cyberark · mFelgate · Apr 20, 2022 · Apr 20, 2022 · Apr 22, 2022 · May 10, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,15 +9,24 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
+## [1.17.6] - 2022-04-07
+
+### Changed
+- Adds `CONJUR_USERS_IN_ROOT_POLICY_ONLY` environment variable to prevent users from being created outside the root policy.
+
 ## [1.17.5] - 2022-04-07
 
 ### Changed
 - Fixed promotion behavior
 
+### Security
+- Updated nokogiri to 1.13.4 to resolve CVE-2022-24836
+  [cyberark/conjur#2534](https://github.com/cyberark/conjur/pull/2534)
+
 ## [1.17.3] - 2022-04-04
 
 ### Changed
-- Fixed issue where an invalid content type sent by our .NET SDK was causing 
+- Fixed issue where an invalid content type sent by our .NET SDK was causing
   Conjur to error - but this wasn't the case before the Ruby 3 upgrade
   [#2525](https://github.com/cyberark/conjur/pull/2525)
 - Verify non user or host resources do not have credentials.
@@ -49,7 +58,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   [#2450](https://github.com/cyberark/conjur/pull/2450)
   [#2447](https://github.com/cyberark/conjur/pull/2447)
   [#2437](https://github.com/cyberark/conjur/pull/2437))
-- Added support for SNI certificates when talking to the Kubernetes API 
+- Added support for SNI certificates when talking to the Kubernetes API
   server through the web socket client.
   [#2482](https://github.com/cyberark/conjur/pull/2482)
 - Added support for http(s)_proxy for Kubernetes client in Kubernetes
@@ -64,7 +73,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Fixed
 - IAM Authn bug fix - Take rexml gem to production configuration [#2493](https://github.com/cyberark/conjur/pull/2493)
-- Previously, a stale puma pid file would prevent the Conjur server from starting 
+- Previously, a stale puma pid file would prevent the Conjur server from starting
   successfully. Conjur now removes a stale pid file at startup, if it exists.
   [#2498](https://github.com/cyberark/conjur/pull/2498)
 - Use entirety of configured Kubernetes endpoint URL in Kubernetes authenticator's
@@ -80,7 +89,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   [cyberark/conjur#2486](https://github.com/cyberark/conjur/pull/2486)
 - Updated Rails to 6.1.4.6 to resolve CVE-2022-23633
 - Updated Puma to 5.6.2 to resolve CVE-2022-23634
-  [cyberark/conjur#2492](https://github.com/cyberark/conjur/pull/2492)  
+  [cyberark/conjur#2492](https://github.com/cyberark/conjur/pull/2492)
 - Updated Puma to 5.6.4 to resolve CVE-2022-24790
   [cyberark/conjur#2534](https://github.com/cyberark/conjur/pull/2534)
 
@@ -105,9 +114,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   [#2418](https://github.com/cyberark/conjur/pull/2418)
 
 ### Fixed
-- Return 401 instead of 500 for invalid basic auth header. 
+- Return 401 instead of 500 for invalid basic auth header.
   [#1990](https://github.com/cyberark/conjur/issues/1990)
-- Added check to stop hosts from setting passwords 
+- Added check to stop hosts from setting passwords
   [#1920](https://github/cyberark/conjur/issues/1920)
 
 ### Security
@@ -138,7 +147,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [1.13.2] - 2021-10-13
 
 ### Security
-- Updated puma to 5.5.1 to close 
+- Updated puma to 5.5.1 to close
   [GHSA-48w2-rm65-62xx](https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx).
   We were not vulnerable to this issue. [cyberark/conjur#2385](https://github.com/cyberark/conjur/pull/2385)
 - GCP Authenticator: When defining the host using the instance-name annotation,

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -270,9 +270,9 @@ GEM
     net-ssh (6.1.0)
     netrc (0.11.0)
     nio4r (2.5.8)
-    nokogiri (1.13.3-x86_64-darwin)
+    nokogiri (1.13.4-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.13.3-x86_64-linux)
+    nokogiri (1.13.4-x86_64-linux)
       racc (~> 1.4)
     openid_connect (1.3.0)
       activemodel

diff --git a/NOTICES.txt b/NOTICES.txt
@@ -42,7 +42,7 @@ Section 4: MIT
 >>> https://rubygems.org/gems/listen/versions/3.7.0
 >>> https://rubygems.org/gems/loofah/versions/2.13.0
 >>> https://rubygems.org/gems/net-ldap/versions/0.17.0
->>> https://rubygems.org/gems/nokogiri/versions/1.13.3
+>>> https://rubygems.org/gems/nokogiri/versions/1.13.4
 >>> https://rubygems.org/gems/openid_connect/versions/1.3.0
 >>> https://rubygems.org/gems/rack-rewrite/versions/1.5.1
 >>> https://rubygems.org/gems/rails/versions/6.1.4.7
@@ -680,7 +680,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/nokogiri/versions/1.13.3
+>>> https://rubygems.org/gems/nokogiri/versions/1.13.4
 
 Copyright 2008 -- 2018 by Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada, Akinori MUSHA, John Shahid, Lars Kanis
 

diff --git a/app/controllers/authenticate_controller.rb b/app/controllers/authenticate_controller.rb
@@ -3,6 +3,60 @@
 class AuthenticateController < ApplicationController
   include BasicAuthenticator
   include AuthorizeResource
+  include CurrentUser
+  include FindResource
+  include AssumedRole
+
+  def list_authenticators
+    # Rails 5 requires parameters to be explicitly permitted before converting
+    # to Hash.  See: https://stackoverflow.com/a/46029524
+    allowed_params = %i[account service_id]
+
+    begin
+      scope =  authenticators(
+        assumed_role(query_role),
+        repo = DB::Repository::AuthenticatorRepository.new,
+        handler = Authentication::Handler::OidcAuthenticationHandler.new,
+        **options(allowed_params)
+      )
+    rescue ApplicationController::Forbidden
+      raise
+    rescue ArgumentError => e
+      raise ApplicationController::UnprocessableEntity, e.message
+    end
+
+    render(json: scope)
+  end
+
+  def authenticators(role, repo, handler, account:, service_id: nil)
+    unless service_id.present?
+      return repo.find_all(
+        account: account,
+        type: "oidc"
+      ).map do |authn|
+        {
+          name: authn.authenticator_name,
+          redirect_url: handler.generate_login_url(authn)
+        }
+      end
+    end
+
+    authn = repo.find(role: role, account: account, type: "oidc", service_id: service_id)
+    return {} unless authn
+
+    handler.generate_login_url(authn)
+  end
+
+  # The v5 API currently sends +acting_as+ when listing resources
+  # for a role other than the current user.
+  def query_role
+    params[:role].presence || params[:acting_as].presence
+  end
+
+  def options(allowed_params)
+    params.permit(*allowed_params)
+          .slice(*allowed_params).to_h.symbolize_keys
+  end
 
   def index
     authenticators = {
@@ -113,21 +167,20 @@ def authenticate_jwt
 
   # Update the input to have the username from the token and authenticate
   def authenticate_oidc
-    params[:authenticator] = "authn-oidc"
-    input = Authentication::AuthnOidc::UpdateInputWithUsernameFromIdToken.new.(
-      authenticator_input: authenticator_input
+    auth_token = Authentication::Handler::OidcAuthenticationHandler.authenticate(
+      service_id: params[:service_id],
+      account: params[:account],
+      parameters: {
+        state: params[:state],
+        client_ip: request.ip,
+        credentials: request.body.read,
+        code: params[:code]
+      }
     )
-    # We don't audit success here as the authentication process is not done
+
+    render_authn_token(auth_token)
   rescue => e
-    # At this point authenticator_input.username is always empty (e.g. cucumber:user:USERNAME_MISSING)
-    log_audit_failure(
-      authn_params: authenticator_input,
-      audit_event_class: Audit::Event::Authn::Authenticate,
-      error: e
-    )
     handle_authentication_error(e)
-  else
-    authenticate(input)
   end
 
   def authenticate_gcp

diff --git a/app/db/repository/authenticator_repository.rb b/app/db/repository/authenticator_repository.rb
@@ -0,0 +1,79 @@
+module DB
+  module Repository
+    class AuthenticatorRepository
+      def initialize(resource_repository: ::Resource)
+        @resource_repository = resource_repository
+      end
+
+      def find_all(type:, account:, role: nil)
+        args_list = []
+        variables = fetch_authenticators(account: account, type: type, service_id: nil, role: role)
+        variables.each do |variable|
+          next unless variable.secret
+
+          args = {}
+          args[:service_id] = variable.owner_id.split('/')[-1].underscore.to_sym
+          args[:account] = account
+          args[variable.resource_id.split('/')[-1].underscore.to_sym] =
+            variable.secret.value
+          args_list.push(args)
+        end
+        args_list.group_by{|authn| authn[:service_id]}.map do |_, authn|
+          "Authenticator::#{type.camelize}Authenticator".constantize.new(**authn.reduce({}, :merge))
+        end
+      end
+
+      def find(type:, account:, service_id:, role: nil)
+        return nil unless exists?(
+          type: type,
+          account: account,
+          service_id: service_id
+        )
+
+        variables = fetch_authenticators(account: account, type: type, service_id: service_id, role: role)
+
+        args_list = {}.tap do |args|
+          args[:account] = account
+          args[:service_id] = service_id
+          variables.each do |variable|
+            next unless variable.secret
+
+            args[variable.resource_id.split('/')[-1].underscore.to_sym] = variable.secret.value
+          end
+        end
+
+        "Authenticator::#{type.camelize}Authenticator".constantize.new(**args_list)
+      end
+
+      def resources(role:)
+        unless role
+          return @resource_repository
+        end
+
+        @resource_repository.visible_to(role)
+      end
+
+      def fetch_authenticators(account:, type:, service_id:, role:)
+        puts account, type, service_id, role
+        resources(role: role).where(
+          Sequel.like(
+            :resource_id,
+            authn_search(account, type, service_id)
+          )
+        ).eager(:secrets).all
+      end
+
+      def authn_search(account, type, service_id)
+        search = "#{account}:variable:conjur/authn-#{type}"
+        puts search
+        return "#{search}/%" unless service_id
+
+        "#{search}/#{service_id}/%"
+      end
+
+      def exists?(type:, account:, service_id:)
+        @resource_repository.with_pk("#{account}:webservice:conjur/authn-#{type}/#{service_id}") != nil
+      end
+    end
+  end
+end