Merge pull request from GHSA-r4hr-29c8-c4p4

Gcp bugfix

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 
 ### Security
+- GCP Authenticator: When defining the host using the instance-name annotation,
+  you now need to define at least one additional annotation.
+  [cyberark/ONYX-9442](https://ca-il-jira.il.cyber-ark.com:8443/browse/ONYX-9442)
 - Updated nokogiri to 1.12.5 in both Gemfile.lock and docs/Gemfile.lock to resolve 
   [CVE-2021-41098](https://github.com/advisories/GHSA-2rr5-8q37-2w7h)
   [cyberark/conjur#2376](https://github.com/cyberark/conjur/pull/2376)

app/domain/authentication/authn_gcp/consts.rb

@@ -12,10 +12,12 @@ module Restrictions
       SERVICE_ACCOUNT_ID = "service-account-id"
       SERVICE_ACCOUNT_EMAIL = "service-account-email"
 
-      PERMITTED = [PROJECT_ID, INSTANCE_NAME, SERVICE_ACCOUNT_ID, SERVICE_ACCOUNT_EMAIL].freeze
+      ANY = [PROJECT_ID, SERVICE_ACCOUNT_ID, SERVICE_ACCOUNT_EMAIL].freeze
+      OPTIONAL = [INSTANCE_NAME].freeze
+      PERMITTED = ANY + OPTIONAL
 
       CONSTRAINTS = Constraints::MultipleConstraint.new(
-        Constraints::AnyConstraint.new(any: PERMITTED),
+        Constraints::AnyConstraint.new(any: ANY),
         Constraints::PermittedConstraint.new(permitted: PERMITTED)
       )
 

ci/test_suites/authenticators_gcp/get_gcp_id_tokens.sh

@@ -18,7 +18,7 @@
 PROGNAME=$(basename "$0")
 INSTANCE_ZONE=""
 TOKENS_OUT_DIR_PATH="$(dirname "$0")/tokens"
-TOKEN_FILE_NAME_PREFIX=gcp_token_
+TOKEN_FILE_NAME_PREFIX=gce_
 INSTANCE_EXISTS=0
 INSTANCE_RUNNING=0
 

cucumber/authenticators_gcp/features/authn_gce.feature

@@ -83,18 +83,18 @@ Feature: GCP Authenticator - GCE flow, hosts can authenticate with GCP authentic
     cucumber:host:test-app successfully authenticated with authenticator authn-gcp service cucumber:webservice:conjur/authn-gcp
     """
 
-  Scenario: Host can authenticate with only instance-name annotation set
+  Scenario: Host can not authenticate with only instance-name annotation set
     Given I have host "test-app"
     And I grant group "conjur/authn-gcp/apps" to host "test-app"
     And I remove all annotations from host "test-app"
     And I set "authn-gcp/instance-name" GCE annotation to host "test-app"
     And I obtain a valid GCE identity token
     And I save my place in the log file
     When I authenticate with authn-gcp using valid GCE token and existing account
-    Then host "test-app" has been authorized by Conjur
-    And The following appears in the audit log after my savepoint:
+    Then it is unauthorized
+    And The following appears in the log after my savepoint:
     """
-    cucumber:host:test-app successfully authenticated with authenticator authn-gcp service cucumber:webservice:conjur/authn-gcp
+    CONJ00069E Role must have at least one of the following constraints: ["project-id", "service-account-id", "service-account-email"]
     """
 
   Scenario: Non-existing account in token audience claim is denied

cucumber/authenticators_gcp/features/authn_gce_token_errors.feature

@@ -132,5 +132,5 @@ Feature: GCP Authenticator - GCE flow, test token error handling
     Then it is unauthorized
     And The following appears in the log after my savepoint:
     """
-    CONJ00068E Claim 'instance-name' is missing from Google's JWT token. Verify that you configured the host with permitted restrictions. In case of Compute Engine token, verify that you requested the token using 'format=full'
+    CONJ00069E Role must have at least one of the following constraints: ["project-id", "service-account-id", "service-account-email"]
     """

dev/cli

@@ -48,7 +48,7 @@ GLOBAL OPTIONS
     --help                                    - Show this message
 COMMANDS
     --gce     Google compute engine instance name
-    --gcf     Google cloud function URL (Predefined ci/authn-gcp/function/main.py code as GCF)
+    --gcf     Google cloud function URL (Predefined ci/test_suites/authenticators_gcp/function/main.py code as GCF)
 USAGE
     ./cli exec --authn-gcp --gce [GCE_INSTANCE_NAME] --gcf [GCF_URL]
 EOF
@@ -121,14 +121,13 @@ function enable_gcp() {
 function fetch_gce_tokens() {
   local gce_instance_name="$1"
 
- "../ci/authn-gcp/get_gcp_id_tokens.sh" "$gce_instance_name"
-  local decoded_gce_token_payload=$(_get_gcp_token_payload "../ci/authn-gcp/tokens/gce_token_valid")
-
+ "../ci/test_suites/authenticators_gcp/get_gcp_id_tokens.sh" "$gce_instance_name"
+  _set_gcp_token_payload "../ci/test_suites/authenticators_gcp/tokens/gce_token_valid"
   echo "Setting GCE details as env variables"
-  local gce_project_id="$(echo "$decoded_gce_token_payload" | jq -r '.google.compute_engine.project_id')"
-  local gce_instance_name="$(echo "$decoded_gce_token_payload" | jq -r '.google.compute_engine.instance_name')"
-  local gce_service_account_id="$(echo "$decoded_gce_token_payload" | jq -r '.sub')"
-  local gce_service_account_email="$(echo "$decoded_gce_token_payload" | jq -r '.email')"
+  local gce_project_id="$(echo "$DECODED_GCP_TOKEN_PAYLOAD" | jq -r '.google.compute_engine.project_id')"
+  local gce_instance_name="$(echo "$DECODED_GCP_TOKEN_PAYLOAD" | jq -r '.google.compute_engine.instance_name')"
+  local gce_service_account_id="$(echo "$DECODED_GCP_TOKEN_PAYLOAD" | jq -r '.sub')"
+  local gce_service_account_email="$(echo "$DECODED_GCP_TOKEN_PAYLOAD" | jq -r '.email')"
 
   local gce_env_args="-e GCE_INSTANCE_NAME=$gce_instance_name \
                       -e GCE_SERVICE_ACCOUNT_ID=$gce_service_account_id \
@@ -138,7 +137,7 @@ function fetch_gce_tokens() {
   env_args="$env_args $gce_env_args"
 }
 
-_get_gcp_token_payload() {
+_set_gcp_token_payload() {
   local gcp_token_file="$1"
 
   if ! [ -f "$gcp_token_file" ]; then
@@ -151,9 +150,7 @@ _get_gcp_token_payload() {
 
   source ../ci/jwt/decode_token.sh
 
-  decoded_gcp_token_payload=$(decode_jwt_payload "$gcp_token")
-
-  echo "$decoded_gcp_token_payload"
+  DECODED_GCP_TOKEN_PAYLOAD=$(decode_jwt_payload "$gcp_token")
 }
 
 function fetch_gcf_tokens() {
@@ -166,10 +163,10 @@ function fetch_gcf_tokens() {
 
   validate_gcf_url_accessible "$gcp_func_url" || exit 1
 
-  cd ../ci/authn-gcp/
+  cd ../ci/test_suites/authenticators_gcp/
   sh ./get_tokens_to_files.sh "$gcp_func_url" "$token_prefix" || exit 1
   cd -
-  local decoded_gcf_token_payload=$(_get_gcp_token_payload "../ci/authn-gcp/tokens/gcf_token_valid")
+  local decoded_gcf_token_payload=$(_get_gcp_token_payload "../ci/test_suites/authenticators_gcp/tokens/gcf_token_valid")
 
   echo "Setting GCF details as env variables"
   local gcf_service_account_id="$(echo "$decoded_gcf_token_payload" | jq -r '.sub')"
@@ -188,7 +185,7 @@ function validate_gcf_url_accessible() {
   local gcp_func_url=$1
   local audience="dummy_host"
 
-  sh ../ci/authn-gcp/validate_gcf_url_accessible.sh "$gcp_func_url" "$audience" || exit 1
+  sh ../ci/test_suites/authenticators_gcp/validate_gcf_url_accessible.sh "$gcp_func_url" "$audience" || exit 1
 }
 
 function enable_oidc() {