Merge pull request #215 from cyberark/enable-authenticator

Add new route for enabling authenticator with default service
cyberark · Dec 22, 2021 · 082e7a3 · 082e7a3
2 parents c6455ca + 8997e7c
commit 082e7a3
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 0 deletions.
diff --git a/spec/authentication.yml b/spec/authentication.yml
@@ -980,6 +980,68 @@ components:
           - basicAuth: []
             conjurAuth: []
 
+    EnableAuthenticator:
+      parameters:
+        - $ref: 'openapi.yml#/components/parameters/RequestID'
+      patch:
+        tags:
+          - "authentication"
+        summary: "Enables or disables authenticator defined without service_id."
+        description: |
+          Allows you to either enable or disable a given authenticator that does not have service_id (For example: authn-gcp).
+
+          When you enable or disable an authenticator via this
+          endpoint, the status of the authenticator is stored
+          in the Conjur database. The enablement status of the authenticator
+          service may be overridden by setting the `CONJUR_AUTHENTICATORS`
+          environment variable on the Conjur server; in the case where this
+          environment variable is set, the database record of whether the
+          authenticator service is enabled will be ignored.
+
+          **This endpoint is part of an early implementation of support for enabling Conjur
+          authenticators via the API, and is currently available at the Community
+          (or early alpha) level. This endpoint is still subject to breaking
+          changes in the future.**
+        operationId: "enableAuthenticator"
+        parameters:
+          - name: "authenticator"
+            in: "path"
+            description: "The authenticator to update"
+            required: true
+            schema:
+              $ref: '#/components/schemas/ServiceAuthenticators'
+            example: "authn-gcp"
+
+          - name: "account"
+            in: "path"
+            description: "Organization account name"
+            required: true
+            schema:
+              type: string
+            example: "dev"
+
+        requestBody:
+          description: |
+            Contains either `enabled=true` or `enabled=false` to
+            enable or disable an authenticator
+          required: true
+          content:
+            application/x-www-form-urlencoded:
+              schema:
+                $ref: '#/components/schemas/EnableAuthenticatorSetting'
+
+        responses:
+          "204":
+            description: "The config was updated properly"
+          "400":
+            $ref: 'openapi.yml#/components/responses/BadRequest'
+          "401":
+            $ref: 'openapi.yml#/components/responses/UnauthorizedError'
+          "404":
+            $ref: 'openapi.yml#/components/responses/ResourceNotFound'
+          "500":
+            $ref: 'openapi.yml#/components/responses/InternalServerError'
+
     EnableAuthenticatorInstance:
       parameters:
         - $ref: 'openapi.yml#/components/parameters/RequestID'

diff --git a/spec/openapi.yml b/spec/openapi.yml
@@ -215,6 +215,9 @@ paths:
   '/authn/{account}/api_key':
     $ref: 'authentication.yml#/components/paths/RotateApiKey'
 
+  '/{authenticator}/{account}':
+    $ref: 'authentication.yml#/components/paths/EnableAuthenticator'
+
   '/{authenticator}/{service_id}/{account}':
     $ref: 'authentication.yml#/components/paths/EnableAuthenticatorInstance'
 

diff --git a/test/config/policy.yaml b/test/config/policy.yaml
@@ -4,6 +4,18 @@
 - !user alice
 - !user bob
 
+- !policy
+  id: conjur/authn-gcp
+  body:
+    - !webservice
+
+    - !group users
+
+    - !permit
+      role: !group users
+      privilege: [ read, authenticate ]
+      resource: !webservice
+
 - !policy
   id: conjur/authn-ldap/test
   body:
@@ -20,6 +32,10 @@
   role: !group conjur/authn-ldap/test/users
   member: !user alice
 
+- !grant
+  role: !group conjur/authn-gcp/users
+  member: !user alice
+
 - !permit
   role: !user alice
   privileges: [ read ]

diff --git a/test/python/auth/test_authentication_external_api.py b/test/python/auth/test_authentication_external_api.py
@@ -73,6 +73,19 @@ def test_enable_authenticator_instance_404(self):
 
         self.assertEqual(context.exception.status, 404)
 
+    def test_enable_authenticator_204(self):
+        """Test case for enable_authenticator 204 response
+
+        Updates the authenticators configuration
+        """
+        _, status, _ = self.api.enable_authenticator_with_http_info(
+            'authn-gcp',
+            self.account,
+            enabled=True
+        )
+
+        self.assertEqual(status, 204)
+
     def test_get_api_key_via_ldap_200(self):
         """Test case for get_api_key_via_ldap 200 response"""
         alice_config = api_config.get_api_config(username='alice')