From 5fabe9a535d5900526249acbaaa3a52179f9f7b5 Mon Sep 17 00:00:00 2001 From: Sasha Chernomordik Date: Wed, 12 Jan 2022 21:45:22 +0200 Subject: [PATCH] Integrate signing keys builder into main flow Fetching the values of the variables related to signing keys, on one side, and validating those values and creating the settings object, on the other, are split into two classes (a parameters fetcher and a settings builder); both classes are used by the CreateSigningKeyProvider class --- app/domain/authentication/authn_jwt/consts.rb | 8 + .../create_signing_key_provider.rb | 25 +- ...h_signing_key_parameters_from_variables.rb | 55 +++++ ...tch_signing_key_settings_from_variables.rb | 77 ------- app/domain/errors.rb | 5 - .../authn_jwt_check_standard_claims.feature | 5 +- .../features/authn_jwt_configuration.feature | 8 +- .../features/authn_status_jwt.feature | 6 +- .../create_signing_key_provider_spec.rb | 59 ++--- ...ning_key_parameters_from_variables_spec.rb | 180 +++++++++++++++ ...igning_key_settings_from_variables_spec.rb | 217 ------------------ .../signing_key_settings_builder_spec.rb | 1 - 12 files changed, 300 insertions(+), 346 deletions(-) create mode 100644 app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_parameters_from_variables.rb delete mode 100644 app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_settings_from_variables.rb create mode 100644 spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_parameters_from_variables_spec.rb delete mode 100644 spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_settings_from_variables_spec.rb diff --git a/app/domain/authentication/authn_jwt/consts.rb b/app/domain/authentication/authn_jwt/consts.rb index 9bedc4a9da..b56cc9ae14 100644 --- a/app/domain/authentication/authn_jwt/consts.rb +++ b/app/domain/authentication/authn_jwt/consts.rb 
@@ -40,5 +40,13 @@ module AuthnJwt PURE_CLAIM_NAME_REGEX = /[a-zA-Z|$|_][a-zA-Z|$|_|0-9|.]*/.freeze PURE_NESTED_CLAIM_NAME_REGEX = /^#{PURE_CLAIM_NAME_REGEX.source}(#{PATH_DELIMITER}#{PURE_CLAIM_NAME_REGEX.source})*$/.freeze + + SIGNING_KEY_RESOURCES_NAMES = [ + JWKS_URI_RESOURCE_NAME, + PUBLIC_KEYS_RESOURCE_NAME, + PROVIDER_URI_RESOURCE_NAME, + CA_CERT_RESOURCE_NAME, + ISSUER_RESOURCE_NAME + ].freeze end end diff --git a/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb b/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb index a45f4750e5..e738da07b9 100644 --- a/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb +++ b/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb @@ -14,7 +14,8 @@ module SigningKey max_concurrent_requests: CACHE_MAX_CONCURRENT_REQUESTS, logger: Rails.logger ), - fetch_signing_key_settings: Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new, + fetch_signing_key_parameters: Authentication::AuthnJwt::SigningKey::FetchSigningKeyParametersFromVariables.new, + build_signing_key_settings: Authentication::AuthnJwt::SigningKey::SigningKeySettingsBuilder.new, fetch_provider_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchProviderUriSigningKey, fetch_jwks_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey, logger: Rails.logger 
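Review bot: `SIGNING_KEY_RESOURCES_NAMES` is added without a comment, yet it is the list that the new `FetchSigningKeyParametersFromVariables` iterates to decide which authenticator variables are read, so any name appended here silently widens what that fetcher looks up and can fail on. A one-line comment above the constant would make that contract explicit, e.g. `# Every authenticator variable the signing-key parameters fetcher reads; a name listed here is looked up (and must hold a value when defined) before the signing key is resolved.` The ordering of the names carries no meaning as far as the visible code shows, so the comment can say so to discourage reliance on it.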
@@ -23,20 +24,26 @@ module SigningKey ) do def call @logger.debug(LogMessages::Authentication::AuthnJwt::SelectingSigningKeyInterface.new) - fetch_signing_key_settings + build_signing_key_settings create_signing_key_provider end private - def fetch_signing_key_settings - @signing_key_settings ||= @fetch_signing_key_settings.call( - authenticator_input: @authenticator_input - ) + def build_signing_key_settings + signing_key_settings end def signing_key_settings - fetch_signing_key_settings + @signing_key_settings ||= @build_signing_key_settings.call( + signing_key_parameters: signing_key_parameters + ) + end + + def signing_key_parameters + @signing_key_parameters ||= @fetch_signing_key_parameters.call( + authenticator_input: @authenticator_input + ) end def create_signing_key_provider @@ -46,9 +53,7 @@ def create_signing_key_provider when PROVIDER_URI_INTERFACE_NAME fetch_provider_uri_signing_key else - raise Errors::Authentication::AuthnJwt::InvalidSigningKeyType.new( - signing_key_settings.type - ) + raise Errors::Authentication::AuthnJwt::InvalidSigningKeyType, signing_key_settings.type end end diff --git a/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_parameters_from_variables.rb b/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_parameters_from_variables.rb new file mode 100644 index 0000000000..307f5f3106 --- /dev/null +++ b/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_parameters_from_variables.rb 
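Review bot: The new private `build_signing_key_settings` is a pass-through that only returns `signing_key_settings`, so `call` goes through an extra hop, and the method name now collides with the `@build_signing_key_settings` dependency ivar, which makes `@build_signing_key_settings.call(...)` inside `signing_key_settings` easy to misread. Since `signing_key_settings` already memoizes the builder result, the wrapper can go: change the line in `call` to `signing_key_settings` and delete the three-line `build_signing_key_settings` method. If the wrapper is kept for the "step name" readability in `call`, a name that does not mirror the dependency, such as `resolve_signing_key_settings`, avoids the clash. The `create_signing_key_provider` method begins in this hunk but its body continues outside it.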
@@ -0,0 +1,55 @@ +module Authentication + module AuthnJwt + module SigningKey + # This class is responsible for fetching values of all variables related + # to signing key settings area + FetchSigningKeyParametersFromVariables ||= CommandClass.new( + dependencies: { + check_authenticator_secret_exists: Authentication::Util::CheckAuthenticatorSecretExists.new, + fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new + }, + inputs: %i[authenticator_input] + ) do + extend(Forwardable) + def_delegators(:@authenticator_input, :account, :authenticator_name, :service_id) + + def call + fetch_variables_values + variables_values + end + + private + + def fetch_variables_values + SIGNING_KEY_RESOURCES_NAMES.each do |name| + variables_values[name] = secret_value(secret_name: name) + end + end + + def variables_values + @variables_values ||= {} + end + + def secret_value(secret_name:) + return nil unless secret_exists?(secret_name: secret_name) + + @fetch_authenticator_secrets.call( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + required_variable_names: [secret_name] + )[secret_name] + end + + def secret_exists?(secret_name:) + @check_authenticator_secret_exists.call( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + var_name: secret_name + ) + end + end + end + end +end diff --git a/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_settings_from_variables.rb b/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_settings_from_variables.rb deleted file mode 100644 index 10dac62b21..0000000000 --- a/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_settings_from_variables.rb +++ /dev/null 
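Review bot: `secret_value` issues one `@fetch_authenticator_secrets.call` per name in `SIGNING_KEY_RESOURCES_NAMES`, so a fully configured authenticator pays up to five separate secrets lookups per authentication where one call with all the defined names would do; `required_variable_names:` is already an array, and the removed class passed arrays to the same dependency, so batching appears to be supported (confirm against `FetchAuthenticatorSecrets`). The `call` / `fetch_variables_values` / `variables_values` trio also mutates a memoized hash on every invocation, which is more machinery than building the hash directly. The class comment should state the return contract too: a Hash keyed by each name in `SIGNING_KEY_RESOURCES_NAMES`, `nil` for a variable that is not defined, and an error propagated from `FetchAuthenticatorSecrets` for a defined-but-empty one (the spec models that case as the fetcher raising). The new spec stubs `fetch_authenticator_secrets` with `.with(required_variable_names: [jwks_uri_key])`, so it would need to expect the batched argument.
```ruby
def call
  # One secrets lookup for all defined variables; undefined ones map to nil so
  # the settings builder can distinguish "not configured" from a fetched value.
  defined_names = SIGNING_KEY_RESOURCES_NAMES.select { |name| secret_exists?(secret_name: name) }
  fetched = defined_names.empty? ? {} : fetch_secrets(required_variable_names: defined_names)
  SIGNING_KEY_RESOURCES_NAMES.each_with_object({}) { |name, values| values[name] = fetched[name] }
end

private

def fetch_secrets(required_variable_names:)
  @fetch_authenticator_secrets.call(
    conjur_account: account,
    authenticator_name: authenticator_name,
    service_id: service_id,
    required_variable_names: required_variable_names
  )
end

# … unchanged: secret_exists? …
```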
@@ -1,77 +0,0 @@ -module Authentication - module AuthnJwt - module SigningKey - # This class is responsible for variables permutation validation - FetchSigningKeySettingsFromVariables ||= CommandClass.new( - dependencies: { - check_authenticator_secret_exists: Authentication::Util::CheckAuthenticatorSecretExists.new, - fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new - }, - inputs: %i[authenticator_input] - ) do - def call - fetch_signing_key_settings - end - - private - - def fetch_signing_key_settings - if provider_uri_resource_exists? && !jwks_uri_has_resource_exists? - SigningKeySettings.new(uri: fetch_provider_uri_signing_key, - type: PROVIDER_URI_INTERFACE_NAME) - elsif jwks_uri_has_resource_exists? && !provider_uri_resource_exists? - SigningKeySettings.new(uri: fetch_jwks_uri_signing_key, - type: JWKS_URI_INTERFACE_NAME) - else - raise Errors::Authentication::AuthnJwt::InvalidUriConfiguration.new( - PROVIDER_URI_RESOURCE_NAME, - JWKS_URI_RESOURCE_NAME - ) - end - end - - def provider_uri_resource_exists? - # defined? is needed for memoization of boolean value - return @provider_uri_resource_exists if defined?(@provider_uri_resource_exists) - - @provider_uri_resource_exists = @check_authenticator_secret_exists.call( - conjur_account: @authenticator_input.account, - authenticator_name: @authenticator_input.authenticator_name, - service_id: @authenticator_input.service_id, - var_name: PROVIDER_URI_RESOURCE_NAME - ) - end - - def jwks_uri_has_resource_exists? - # defined? 
is needed for memoization of boolean value - return @jwks_uri_has_resource_exists if defined?(@jwks_uri_has_resource_exists) - - @jwks_uri_has_resource_exists = @check_authenticator_secret_exists.call( - conjur_account: @authenticator_input.account, - authenticator_name: @authenticator_input.authenticator_name, - service_id: @authenticator_input.service_id, - var_name: JWKS_URI_RESOURCE_NAME - ) - end - - def fetch_provider_uri_signing_key - @provider_uri_secret ||= @fetch_authenticator_secrets.call( - conjur_account: @authenticator_input.account, - authenticator_name: @authenticator_input.authenticator_name, - service_id: @authenticator_input.service_id, - required_variable_names: [PROVIDER_URI_RESOURCE_NAME] - )[PROVIDER_URI_RESOURCE_NAME] - end - - def fetch_jwks_uri_signing_key - @jwks_uri_secret ||= @fetch_authenticator_secrets.call( - conjur_account: @authenticator_input.account, - authenticator_name: @authenticator_input.authenticator_name, - service_id: @authenticator_input.service_id, - required_variable_names: [JWKS_URI_RESOURCE_NAME] - )[JWKS_URI_RESOURCE_NAME] - end - end - end - end -end diff --git a/app/domain/errors.rb b/app/domain/errors.rb index 622187dcbd..47bcd6398b 100644 --- a/app/domain/errors.rb +++ b/app/domain/errors.rb @@ -408,11 +408,6 @@ module AuthnJwt code: "CONJ00085E" ) - InvalidUriConfiguration = ::Util::TrackableErrorClass.new( - msg: "Signing key URI configuration is invalid", - code: "CONJ00086E" - ) - FetchJwksKeysFailed = ::Util::TrackableErrorClass.new( msg: "Failed to fetch JWKS from '{0-uri}'. Reason: '{1}'", code: "CONJ00087E" diff --git a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature b/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature index da0bb39ab8..f0815e05d9 100644 --- a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature +++ b/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature 
@@ -258,11 +258,10 @@ Feature: JWT Authenticator - Check registered claim """ And I save my place in the audit log file When I authenticate via authn-jwt with the JWT token - Then host "myapp" has been authorized by Conjur - And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user + Then the HTTP response status code is 401 And The following appears in the log after my savepoint: """ - cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw + CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/issuer """ Scenario: ONYX-8728: jwks-uri configured with correct value, issuer configured with correct value, iss claim with correct value, 200 OK diff --git a/cucumber/authenticators_jwt/features/authn_jwt_configuration.feature b/cucumber/authenticators_jwt/features/authn_jwt_configuration.feature index de45b9dc65..7a65c4109d 100644 --- a/cucumber/authenticators_jwt/features/authn_jwt_configuration.feature +++ b/cucumber/authenticators_jwt/features/authn_jwt_configuration.feature @@ -135,7 +135,7 @@ Feature: JWT Authenticator - Configuration Check Then the HTTP response status code is 401 And The following appears in the log after my savepoint: """ - CONJ00086E Signing key URI configuration is invalid + CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously """ Scenario: ONYX-8826: provider-uri configured with correct value, jwks-uri configured with empty value, error @@ -185,7 +185,7 @@ Feature: JWT Authenticator - Configuration Check Then the HTTP response status code is 401 And The following appears in the log after my savepoint: """ - CONJ00086E Signing key URI configuration is invalid + CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously """ Scenario: ONYX-8698: jwks-uri configured but variable not set 
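Review bot: This scenario's expected outcome flips from a successful authentication to a 401 with `CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/issuer`, which is a user-visible behaviour change that the commit description does not mention. It looks like a consequence of the new parameters fetcher reading every name in `SIGNING_KEY_RESOURCES_NAMES` (issuer included) up front, so a defined-but-empty issuer variable now fails before the signing key is resolved; failing closed here is the safer outcome, but existing deployments that relied on the old leniency will start rejecting tokens. The scenario title, which sits outside this hunk, and the commit message should record the new expectation so the change is deliberate rather than incidental.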
@@ -317,7 +317,7 @@ Feature: JWT Authenticator - Configuration Check Then the HTTP response status code is 401 And The following appears in the log after my savepoint: """ - CONJ00086E Signing key URI configuration is invalid + CONJ00122E Invalid signing key settings: One of jwks-uri, public-keys, and provider-uri have to be defined """ Scenario: ONYX-8695: provider-uri configured with empty value, jwks-uri configured with correct value @@ -367,7 +367,7 @@ Feature: JWT Authenticator - Configuration Check Then the HTTP response status code is 401 And The following appears in the log after my savepoint: """ - CONJ00086E Signing key URI configuration is invalid + CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously """ Scenario: ONYX-8694: Both Token identity and host send in URL, error diff --git a/cucumber/authenticators_jwt/features/authn_status_jwt.feature b/cucumber/authenticators_jwt/features/authn_status_jwt.feature index f7e8e11b32..14dda5a906 100644 --- a/cucumber/authenticators_jwt/features/authn_status_jwt.feature +++ b/cucumber/authenticators_jwt/features/authn_status_jwt.feature @@ -122,7 +122,7 @@ Feature: JWT Authenticator - Status Check And I save my place in the log file When I GET "/authn-jwt/raw/cucumber/status" Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00086E Signing key URI configuration is invalid" + And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: One of jwks-uri, public-keys, and provider-uri have to be defined" Scenario: Signing key is configured with jwks-uri and provider-uri, 500 Error Given I load a policy: 
@@ -184,7 +184,7 @@ Feature: JWT Authenticator - Status Check And I save my place in the log file When I GET "/authn-jwt/raw/cucumber/status" Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00086E Signing key URI configuration is invalid" + And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously" Scenario: ONYX-9142: User doesn't have permissions on webservice, 403 Error Given I load a policy: @@ -338,7 +338,7 @@ Feature: JWT Authenticator - Status Check And I save my place in the log file When I GET "/authn-jwt/raw/cucumber/status" Then the HTTP response status code is 500 - And the authenticator status check fails with error "CONJ00086E Signing key URI configuration is invalid" + And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: One of jwks-uri, public-keys, and provider-uri have to be defined" Scenario: ONYX-9141: Identity is configured but empty, 500 Error Given I load a policy: diff --git a/spec/app/domain/authentication/authn-jwt/signing_key/create_signing_key_provider_spec.rb b/spec/app/domain/authentication/authn-jwt/signing_key/create_signing_key_provider_spec.rb index a55f51d877..1994dfbdee 100644 --- a/spec/app/domain/authentication/authn-jwt/signing_key/create_signing_key_provider_spec.rb +++ b/spec/app/domain/authentication/authn-jwt/signing_key/create_signing_key_provider_spec.rb 
@@ -13,17 +13,8 @@ end) } - let(:authenticator_input) { - Authentication::AuthenticatorInput.new( - authenticator_name: "authn-jwt", - service_id: "my-service", - account: "my-account", - username: "dummy_identity", - credentials: "dummy", - client_ip: "dummy", - request: "dummy" - ) - } + let(:mocked_authenticator_input) { double("mocked_authenticator_input") } + let(:mocked_signing_key_parameters) { double("mocked_signing_key_parameters") } let(:mocked_signing_key_settings_type_is_wrong) { Authentication::AuthnJwt::SigningKey::SigningKeySettings.new( @@ -44,9 +35,10 @@ ) } - let(:mocked_fetch_signing_key_settings_type_is_wrong) { double("MockedFetchSigningKeySettingsTypeIsWrong") } - let(:mocked_fetch_signing_key_settings_type_jwks_uri) { double("MockedFetchSigningKeySettingsTypeJwksUri") } - let(:mocked_fetch_signing_key_settings_type_provider_uri) { double("MockedFetchSigningKeySettingsTypeProviderUri") } + let(:mocked_fetch_signing_key_parameters) { double("MockedFetchSigningKeyParameters") } + let(:mocked_build_signing_key_settings_type_is_wrong) { double("MockedBuildSigningKeySettingsTypeIsWrong") } + let(:mocked_build_signing_key_settings_type_jwks_uri) { double("MockedBuildSigningKeySettingsTypeJwksUri") } + let(:mocked_build_signing_key_settings_type_provider_uri) { double("MockedBuildSigningKeySettingsTypeProviderUri") } let(:mocked_logger) { double("Mocked logger") } 
@@ -59,16 +51,28 @@ receive(:info).and_return(nil) ) - allow(mocked_fetch_signing_key_settings_type_is_wrong).to( - receive(:call).and_return(mocked_signing_key_settings_type_is_wrong) + allow(mocked_fetch_signing_key_parameters).to( + receive(:call) + .with(authenticator_input: mocked_authenticator_input) + .and_return(mocked_signing_key_parameters) + ) + + allow(mocked_build_signing_key_settings_type_is_wrong).to( + receive(:call) + .with(signing_key_parameters: mocked_signing_key_parameters) + .and_return(mocked_signing_key_settings_type_is_wrong) ) - allow(mocked_fetch_signing_key_settings_type_jwks_uri).to( - receive(:call).and_return(mocked_signing_key_settings_type_jwks_uri) + allow(mocked_build_signing_key_settings_type_jwks_uri).to( + receive(:call) + .with(signing_key_parameters: mocked_signing_key_parameters) + .and_return(mocked_signing_key_settings_type_jwks_uri) ) - allow(mocked_fetch_signing_key_settings_type_provider_uri).to( - receive(:call).and_return(mocked_signing_key_settings_type_provider_uri) + allow(mocked_build_signing_key_settings_type_provider_uri).to( + receive(:call) + .with(signing_key_parameters: mocked_signing_key_parameters) + .and_return(mocked_signing_key_settings_type_provider_uri) ) end @@ -81,10 +85,11 @@ context "Signing key settings type is jwks-uri" do subject do ::Authentication::AuthnJwt::SigningKey::CreateSigningKeyProvider.new( - fetch_signing_key_settings: mocked_fetch_signing_key_settings_type_jwks_uri, + fetch_signing_key_parameters: mocked_fetch_signing_key_parameters, + build_signing_key_settings: mocked_build_signing_key_settings_type_jwks_uri, logger: logger ).call( - authenticator_input: authenticator_input + authenticator_input: mocked_authenticator_input ) end 
@@ -100,10 +105,11 @@ context "Signing key settings type is provider-uri" do subject do ::Authentication::AuthnJwt::SigningKey::CreateSigningKeyProvider.new( - fetch_signing_key_settings: mocked_fetch_signing_key_settings_type_provider_uri, + fetch_signing_key_parameters: mocked_fetch_signing_key_parameters, + build_signing_key_settings: mocked_build_signing_key_settings_type_provider_uri, logger: logger ).call( - authenticator_input: authenticator_input + authenticator_input: mocked_authenticator_input ) end @@ -119,10 +125,11 @@ context "Signing key settings type is wrong" do subject do ::Authentication::AuthnJwt::SigningKey::CreateSigningKeyProvider.new( - fetch_signing_key_settings: mocked_fetch_signing_key_settings_type_is_wrong, + fetch_signing_key_parameters: mocked_fetch_signing_key_parameters, + build_signing_key_settings: mocked_build_signing_key_settings_type_is_wrong, logger: mocked_logger ).call( - authenticator_input: authenticator_input + authenticator_input: mocked_authenticator_input ) end diff --git a/spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_parameters_from_variables_spec.rb b/spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_parameters_from_variables_spec.rb new file mode 100644 index 0000000000..d99d3cc75a --- /dev/null +++ b/spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_parameters_from_variables_spec.rb 
@@ -0,0 +1,180 @@ + +require 'spec_helper' +RSpec.describe('Authentication::AuthnJwt::SigningKey::FetchSigningKeyParametersFromVariables') do + + let(:authenticator_name) { 'authn-jwt' } + let(:service_id) { "my-service" } + let(:account) { 'my-account' } + let(:mocked_authenticator_input) { + Authentication::AuthenticatorInput.new( + authenticator_name: authenticator_name, + service_id: service_id, + account: account, + username: "dummy_identity", + credentials: "dummy", + client_ip: "dummy", + request: "dummy" + ) + } + + let(:jwks_uri_key) { "jwks-uri" } + let(:jwks_uri_value) { "https://jwks-uri.com/jwks" } + let(:jwks_key_value_pair) { + { + jwks_uri_key => jwks_uri_value + } + } + + let(:provider_uri_key) { "provider-uri" } + let(:provider_uri_value) { "https://provider-uri.com" } + let(:provider_key_value_pair) { + { + provider_uri_key => provider_uri_value + } + } + + let(:jwks_only_hash) { + { + "ca-cert" => nil, + "issuer" => nil, + "jwks-uri" => "https://jwks-uri.com/jwks", + "provider-uri" => nil, + "public-keys" => nil + } + } + + let(:jwks_and_provider_hash) { + { + "ca-cert" => nil, + "issuer" => nil, + "jwks-uri" => "https://jwks-uri.com/jwks", + "provider-uri" => "https://provider-uri.com", + "public-keys" => nil + } + } + + let(:mocked_check_authenticator_secret_exists_valid_settings) { double("mocked_check_authenticator_secret_exists_valid_settings") } + let(:mocked_fetch_authenticator_secrets_valid_settings) { double("mocked_fetch_authenticator_secrets_valid_settings") } + + let(:mocked_check_authenticator_secret_exists_invalid_settings) { double("mocked_check_authenticator_secret_exists_invalid_settings") } + let(:mocked_fetch_authenticator_secrets_invalid_settings) { double("mocked_fetch_authenticator_secrets_invalid_settings") } + + let(:mocked_fetch_authenticator_secrets_empty_value) { double("mocked_fetch_authenticator_secrets_empty_value") } + let(:empty_value_error) { "empty value error" } + + before(:each) do + 
allow(mocked_check_authenticator_secret_exists_valid_settings).to( + receive(:call).and_return(false) + ) + + allow(mocked_check_authenticator_secret_exists_valid_settings).to( + receive(:call).with( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + var_name: jwks_uri_key + ).and_return(true) + ) + + allow(mocked_fetch_authenticator_secrets_valid_settings).to( + receive(:call).and_return(jwks_key_value_pair) + ) + + allow(mocked_check_authenticator_secret_exists_invalid_settings).to( + receive(:call).and_return(false) + ) + + allow(mocked_check_authenticator_secret_exists_invalid_settings).to( + receive(:call).with( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + var_name: jwks_uri_key + ).and_return(true) + ) + + allow(mocked_check_authenticator_secret_exists_invalid_settings).to( + receive(:call).with( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + var_name: provider_uri_key + ).and_return(true) + ) + + allow(mocked_fetch_authenticator_secrets_invalid_settings).to( + receive(:call).with( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + required_variable_names: [jwks_uri_key] + ).and_return(jwks_key_value_pair) + ) + + allow(mocked_fetch_authenticator_secrets_invalid_settings).to( + receive(:call).with( + conjur_account: account, + authenticator_name: authenticator_name, + service_id: service_id, + required_variable_names: [provider_uri_key] + ).and_return(provider_key_value_pair) + ) + + allow(mocked_fetch_authenticator_secrets_empty_value).to( + receive(:call).and_raise(empty_value_error) + ) + end + + + # ____ _ _ ____ ____ ____ ___ ____ ___ + # (_ _)( )_( )( ___) (_ _)( ___)/ __)(_ _)/ __) + # )( ) _ ( )__) )( )__) \__ \ )( \__ \ + # (__) (_) (_)(____) (__) (____)(___/ (__) (___/ + + context "FetchSigningKeyParametersFromVariables call" do + context "with jwks-uri 
variable only" do + subject do + ::Authentication::AuthnJwt::SigningKey::FetchSigningKeyParametersFromVariables.new( + check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_valid_settings, + fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_valid_settings + ).call( + authenticator_input: mocked_authenticator_input + ) + end + + it "returns signing key settings hash" do + expect(subject).to eq(jwks_only_hash) + end + end + + context "with jwks and provider URIs variables" do + subject do + ::Authentication::AuthnJwt::SigningKey::FetchSigningKeyParametersFromVariables.new( + check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_invalid_settings, + fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_invalid_settings + ).call( + authenticator_input: mocked_authenticator_input + ) + end + + it "returns signing key settings hash" do + expect(subject).to eq(jwks_and_provider_hash) + end + end + + context "when one of variable values is empty" do + subject do + ::Authentication::AuthnJwt::SigningKey::FetchSigningKeyParametersFromVariables.new( + check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_invalid_settings, + fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_empty_value + ).call( + authenticator_input: mocked_authenticator_input + ) + end + + it "raises an error" do + expect { subject }.to raise_error(empty_value_error) + end + end + end +end diff --git a/spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_settings_from_variables_spec.rb b/spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_settings_from_variables_spec.rb deleted file mode 100644 index f7c8d29bbb..0000000000 --- a/spec/app/domain/authentication/authn-jwt/signing_key/fetch_signing_key_settings_from_variables_spec.rb +++ /dev/null 
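Review bot: The doubles are named `..._valid_settings` and `..._invalid_settings`, but `FetchSigningKeyParametersFromVariables` has no notion of validity, it only reads variables; names that describe the fixture, such as `..._jwks_only` and `..._jwks_and_provider`, would match the context titles and stop implying that this class rejects the jwks-uri plus provider-uri combination. `jwks_only_hash` and `jwks_and_provider_hash` also repeat the URL strings instead of using the `jwks_uri_value` and `provider_uri_value` lets, so a change to one let would not be caught. A third case with no variable defined, asserting a hash of all `nil` values, would cover the path the builder's "One of jwks-uri, public-keys, and provider-uri have to be defined" error depends on. The file also opens with a stray blank line before `require 'spec_helper'`.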
@@ -1,217 +0,0 @@ - -require 'spec_helper' -RSpec.describe('Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables') do - - let(:authenticator_name) { 'authn-jwt' } - let(:service_id) { "my-service" } - let(:account) { 'my-account' } - let(:mocked_authenticator_input) { - Authentication::AuthenticatorInput.new( - authenticator_name: authenticator_name, - service_id: service_id, - account: account, - username: "dummy_identity", - credentials: "dummy", - client_ip: "dummy", - request: "dummy" - ) - } - let(:mocked_provider_type) { Authentication::AuthnJwt::PROVIDER_URI_INTERFACE_NAME } - let(:mocked_provider_uri) { 'https://provider-uri.com/provider' } - let(:mocked_jwks_type) { Authentication::AuthnJwt::JWKS_URI_INTERFACE_NAME } - let(:mocked_jwks_uri) { 'http://jwks-uri.com/jwks' } - - let(:mocked_check_authenticator_secret_exists_nothing_exists) { double("mockedCheckAuthenticatorSecretExistsNothingExists") } - let(:mocked_check_authenticator_secret_exists_everything_exists) { double("mockedCheckAuthenticatorSecretExistsEverythingExists") } - let(:mocked_check_authenticator_secret_exists_jwks) { double("mockedCheckAuthenticatorSecretExistsJwks") } - let(:mocked_check_authenticator_secret_exists_provider) { double("mockedCheckAuthenticatorSecretExistsProvider") } - let(:mocked_fetch_authenticator_secrets_exist_jwks) { double("mockedFetchAuthenticatorSecretsExistJwks") } - let(:mocked_fetch_authenticator_secrets_not_exist_jwks) { double("mockedFetchAuthenticatorSecretsExistJwks")} - let(:mocked_fetch_authenticator_secrets_empty_provider) { double("mockedFetchAuthenticatorSecretsEmptyProvider")} - let(:mocked_fetch_authenticator_secrets_exist_provider) { double("MockedFetchAuthenticatorSecretsExistProvider") } - let(:mocked_logger) { double("mockedLogger") } - let(:mocked_required_secret_missing_error) { "mockedRequiredSecretMissingError" } - - before(:each) do - allow(mocked_check_authenticator_secret_exists_nothing_exists).to( - 
receive(:call).and_return(false) - ) - - allow(mocked_check_authenticator_secret_exists_everything_exists).to( - receive(:call).and_return(true) - ) - - allow(mocked_check_authenticator_secret_exists_jwks).to( - receive(:call).with( - conjur_account: anything, - authenticator_name: anything, - service_id: anything, - var_name: "jwks-uri" - ).and_return(true) - ) - - allow(mocked_check_authenticator_secret_exists_jwks).to( - receive(:call).with( - conjur_account: anything, - authenticator_name: anything, - service_id: anything, - var_name: "provider-uri" - ).and_return(false) - ) - - allow(mocked_check_authenticator_secret_exists_provider).to( - receive(:call).with( - conjur_account: anything, - authenticator_name: anything, - service_id: anything, - var_name: "jwks-uri" - ).and_return(false) - ) - - allow(mocked_check_authenticator_secret_exists_provider).to( - receive(:call).with( - conjur_account: anything, - authenticator_name: anything, - service_id: anything, - var_name: "provider-uri" - ).and_return(true) - ) - - allow(mocked_fetch_authenticator_secrets_exist_jwks).to( - receive(:call).and_return('jwks-uri' => mocked_jwks_uri) - ) - - allow(mocked_fetch_authenticator_secrets_not_exist_jwks).to( - receive(:call).and_raise(mocked_required_secret_missing_error) - ) - - allow(mocked_fetch_authenticator_secrets_exist_provider).to( - receive(:call).and_return('provider-uri' => mocked_provider_uri) - ) - - allow(mocked_fetch_authenticator_secrets_empty_provider).to( - receive(:call).and_raise(mocked_required_secret_missing_error) - ) - - allow(mocked_logger).to( - receive(:call).and_return(true) - ) - - allow(mocked_logger).to( - receive(:debug).and_return(true) - ) - - allow(mocked_logger).to( - receive(:info).and_return(true) - ) - end - - # ____ _ _ ____ ____ ____ ___ ____ ___ - # (_ _)( )_( )( ___) (_ _)( ___)/ __)(_ _)/ __) - # )( ) _ ( )__) )( )__) \__ \ )( \__ \ - # (__) (_) (_)(____) (__) (____)(___/ (__) (___/ - - context 
"fetchiSigningKeySettingsFromVariables " do - context "'jwks-uri' and 'provider-uri' exist" do - subject do - ::Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new( - check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_everything_exists - ).call( - authenticator_input: mocked_authenticator_input - ) - end - - it "raises an error" do - expect { subject }.to raise_error( - Errors::Authentication::AuthnJwt::InvalidUriConfiguration, - "CONJ00086E Signing key URI configuration is invalid") - end - end - - context "'jwks-uri' and 'provider-uri' do not exist" do - subject do - ::Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new( - check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_nothing_exists - ).call( - authenticator_input: mocked_authenticator_input - ) - end - - it "raises an error" do - expect { subject }.to raise_error( - Errors::Authentication::AuthnJwt::InvalidUriConfiguration, - "CONJ00086E Signing key URI configuration is invalid") - end - end - - context "'jwks-uri' exits and 'provider-uri' do not exist" do - context "fetching 'jwks-uri' successfully" do - subject do - ::Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new( - check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_jwks, - fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_exist_jwks, - logger: mocked_logger - ).call( - authenticator_input: mocked_authenticator_input - ) - end - - it "equals to expected signing key settings" do - expect(subject.uri).to eql(mocked_jwks_uri) - expect(subject.type).to eql(mocked_jwks_type) - end - end - - context "fetching 'jwks-uri' not successfully" do - subject do - ::Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new( - check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_jwks, - fetch_authenticator_secrets: 
mocked_fetch_authenticator_secrets_not_exist_jwks, - logger: mocked_logger - ).call( - authenticator_input: mocked_authenticator_input - ) - end - - it "raise an error" do - expect { subject }.to raise_error(mocked_required_secret_missing_error) - end - end - end - - context "'jwks-uri' does not exist and 'provider-uri' exists" do - context "fetching 'provider-uri' successfully" do - subject do - ::Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new( - check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_provider, - fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_exist_provider, - logger: mocked_logger, - ).call( - authenticator_input: mocked_authenticator_input - ) - end - - it "equals to expected signing key settings" do - expect(subject.uri).to eql(mocked_provider_uri) - expect(subject.type).to eql(mocked_provider_type) - end - end - - context "fetching 'provider-uri' not successfully" do - subject do - ::Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new( - check_authenticator_secret_exists: mocked_check_authenticator_secret_exists_provider, - fetch_authenticator_secrets: mocked_fetch_authenticator_secrets_empty_provider, - logger: mocked_logger - ).call( - authenticator_input: mocked_authenticator_input - ) - end - - it "raise an error" do - expect { subject }.to raise_error(mocked_required_secret_missing_error) - end - end - end - end -end diff --git a/spec/app/domain/authentication/authn-jwt/signing_key/signing_key_settings_builder_spec.rb b/spec/app/domain/authentication/authn-jwt/signing_key/signing_key_settings_builder_spec.rb index 863c47aa7d..d0183ff81a 100644 --- a/spec/app/domain/authentication/authn-jwt/signing_key/signing_key_settings_builder_spec.rb +++ b/spec/app/domain/authentication/authn-jwt/signing_key/signing_key_settings_builder_spec.rb @@ -149,4 +149,3 @@ end end end -