Merge pull request #886 from cyberark/693-reduce-iam-logging

693 reduce iam logging
cyberark · Feb 19, 2019 · 6a3e00c · 6a3e00c
2 parents 1d1e3a1 + 92e0b11
commit 6a3e00c
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.3.6] - 2019-02-19
+### Changed
+- Reduced IAM authentication logging
+- Refactored authentication strategies
+
+### Removed
+- Removed OIDC APIs public access
+
 ## [1.3.5] - 2019-02-07
 ### Changed
 - Rails version updated to v4.2.11.

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.3.5
+1.3.6
diff --git a/app/domain/authentication/authn_iam/authenticator.rb b/app/domain/authentication/authn_iam/authenticator.rb
@@ -5,42 +5,34 @@
 module Authentication
   module AuthnIam
     class Authenticator
-
-      InvalidAWSHeaders = ::Util::ErrorClass.new(
-        "'Invalid or Expired AWS Headers: {0}")
-
+
+      InvalidAWSHeaders = ::Util::ErrorClass.new("'Invalid or Expired AWS Headers: {0}")
+
       def initialize(env:)
         @env = env
       end
 
       def valid?(input)
-
         signed_aws_headers = JSON.parse input.password # input.password is JSON holding the AWS signed headers
 
         response_hash = identity_hash(response_from_signed_request(signed_aws_headers))
         trusted = response_hash != false
 
         trusted && iam_role_matches?(input.username, response_hash)
-
       end
 
       def identity_hash(response)
-
         Rails.logger.debug("AWS IAM get_caller_identity body\n#{response.body} ")
 
         if response.code < 300
           Hash.from_xml(response.body)
         else
           Rails.logger.error("Verification of IAM identity failed with HTTP code: #{response.code}")
           false
-        end      
-
+        end
       end
-    
+
       def iam_role_matches?(login, response_hash)
-
-        is_allowed_role = false
-
         split_assumed_role = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["Arn"].split(":")
 
         # removes the last 2 parts of login to be substituted by the info from getCallerIdentity
@@ -49,32 +41,26 @@ def iam_role_matches?(login, response_hash)
         aws_account_id = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["Account"]
         aws_user_id = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["UserId"]
         host_to_match = "#{host_prefix}/#{aws_account_id}/#{aws_role_name}"
-        
+
         Rails.logger.debug("IAM Role authentication attempt by AWS user #{aws_user_id} with host to match = #{host_to_match}")
 
         login.eql? host_to_match
-
-      end      
+      end
 
       def aws_signed_url
         return 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15'      
       end
 
       def response_from_signed_request(aws_headers)
-
         Rails.logger.debug("Retrieving IAM identity")
-        RestClient.log = Rails.logger
         begin
           RestClient.get(aws_signed_url, headers = aws_headers)
         rescue RestClient::ExceptionWithResponse => e
           Rails.logger.error("Verification of IAM identity Exception #{e.to_s}")
           raise InvalidAWSHeaders, e.to_s
         end
-
       end
-
     end
-
   end
 end