Adds status support for V2 OIDC Authenticators

This commit adds support for checking a V2 authenticator configuration using the authenticator status endpoint. Previously, status was invalid because the required variables differ between version 1 and 2.
cyberark · Dec 29, 2022 · 2905dbe · 2905dbe
1 parent b4f1652
commit 2905dbe
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 7 deletions.
diff --git a/app/domain/authentication/authn_oidc/authenticator.rb b/app/domain/authentication/authn_oidc/authenticator.rb
@@ -23,10 +23,39 @@ def valid?(input)
       end
 
       def status(authenticator_status_input:)
-        Authentication::AuthnOidc::ValidateStatus.new.(
+        # The following is intended as a short-term fix for dealing
+        # with two versions of the OIDC authenticator. In the medium
+        # term, we need to port the V1 functionality to V2. Once that
+        # is done, the following check can be removed.
+
+        # Attempt to load the V2 version of the OIDC Authenticator
+        data_object = if Rails.configuration.feature_flags.enabled?(:pkce_support)
+          Authentication::AuthnOidc::PkceSupportFeature::DataObjects::Authenticator
+        else
+          Authentication::AuthnOidc::V2::DataObjects::Authenticator
+        end
+        authenticator = DB::Repository::AuthenticatorRepository.new(
+          data_object: data_object
+        ).find(
+          type: authenticator_status_input.authenticator_name,
           account: authenticator_status_input.account,
           service_id: authenticator_status_input.service_id
         )
+        # If successful, validate the new set of required variables
+        if authenticator.present?
+          Authentication::AuthnOidc::ValidateStatus.new(
+            required_variable_names: %w[provider-uri client-id client-secret claim-mapping]
+          ).(
+            account: authenticator_status_input.account,
+            service_id: authenticator_status_input.service_id
+          )
+        else
+          # Otherwise, perform the default check
+          Authentication::AuthnOidc::ValidateStatus.new.(
+            account: authenticator_status_input.account,
+            service_id: authenticator_status_input.service_id
+          )
+        end
       end
     end
   end

diff --git a/app/domain/authentication/authn_oidc/validate_status.rb b/app/domain/authentication/authn_oidc/validate_status.rb
@@ -4,7 +4,8 @@ module AuthnOidc
     ValidateStatus = CommandClass.new(
       dependencies: {
         fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
-        discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new
+        discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new,
+        required_variable_names: %w[provider-uri id-token-user-property]
       },
       inputs: %i[account service_id]
     ) do
@@ -29,14 +30,10 @@ def oidc_authenticator_secrets
           service_id: @service_id,
           conjur_account: @account,
           authenticator_name: "authn-oidc",
-          required_variable_names: required_variable_names
+          required_variable_names: @required_variable_names
         )
       end
 
-      def required_variable_names
-        @required_variable_names ||= %w[provider-uri id-token-user-property]
-      end
-
       def validate_provider_is_responsive
         @discover_identity_provider.(
           provider_uri: provider_uri