Merge pull request #1080 from Conjur-Enterprise/patch13.6.2

kmacinnis · GitHub Enterprise · commit 2fccd7358c72 · 2025-06-30T14:27:08.000-06:00
CNJR-10287: prepare patch 13.6.2
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -1,4 +1,10 @@
-789e1d752e6a81676bfc7badea86f524a83e3e0d:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:27
-789e1d752e6a81676bfc7badea86f524a83e3e0d:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:generic-api-key:27
-789e1d752e6a81676bfc7badea86f524a83e3e0d:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:37
-789e1d752e6a81676bfc7badea86f524a83e3e0d:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:generic-api-key:37
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:generic-api-key:33
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:33
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:generic-api-key:34
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:34
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:generic-api-key:35
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:35
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:36
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:generic-api-key:46
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:49
+7275c9fb67c307a36ef02f18bd4e7e625cd7a93f:spec/app/domain/authentication/authn_iam/authenticator_spec.rb:aws-access-token:50
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
+## [1.22.2] - 2025-06-30
+### Added
+- Allow conjur administrator to enable additional signed headers for IAM authenticator. CNJR-10217
+
 ## [1.22.1] - 2025-05-02
 ### Security
 - Improve headers handling in AWS IAM authenticator. CONJSE-2023
@@ -33,8 +37,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Attempt to authenticate using the built-in authenticator (`authn`) with a GET
   request now results in a `404` response, rather than logging an authenticator
   not enabled message. CNJR-5854
-- Attempt to load a policy that references a non-existent resource now
-  results in a `422` response, rather than a `404` error. CNJR-9122
 - Set the default and maximal limit value for resources list API to 1000 in order
   to align with the documentation. CNJR-8485
 - Ensure Kubernetes authenticator websocket connections are closed when a
@@ -47,8 +49,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   the secret's value. CNJR-7680
 - Use both database and environment configuration for the enabled authenticators.
   CNJR-8724
-
-### Security
 - Update rack to 2.2.13 to address CVE-2025-27610.
   CONJSE-1956
 - Update nokogiri to 1.18.4 to address GHSA-mrxw-mxhj-p664.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -45,6 +45,7 @@ These are defined in runConjurTests, and also include the one-offs
     conjur_rack
     azure_authenticator
     gcp_authenticator
+    iam_authenticator
 */
 @Library("product-pipelines-shared-library") _
 
@@ -1099,6 +1100,7 @@ pipeline {
                 authenticators_gcp/cucumber_results.html,
                 authenticators_status/cucumber_results.html,
                 authenticators_k8s/cucumber_results.html,
+                authenticators_iam/cucumber_results.html,
                 policy/cucumber_results.html,
                 rotators/cucumber_results.html
               ''',
@@ -1293,6 +1295,11 @@ def conjurTests(infrapool) {
         infrapool.agentSh 'ci/test authenticators_ldap'
       }
     ],
+    "authenticators_iam": [
+      "IAM Authenticator - ${env.STAGE_NAME}": {
+        infrapool.agentSh 'ci/test authenticators_iam'
+      }
+    ],
     "api": [
       "API - ${env.STAGE_NAME}": {
         infrapool.agentSh 'ci/test api'
diff --git a/app/controllers/secrets_controller.rb b/app/controllers/secrets_controller.rb
@@ -28,6 +28,8 @@ def create
 
     value = request.raw_post
 
+    validate_public_key(value) if params[:kind] == 'public_key'
+
     raise ArgumentError, "'value' may not be empty" if value.blank?
 
     # Only create a new secret version if the value is changed
@@ -174,6 +176,12 @@ def expire
 
   private
 
+  def validate_public_key(value)
+    unless value.match?(/\Assh-(rsa|ed25519|ecdsa-[a-z0-9-]+) [A-Za-z0-9+\/=]+ ?.*\z/)
+      raise ArgumentError, "Invalid public key format"
+    end
+  end
+
   def variable_ids
     return @variable_ids if @variable_ids
 
diff --git a/app/domain/authentication/authn_iam/authenticator.rb b/app/domain/authentication/authn_iam/authenticator.rb
@@ -6,21 +6,29 @@ module Authentication
   module AuthnIam
     class Authenticator
 
-      def initialize(env:, logger: Rails.logger, client: Net::HTTP)
+      def initialize(
+        env:,
+        logger: Rails.logger,
+        client: Net::HTTP,
+        fetch_authenticator_secrets: Authentication::Util::FetchAuthenticatorSecrets.new(
+          optional_variable_names: %w[optional-signed-headers]
+        ))
         @env = env
         @logger = logger
         @client = client
+        @fetch_authenticator_secrets = fetch_authenticator_secrets
       end
 
-      VALID_KEYS = %w[host authorization x-amz-date x-amz-security-token x-amz-content-sha256].freeze
+      REQUIRED_KEYS = %w[
+        host
+        authorization
+        x-amz-date
+        x-amz-security-token
+        x-amz-content-sha256].freeze
 
       def valid?(input)
-        # input.credentials is JSON holding the AWS signed headers
-        signed_aws_headers = JSON.parse(input.credentials)
-                                 .transform_keys(&:downcase)
-                                 .select { |k, _| VALID_KEYS.include?(k) }
-        raise Errors::Authentication::AuthnIam::InvalidAWSHeaders,
-              "Headers validation failed" unless valid_headers?(signed_aws_headers)
+        @authenticator_input = input
+        signed_aws_headers = extract_signed_headers
 
         aws_response = response_from_signed_request(signed_aws_headers)
 
@@ -78,7 +86,7 @@ def attempt_signed_request(signed_headers)
           return fallback_response if fallback_response.code.to_i == 200
         end
 
-        return response
+        response
       end
 
       def aws_call(region:, headers:)
@@ -138,12 +146,57 @@ def valid_region?(region)
         /\A([a-z]{2}(-gov)?-[a-z]+-\d)\z/.match?(region)
       end
 
-      def valid_headers?(signed_aws_headers)
+      def valid_host_header?(signed_aws_headers)
         host = signed_aws_headers['host']
         return true if host.nil? || host.empty?
         uri = URI("https://#{host}")
         uri.host&.end_with?('.amazonaws.com')
       end
+
+      def iam_authenticator_secrets
+        @iam_authenticator_secrets ||= @fetch_authenticator_secrets.call(
+          service_id: @authenticator_input.service_id,
+          conjur_account: @authenticator_input.account,
+          authenticator_name: @authenticator_input.authenticator_name,
+          required_variable_names: [],
+        )
+      end
+
+      def optional_signed_headers
+        @optional_signed_headers ||=
+          (iam_authenticator_secrets&.dig('optional-signed-headers')
+            &.to_s&.split(';')
+            &.map(&:downcase)
+            &.map(&:strip)) || []
+      end
+
+      def extract_signed_headers
+        input = JSON.parse(@authenticator_input.credentials).transform_keys(&:downcase)
+        match = input['authorization']&.match(%r{SignedHeaders=([A-Za-z0-9;_-]+)})
+        raise Errors::Authentication::AuthnIam::InvalidAWSHeaders,
+              "Failed to extract signed headers" unless match
+        signed_headers = match[1].split(';').map(&:downcase)
+
+        missing = signed_headers - input.keys
+        raise Errors::Authentication::AuthnIam::InvalidAWSHeaders,
+              "Missing required signed headers: #{missing.join(', ')}" unless missing.empty?
+
+        allowed_keys = REQUIRED_KEYS
+        allowed_keys = allowed_keys | optional_signed_headers unless optional_signed_headers.empty?
+
+        unexpected = signed_headers - allowed_keys
+        raise Errors::Authentication::AuthnIam::InvalidAWSHeaders,
+          "Unexpected signed headers found: #{unexpected.join(', ')}. " +
+          "Please use only permitted headers in the signature. " +
+          "If you need to include optional headers, please ensure " +
+          "they are secure and then add them to the authenticator " +
+          "configuration." unless unexpected.empty?
+
+        raise Errors::Authentication::AuthnIam::InvalidAWSHeaders,
+              "Host header validation failed" unless valid_host_header?(input)
+
+         input.select { |k, _| allowed_keys.include?(k) }
+      end
     end
   end
 end
diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
@@ -71,7 +71,7 @@ services:
       RAILS_ENV: development
       REQUIRE_SIMPLECOV: "true"
       CONJUR_LOG_LEVEL: debug
-      CONJUR_AUTHENTICATORS: authn,authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2,authn-oidc/okta,authn-oidc/keycloak2-long-lived,authn-oidc/identity
+      CONJUR_AUTHENTICATORS: authn,authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2,authn-oidc/okta,authn-oidc/keycloak2-long-lived,authn-oidc/identity,authn-iam/prod
       CONJUR_FEATURE_DYNAMIC_SECRETS_ENABLED: 'true'
       LDAP_URI: ldap://ldap-server:389
       LDAP_BASE: dc=conjur,dc=net
@@ -108,7 +108,7 @@ services:
       RAILS_ENV: development
       REQUIRE_SIMPLECOV: "true"
       CONJUR_LOG_LEVEL: debug
-      CONJUR_AUTHENTICATORS: authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2,authn-oidc/okta,authn-oidc/keycloak2-long-lived,authn-oidc/identity
+      CONJUR_AUTHENTICATORS: authn-ldap/test,authn-ldap/secure,authn-oidc/keycloak,authn-oidc,authn-k8s/test,authn-azure/prod,authn-gcp,authn-jwt/raw,authn-jwt/keycloak,authn-oidc/keycloak2,authn-oidc/okta-2,authn-oidc/okta,authn-oidc/keycloak2-long-lived,authn-oidc/identity,authn-iam/prod
       CONJUR_FEATURE_DYNAMIC_SECRETS_ENABLED: 'true'
       LDAP_URI: ldap://ldap-server:389
       LDAP_BASE: dc=conjur,dc=net
diff --git a/ci/test b/ci/test
@@ -61,6 +61,7 @@ SUBCOMMANDS
     authenticators_azure   - Runs Cucumber Azure Authenticator features
     authenticators_config  - Runs Cucumber Authenticator configuration features
     authenticators_gcp     - Runs Cucumber GCP Authenticator features
+    authenticators_iam     - Runs Cucumber IAM Authenticator features
     authenticators_k8s     - Runs Cucumber K8s Authenticator features
     authenticators_ldap    - Runs Cucumber LDAP Authenticator features
     authenticators_oidc    - Runs Cucumber OIDC Authenticator features
diff --git a/ci/test_suites/authenticators_iam/secrets.yml b/ci/test_suites/authenticators_iam/secrets.yml
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID: !var ci/aws/iam/users/dev_limited_user/access_key_id
+AWS_SECRET_ACCESS_KEY: !var ci/aws/iam/users/dev_limited_user/secret_access_key
+AWS_REGION: !var ci/aws/iam/users/dev_limited_user/region
diff --git a/ci/test_suites/authenticators_iam/test b/ci/test_suites/authenticators_iam/test
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -e
+
+# This is executed by the main "ci/test" script after cd-ing into "ci".
+# shellcheck disable=SC1091
+source "./shared.sh"
+
+# The single arg is a nameref, which this function sets to an array containing
+# items of the form "KEY=VAL".
+_hydrate_iam_env_args() {
+  # Note: Both shellcheck errors are just because arr is a nameref.
+  # shellcheck disable=SC2178
+  local -n arr=$1
+  # shellcheck disable=SC2034
+  arr=(
+    "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
+    "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
+    "AWS_REGION=$AWS_REGION"
+  )
+}
+
+# Load AWS secrets from summon into the current shell
+eval "$(summon -f ./test_suites/authenticators_iam/secrets.yml env | grep AWS_)"
+
+# Note: We pass the name of the function as the last arg, since we're
+# using namerefs.
+additional_services=''
+
+_run_cucumber_tests authenticators_iam "$additional_services" _hydrate_iam_env_args
diff --git a/config/routes.rb b/config/routes.rb
@@ -89,9 +89,9 @@ def matches?(request)
           get     "/resources/:account/:kind/*identifier" => 'resources#permitted_roles', :constraints => QueryParameterActionRecognizer.new("permitted_roles")
           get     "/resources/:account/:kind/*identifier" => "resources#show"
           get     "/resources/:account/:kind"             => "resources#index"
+          get     "/resources/:account"                   => "resources#index"
+          get     "/resources"                            => "resources#index"
         end
-        get     "/resources/:account"                   => "resources#index"
-        get     "/resources"                            => "resources#index"
 
         get     "/:authenticator/:account/providers"  => "providers#index"
 
@@ -110,15 +110,15 @@ def matches?(request)
         post    "/secrets/:account/:kind/*identifier" => "secrets#expire",
                 :constraints => QueryParameterActionRecognizer.new("expirations")
         get     "/secrets/:account/:kind/*identifier" => 'secrets#show', constraints: { kind: /variable/ }
-        post    "/secrets/:account/:kind/*identifier" => 'secrets#create', constraints: { kind: /variable|public_key|user|host|layer|group|policy|webservice/ }
+        post    "/secrets/:account/:kind/*identifier" => 'secrets#create', constraints: { kind: /variable|public_key/ }
         get     "/secrets"                            => 'secrets#batch'
 
         get     "/policies/:account/:kind/*identifier" => 'policies#get', constraints: { kind: /policy/ }
         put     "/policies/:account/:kind/*identifier" => 'policies#put', constraints: { kind: /policy/ }
         patch   "/policies/:account/:kind/*identifier" => 'policies#patch', constraints: { kind: /policy/ }
         post    "/policies/:account/:kind/*identifier" => 'policies#post', constraints: { kind: /policy/ }
 
-        get     "/public_keys/:account/:kind/*identifier" => 'public_keys#show', constraints: { kind: /variable|public_key|user|host|layer|group|policy|webservice/ }
+        get     "/public_keys/:account/:kind/*identifier" => 'public_keys#show', constraints: { kind: /public_key|user/ }
 
         post     "/ca/:account/:service_id/sign" => 'certificate_authority#sign'
       end
diff --git a/cucumber.yml b/cucumber.yml
@@ -111,6 +111,25 @@ authenticators_gcp: >
   -r cucumber/authenticators_gcp
   cucumber/authenticators_gcp
 
+authenticators_iam: >
+  --tags @authenticators_iam
+  --format pretty
+  -r cucumber/api/features/support/step_def_transforms.rb
+  -r cucumber/api/features/support/rest_helpers.rb
+  -r cucumber/api/features/support/ssh_helpers.rb
+  -r cucumber/api/features/step_definitions/request_steps.rb
+  -r cucumber/api/features/step_definitions/user_steps.rb
+  -r cucumber/api/features/support/logs_helpers.rb
+  -r cucumber/api/features/step_definitions/logs_steps.rb
+  -r cucumber/api/features/support/authz_helpers.rb
+  -r cucumber/api/features/step_definitions/authz_steps.rb
+  -r cucumber/policy/features/support/policy_helpers.rb
+  -r cucumber/policy/features/step_definitions/policy_steps.rb
+  -r cucumber/_authenticators_common
+  -r cucumber/authenticators_status/features/step_definitions/authn_status_steps.rb
+  -r cucumber/authenticators_iam
+  cucumber/authenticators_iam
+
 authenticators_azure: >
   --tags @authenticators_azure
   --format pretty
diff --git a/cucumber/api/features/secrets.feature b/cucumber/api/features/secrets.feature
@@ -200,13 +200,11 @@ Feature: Adding and fetching secrets
     Then the HTTP response status code is 404
 
   @negative @acceptance
-  Scenario: When creating a secret, the kind is not validated due to public keys feature, but reading is not allowed.
+  Scenario: Creating a secret value with kind group is not allowed.
     Given I save my place in the audit log file for remote
     And I create a new "group" resource called "test-group"
     When I POST "/secrets/cucumber/group/test-group" with body:
     """
     value
     """
-    Then the HTTP response status code is 201
-    When I GET "/secrets/cucumber/group/test-group"
     Then the HTTP response status code is 404
diff --git a/cucumber/authenticators_iam/features/authn_iam.feature b/cucumber/authenticators_iam/features/authn_iam.feature
@@ -0,0 +1,39 @@
+@authenticators_iam
+Feature: IAM Authenticator
+
+  In this feature we define a IAM authenticator in policy and perform authentication
+
+  Background:
+    Given I load a policy:
+    """
+    - !policy
+      id: conjur/authn-iam/prod
+      body:
+      - !webservice
+
+      - !group apps
+      - !variable optional-signed-headers
+
+      - !permit
+        role: !group apps
+        privilege: [ read, authenticate ]
+        resource: !webservice
+    """
+    And I have host "188945769008/dev_limited_user"
+    And I grant group "conjur/authn-iam/prod/apps" to host "188945769008/dev_limited_user"
+    And I add the secret value "content-type;date" to the resource "cucumber:variable:conjur/authn-iam/prod/optional-signed-headers"
+
+  @smoke
+  Scenario: Hosts can authenticate with IAM authenticator and fetch secret
+    Given I have a "variable" resource called "test-variable"
+    And I add the secret value "test-secret" to the resource "cucumber:variable:test-variable"
+    And I permit host "188945769008/dev_limited_user" to "execute" it
+    And I obtain a valid IAM identity token
+    And I save my place in the log file
+    When I authenticate with authn-iam using a valid identity token for "host/188945769008/dev_limited_user"
+    Then host "188945769008/dev_limited_user" has been authorized by Conjur
+    And I can GET "/secrets/cucumber/variable/test-variable" with authorized user
+    And The following appears in the audit log after my savepoint:
+    """
+    cucumber:host:188945769008/dev_limited_user successfully authenticated with authenticator authn-iam service cucumber:webservice:conjur/authn-iam/prod
+    """
diff --git a/cucumber/authenticators_iam/features/step_definitions/authn_iam_steps.rb b/cucumber/authenticators_iam/features/step_definitions/authn_iam_steps.rb
@@ -0,0 +1,7 @@
+Given(/^I obtain a valid IAM identity token$/) do
+  iam_identity_access_token
+end
+
+Given(/I authenticate with authn-iam using a valid identity token for "([^"]*)"/) do |username|
+  authenticate_iam_token(username)
+end
diff --git a/cucumber/authenticators_iam/features/support/authn_iam_helper.rb b/cucumber/authenticators_iam/features/support/authn_iam_helper.rb
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
diff --git a/dev/secrets.yml b/dev/secrets.yml
diff --git a/dev/start b/dev/start
diff --git a/spec/app/domain/authentication/authn_iam/authenticator_spec.rb b/spec/app/domain/authentication/authn_iam/authenticator_spec.rb
diff --git a/spec/routing/secrets_routing_spec.rb b/spec/routing/secrets_routing_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+AWS_ACCESS_KEY_ID: !var ci/aws/iam/users/dev_limited_user/access_key_id`
	`2`	`+AWS_SECRET_ACCESS_KEY: !var ci/aws/iam/users/dev_limited_user/secret_access_key`
	`3`	`+AWS_REGION: !var ci/aws/iam/users/dev_limited_user/region`