Prevent status webservices from being returned on the providers endpoint #2640
Conversation
7f33977 to
1dc8916
Compare
| ).where( | ||
| Sequel.like( | ||
| identifier, | ||
| %r{conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$} |
There was a problem hiding this comment.
It would be worth adding a comment here explaining how this regex prevents the status resources from being included in the result. (No forward slashes are allowed after authn).
There was a problem hiding this comment.
Also, given this isn't an urgent change, would should improve this re-use beyond just copying the regex between this location and https://github.com/cyberark/conjur/blob/master/app/domain/authentication/installed_authenticators.rb#L31.
For example, it should probably be a constant in one class or the other, and just reference in the other location:
# installed_authenticators.rb
...
class InstalledAuthenticators
...
AUTHN_RESOURCE_PREFIX = "conjur/authn-"
AUTHN_STATUS_FILTER = %r{conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$}
...
# filter out nested status webservice
.map { |id| id[AUTHN_STATUS_FILTER, 1] }
...# authenticator_repository.rb
...
...
Sequel.like(
identifier,
# filter out nested status webservice
Authentication::InstalledAuthenticators::AUTHN_STATUS_FILTER
)
...| ) | ||
| end | ||
|
|
||
| it { expect(repo.find_all(type: 'authn-oidc', account: 'rspec').length).to eq(2) } |
There was a problem hiding this comment.
How cumbersome would it be to actually verify the contents of the list, rather than just the count?
Being explicit about the expected outcome would be a more valuable assurance than just the number of results.
There was a problem hiding this comment.
would not work since we and not brining over the real resource_id in the repository, but a created one based on the service_id which is the same between the status and normal web-services.
|
When you get a chance could you fill out the PR description @mFelgate ? Thanks |
1dc8916 to
19a5d3f
Compare
041d9d0 to
66dbe15
Compare
| @@ -4,6 +4,7 @@ module Authentication | |||
| class InstalledAuthenticators | |||
|
|
|||
| AUTHN_RESOURCE_PREFIX = "conjur/authn-" | |||
| AUTHN_STATUS_FILTER = %r{conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$} | |||
There was a problem hiding this comment.
Freeze mutable objects assigned to constants.
66dbe15 to
06a4f77
Compare
|
|
||
| ### Changed | ||
| - AWS Access Key Rotation now preserves only one key | ||
|
|
||
| ### Fixed | ||
| - Removed Status webservices from the list providers endpoint |
There was a problem hiding this comment.
Lists should be surrounded by blank lines
CHANGELOG.md
Outdated
| @@ -35,6 +39,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
| ### Changed | |||
| - Reduces debug log verbosity. | |||
| [cyberark/conjur#2639](https://github.com/cyberark/conjur/pull/2639) | |||
| - Remove status webservices from providers endpoints | |||
There was a problem hiding this comment.
Each changelog entry should go under a single header, not multiple. I think this makes more sense under Fixed.
|
|
||
| ### Changed | ||
| - AWS Access Key Rotation now preserves only one key | ||
|
|
||
| ### Fixed | ||
| - Removed Status webservices from the list providers endpoint |
There was a problem hiding this comment.
I'd recommend something like:
| - Removed Status webservices from the list providers endpoint | |
| - OIDC Provider endpoint no longer includes duplicates when Status is enabled. |
06a4f77 to
588abed
Compare
|
I'd actually recommend making the changes in the module DB
module Repository
class AuthenticatorRepository
def initialize(data_object:, resource_repository: ::Resource, logger: Rails.logger, enabled_authenticators: Rails.application.config.conjur_config.authenticators)
@resource_repository = resource_repository
@data_object = data_object
@logger = logger
@enabled_authenticators = enabled_authenticators
end
def find_all(type:, account:)
enabled_authenticator_types = @enabled_authenticators
.select { |authenticator| authenticator.match(/^#{type}/) }
.map { |authenticator| "#{account}:webservice:conjur/#{authenticator}" }
@resource_repository.where(
Sequel.like(
:resource_id,
"#{account}:webservice:conjur/#{type}/%"
)
)
.all
.select { |webservice| enabled_authenticator_types.include?(webservice.id) }
.map do |webservice|
load_authenticator(account: account, id: webservice.id.split(':').last, type: type)
end
.compact
end
...we can limit the available authenticators to those enabled AND strip out the Status webservices. |
588abed to
de1e574
Compare
| @resource_repository.where( | ||
| enabled_authenticator_types = @enabled_authenticators.select { |authenticator| authenticator.match("#{type}") } | ||
| .map { |authenticator| "#{account}:webservice:conjur/#{authenticator}" } | ||
| @resource_repository.where( |
There was a problem hiding this comment.
Inconsistent indentation detected.
| end | ||
|
|
||
| def find_all(type:, account:) | ||
| @resource_repository.where( | ||
| enabled_authenticator_types = @enabled_authenticators.select { |authenticator| authenticator.match("#{type}") } | ||
| .map { |authenticator| "#{account}:webservice:conjur/#{authenticator}" } |
There was a problem hiding this comment.
Use 2 (not 8) spaces for indenting an expression in an assignment spanning multiple lines.
| Sequel.like( | ||
| :resource_id, | ||
| "#{account}:webservice:conjur/#{type}/%" | ||
| ) | ||
| ).all.map do |webservice| | ||
| ).all.select { |webservice|enabled_authenticator_types.include?(webservice.resource_id) }.map do |webservice| |
There was a problem hiding this comment.
Space after closing | missing.
| end | ||
|
|
||
| def find_all(type:, account:) | ||
| @resource_repository.where( | ||
| enabled_authenticator_types = @enabled_authenticators.select { |authenticator| authenticator.match("#{type}") } |
There was a problem hiding this comment.
Prefer to_s over string interpolation.
|
Code Climate has analyzed commit de1e574 and detected 8 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.9% (-1.6% change). View more on Code Climate. |
Desired Outcome
Duplictae authenticators show up in the providers endpoint due to not removing the status webservices from the list of providers. This pr removes web services that end in /status from the list of authenticators
Implemented Changes
Describe how the desired outcome above has been achieved with this PR. In
particular, consider:
Added the regex used in InstalledAuthenticators to remove the status webservices
That the tests work effectively and the code is reasonably made
No
Connected Issue/Story
Resolves #[relevant GitHub issue(s), e.g. 76]
CyberArk internal issue link: ONYX-25530
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be
merged.
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
READMEs) were updated in this PRBehavior
Security