Replace Conjur Auth Token with a valid JWT token

Gemfile

@@ -46,7 +46,6 @@ gem "loofah", ">= 2.2.3"
 # the branch doesn't immediately break this link
 gem 'conjur-api', '~> 5.pre'
 gem 'conjur-policy-parser', path: 'gems/policy-parser'
-gem 'conjur-rack', path: 'gems/conjur-rack'
 gem 'conjur-rack-heartbeat'
 gem 'rack-rewrite'
 

Gemfile.lock

@@ -1,11 +1,3 @@
-PATH
-  remote: gems/conjur-rack
-  specs:
-    conjur-rack (5.0.0)
-      conjur-api (< 6)
-      rack (~> 2)
-      slosilo (~> 3.0)
-
 PATH
   remote: gems/policy-parser
   specs:
@@ -511,7 +503,6 @@ DEPENDENCIES
   conjur-cli (~> 6.2)
   conjur-debify
   conjur-policy-parser!
-  conjur-rack!
   conjur-rack-heartbeat
   csr
   cucumber (~> 7.1)

app/controllers/concerns/current_user.rb

@@ -2,26 +2,26 @@
 
 module CurrentUser
   extend ActiveSupport::Concern
-  
+
   included do
     include TokenUser
   end
-  
+
   def current_user?
     begin
       current_user
     rescue Forbidden => e
       nil
     end
   end
-  
+
   def current_user
     @current_user ||= find_current_user
   end
-  
+
   private
-  
+
   def find_current_user
-    Role[token_user.roleid] || raise(ApplicationController::Forbidden)
+    Role[token_user.try(:role_id)] || raise(ApplicationController::Forbidden)
   end
-end
+end

app/controllers/concerns/token_user.rb

@@ -4,10 +4,10 @@ module TokenUser
   extend ActiveSupport::Concern
 
   def token_user?
-    Conjur::Rack.identity?
+    request.env['conjur-token-authentication.token_details'].present?
   end
-  
+
   def token_user
-    Conjur::Rack.user
+    request.env['conjur-token-authentication.token_details']
   end
 end

app/controllers/credentials_controller.rb

@@ -63,7 +63,7 @@ def rotate_api_key
   protected
 
   def authenticate_client
-    authentication.authenticated_role = Role[token_user.roleid] if token_user?
+    authentication.authenticated_role = Role[token_user.role_id] if token_user?
     perform_basic_authn
     raise Unauthorized, "Client not authenticated" unless authentication.authenticated?
   rescue => e

app/controllers/status_controller.rb

@@ -21,16 +21,17 @@ def whoami
       client_ip: request.ip,
       user_agent: request.user_agent,
       account: token_user.account,
-      username: token_user.login,
-      token_issued_at: Time.at(token_user.token.claims["iat"])
+      username: token_user.role_id,
+      token_issued_at: Time.at(token_user.claims['iat']),
+      token_expires_at: Time.at(token_user.claims['exp'])
     })
   end
 
   def audit_success
     Audit.logger.log(
       Audit::Event::Whoami.new(
-        client_ip: token_user.remote_ip,
-        role: ::Role.by_login(token_user.login, account: token_user.account),
+        client_ip: token_user.request_ip,
+        role: ::Role[token_user.role_id],
         success: true
       )
     )

app/domain/token_factory.rb

@@ -20,12 +20,35 @@ def signed_token(account:,
                    username:,
                    host_ttl: Rails.application.config.conjur_config.host_authorization_token_ttl,
                    user_ttl: Rails.application.config.conjur_config.user_authorization_token_ttl)
-    signing_key(account).issue_jwt(
-      sub: username,
-      exp: Time.now + offset(
-        ttl: username.starts_with?('host/') ? host_ttl : user_ttl
-      )
-    )
+
+    if username.starts_with?('host/')
+      offset = offset(ttl: host_ttl)
+      hostname = username.split('/')[1..-1].join('/')
+      role = Role["#{account}:host:#{hostname}"]
+    else
+      offset = offset(ttl: user_ttl)
+      role = Role["#{account}:user:#{username}"]
+    end
+
+    raise 'Only hosts and users can use authorization tokens' unless role.present?
+
+    issue_jwt(role: role, expires_in: offset)
+  end
+
+  def issue_jwt(role:, expires_in:)
+    now = Time.now.to_i
+    # binding.pry
+    signing_key = signing_key(role.account)
+    claims = {
+      sub: role.role_id,
+      exp: now + expires_in,
+      nbf: now,
+      iat: now,
+      iss: 'cyberark/conjur'
+    }
+    claims[:restricted_to] = role.restricted_to.split(',').map(&:strip) unless role.restricted_to.blank?
+    # Add signing key to headers so we can descern which account was used to sign the token
+    JWT.encode(claims, signing_key.key, 'RS256', x5t: signing_key.fingerprint)
   end
 
   def offset(ttl:)
@@ -39,6 +62,7 @@ def offset(ttl:)
   def parse_ttl(ttl:)
     # If TTL is an integer, return it
     return ttl.to_i if ttl.to_i.to_s == ttl.to_s
+
     # Attempt to coerce a string into integer
     ttl.to_s.to_i
   end

config/environments/development.rb

@@ -15,7 +15,7 @@
   # https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
 
   # Accept multiple hosts for parallel tests
-  config.hosts << /^conjur[0-9]*$/
+  config.hosts << /conjur[0-9]*/
 
   # eager_load needed to make authentication work without the hacky
   # loading code...

config/initializers/rack_middleware.rb

@@ -3,24 +3,6 @@
 # This is where we introduce custom middleware that interacts with Rack
 # and Rails to change how requests are handled.
 Rails.application.configure do
-  # This configures which paths do and do not require token authentication.
-  # Token authentication is optional for authn routes, and it's not applied at
-  # all to authentication, host factories, or static assets (e.g. images, CSS)
-  config.middleware.use(Conjur::Rack::Authenticator,
-                        optional: [
-                          %r{^/authn-[^/]+/},
-                          %r{^/authn/},
-                          %r{^/public_keys/}
-                        ],
-                        except: [
-                          %r{^/authn-oidc/.*/providers},
-                          %r{^/authn-[^/]+/.*/authenticate$},
-                          %r{^/authn/.*/authenticate$},
-                          %r{^/host_factories/hosts$},
-                          %r{^/assets/.*},
-                          %r{^/authenticators$},
-                          %r{^/$}
-                        ])
 
   # We want to ensure requests have an expected content type
   # before other middleware runs to make sure any body parsing

config/initializers/token_authentication.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'rack/token_authentication'
+
+Rails.application.configure do
+  # This configures which paths do and do not require token authentication.
+  # Token authentication is optional for authn routes, and it's not applied at
+  # all to authentication, host factories, or static assets (e.g. images, CSS)
+  config.middleware.use(Rack::TokenAuthentication, {
+    optional: [
+      %r{^/authn-[^/]+/},
+      %r{^/authn/},
+      %r{^/public_keys/}
+    ],
+    except: [
+      %r{^/authn-oidc/.*/providers},
+      %r{^/authn-[^/]+/.*/authenticate$},
+      %r{^/authn/.*/authenticate$},
+      %r{^/host_factories/hosts$},
+      %r{^/assets/.*},
+      %r{^/authenticators$},
+      %r{^/$}
+    ]
+  })
+end

dev/start

@@ -6,7 +6,7 @@ set -o pipefail
 
 # CC servers can't find it for some reason.  Local shellcheck is fine.
 # shellcheck disable=SC1091
-source "../ci/oauth/keycloak/keycloak_functions.sh"
+# source "../ci/oauth/keycloak/keycloak_functions.sh"
 
 # SCRIPT GLOBAL STATE
 
@@ -18,7 +18,7 @@ fi
 # Minimal set of services.  We add to this list based on cmd line flags.
 services=(pg conjur client)
 
-# Authenticators to enable. 
+# Authenticators to enable.
 default_authenticators="authn,authn-k8s/test"
 enabled_authenticators="$default_authenticators"
 
@@ -98,7 +98,7 @@ Usage: start [options]
     --authn-gcp     Starts with authn-gcp as authenticator
     --authn-iam     Starts with authn-iam/prod as authenticator
     --authn-jwt     Starts with authn-jwt as authenticator
-    --authn-ldap    Starts OpenLDAP server and loads a demo policy to enable 
+    --authn-ldap    Starts OpenLDAP server and loads a demo policy to enable
                     authentication via:
                     'curl -X POST -d "alice" http://localhost:3000/authn-ldap/test/cucumber/alice/authenticate'
     -h, --help      Shows this help message.