Remove authenticator for list authenticators

cyberark · Aug 8, 2022 · dcc4954 · dcc4954
1 parent e43e839
commit dcc4954
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [1.18.1] - 2022-08-01
 
+### Changed
+- Migrates OIDC Provider list to be accessable via an unauthentated
+ endpoint. This is not a concern as logins using this endpoint already
+ display the redirect endpoint on the login page.
+ [cyberark/conjur#2625](https://github.com/cyberark/conjur/pull/2625)
+
 ## [1.18.0] - 2022-08-01
 
 ### Added

diff --git a/app/controllers/providers_controller.rb b/app/controllers/providers_controller.rb
@@ -1,10 +1,6 @@
 # frozen_string_literal: true
 
-class ProvidersController < RestController
- include FindResource
- include AssumedRole
- include CurrentUser
-
+class ProvidersController < ApplicationController
  def index
  namespace = Authentication::Util::NamespaceSelector.select(
  authenticator_type: params[:authenticator]
@@ -16,14 +12,8 @@ def index
  ).find_all(
  account: params[:account],
  type: params[:authenticator]
- ).select { |authenticator| role&.allowed_to?(:read, ::Resource[authenticator.resource_id]) }
+ )
  )
  )
  end
-
- # The v5 API currently sends +acting_as+ when listing resources
- # for a role other than the current user.
- def role
- assumed_role(params[:role].presence) || assumed_role(params[:acting_as].presence)
- end
 end
diff --git a/config/initializers/rack_middleware.rb b/config/initializers/rack_middleware.rb
@@ -13,6 +13,7 @@
  %r{^/public_keys/}
  ],
  except: [
+ %r{^/authn-oidc/.*/providers},
  %r{^/authn-[^/]+/.*/authenticate$},
  %r{^/authn/.*/authenticate$},
  %r{^/host_factories/hosts$},

diff --git a/cucumber/authenticators_oidc/features/list_authenticators.feature b/cucumber/authenticators_oidc/features/list_authenticators.feature
@@ -90,10 +90,4 @@ Feature: A user can view the various authenticators they can use.
  Then I can add a secret to variable resource "conjur/authn-oidc/okta/state"
  When I log in as user "admin"
  Then the list of authenticators contains the service-id "oidceast"
- Then the list of authenticators contains the service-id "okta"
- When I log in as user "alice"
- Then the list of authenticators contains the service-id "oidceast"
- Then the list of authenticators does not contain the service-id "okta"
- When I log in as user "bob"
- Then the list of authenticators does not contain the service-id "oidceast"
- Then the list of authenticators does not contain the service-id "okta"
+ Then the list of authenticators contains the service-id "okta"
diff --git a/cucumber/policy/features/support/client.rb b/cucumber/policy/features/support/client.rb
@@ -128,7 +128,7 @@ def fetch_roles(kind:, id:)
  end
 
  def fetch_authenticators
- resource(uri('authn-oidc', 'providers')).get(auth_header)
+ resource(uri('authn-oidc', 'providers')).get()
  end
 
  def fetch_public_keys(username:)