From 2905dbea7316aba781bbd78227e6acca58de172c Mon Sep 17 00:00:00 2001
From: Jason Vanderhoof
Date: Thu, 29 Dec 2022 11:21:46 -0700
Subject: [PATCH] Adds status support for V2 OIDC Authenticators

This commit adds support for checking a V2 authenticator configuration using the authenticator status endpoint. Previously, status was invalid because the required variables differ between version 1 and 2.
---
 .../authn_oidc/authenticator.rb | 31 ++++++++++++++++++-
 .../authn_oidc/validate_status.rb | 9 ++----
 2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/app/domain/authentication/authn_oidc/authenticator.rb b/app/domain/authentication/authn_oidc/authenticator.rb
index cb00bc2030..ddf165f989 100644
--- a/app/domain/authentication/authn_oidc/authenticator.rb
+++ b/app/domain/authentication/authn_oidc/authenticator.rb
@@ -23,10 +23,39 @@ def valid?(input)
 end
 
 def status(authenticator_status_input:)
- Authentication::AuthnOidc::ValidateStatus.new.(
+ # The following is intended as a short-term fix for dealing
+ # with two versions of the OIDC authenticator. In the medium
+ # term, we need to port the V1 functionality to V2. Once that
+ # is done, the following check can be removed.
+
+ # Attempt to load the V2 version of the OIDC Authenticator
+ data_object = if Rails.configuration.feature_flags.enabled?(:pkce_support)
+ Authentication::AuthnOidc::PkceSupportFeature::DataObjects::Authenticator
+ else
+ Authentication::AuthnOidc::V2::DataObjects::Authenticator
+ end
+ authenticator = DB::Repository::AuthenticatorRepository.new(
+ data_object: data_object
+ ).find(
+ type: authenticator_status_input.authenticator_name,
 account: authenticator_status_input.account,
 service_id: authenticator_status_input.service_id
 )
+ # If successful, validate the new set of required variables
+ if authenticator.present?
+ Authentication::AuthnOidc::ValidateStatus.new(
+ required_variable_names: %w[provider-uri client-id client-secret claim-mapping]
+ ).(
+ account: authenticator_status_input.account,
+ service_id: authenticator_status_input.service_id
+ )
+ else
+ # Otherwise, perform the default check
+ Authentication::AuthnOidc::ValidateStatus.new.(
+ account: authenticator_status_input.account,
+ service_id: authenticator_status_input.service_id
+ )
+ end
 end
 end
 end
diff --git a/app/domain/authentication/authn_oidc/validate_status.rb b/app/domain/authentication/authn_oidc/validate_status.rb
index 84d60fc0c3..eb24824df1 100644
--- a/app/domain/authentication/authn_oidc/validate_status.rb
+++ b/app/domain/authentication/authn_oidc/validate_status.rb
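Review bot: The `else` branch after `if authenticator.present?` turns every failed V2 lookup into a V1 check, so an operator who configured a V2 authenticator but left out, say, `client-secret` would presumably get the V1 diagnostic about `id-token-user-property` rather than the variable that is actually missing; whether `find` returns `nil` only for an absent authenticator or also for an incomplete one is not visible in this hunk and decides how misleading that is. At minimum a comment on the `else` line should state that the fallback assumes "not found" means "V1 authenticator", and if the repository also swallows partial V2 configs the branch should surface the V2 variable error instead. The V2 list `%w[provider-uri client-id client-secret claim-mapping]` is also an unowned inline literal that duplicates whatever the data object requires; hoist it to a frozen constant, e.g. `V2_REQUIRED_VARIABLE_NAMES = %w[provider-uri client-id client-secret claim-mapping].freeze`, and pass `required_variable_names: V2_REQUIRED_VARIABLE_NAMES` so the feature-flag branch and the status check cannot drift apart (confirm the `PkceSupportFeature` and `V2` objects share the same variable set).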
@@ -4,7 +4,8 @@ module AuthnOidc
 ValidateStatus = CommandClass.new(
 dependencies: {
 fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
- discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new
+ discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new,
+ required_variable_names: %w[provider-uri id-token-user-property]
 },
 inputs: %i[account service_id]
 ) do
@@ -29,14 +30,10 @@ def oidc_authenticator_secrets
 service_id: @service_id,
 conjur_account: @account,
 authenticator_name: "authn-oidc",
- required_variable_names: required_variable_names
+ required_variable_names: @required_variable_names
 )
 end
 
- def required_variable_names
- @required_variable_names ||= %w[provider-uri id-token-user-property]
- end
-
 def validate_provider_is_responsive
 @discover_identity_provider.(
 provider_uri: provider_uri
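Review bot: The new dependency default `required_variable_names: %w[provider-uri id-token-user-property]` is a mutable array evaluated once when `CommandClass.new` runs, so it is shared by every `ValidateStatus` instance that does not override it, and any mutation of `@required_variable_names` downstream would change the default for later status checks. Freeze the literal: `required_variable_names: %w[provider-uri id-token-user-property].freeze`. A one-line comment above it saying that this is the V1 variable set and that V2 callers inject their own list would also make the override in `authenticator.rb` easier to find.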
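Review bot: Removing the `required_variable_names` method is an interface change for `ValidateStatus`; any spec or caller that read or stubbed it now gets a `NoMethodError`, and nothing in this hunk shows whether such callers exist. If the method was only used internally, a `private`-scoped `attr_reader :required_variable_names` would keep the old name while reading the injected value; otherwise the removal deserves a mention in the commit message. The enclosing `oidc_authenticator_secrets` method starts outside the hunk.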