Integrate signing key settings and settings fetcher to main flow

cyberark · Jan 11, 2022 · 06047d7 · 06047d7
1 parent 28c998b
commit 06047d7
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 279 deletions.
diff --git a/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb b/app/domain/authentication/authn_jwt/signing_key/create_signing_key_provider.rb
@@ -14,73 +14,60 @@ module SigningKey
             max_concurrent_requests: CACHE_MAX_CONCURRENT_REQUESTS,
             logger: Rails.logger
           ),
+          fetch_signing_key_settings: Authentication::AuthnJwt::SigningKey::FetchSigningKeySettingsFromVariables.new,
           fetch_provider_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchProviderUriSigningKey,
           fetch_jwks_uri_signing_key_class: Authentication::AuthnJwt::SigningKey::FetchJwksUriSigningKey,
-          check_authenticator_secret_exists: Authentication::Util::CheckAuthenticatorSecretExists.new,
           logger: Rails.logger
         },
         inputs: %i[authenticator_input]
       ) do
         def call
           @logger.debug(LogMessages::Authentication::AuthnJwt::SelectingSigningKeyInterface.new)
+          fetch_signing_key_settings
           create_signing_key_provider
         end
 
         private
 
+        def fetch_signing_key_settings
+          @signing_key_settings ||= @fetch_signing_key_settings.call(
+            authenticator_input: @authenticator_input
+          )
+        end
+
+        def signing_key_settings
+          fetch_signing_key_settings
+        end
+
         def create_signing_key_provider
-          if provider_uri_resource_exists? and !jwks_uri_has_resource_exists?
-            fetch_provider_uri_signing_key
-          elsif jwks_uri_has_resource_exists? and !provider_uri_resource_exists?
+          case signing_key_settings.type
+          when JWKS_URI_INTERFACE_NAME
             fetch_jwks_uri_signing_key
+          when PROVIDER_URI_INTERFACE_NAME
+            fetch_provider_uri_signing_key
           else
-            raise Errors::Authentication::AuthnJwt::InvalidUriConfiguration.new(
-              PROVIDER_URI_RESOURCE_NAME,
-              JWKS_URI_RESOURCE_NAME
+            raise Errors::Authentication::AuthnJwt::InvalidSigningKeyType.new(
+              signing_key_settings.type
             )
           end
         end
 
-        def provider_uri_resource_exists?
-          # defined? is needed for memoization of boolean value
-          return @provider_uri_resource_exists if defined?(@provider_uri_resource_exists)
-
-          @provider_uri_resource_exists = @check_authenticator_secret_exists.call(
-            conjur_account: @authenticator_input.account,
-            authenticator_name: @authenticator_input.authenticator_name,
-            service_id: @authenticator_input.service_id,
-            var_name: PROVIDER_URI_RESOURCE_NAME
-          )
-        end
-
         def fetch_provider_uri_signing_key
           @logger.info(
             LogMessages::Authentication::AuthnJwt::SelectedSigningKeyInterface.new(PROVIDER_URI_INTERFACE_NAME)
           )
           @fetch_provider_uri_signing_key ||= @fetch_provider_uri_signing_key_class.new(
-            authenticator_input: @authenticator_input,
+            provider_uri: signing_key_settings.uri,
             fetch_signing_key: @fetch_signing_key
           )
         end
 
-        def jwks_uri_has_resource_exists?
-          # defined? is needed for memoization of boolean value
-          return @jwks_uri_has_resource_exists if defined?(@jwks_uri_has_resource_exists)
-
-          @jwks_uri_has_resource_exists = @check_authenticator_secret_exists.call(
-            conjur_account: @authenticator_input.account,
-            authenticator_name: @authenticator_input.authenticator_name,
-            service_id: @authenticator_input.service_id,
-            var_name: JWKS_URI_RESOURCE_NAME
-          )
-        end
-
         def fetch_jwks_uri_signing_key
           @logger.info(
             LogMessages::Authentication::AuthnJwt::SelectedSigningKeyInterface.new(JWKS_URI_INTERFACE_NAME)
           )
           @fetch_jwks_uri_signing_key ||= @fetch_jwks_uri_signing_key_class.new(
-            authenticator_input: @authenticator_input,
+            jwks_uri: signing_key_settings.uri,
             fetch_signing_key: @fetch_signing_key
           )
         end

diff --git a/app/domain/authentication/authn_jwt/signing_key/fetch_jwks_uri_signing_key.rb b/app/domain/authentication/authn_jwt/signing_key/fetch_jwks_uri_signing_key.rb
@@ -9,66 +9,46 @@ module SigningKey
       class FetchJwksUriSigningKey
 
         def initialize(
-          authenticator_input:,
+          jwks_uri:,
           fetch_signing_key:,
           ca_cert: nil,
-          fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
           http_lib: Net::HTTP,
           create_jwks_from_http_response: CreateJwksFromHttpResponse.new,
           logger: Rails.logger
         )
           @logger = logger
           @http_lib = http_lib
           @create_jwks_from_http_response = create_jwks_from_http_response
-          @fetch_authenticator_secrets = fetch_authenticator_secrets
 
-          @authenticator_input = authenticator_input
+          @jwks_uri = jwks_uri
           @fetch_signing_key = fetch_signing_key
           @ca_cert = ca_cert
         end
 
         def call(force_fetch:)
           @fetch_signing_key.call(
             refresh: force_fetch,
-            cache_key: jwks_uri,
+            cache_key: @jwks_uri,
             signing_key_provider: self
           )
         end
 
         def fetch_signing_key
-          fetch_jwks_uri
           fetch_jwks_keys
           create_jwks_from_http_response
         end
 
         private
 
-        def fetch_jwks_uri
-          jwks_uri
-        end
-
-        def jwks_uri
-          @jwks_uri ||= jwks_uri_secret
-        end
-
-        def jwks_uri_secret
-          @jwks_uri_secret ||= @fetch_authenticator_secrets.call(
-            conjur_account: @authenticator_input.account,
-            authenticator_name: @authenticator_input.authenticator_name,
-            service_id: @authenticator_input.service_id,
-            required_variable_names: [JWKS_URI_RESOURCE_NAME]
-          )[JWKS_URI_RESOURCE_NAME]
-        end
-
         def fetch_jwks_keys
           jwks_keys
         end
 
         def jwks_keys
           return @jwks_keys if defined?(@jwks_keys)
 
-          uri = URI(jwks_uri)
-          @logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(jwks_uri))
+          uri = URI(@jwks_uri)
+          @logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(@jwks_uri))
           @jwks_keys = net_http_start(
             uri.host,
             uri.port,
@@ -77,15 +57,15 @@ def jwks_keys
           @logger.debug(LogMessages::Authentication::AuthnJwt::FetchJwtUriKeysSuccess.new)
         rescue => e
           raise Errors::Authentication::AuthnJwt::FetchJwksKeysFailed.new(
-            jwks_uri,
+            @jwks_uri,
             e.inspect
           )
         end
 
         def net_http_start(host, port, use_ssl, &block)
           if @ca_cert && !use_ssl
             raise Errors::Authentication::AuthnJwt::FetchJwksKeysFailed.new(
-              jwks_uri,
+              @jwks_uri,
               "TLS misconfiguration - ca-cert is provided but jwks-uri URI scheme is http"
             )
           end
@@ -117,7 +97,7 @@ def net_http_start_without_ca_cert(host, port, use_ssl, &block)
         end
 
         def create_jwks_from_http_response
-          @create_jwks_from_http_response.call(http_response: jwks_keys)
+          @create_jwks_from_http_response.call(http_response: @jwks_keys)
         end
       end
     end

diff --git a/app/domain/authentication/authn_jwt/signing_key/fetch_provider_uri_signing_key.rb b/app/domain/authentication/authn_jwt/signing_key/fetch_provider_uri_signing_key.rb
@@ -5,24 +5,22 @@ module SigningKey
       class FetchProviderUriSigningKey
 
         def initialize(
-          authenticator_input:,
+          provider_uri:,
           fetch_signing_key:,
-          fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new,
           discover_identity_provider: Authentication::OAuth::DiscoverIdentityProvider.new,
           logger: Rails.logger
         )
           @logger = logger
-          @fetch_authenticator_secrets = fetch_authenticator_secrets
           @discover_identity_provider = discover_identity_provider
 
-          @authenticator_input = authenticator_input
+          @provider_uri = provider_uri
           @fetch_signing_key = fetch_signing_key
         end
 
         def call(force_fetch:)
           @fetch_signing_key.call(
             refresh: force_fetch,
-            cache_key: provider_uri,
+            cache_key: @provider_uri,
             signing_key_provider: self
           )
         end
@@ -35,36 +33,23 @@ def fetch_signing_key
         private
 
         def discover_provider
-          @logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(provider_uri))
+          @logger.info(LogMessages::Authentication::AuthnJwt::FetchingJwksFromProvider.new(@provider_uri))
           discovered_provider
         end
 
         def discovered_provider
           @discovered_provider ||= @discover_identity_provider.call(
-            provider_uri: provider_uri
+            provider_uri: @provider_uri
           )
         end
 
-        def provider_uri
-          @provider_uri ||= provider_uri_secret
-        end
-
-        def provider_uri_secret
-          @provider_uri_secret ||= @fetch_authenticator_secrets.call(
-            conjur_account: @authenticator_input.account,
-            authenticator_name: @authenticator_input.authenticator_name,
-            service_id: @authenticator_input.service_id,
-            required_variable_names: [PROVIDER_URI_RESOURCE_NAME]
-          )[PROVIDER_URI_RESOURCE_NAME]
-        end
-
         def fetch_provider_keys
           keys = { keys: discovered_provider.jwks }
           @logger.debug(LogMessages::Authentication::OAuth::FetchProviderKeysSuccess.new)
           keys
         rescue => e
           raise Errors::Authentication::OAuth::FetchProviderKeysFailed.new(
-            provider_uri,
+            @provider_uri,
             e.inspect
           )
         end

diff --git a/app/domain/errors.rb b/app/domain/errors.rb
@@ -583,6 +583,11 @@ module AuthnJwt
         msg: "Failed to parse 'public-keys': {0-parse-error}",
         code: "CONJ00120E"
       )
+
+      InvalidSigningKeyType = ::Util::TrackableErrorClass.new(
+        msg: "Signing key type '{0-type}' is invalid",
+        code: "CONJ00121E"
+      )
     end
 
     module ResourceRestrictions