Skip to content

Commit

Permalink
Remove default api key configuration
Browse files Browse the repository at this point in the history
  • Loading branch information
egvili committed Oct 16, 2023
1 parent b196913 commit eb6e70a
Show file tree
Hide file tree
Showing 31 changed files with 92 additions and 228 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Nothing should go in this section, please add to the latest unreleased version
(and update the corresponding date), or add a new version.

## [1.0.11-cloud] - 2023-10-29
### Changed
- Make API-key optional for hosts

## [1.0.10-cloud] - 2023-10-22
### Added
- Telemetry logs for ephemeral secrets
Expand Down
6 changes: 3 additions & 3 deletions app/domain/authentication/optional_api_key.rb
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,12 @@ module OptionalApiKey

AUTHN_ANNOTATION = 'authn/api-key'

def annotation_relevant?(annotation)
def api_annotation_relevant?(annotation)
annotation.name == AUTHN_ANNOTATION
end

def annotation_true?(annotation)
annotation_relevant?(annotation) && annotation.value.downcase == 'true'
def api_annotation_true?(annotation)
api_annotation_relevant?(annotation) && annotation.value.downcase == 'true'
end

end
Expand Down
29 changes: 1 addition & 28 deletions app/models/loader/types.rb
Original file line number Diff line number Diff line change
Expand Up @@ -160,34 +160,7 @@ def verify; end
class Host < Record
def_delegators :@policy_object, :restricted_to

# This is a temporary policy validation check to ensure that we're not
# creating hosts that will fail API key-based authentication by default
# in the future.
def future_api_key_auth_will_fail?
# The default config value is to allow API key authentication, so if this is
# either the default or set to true, then future API key authentication will
# continue to work and we don't need to reject this policy.
return false if Rails.application.config.conjur_config.authn_api_key_default

# If the default API authentication config is to disallow it, and the host
# does not explicitly state the policy authors intentions with the
# `authn/api-key` annotation with value true, then we should reject this until the annotation
# is added to the policy object.
self.annotations&.[]("authn/api-key").nil? || self.annotations["authn/api-key"].to_s.casecmp?("false")
end

def verify
# If policy contains a host with annotation authn/api-key effectively false, either by explicit
# value or by default value, then policy load is blocked.
if future_api_key_auth_will_fail?
message = "API key authentication for hosts is disabled by default and " \
"will be removed in a future release. Add the 'authn/api-key' " \
"annotation to this host with the value 'true' to " \
"ensure authentication works as expected for this host in the " \
"future."
raise Exceptions::InvalidPolicyObject.new(self.id, message: message)
end
end
def verify; end

def create!
self.handle_restricted_to(self.roleid, restricted_to)
Expand Down
5 changes: 2 additions & 3 deletions app/models/role.rb
Original file line number Diff line number Diff line change
Expand Up @@ -135,9 +135,8 @@ def api_key
end

def api_key_expected?
self.kind == 'user' ||
Rails.application.config.conjur_config.authn_api_key_default ||
self.annotations.any? { |a| annotation_true?(a) }
self.id == 'admin' || self.kind == 'user' ||
self.annotations.any? { |a| api_annotation_true?(a) }
end

def login
Expand Down
28 changes: 14 additions & 14 deletions cucumber/api/features/authenticate.feature
Original file line number Diff line number Diff line change
Expand Up @@ -165,20 +165,20 @@ Feature: Exchange a role's API key for a signed authentication token
cucumber:host:app failed to authenticate with authenticator authn
"""

#@negative @acceptance
#Scenario: Attempting to use host API key to authenticate host without api key result in 401 error
# Given I save my place in the audit log file for remote
# When I POST "/authn/cucumber/host%2FappNoApiKey/authenticate" with plain text body ""
# Then the HTTP response status code is 401
# And there is an audit record matching:
# """
# <84>1 * * conjur * authn
# [subject@43868 role="cucumber:host:appNoApiKey"]
# [auth@43868 user="cucumber:host:appNoApiKey" authenticator="authn" service="cucumber:webservice:conjur/authn"]
# [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
# [action@43868 result="failure" operation="authenticate"]
# cucumber:host:appNoApiKey failed to authenticate with authenticator authn
# """
@negative @acceptance
Scenario: Attempting to use host API key to authenticate host without api key result in 401 error
Given I save my place in the audit log file for remote
When I POST "/authn/cucumber/host%2FappNoApiKey/authenticate" with plain text body ""
Then the HTTP response status code is 401
And there is an audit record matching:
"""
<84>1 * * conjur * authn
[subject@43868 role="cucumber:host:appNoApiKey"]
[auth@43868 user="cucumber:host:appNoApiKey" authenticator="authn" service="cucumber:webservice:conjur/authn"]
[client@43868 ip="\d+\.\d+\.\d+\.\d+"]
[action@43868 result="failure" operation="authenticate"]
cucumber:host:appNoApiKey failed to authenticate with authenticator authn
"""

@negative @acceptance
Scenario: Attempting to use an invalid API key to authenticate with Accept-Encoding base64 result in 401 error
Expand Down
2 changes: 1 addition & 1 deletion cucumber/api/features/authn_optional_api_key.feature
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
@api @skip
@api
Feature: API key for host is created and removed based on host's annotation
Background:
Given I am the super-user
Expand Down
8 changes: 4 additions & 4 deletions cucumber/api/features/edge/internal/edge_hosts.feature
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,10 @@ Feature: Fetching host from edge endpoint
"""
[{"name": "authn/api-key", "value": "true"}]
"""
#And the JSON at "hosts/2/annotations" should be:
#"""
#[]
#"""
And the JSON at "hosts/2/annotations" should be:
"""
[]
"""

@acceptance
Scenario: Fetching hosts with parameters
Expand Down
2 changes: 1 addition & 1 deletion cucumber/api/features/host_factory_create_host.feature
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Feature: Create a host using the host factory.
"annotations" : [],
"id": "cucumber:host:host-01",
"owner": "cucumber:host_factory:the-layer-factory",
"api_key": "@response_api_key@",
"api_key": null,
"permissions": [],
"restricted_to": []
}
Expand Down
4 changes: 3 additions & 1 deletion cucumber/api/features/host_factory_rotate_host.feature
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,8 @@ Feature: Rotate a host api key using the host factory.
- !host
id: brand-new-host
owner: !host-factory database/users
annotations:
authn/api-key: true
"""
And I create a host factory token for "database/users"
And I authorize the request with the host factory token
Expand All @@ -70,7 +72,7 @@ Feature: Rotate a host api key using the host factory.
And our JSON should be:
"""
{
"annotations" : [],
"annotations" : [{"name": "authn/api-key", "policy": "cucumber:policy:root", "value": "true"}],
"id": "cucumber:host:brand-new-host",
"owner": "cucumber:host_factory:database/users",
"policy": "cucumber:policy:root",
Expand Down
5 changes: 4 additions & 1 deletion cucumber/api/features/policy_load_response.feature
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,10 @@ Feature: Policy load response
- !layer
- !user bob
- !host host-01
- !host
id: host-01
annotations:
authn/api-key: true
"""
Then the JSON should have "created_roles"
And the JSON at "created_roles" should have 2 entries
Expand Down
2 changes: 1 addition & 1 deletion cucumber/api/features/retrieve_api_key.feature
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ Feature: Retrieving an API key with conjurctl
When I retrieve an API key for user "cucumber:user:non-existing-user" using conjurctl
Then the stderr includes the error "role does not exist"

@smoke @skip
@smoke
Scenario: Retrieve an API key for a host
Given I have host "api_key_host"
And I have host "without_api_key_host" without api key
Expand Down
4 changes: 2 additions & 2 deletions cucumber/api/features/rotate_api_key.feature
Original file line number Diff line number Diff line change
Expand Up @@ -316,7 +316,7 @@ Feature: Rotate the API key of a role
cucumber:host:privileged_host successfully rotated their API key
"""

@negative @acceptance @skip
@negative @acceptance
Scenario: A Host without api key CANNOT rotate their own API key
Given I save my place in the audit log file
When I PUT "/authn/cucumber/api_key?role=host:privileged_host_without_apikey" with username "host/privileged_host_without_apikey" and password ":cucumber:host:api_key"
Expand Down Expand Up @@ -358,7 +358,7 @@ Feature: Rotate the API key of a role
"""

# A host with update permission rotating host without api key
@negative @acceptance @skip
@negative @acceptance
Scenario: A Host with update privilege CANNOT rotate host API key that doesn't have api key
Given I login as "host/privileged_host"
And I save my place in the audit log file
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
resource: !webservice
"""
And I am the super-user
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
And I fetch a non-assigned-identity Azure access token from inside machine
Expand Down Expand Up @@ -55,7 +55,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
resource: !webservice
"""
And I am the super-user
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
And I fetch a non-assigned-identity Azure access token from inside machine
Expand All @@ -81,7 +81,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
- !group apps
"""
And I am the super-user
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
And I successfully set Azure provider-uri variable with the correct values
Expand Down Expand Up @@ -114,7 +114,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
resource: !webservice
"""
And I am the super-user
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
And I successfully set Azure provider-uri variable with the correct values
Expand Down Expand Up @@ -148,7 +148,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
"""
And I am the super-user
And I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-azure/prod/provider-uri"
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
And I fetch a non-assigned-identity Azure access token from inside machine
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Feature: Azure Authenticator - Hosts can authenticate with Azure authenticator
"""
And I am the super-user
And I successfully set Azure provider-uri variable with the correct values
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"

Expand Down
24 changes: 12 additions & 12 deletions cucumber/authenticators_azure/features/authn_azure_hosts.feature
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@smoke
Scenario: Host with user-assigned-identity annotation is authorized
And I have host "user-assigned-identity-app"
And I have host "user-assigned-identity-app" without api key
And I set subscription-id annotation to host "user-assigned-identity-app"
And I set resource-group annotation to host "user-assigned-identity-app"
And I set user-assigned-identity annotation to host "user-assigned-identity-app"
Expand All @@ -38,7 +38,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@smoke
Scenario: Host with system-assigned-identity annotation is authorized
And I have host "system-assigned-identity-app"
And I have host "system-assigned-identity-app" without api key
And I set subscription-id annotation to host "system-assigned-identity-app"
And I set resource-group annotation to host "system-assigned-identity-app"
And I set system-assigned-identity annotation to host "system-assigned-identity-app"
Expand All @@ -49,7 +49,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host without resource-group annotation is denied
And I have host "no-resource-group-app"
And I have host "no-resource-group-app" without api key
And I set subscription-id annotation to host "no-resource-group-app"
And I grant group "conjur/authn-azure/prod/apps" to host "no-resource-group-app"
And I fetch a non-assigned-identity Azure access token from inside machine
Expand All @@ -63,7 +63,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host without subscription-id annotation is denied
And I have host "no-subscription-id-app"
And I have host "no-subscription-id-app" without api key
And I set resource-group annotation to host "no-subscription-id-app"
And I grant group "conjur/authn-azure/prod/apps" to host "no-subscription-id-app"
And I fetch a non-assigned-identity Azure access token from inside machine
Expand All @@ -77,7 +77,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host without any Azure annotation is denied
And I have host "no-azure-annotations-app"
And I have host "no-azure-annotations-app" without api key
And I grant group "conjur/authn-azure/prod/apps" to host "no-azure-annotations-app"
And I fetch a non-assigned-identity Azure access token from inside machine
And I save my place in the log file
Expand All @@ -90,7 +90,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host with both identity Azure annotations is denied
And I have host "illegal-combination-app"
And I have host "illegal-combination-app" without api key
And I set resource-group annotation to host "illegal-combination-app"
And I set subscription-id annotation to host "illegal-combination-app"
And I set system-assigned-identity annotation to host "illegal-combination-app"
Expand All @@ -107,7 +107,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host with incorrect subscription-id Azure annotation is denied
And I have host "incorrect-subscription-id-app"
And I have host "incorrect-subscription-id-app" without api key
And I set resource-group annotation to host "incorrect-subscription-id-app"
And I set subscription-id annotation with incorrect value to host "incorrect-subscription-id-app"
And I grant group "conjur/authn-azure/prod/apps" to host "incorrect-subscription-id-app"
Expand All @@ -122,7 +122,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host with incorrect resource-group Azure annotation is denied
And I have host "incorrect-resource-group-app"
And I have host "incorrect-resource-group-app" without api key
And I set subscription-id annotation to host "incorrect-resource-group-app"
And I set resource-group annotation with incorrect value to host "incorrect-resource-group-app"
And I grant group "conjur/authn-azure/prod/apps" to host "incorrect-resource-group-app"
Expand All @@ -137,7 +137,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host with incorrect user-assigned-identity annotation is denied
And I have host "incorrect-user-assigned-identity-app"
And I have host "incorrect-user-assigned-identity-app" without api key
And I set subscription-id annotation to host "incorrect-user-assigned-identity-app"
And I set resource-group annotation to host "incorrect-user-assigned-identity-app"
And I set user-assigned-identity annotation with incorrect value to host "incorrect-user-assigned-identity-app"
Expand All @@ -153,7 +153,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host with incorrect system-assigned-identity annotation is denied
And I have host "incorrect-system-assigned-identity-app"
And I have host "incorrect-system-assigned-identity-app" without api key
And I set subscription-id annotation to host "incorrect-system-assigned-identity-app"
And I set resource-group annotation to host "incorrect-system-assigned-identity-app"
And I set system-assigned-identity annotation with incorrect value to host "incorrect-system-assigned-identity-app"
Expand Down Expand Up @@ -184,7 +184,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe

@negative @acceptance
Scenario: Host that is not in the permitted group is denied
And I have host "non-permitted-app"
And I have host "non-permitted-app" without api key
And I set Azure annotations to host "non-permitted-app"
And I fetch a non-assigned-identity Azure access token from inside machine
And I save my place in the log file
Expand All @@ -200,7 +200,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
# We run it again here to verify that we write a message to the audit log
@acceptance
Scenario: Authentication failure is written to the audit log
And I have host "no-resource-group-app"
And I have host "no-resource-group-app" without api key
And I set subscription-id annotation to host "no-resource-group-app"
And I grant group "conjur/authn-azure/prod/apps" to host "no-resource-group-app"
And I fetch a non-assigned-identity Azure access token from inside machine
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Feature: Azure Authenticator - Performance tests
"""
And I am the super-user
And I successfully set Azure provider-uri variable with the correct values
And I have host "test-app"
And I have host "test-app" without api key
And I set Azure annotations to host "test-app"
And I grant group "conjur/authn-azure/prod/apps" to host "test-app"

Expand All @@ -50,7 +50,7 @@ Feature: Azure Authenticator - Performance tests

@performance @negative
Scenario: Unsuccessful requests with invalid resource restrictions
Given I have host "no-azure-annotations-app"
Given I have host "no-azure-annotations-app" without api key
And I grant group "conjur/authn-azure/prod/apps" to host "no-azure-annotations-app"
And I fetch a non-assigned-identity Azure access token from inside machine
When I authenticate 1000 times in 10 threads via Azure with token as host "no-azure-annotations-app"
Expand Down
Loading

0 comments on commit eb6e70a

Please sign in to comment.