Integrate signing keys builder into main flow

Variables values related to signing keys fetching from one side and values validation and the settings object creation are split to two classes (parameters fetcher and settings builder) both classes are used by CreateSigningKeyProvider class
cyberark · Jan 14, 2022 · ba79c6f · ba79c6f
1 parent 50d952b
commit ba79c6f
Show file tree

Hide file tree

Showing 12 changed files with 297 additions and 346 deletions.
diff --git a/app/domain/authentication/authn_jwt/consts.rb b/app/domain/authentication/authn_jwt/consts.rb
@@ -40,5 +40,13 @@ module AuthnJwt
 
     PURE_CLAIM_NAME_REGEX = /[a-zA-Z|$|_][a-zA-Z|$|_|0-9|.]*/.freeze
     PURE_NESTED_CLAIM_NAME_REGEX = /^#{PURE_CLAIM_NAME_REGEX.source}(#{PATH_DELIMITER}#{PURE_CLAIM_NAME_REGEX.source})*$/.freeze
+
+    SIGNING_KEY_RESOURCES_NAMES = [
+      JWKS_URI_RESOURCE_NAME,
+      PUBLIC_KEYS_RESOURCE_NAME,
+      PROVIDER_URI_RESOURCE_NAME,
+      CA_CERT_RESOURCE_NAME,
+      ISSUER_RESOURCE_NAME
+    ].freeze
   end
 end
diff --git a/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb b/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb
@@ -14,7 +14,8 @@ module SigningKey
             max_concurrent_requests: CACHE_MAX_CONCURRENT_REQUESTS,
             logger: Rails.logger
           ),
-          fetch_signing_key_settings: Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new,
+          fetch_signing_key_parameters: Authentication::AuthnJwt::SigningKey::FetchSigningKeyParametersFromVariables.new,
+          build_signing_key_settings: Authentication::AuthnJwt::SigningKey::SigningKeySettingsBuilder.new,
           fetch_provider_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchProviderUriSigningKey,
           fetch_jwks_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey,
           logger: Rails.logger
@@ -23,20 +24,26 @@ module SigningKey
       ) do
         def call
           @logger.debug(LogMessages::Authentication::AuthnJwt::SelectingSigningKeyInterface.new)
-          fetch_signing_key_settings
+          build_signing_key_settings
           create_signing_key_provider
         end
 
         private
 
-        def fetch_signing_key_settings
-          @signing_key_settings ||= @fetch_signing_key_settings.call(
-            authenticator_input: @authenticator_input
-          )
+        def build_signing_key_settings
+          signing_key_settings
         end
 
         def signing_key_settings
-          fetch_signing_key_settings
+          @signing_key_settings ||= @build_signing_key_settings.call(
+            signing_key_parameters: signing_key_parameters
+          )
+        end
+
+        def signing_key_parameters
+          @signing_key_parameters ||= @fetch_signing_key_parameters.call(
+            authenticator_input: @authenticator_input
+          )
         end
 
         def create_signing_key_provider
@@ -46,9 +53,7 @@ def create_signing_key_provider
           when PROVIDER_URI_INTERFACE_NAME
             fetch_provider_uri_signing_key
           else
-            raise Errors::Authentication::AuthnJwt::InvalidSigningKeyType.new(
-              signing_key_settings.type
-            )
+            raise Errors::Authentication::AuthnJwt::InvalidSigningKeyType, signing_key_settings.type
           end
         end
 

diff --git a/...omain/authentication/authn_jwt/signing_key/fetch_signing_key_parameters_from_variables.rb b/...omain/authentication/authn_jwt/signing_key/fetch_signing_key_parameters_from_variables.rb
@@ -0,0 +1,52 @@
+module Authentication
+  module AuthnJwt
+    module SigningKey
+      # This class is responsible for fetching values of all variables related
+      # to signing key settings area
+      FetchSigningKeyParametersFromVariables ||= CommandClass.new(
+        dependencies: {
+          check_authenticator_secret_exists: Authentication::Util::CheckAuthenticatorSecretExists.new,
+          fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new
+        },
+        inputs: %i[authenticator_input]
+      ) do
+        def call
+          fetch_variables_values
+          variables_values
+        end
+
+        private
+
+        def fetch_variables_values
+          SIGNING_KEY_RESOURCES_NAMES.each do |name|
+            variables_values[name] = secret_value(secret_name: name)
+          end
+        end
+
+        def variables_values
+          @variables_values ||= {}
+        end
+
+        def secret_value(secret_name:)
+          return nil unless secret_exists?(secret_name: secret_name)
+
+          @fetch_authenticator_secrets.call(
+            conjur_account: @authenticator_input.account,
+            authenticator_name: @authenticator_input.authenticator_name,
+            service_id: @authenticator_input.service_id,
+            required_variable_names: [secret_name]
+          )[secret_name]
+        end
+
+        def secret_exists?(secret_name:)
+          @check_authenticator_secret_exists.call(
+            conjur_account: @authenticator_input.account,
+            authenticator_name: @authenticator_input.authenticator_name,
+            service_id: @authenticator_input.service_id,
+            var_name: secret_name
+          )
+        end
+      end
+    end
+  end
+end
diff --git a/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_settings_from_variables.rb b/app/domain/authentication/authn_jwt/signing_key/fetch_signing_key_settings_from_variables.rb
diff --git a/app/domain/errors.rb b/app/domain/errors.rb
@@ -408,11 +408,6 @@ module AuthnJwt
         code: "CONJ00085E"
       )
 
-      InvalidUriConfiguration = ::Util::TrackableErrorClass.new(
-        msg: "Signing key URI configuration is invalid",
-        code: "CONJ00086E"
-      )
-
       FetchJwksKeysFailed = ::Util::TrackableErrorClass.new(
         msg: "Failed to fetch JWKS from '{0-uri}'. Reason: '{1}'",
         code: "CONJ00087E"

diff --git a/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature b/cucumber/authenticators_jwt/features/authn_jwt_check_standard_claims.feature
@@ -258,11 +258,10 @@ Feature: JWT Authenticator - Check registered claim
     """
     And I save my place in the audit log file
     When I authenticate via authn-jwt with the JWT token
-    Then host "myapp" has been authorized by Conjur
-    And I successfully GET "/secrets/cucumber/variable/test-variable" with authorized user
+    Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    cucumber:host:myapp successfully authenticated with authenticator authn-jwt service cucumber:webservice:conjur/authn-jwt/raw
+    CONJ00037E Missing value for resource: cucumber:variable:conjur/authn-jwt/raw/issuer
     """
 
   Scenario: ONYX-8728: jwks-uri configured with correct value, issuer configured with correct value, iss claim with correct value, 200 OK

diff --git a/cucumber/authenticators_jwt/features/authn_jwt_configuration.feature b/cucumber/authenticators_jwt/features/authn_jwt_configuration.feature
@@ -135,7 +135,7 @@ Feature: JWT Authenticator - Configuration Check
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00086E Signing key URI configuration is invalid
+    CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously
     """
 
   Scenario: ONYX-8826: provider-uri configured with correct value, jwks-uri configured with empty value, error
@@ -185,7 +185,7 @@ Feature: JWT Authenticator - Configuration Check
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00086E Signing key URI configuration is invalid
+    CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously
     """
 
   Scenario: ONYX-8698: jwks-uri configured but variable not set
@@ -317,7 +317,7 @@ Feature: JWT Authenticator - Configuration Check
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00086E Signing key URI configuration is invalid
+    CONJ00122E Invalid signing key settings: One of jwks-uri, public-keys, and provider-uri have to be defined
     """
 
   Scenario: ONYX-8695: provider-uri configured with empty value, jwks-uri configured with correct value
@@ -367,7 +367,7 @@ Feature: JWT Authenticator - Configuration Check
     Then the HTTP response status code is 401
     And The following appears in the log after my savepoint:
     """
-    CONJ00086E Signing key URI configuration is invalid
+    CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously
     """
 
   Scenario: ONYX-8694: Both Token identity and host send in URL, error

diff --git a/cucumber/authenticators_jwt/features/authn_status_jwt.feature b/cucumber/authenticators_jwt/features/authn_status_jwt.feature
@@ -122,7 +122,7 @@ Feature: JWT Authenticator - Status Check
     And I save my place in the log file
     When I GET "/authn-jwt/raw/cucumber/status"
     Then the HTTP response status code is 500
-    And the authenticator status check fails with error "CONJ00086E Signing key URI configuration is invalid"
+    And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: One of jwks-uri, public-keys, and provider-uri have to be defined"
 
   Scenario: Signing key is configured with jwks-uri and provider-uri, 500 Error
     Given I load a policy:
@@ -184,7 +184,7 @@ Feature: JWT Authenticator - Status Check
     And I save my place in the log file
     When I GET "/authn-jwt/raw/cucumber/status"
     Then the HTTP response status code is 500
-    And the authenticator status check fails with error "CONJ00086E Signing key URI configuration is invalid"
+    And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: jwks-uri and provider-uri cannot be define simultaneously"
 
   Scenario: ONYX-9142: User doesn't have permissions on webservice, 403 Error
     Given I load a policy:
@@ -338,7 +338,7 @@ Feature: JWT Authenticator - Status Check
     And I save my place in the log file
     When I GET "/authn-jwt/raw/cucumber/status"
     Then the HTTP response status code is 500
-    And the authenticator status check fails with error "CONJ00086E Signing key URI configuration is invalid"
+    And the authenticator status check fails with error "CONJ00122E Invalid signing key settings: One of jwks-uri, public-keys, and provider-uri have to be defined"
 
   Scenario: ONYX-9141: Identity is configured but empty, 500 Error
     Given I load a policy:

diff --git a/spec/app/domain/authentication/authn-jwt/signing_key/create_signing_key_provider_spec.rb b/spec/app/domain/authentication/authn-jwt/signing_key/create_signing_key_provider_spec.rb
@@ -13,17 +13,8 @@
       end)
   }
 
-  let(:authenticator_input) {
-    Authentication::AuthenticatorInput.new(
-      authenticator_name: "authn-jwt",
-      service_id: "my-service",
-      account: "my-account",
-      username: "dummy_identity",
-      credentials: "dummy",
-      client_ip: "dummy",
-      request: "dummy"
-    )
-  }
+  let(:mocked_authenticator_input) { double("mocked_authenticator_input") }
+  let(:mocked_signing_key_parameters) { double("mocked_signing_key_parameters") }
 
   let(:mocked_signing_key_settings_type_is_wrong) {
     Authentication::AuthnJwt::SigningKey::SigningKeySettings.new(
@@ -44,9 +35,10 @@
     )
   }
 
-  let(:mocked_fetch_signing_key_settings_type_is_wrong) { double("MockedFetchSigningKeySettingsTypeIsWrong") }
-  let(:mocked_fetch_signing_key_settings_type_jwks_uri) { double("MockedFetchSigningKeySettingsTypeJwksUri") }
-  let(:mocked_fetch_signing_key_settings_type_provider_uri) { double("MockedFetchSigningKeySettingsTypeProviderUri") }
+  let(:mocked_fetch_signing_key_parameters) { double("MockedFetchSigningKeyParameters") }
+  let(:mocked_build_signing_key_settings_type_is_wrong) { double("MockedBuildSigningKeySettingsTypeIsWrong") }
+  let(:mocked_build_signing_key_settings_type_jwks_uri) { double("MockedBuildSigningKeySettingsTypeJwksUri") }
+  let(:mocked_build_signing_key_settings_type_provider_uri) { double("MockedBuildSigningKeySettingsTypeProviderUri") }
 
   let(:mocked_logger) { double("Mocked logger")  }
 
@@ -59,16 +51,28 @@
       receive(:info).and_return(nil)
     )
 
-    allow(mocked_fetch_signing_key_settings_type_is_wrong).to(
-      receive(:call).and_return(mocked_signing_key_settings_type_is_wrong)
+    allow(mocked_fetch_signing_key_parameters).to(
+      receive(:call)
+        .with(authenticator_input: mocked_authenticator_input)
+        .and_return(mocked_signing_key_parameters)
+    )
+
+    allow(mocked_build_signing_key_settings_type_is_wrong).to(
+      receive(:call)
+        .with(signing_key_parameters: mocked_signing_key_parameters)
+        .and_return(mocked_signing_key_settings_type_is_wrong)
     )
 
-    allow(mocked_fetch_signing_key_settings_type_jwks_uri).to(
-      receive(:call).and_return(mocked_signing_key_settings_type_jwks_uri)
+    allow(mocked_build_signing_key_settings_type_jwks_uri).to(
+      receive(:call)
+        .with(signing_key_parameters: mocked_signing_key_parameters)
+        .and_return(mocked_signing_key_settings_type_jwks_uri)
     )
 
-    allow(mocked_fetch_signing_key_settings_type_provider_uri).to(
-      receive(:call).and_return(mocked_signing_key_settings_type_provider_uri)
+    allow(mocked_build_signing_key_settings_type_provider_uri).to(
+      receive(:call)
+        .with(signing_key_parameters: mocked_signing_key_parameters)
+        .and_return(mocked_signing_key_settings_type_provider_uri)
     )
   end
 
@@ -81,10 +85,11 @@
     context "Signing key settings type is jwks-uri" do
       subject do
         ::Authentication::AuthnJwt::SigningKey::CreateSigningKeyProvider.new(
-          fetch_signing_key_settings: mocked_fetch_signing_key_settings_type_jwks_uri,
+          fetch_signing_key_parameters: mocked_fetch_signing_key_parameters,
+          build_signing_key_settings: mocked_build_signing_key_settings_type_jwks_uri,
           logger: logger
         ).call(
-          authenticator_input: authenticator_input
+          authenticator_input: mocked_authenticator_input
         )
       end
 
@@ -100,10 +105,11 @@
     context "Signing key settings type is provider-uri" do
       subject do
         ::Authentication::AuthnJwt::SigningKey::CreateSigningKeyProvider.new(
-          fetch_signing_key_settings: mocked_fetch_signing_key_settings_type_provider_uri,
+          fetch_signing_key_parameters: mocked_fetch_signing_key_parameters,
+          build_signing_key_settings: mocked_build_signing_key_settings_type_provider_uri,
           logger: logger
         ).call(
-          authenticator_input: authenticator_input
+          authenticator_input: mocked_authenticator_input
         )
       end
 
@@ -119,10 +125,11 @@
     context "Signing key settings type is wrong" do
       subject do
         ::Authentication::AuthnJwt::SigningKey::CreateSigningKeyProvider.new(
-          fetch_signing_key_settings: mocked_fetch_signing_key_settings_type_is_wrong,
+          fetch_signing_key_parameters: mocked_fetch_signing_key_parameters,
+          build_signing_key_settings: mocked_build_signing_key_settings_type_is_wrong,
           logger: mocked_logger
         ).call(
-          authenticator_input: authenticator_input
+          authenticator_input: mocked_authenticator_input
         )
       end