owned by the host factory" do
 create_host
 host.owner = the_user
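Review bot: `expect("").to eq(@result['hosts'][0]['api_key'])` and the `'salt'` line below it put the expected literal on the subject side, so a failure reports the real value as "expected" and `""` as "got"; the conventional `expect(@result['hosts'][0]['api_key']).to eq("")` reads correctly in both directions. The pair also fixes the wire contract that a host without an API key is reported with an empty-string `api_key` and `salt` rather than a missing or null field; if that is intended, a one-line comment such as `# key-less hosts are serialised with empty api_key/salt, not omitted` keeps the next reader from switching the assertion to `be_nil`. That index `0` is the key-less host depends on setup above the hunk, and the file still lacks a trailing newline.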
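Review bot: The revived example compares the full error message with `eq`, so any rewording of the message fails this test without any behaviour changing; `raise_error(Exceptions::MethodNotAllowed, /does not use api-key/)` keeps the check to the stable part and drops the block. Whether `#password=` (the describe that follows) is refused for the same key-less host is not covered here and is the other credential mutator worth pinning. `host_without_apikey` is defined outside the hunk.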
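Review bot: The added `let(:options)` opts the "existing host" context's host into an API key, which `let(:api_key) { create_host[1] }` above now depends on because an unannotated host yields `nil` there (the `be_nil` example later in this file shows that), but the line carries no explanation. A comment such as `# hosts get no API key unless annotated; opt in so api_key above is non-nil` would make the dependency visible. Whether this `let` shadows an outer `options` cannot be seen from here, as the enclosing describe starts outside the hunk.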
@@ -90,58 +91,7 @@
 end
 end
- describe 'verify create host given AUTHN_API_KEY config' do
- context 'when CONJUR_AUTHN_API_KEY_DEFAULT is true' do
- before do
- allow(Rails.application.config.conjur_config).to receive(:authn_api_key_default).and_return(true)
- end
-
- context 'when creating host with api-key annotation true' do
- let(:options) { {annotations: { AUTHN_ANNOTATION => true}} }
- it { expect { host_builder.create_host }.to_not raise_error }
- end
-
- context 'when creating host with api-key annotation false' do
- let(:options) { {annotations: {AUTHN_ANNOTATION => false}} }
- it { expect { host_builder.create_host }.to_not raise_error }
- end
-
- context 'when creating host without api-key annotation' do
- it { expect { host_builder.create_host }.to_not raise_error }
- end
- end
-
- context 'when CONJUR_AUTHN_API_KEY_DEFAULT is false' do
- before do
- allow(Rails.application.config.conjur_config).to receive(:authn_api_key_default).and_return(false)
- end
-
- context 'when creating host with api-key annotation true' do
- let(:options) { {annotations: {AUTHN_ANNOTATION => true}} }
- it { expect { host_builder.create_host }.to_not raise_error }
- end
-
- context 'when creating host with api-key annotation false' do
- let(:options) { {annotations: {AUTHN_ANNOTATION => false}} }
- it { expect { host_builder.create_host }.to raise_error }
- end
-
- context 'when creating host with api-key annotation False capital' do
- let(:options) { {annotations: {AUTHN_ANNOTATION => "FALSE"}} }
- it { expect { host_builder.create_host }.to raise_error }
- end
-
- context 'when creating host without api-key annotation' do
- it { expect { host_builder.create_host }.to raise_error }
- end
- end
-
- context "Without validation API key is created as expected" do
- before do
- allow(Rails.application.config.conjur_config).to receive(:authn_api_key_default).and_return(false)
- allow_any_instance_of(Loader::Types::Host).to receive(:future_api_key_auth_will_fail?).and_return(false)
- end
-
+ describe 'API key is created per the annotation' do
 context 'when creating host with api-key annotation true' do
 let(:options) { {annotations: {AUTHN_ANNOTATION => 'true'}} }
 it { expect(host_builder.create_host[1]).not_to be_nil } # create_host returns [host, api_key]
@@ -165,7 +115,6 @@
 context 'when creating host without api-key annotation' do
 it { expect(host_builder.create_host[1]).to be_nil } # create_host returns [host, api_key]
 end
- end
 end
 end
 end
diff --git a/spec/models/loader/types.rb b/spec/models/loader/types.rb
index 2564a1fec5..9fa8cf7727 100644
--- a/spec/models/loader/types.rb
+++ b/spec/models/loader/types.rb
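Review bot: The removed block carried a `"FALSE"` (capital) example and the config-default matrix; the replacement `describe 'API key is created per the annotation'`, as far as it is visible here, checks `'true'` → key present and no annotation → `nil`, so case-insensitive handling of the annotation value is no longer pinned in this spec. A context with `let(:options) { {annotations: {AUTHN_ANNOTATION => 'TRUE'}} }` and `it { expect(host_builder.create_host[1]).not_to be_nil }` restores that coverage. Dropping the `allow_any_instance_of(Loader::Types::Host).to receive(:future_api_key_auth_will_fail?)` stub is only safe if that method left the loader in the same change, which this hunk cannot show; otherwise it now runs unstubbed. The middle of the new describe lies between this hunk and the `-165,7` one, outside the view.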
@@ -86,68 +86,6 @@
 end
 end
-describe Loader::Types::Host do
- let(:host) do
- host = Conjur::PolicyParser::Types::Host.new
- host.id = resource_id
- if api_key != ''
- host.annotations = { "authn/api-key" => api_key }
- end
- Loader::Types.wrap(host, self)
- end
-
- describe '.verify' do
- context 'when CONJUR_AUTHN_API_KEY_DEFAULT is true' do
- before do
- allow(Rails.application.config.conjur_config).to receive(:authn_api_key_default).and_return(true)
- end
-
- context 'when creating host with api-key annotation true' do
- let(:resource_id) { 'myhost@admin' }
- let(:api_key) { true }
- it { expect { host.verify }.to_not raise_error }
- end
-
- context 'when creating host with api-key annotation false' do
- let(:resource_id) { 'myhost@cyberark' }
- let(:api_key) { false }
- it { expect { host.verify }.to_not raise_error(Exceptions::InvalidPolicyObject) }
- end
-
- context 'when creating host without api-key annotation' do
- let(:resource_id) { 'myhost@cyberark' }
- let(:api_key) { '' }
- it { expect { host.verify }.to_not raise_error(Exceptions::InvalidPolicyObject) }
- end
- end
-
- context 'when CONJUR_AUTHN_API_KEY_DEFAULT is false' do
- before do
- allow(Rails.application.config.conjur_config).to receive(:authn_api_key_default).and_return(false)
- end
-
- context 'when creating host with api-key annotation true' do
- let(:resource_id) { 'myhost@admin' }
- let(:api_key) { true }
- it { expect { host.verify }.to_not raise_error }
- end
-
- context 'when creating host with api-key annotation false' do
- let(:resource_id) { 'alice@cyberark' }
- let(:api_key) { false }
- it { expect { host.verify }.to raise_error }
- end
-
- context 'when creating host without api-key annotation' do
- let(:resource_id) { 'alice@cyberark' }
- let(:api_key) { '' }
- it { expect { host.verify }.to raise_error }
- end
- end
-
- end
-end
-
 describe Loader::Types::Variable do
 let(:variable) do
 variable = Conjur::PolicyParser::Types::Variable.new
diff --git a/spec/models/role_spec.rb b/spec/models/role_spec.rb
index 6767e75f4a..41df8969ec 100644
--- a/spec/models/role_spec.rb
+++ b/spec/models/role_spec.rb
@@ -41,9 +41,6 @@
 end
 context "Role has API key per annotation" do
- before do
- allow(Rails.application.config.conjur_config).to receive(:authn_api_key_default).and_return(false)
- end
 subject(:role) { Role.create(role_id: "rspec:host:#{login}") }