cyberark · jvanderhoof · Aug 9, 2023
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -67,6 +67,7 @@ class UnprocessableEntity < RuntimeError
   rescue_from Errors::Authorization::AccessToResourceIsForbiddenForRole, with: :forbidden
   rescue_from Errors::Conjur::RequestedResourceNotFound, with: :resource_not_found
   rescue_from Errors::Authorization::InsufficientResourcePrivileges, with: :forbidden
+  rescue_from Errors::Conjur::ReadOnly::ActionNotPermitted, with: :method_not_allowed
 
   around_action :run_with_transaction
 

diff --git a/app/domain/errors.rb b/app/domain/errors.rb
@@ -57,6 +57,13 @@ module Conjur
       msg: "Resource '{0-resource}' requested by role '{1-role}' not found",
       code: "CONJ00123E"
     )
+
+    module ReadOnly
+      ActionNotPermitted = ::Util::TrackableErrorClass.new(
+        msg: "This action is not permitted when the server is in read-only mode",
+        code: "CONJ00153E"
+      )
+    end
   end
 
   module Authorization

diff --git a/app/models/read_only.rb b/app/models/read_only.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Removes persistence if Conjur is operating as a read-only instance
+class Sequel::Model
+  def before_save
+    check_if_writes_permitted
+    super
+  end
+
+  def before_destroy
+    check_if_writes_permitted
+    super
+  end
+
+  def check_if_writes_permitted
+    return unless Rails.configuration.read_only
+
+    raise ::Errors::Conjur::ReadOnly::ActionNotPermitted
+  end
+end
diff --git a/config/environments/appliance.rb b/config/environments/appliance.rb
@@ -10,4 +10,5 @@
   config.middleware.use(Rack::RememberUuid)
   config.audit_socket = '/run/conjur/audit.socket'
   config.audit_database ||= 'postgres://:5433/audit'
+  config.read_only = false
 end
diff --git a/config/initializers/read_only_mode.rb b/config/initializers/read_only_mode.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+# Put Conjur into "read-only" mode
+Rails.application.configure do
+  config.read_only = true
+end
diff --git a/dev/start b/dev/start
@@ -15,7 +15,7 @@ fi
 # Minimal set of services.  We add to this list based on cmd line flags.
 services=(pg conjur client)
 
-# Authenticators to enable. 
+# Authenticators to enable.
 default_authenticators="authn,authn-k8s/test"
 enabled_authenticators="$default_authenticators"
 
@@ -80,7 +80,7 @@ main() {
 
   # Updates CONJUR_AUTHENTICATORS and restarts required services.
   start_auth_services
-  create_alice
+  # create_alice
   kill_conjur # so dev's can restart it manually
   enter_container
 }
@@ -97,7 +97,7 @@ Usage: start [options]
     --authn-gcp     Starts with authn-gcp as authenticator
     --authn-iam     Starts with authn-iam/prod as authenticator
     --authn-jwt     Starts with authn-jwt as authenticator
-    --authn-ldap    Starts OpenLDAP server and loads a demo policy to enable 
+    --authn-ldap    Starts OpenLDAP server and loads a demo policy to enable
                     authentication via:
                     'curl -X POST -d "alice" http://localhost:3000/authn-ldap/test/cucumber/alice/authenticate'
     -h, --help      Shows this help message.