From c502e8310d528882e7cdf4020b476abb33f750dd Mon Sep 17 00:00:00 2001 From: Srdjan Grubor Date: Thu, 14 Feb 2019 16:17:37 -0600 Subject: [PATCH 1/3] Cleaned up whitespace issues in authn_iam/authenticator.rb Lots of inconsistent spacing and newlines along with an unused variable that were all cleaned up. --- .../authentication/authn_iam/authenticator.rb | 27 +++++-------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/app/domain/authentication/authn_iam/authenticator.rb b/app/domain/authentication/authn_iam/authenticator.rb index 883f563c69..853cc7c444 100755 --- a/app/domain/authentication/authn_iam/authenticator.rb +++ b/app/domain/authentication/authn_iam/authenticator.rb @@ -5,27 +5,23 @@ module Authentication module AuthnIam class Authenticator - - InvalidAWSHeaders = ::Util::ErrorClass.new( - "'Invalid or Expired AWS Headers: {0}") - + + InvalidAWSHeaders = ::Util::ErrorClass.new("'Invalid or Expired AWS Headers: {0}") + def initialize(env:) @env = env end def valid?(input) - signed_aws_headers = JSON.parse input.password # input.password is JSON holding the AWS signed headers response_hash = identity_hash(response_from_signed_request(signed_aws_headers)) trusted = response_hash != false trusted && iam_role_matches?(input.username, response_hash) - end def identity_hash(response) - Rails.logger.debug("AWS IAM get_caller_identity body\n#{response.body} ") if response.code < 300 @@ -33,14 +29,10 @@ def identity_hash(response) else Rails.logger.error("Verification of IAM identity failed with HTTP code: #{response.code}") false - end - + end end - + def iam_role_matches?(login, response_hash) - - is_allowed_role = false - split_assumed_role = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["Arn"].split(":") # removes the last 2 parts of login to be substituted by the info from getCallerIdentity 
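Review bot: The collapsed `InvalidAWSHeaders` line keeps the stray leading apostrophe from the old two-line form — `"'Invalid or Expired AWS Headers: {0}"` — and that text becomes the message of the error `response_from_signed_request` raises; drop it: `InvalidAWSHeaders = ::Util::ErrorClass.new("Invalid or Expired AWS Headers: {0}")`. In `identity_hash`, the context line `Rails.logger.debug("AWS IAM get_caller_identity body\n#{response.body} ")` still writes the whole STS response body to the log, and the later patch in this series ("Remove IAM response logging") removes only `RestClient.log = Rails.logger`, so the account id, ARN and user id that `iam_role_matches?` reads from that body are still logged at debug level; logging only `response.code` there would match the stated intent. `valid?` also parses `input.password` with `JSON.parse` and nothing in view rescues `JSON::ParserError`, so a malformed password surfaces as a parse error rather than `InvalidAWSHeaders` — presumably acceptable if a caller maps it, but worth confirming. The body of `identity_hash` continues in the next hunk.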
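Review bot: `split_assumed_role = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["Arn"].split(":")` at the end of this hunk chains three `[]` lookups and a `split` with no nil guard, so a response whose shape differs or lacks `Arn` raises `NoMethodError` instead of a clean rejection. Since `valid?` treats a falsy result from `iam_role_matches?` as a failed authentication, an explicit `result = response_hash.dig("GetCallerIdentityResponse", "GetCallerIdentityResult")` followed by `return false unless result && result["Arn"]` (if the project's Ruby has `Hash#dig`; otherwise the equivalent nested check) would make that failure deliberate, and the same applies to the `Account` and `UserId` lookups in the next hunk. `iam_role_matches?` continues past the end of this hunk.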
@@ -49,19 +41,17 @@ def iam_role_matches?(login, response_hash) aws_account_id = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["Account"] aws_user_id = response_hash["GetCallerIdentityResponse"]["GetCallerIdentityResult"]["UserId"] host_to_match = "#{host_prefix}/#{aws_account_id}/#{aws_role_name}" - + Rails.logger.debug("IAM Role authentication attempt by AWS user #{aws_user_id} with host to match = #{host_to_match}") login.eql? host_to_match - - end + end def aws_signed_url return 'https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15' end def response_from_signed_request(aws_headers) - Rails.logger.debug("Retrieving IAM identity") RestClient.log = Rails.logger begin @@ -70,11 +60,8 @@ def response_from_signed_request(aws_headers) Rails.logger.error("Verification of IAM identity Exception #{e.to_s}") raise InvalidAWSHeaders, e.to_s end - end - end - end end From 93815b50aad65ef7cf3d7331f2f4db443be28844 Mon Sep 17 00:00:00 2001 From: Srdjan Grubor Date: Thu, 14 Feb 2019 16:18:34 -0600 Subject: [PATCH 2/3] Remove IAM response logging We don't want to log potentially-sensitive information in the authentication responses from IAM (eg. token). --- app/domain/authentication/authn_iam/authenticator.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/domain/authentication/authn_iam/authenticator.rb b/app/domain/authentication/authn_iam/authenticator.rb index 853cc7c444..6ef2c61596 100755 --- a/app/domain/authentication/authn_iam/authenticator.rb +++ b/app/domain/authentication/authn_iam/authenticator.rb @@ -53,7 +53,6 @@ def aws_signed_url def response_from_signed_request(aws_headers) Rails.logger.debug("Retrieving IAM identity") - RestClient.log = Rails.logger begin RestClient.get(aws_signed_url, headers = aws_headers) rescue RestClient::ExceptionWithResponse => e From 92e0b119e10de3d4ae9a8164089e55ef5c8d0a42 Mon Sep 17 00:00:00 2001 
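Review bot: `RestClient.get(aws_signed_url, headers = aws_headers)` on the line after the removed `RestClient.log` assignment creates a throwaway local `headers` inside the argument list — the assignment's value is what is passed, so it behaves, but it reads like a keyword argument; write it as `RestClient.get(aws_signed_url, aws_headers)`. `aws_headers` is whatever `JSON.parse input.password` produced in `valid?`, and nothing in view checks that it is a Hash of header names before it is forwarded to STS; a guard such as `raise InvalidAWSHeaders, "headers must be a JSON object" unless aws_headers.is_a?(Hash)` would fail malformed input through the same error the existing `rescue` already uses. The `rescue` body and the rest of the class continue outside the hunk.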
From: Srdjan Grubor Date: Tue, 19 Feb 2019 10:32:41 -0600 Subject: [PATCH 3/3] Updated the changelog and bumped version to v1.3.6 This blob of functionality needs to go out asap so we are readying the next version. --- CHANGELOG.md | 8 ++++++++ VERSION | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e2d73f354..466fde2281 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +## [1.3.6] - 2019-02-19 +### Changed +- Reduced IAM authentication logging +- Refactored authentication strategies + +### Removed +- Removed OIDC APIs public access + ## [1.3.5] - 2019-02-07 ### Changed - Rails version updated to v4.2.11. diff --git a/VERSION b/VERSION index 80e78df683..95b25aee25 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.3.5 +1.3.6