AuthnOIDC V2: write custom certs to non-default directory

[john-odonnell]

Desired Outcome

Authn-OIDC with ca-cert variable fails on Conjur Enterprise.

Errno::EACCES: Permission denied @ rb_file_s_symlink - (/tmp/d20231006-289-9u7rno/conjur-oidc-client.0.pem, /usr/lib/ssl/certs/bb3ed97b.0)

When Authn-OIDC V2 is configured with a ca-cert variable, it writes the provided certificate content into a temporary file, and creates a symlink to the file in the Conjur container's default certificate directory, meaning it would be trusted for outbound requests to the configured OIDC provider. After a successful request, the symlinks are deleted, and the temp files destroyed.

In Conjur Enterprise, the Conjur server is running as a user conjur, which lacks write permissions on the container's default cert store.

Implemented Changes

Instead of creating symlinks in the default cert store, instead create them in the Conjur project directory tree - the Conjur process is able to write to the ${conjur_root}/etc/certs in both Conjur Open Source and Enterprise.

In the previous solution iteration, if a custom certificate was established in the ca-cert variable but connecting to the OIDC provider did not require that particular certificate, Authn-OIDC could fall back on any trusted certificate in the default cert store. No longer - if the ca-cert variable is set, it must contain the full certificate chain required for connecting to the OIDC provider. No certificates included in the system's default store will be considered.

Connected Issue/Story

CyberArk internal issue ID: CNJR-2844

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: [insert issue ID]
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[codeclimate]

Authentication::AuthnOidc::V2::Client#callback_with_temporary_cert calls 'config.ssl' 2 times

[codeclimate]

Authentication::AuthnOidc::V2::Client#self.discover calls 'config.ssl' 2 times

[codeclimate]

Authentication::AuthnOidc::V2::Client#callback_with_temporary_cert performs a nil-check

[codeclimate]

Authentication::AuthnOidc::V2::Client#self.discover performs a nil-check

[codeclimate]

Replace class var :@@http_config with a class instance var.

[codeclimate]

Replace class var :@@http_config with a class instance var.

[codeclimate]

Replace class var :@@http_config with a class instance var.

[codeclimate]

Replace class var :@@http_config with a class instance var.

[codeclimate]

Replace class var :@@http_config with a class instance var.

[codeclimate]

Replace class var :@@http_config with a class instance var.

[codeclimate]

Code Climate has analyzed commit 1d079cd and detected 16 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Style	9
Complexity	7

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 88.5% (0.0% change).

View more on Code Climate.

[jvanderhoof]

Any particular reason we're using instance variables instead of variables scoped to the method?

Ah, I think I understand what you're trying to accomplish here. We only want to set the @default_cert_dir if it hasn't yet been set. This is in a singleton so you can pass it into the callback_with_temporary_cert method below.

[jvanderhoof]

I believe this code is good enough for now. I'll work with @jtuttle, @andytinkham, and @adamouamani, and the rest of the C&I team on a refactor to cleanup the implementation and improve testability of the code.