Attempting to rotate a non-existent entity's API key with basic auth (API key/pass) rotates your own API key #1914

Closed
2 of 5 tasks
sgnn7 opened this issue Oct 29, 2020 · 0 comments · Fixed by #1924

sgnn7 commented Oct 29, 2020

Summary

Currently, when using HTTP basic auth, attempting to rotate another entity's (host's/user's) API key rotates your own key. While rotating another's API key is not supported with an API key, the UX of the current behavior makes it appear that it worked even though it should not have. Compounding this problem, after the action succeeds, the invoking user's API key is rotated. Interestingly enough, if the user exists and basic auth is used, we get the proper error that another user's API key cannot be rotated this way.

Steps to Reproduce

curl -v -k -f -X PUT --user alice:<api_key> 'https://<conjur_host>/authn/dev/api_key?role=dev:user:doesnotexist'

Expected Results

One of the following:

  • An error that specifies that you cannot change another user's/host's API key using basic auth, just as happens when you target an existing entity (other than self).
  • Or allow changing another user's API key via your own API key, using the same logic for the query param as we do when a token is used for auth.

Actual Results (including error logs, if applicable)

Successful response with a rotated API key (your own)

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

1.10.0

Environment setup

Full minimal setup can be found here: https://gist.github.com/sgnn7/7f59f12c99b18d3a0e9d5af9cafcc08a

Additional Information
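The failure mode reported above, as an added illustration that is not Conjur's code or the fix in #1924: a minimal Ruby model of the rotate-API-key dispatch, with a buggy variant that looks up the `?role=` target first and silently falls back to the caller on a miss, beside a fixed variant that enforces the basic-auth rule on the requested target before any lookup. The in-memory role store, the `auth` hash shape and the method names are assumptions made for this example.

```ruby
# Added example: hypothetical model of the rotate-API-key endpoint.
# NOT Conjur's code; the role store, auth hash and names are assumptions.
require 'securerandom'

class Forbidden < StandardError; end
class NotFound < StandardError; end

class ApiKeyRotator
  # roles: constructed in-memory store of role id => current API key
  def initialize(roles)
    @roles = roles
  end

  # auth is the already-authenticated caller, e.g.
  #   { method: :basic, role: 'dev:user:alice' }  (API key/password)
  #   { method: :token, role: 'dev:user:alice' }  (access token)
  # Buggy variant: the ?role= target is resolved first and a miss falls
  # back to the caller, so "rotate doesnotexist" rotates the caller's key.
  def rotate_buggy(auth, role_param)
    target = role_param && @roles.key?(role_param) ? role_param : nil
    if target && target != auth[:role] && auth[:method] == :basic
      raise Forbidden, 'cannot rotate another role via basic auth'
    end
    target ||= auth[:role] # nonexistent target silently becomes "self"
    issue_key(target)
  end

  # Fixed variant: derive the target from the request alone, enforce the
  # basic-auth rule on that target, and only then look it up.
  def rotate_fixed(auth, role_param)
    target = role_param || auth[:role]
    if auth[:method] == :basic && target != auth[:role]
      raise Forbidden, 'cannot rotate another role via basic auth'
    end
    raise NotFound, "role #{target} not found" unless @roles.key?(target)
    issue_key(target)
  end

  private

  # Replace the stored key and return [role_id, new_key].
  def issue_key(role_id)
    @roles[role_id] = SecureRandom.hex(16)
    [role_id, @roles[role_id]]
  end
end
```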
