From 4fcd92a330d87d588fc96a69c1568c2b05a60aad Mon Sep 17 00:00:00 2001
From: Jason Vanderhoof
Date: Thu, 29 Dec 2022 11:21:46 -0700
Subject: [PATCH] Adds status support for V2 OIDC Authenticators
This commit adds support for checking a V2 authenticator configuration using the authenticator status endpoint. Previously, status was invalid because the required variables differ between version 1 and 2.
---
 CHANGELOG.md | 3 ++
 .../authn_oidc/authenticator.rb | 31 ++++++++++++++++++-
 .../authn_oidc/validate_status.rb | 9 ++----
 3 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b586d7f7e..4818b14335 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 the OIDC provider endpoint would include duplicate OIDC authenticators.
 This change resolves ONYX-25530.
 [cyberark/conjur#2678](https://github.com/cyberark/conjur/pull/2678)
+- Allows V2 OIDC authenticators to be checked through the authenticator status
+ endpoint. This change resolves ONYX-25531.
+ [cyberark/conjur#2692](https://github.com/cyberark/conjur/pull/2692)
 ### Added
 - Provides support for PKCE in the OIDC Authenticator code redirect workflow.
diff --git a/app/domain/authentication/authn_oidc/authenticator.rb b/app/domain/authentication/authn_oidc/authenticator.rb
index cb00bc2030..ddf165f989 100644
--- a/app/domain/authentication/authn_oidc/authenticator.rb
+++ b/app/domain/authentication/authn_oidc/authenticator.rb
@@ -23,10 +23,39 @@ def valid?(input)
 end
 def status(authenticator_status_input:)
- Authentication::AuthnOidc::ValidateStatus.new.(
+ # The following is intended as a short-term fix for dealing
+ # with two versions of the OIDC authenticator. In the medium
+ # term, we need to port the V1 functionality to V2. Once that
+ # is done, the following check can be removed.
+
+ # Attempt to load the V2 version of the OIDC Authenticator
+ data_object = if Rails.configuration.feature_flags.enabled?(:pkce_support)
+ Authentication::AuthnOidc::PkceSupportFeature::DataObjects::Authenticator
+ else
+ Authentication::AuthnOidc::V2::DataObjects::Authenticator
+ end
+ authenticator = DB::Repository::AuthenticatorRepository.new(
+ data_object: data_object
+ ).find(
+ type: authenticator_status_input.authenticator_name,
 account: authenticator_status_input.account,
 service_id: authenticator_status_input.service_id
 )
+ # If successful, validate the new set of required variables
+ if authenticator.present?
+ Authentication::AuthnOidc::ValidateStatus.new(
+ required_variable_names: %w[provider-uri client-id client-secret claim-mapping]
+ ).(
+ account: authenticator_status_input.account,
+ service_id: authenticator_status_input.service_id
+ )
+ else
+ # Otherwise, perform the default check
+ Authentication::AuthnOidc::ValidateStatus.new.(
+ account: authenticator_status_input.account,
+ service_id: authenticator_status_input.service_id
+ )
+ end
 end
 end
 end
diff --git a/app/domain/authentication/authn_oidc/validate_status.rb b/app/domain/authentication/authn_oidc/validate_status.rb
index 84d60fc0c3..eb24824df1 100644
--- a/app/domain/authentication/authn_oidc/validate_status.rb
+++ b/app/domain/authentication/authn_oidc/validate_status.rb
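Review bot: The two branches after `if authenticator.present?` differ only in the `required_variable_names` handed to `ValidateStatus.new`, yet the `.(account:, service_id:)` invocation is written out twice; selecting the validator in the conditional and calling it once keeps the V1/V2 split in a single place. That matters because the hard-coded V2 list `%w[provider-uri client-id client-secret claim-mapping]` presumably mirrors what the V2 data object already declares (not visible here) and now has to be kept in sync by hand. It is also worth confirming what `AuthenticatorRepository#find` returns for a V2 authenticator with a partially missing configuration: if it yields nil rather than raising, the status check silently falls back to the V1 variable set and would report `id-token-user-property` as missing for a V2 configuration, which is a misleading diagnostic for the operator. `status` is fully inside the hunk, but the enclosing class and module close on the hunk's last lines.
```ruby
      # … unchanged: short-term-fix comment, data_object selection, repository lookup …
      validate_status = if authenticator.present?
        # V2 configuration found: check the V2 variable set
        Authentication::AuthnOidc::ValidateStatus.new(
          required_variable_names: %w[provider-uri client-id client-secret claim-mapping]
        )
      else
        # No V2 record: fall back to the V1 default variable set
        Authentication::AuthnOidc::ValidateStatus.new
      end
      validate_status.(
        account: authenticator_status_input.account,
        service_id: authenticator_status_input.service_id
      )
```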
@@ -4,7 +4,8 @@ module AuthnOidc
 ValidateStatus = CommandClass.new(
 dependencies: {
 fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
- discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new
+ discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new,
+ required_variable_names: %w[provider-uri id-token-user-property]
 },
 inputs: %i[account service_id]
 ) do
@@ -29,14 +30,10 @@ def oidc_authenticator_secrets
 service_id: @service_id,
 conjur_account: @account,
 authenticator_name: "authn-oidc",
- required_variable_names: required_variable_names
+ required_variable_names: @required_variable_names
 )
 end
- def required_variable_names
- @required_variable_names ||= %w[provider-uri id-token-user-property]
- end
-
 def validate_provider_is_responsive
 @discover_identity_provider.(
 provider_uri: provider_uri
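Review bot: `required_variable_names` is added to the `dependencies:` hash of `CommandClass.new`, which otherwise holds injected collaborators (`fetch_authenticator_secrets`, `discover_identity_provider`); a plain list of variable names is configuration rather than a collaborator, and a reader scanning the dependencies will expect an object with a call interface. A comment on the new line, such as `# Names of the authenticator variables that must be present; V2 callers inject their own set`, would explain why a data value lives here and which callers override it. The default array is also not frozen, so any caller that mutates the list it receives would alter the shared default for every later instance; `%w[provider-uri id-token-user-property].freeze` rules that out. The `CommandClass.new` block opened in this hunk continues outside it.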