cyberark · egvili · Oct 15, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   (and update the corresponding date), or add a new version.
 
 ## [1.0.11-cloud] - 2023-10-29
+### Changed
+- Make API-key optional for hosts
 
 ## [1.0.10-cloud] - 2023-10-22
 ### Added

diff --git a/app/domain/authentication/optional_api_key.rb b/app/domain/authentication/optional_api_key.rb
@@ -5,12 +5,12 @@ module OptionalApiKey
 
     AUTHN_ANNOTATION = 'authn/api-key'
 
-    def annotation_relevant?(annotation)
+    def api_key_annotation_relevant?(annotation)
       annotation.name == AUTHN_ANNOTATION
     end
 
-    def annotation_true?(annotation)
-      annotation_relevant?(annotation) && annotation.value.downcase == 'true'
+    def api_key_annotation_true?(annotation)
+      api_key_annotation_relevant?(annotation) && annotation.value.downcase == 'true'
     end
 
   end

diff --git a/app/models/loader/types.rb b/app/models/loader/types.rb
@@ -160,34 +160,7 @@ def verify; end
     class Host < Record
       def_delegators :@policy_object, :restricted_to
 
-      # This is a temporary policy validation check to ensure that we're not
-      # creating hosts that will fail API key-based authentication by default
-      # in the future.
-      def future_api_key_auth_will_fail?
-        # The default config value is to allow API key authentication, so if this is
-        # either the default or set to true, then future API key authentication will
-        # continue to work and we don't need to reject this policy.
-        return false if Rails.application.config.conjur_config.authn_api_key_default
-
-        # If the default API authentication config is to disallow it, and the host
-        # does not explicitly state the policy authors intentions with the
-        # `authn/api-key` annotation with value true, then we should reject this until the annotation
-        # is added to the policy object.
-        self.annotations&.[]("authn/api-key").nil? || self.annotations["authn/api-key"].to_s.casecmp?("false")
-      end
-
-      def verify
-        # If policy contains a host with annotation authn/api-key effectively false, either by explicit
-        # value or by default value, then policy load is blocked.
-        if future_api_key_auth_will_fail?
-          message = "API key authentication for hosts is disabled by default and " \
-              "will be removed in a future release. Add the 'authn/api-key' " \
-              "annotation to this host with the value 'true' to " \
-              "ensure authentication works as expected for this host in the " \
-              "future."
-          raise Exceptions::InvalidPolicyObject.new(self.id, message: message)
-        end
-      end
+      def verify; end
 
       def create!
         self.handle_restricted_to(self.roleid, restricted_to)

diff --git a/app/models/role.rb b/app/models/role.rb
@@ -135,9 +135,8 @@ def api_key
   end
 
   def api_key_expected?
-    self.kind == 'user' ||
-    Rails.application.config.conjur_config.authn_api_key_default ||
-    self.annotations.any? { |a| annotation_true?(a) }
+    self.id == 'admin' || self.kind == 'user' ||
+    self.annotations.any? { |a| api_key_annotation_true?(a) }
   end
 
   def login

diff --git a/cucumber/api/features/authenticate.feature b/cucumber/api/features/authenticate.feature
@@ -165,20 +165,20 @@ Feature: Exchange a role's API key for a signed authentication token
       cucumber:host:app failed to authenticate with authenticator authn
     """
 
-  #@negative @acceptance
-  #Scenario: Attempting to use host API key to authenticate host without api key result in 401 error
-  #  Given I save my place in the audit log file for remote
-  #  When I POST "/authn/cucumber/host%2FappNoApiKey/authenticate" with plain text body ""
-  #  Then the HTTP response status code is 401
-  #  And there is an audit record matching:
-  #  """
-  #    <84>1 * * conjur * authn
-  #    [subject@43868 role="cucumber:host:appNoApiKey"]
-  #    [auth@43868 user="cucumber:host:appNoApiKey" authenticator="authn" service="cucumber:webservice:conjur/authn"]
-  #    [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
-  #    [action@43868 result="failure" operation="authenticate"]
-  #    cucumber:host:appNoApiKey failed to authenticate with authenticator authn
-  #  """
+  @negative @acceptance
+  Scenario: Attempting to use host API key to authenticate host without api key result in 401 error
+    Given I save my place in the audit log file for remote
+    When I POST "/authn/cucumber/host%2FappNoApiKey/authenticate" with plain text body ""
+    Then the HTTP response status code is 401
+    And there is an audit record matching:
+    """
+      <84>1 * * conjur * authn
+      [subject@43868 role="cucumber:host:appNoApiKey"]
+      [auth@43868 user="cucumber:host:appNoApiKey" authenticator="authn" service="cucumber:webservice:conjur/authn"]
+      [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+      [action@43868 result="failure" operation="authenticate"]
+      cucumber:host:appNoApiKey failed to authenticate with authenticator authn
+    """
 
   @negative @acceptance
   Scenario: Attempting to use an invalid API key to authenticate with Accept-Encoding base64 result in 401 error

diff --git a/cucumber/api/features/authn_optional_api_key.feature b/cucumber/api/features/authn_optional_api_key.feature
@@ -1,4 +1,4 @@
-@api @skip
+@api
 Feature: API key for host is created and removed based on host's annotation
   Background:
     Given I am the super-user

diff --git a/cucumber/api/features/edge/internal/edge_hosts.feature b/cucumber/api/features/edge/internal/edge_hosts.feature
@@ -62,10 +62,10 @@ Feature: Fetching host from edge endpoint
     """
     [{"name": "authn/api-key", "value": "true"}]
     """
-    #And the JSON at "hosts/2/annotations" should be:
-    #"""
-    #[]
-    #"""
+    And the JSON at "hosts/2/annotations" should be:
+    """
+    []
+    """
 
   @acceptance
   Scenario: Fetching hosts with parameters

diff --git a/cucumber/api/features/host_factory_create_host.feature b/cucumber/api/features/host_factory_create_host.feature
@@ -17,7 +17,7 @@ Feature: Create a host using the host factory.
       "annotations" : [],
       "id": "cucumber:host:host-01",
       "owner": "cucumber:host_factory:the-layer-factory",
-      "api_key": "@response_api_key@",
+      "api_key": null,
       "permissions": [],
       "restricted_to": []
     }

diff --git a/cucumber/api/features/host_factory_rotate_host.feature b/cucumber/api/features/host_factory_rotate_host.feature
@@ -62,6 +62,8 @@ Feature: Rotate a host api key using the host factory.
     - !host
       id: brand-new-host
       owner: !host-factory database/users
+      annotations:
+        authn/api-key: true
     """
     And I create a host factory token for "database/users"
     And I authorize the request with the host factory token
@@ -70,7 +72,7 @@ Feature: Rotate a host api key using the host factory.
     And our JSON should be:
     """
     {
-      "annotations" : [],
+      "annotations" : [{"name": "authn/api-key", "policy": "cucumber:policy:root", "value": "true"}],
       "id": "cucumber:host:brand-new-host",
       "owner": "cucumber:host_factory:database/users",
       "policy": "cucumber:policy:root",

diff --git a/cucumber/api/features/policy_load_response.feature b/cucumber/api/features/policy_load_response.feature
@@ -12,7 +12,10 @@ Feature: Policy load response
       - !layer
 
     - !user bob
-    - !host host-01
+    - !host
+      id: host-01
+      annotations:
+        authn/api-key: true
     """
     Then the JSON should have "created_roles"
     And the JSON at "created_roles" should have 2 entries

diff --git a/cucumber/api/features/retrieve_api_key.feature b/cucumber/api/features/retrieve_api_key.feature
@@ -16,7 +16,7 @@ Feature: Retrieving an API key with conjurctl
     When I retrieve an API key for user "cucumber:user:non-existing-user" using conjurctl
     Then the stderr includes the error "role does not exist"
 
-  @smoke @skip
+  @smoke
   Scenario: Retrieve an API key for a host
     Given I have host "api_key_host"
     And I have host "without_api_key_host" without api key

diff --git a/cucumber/api/features/rotate_api_key.feature b/cucumber/api/features/rotate_api_key.feature
@@ -316,7 +316,7 @@ Feature: Rotate the API key of a role
     cucumber:host:privileged_host successfully rotated their API key
     """
 
-  @negative @acceptance @skip
+  @negative @acceptance
   Scenario: A Host without api key CANNOT rotate their own API key
     Given I save my place in the audit log file
     When I PUT "/authn/cucumber/api_key?role=host:privileged_host_without_apikey" with username "host/privileged_host_without_apikey" and password ":cucumber:host:api_key"
@@ -358,7 +358,7 @@ Feature: Rotate the API key of a role
     """
 
    # A host with update permission rotating host without api key
-  @negative @acceptance @skip
+  @negative @acceptance
   Scenario: A Host with update privilege CANNOT rotate host API key that doesn't have api key
     Given I login as "host/privileged_host"
     And I save my place in the audit log file

diff --git a/cucumber/authenticators_azure/features/authn_azure_bad_configuration.feature b/cucumber/authenticators_azure/features/authn_azure_bad_configuration.feature
@@ -23,7 +23,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
         resource: !webservice
     """
     And I am the super-user
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
@@ -55,7 +55,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
         resource: !webservice
     """
     And I am the super-user
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
@@ -81,7 +81,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
       - !group apps
     """
     And I am the super-user
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
     And I successfully set Azure provider-uri variable with the correct values
@@ -114,7 +114,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
           resource: !webservice
     """
     And I am the super-user
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
     And I successfully set Azure provider-uri variable with the correct values
@@ -148,7 +148,7 @@ Feature: Azure Authenticator - Bad authenticator configuration leads to an error
     """
     And I am the super-user
     And I add the secret value "http://127.0.0.1.com/" to the resource "cucumber:variable:conjur/authn-azure/prod/provider-uri"
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
     And I fetch a non-assigned-identity Azure access token from inside machine

diff --git a/cucumber/authenticators_azure/features/authn_azure_basic_host.feature b/cucumber/authenticators_azure/features/authn_azure_basic_host.feature
@@ -27,7 +27,7 @@ Feature: Azure Authenticator - Hosts can authenticate with Azure authenticator
     """
     And I am the super-user
     And I successfully set Azure provider-uri variable with the correct values
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
 

diff --git a/cucumber/authenticators_azure/features/authn_azure_hosts.feature b/cucumber/authenticators_azure/features/authn_azure_hosts.feature
@@ -27,7 +27,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @smoke
   Scenario: Host with user-assigned-identity annotation is authorized
-    And I have host "user-assigned-identity-app"
+    And I have host "user-assigned-identity-app" without api key
     And I set subscription-id annotation to host "user-assigned-identity-app"
     And I set resource-group annotation to host "user-assigned-identity-app"
     And I set user-assigned-identity annotation to host "user-assigned-identity-app"
@@ -38,7 +38,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @smoke
   Scenario: Host with system-assigned-identity annotation is authorized
-    And I have host "system-assigned-identity-app"
+    And I have host "system-assigned-identity-app" without api key
     And I set subscription-id annotation to host "system-assigned-identity-app"
     And I set resource-group annotation to host "system-assigned-identity-app"
     And I set system-assigned-identity annotation to host "system-assigned-identity-app"
@@ -49,7 +49,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host without resource-group annotation is denied
-    And I have host "no-resource-group-app"
+    And I have host "no-resource-group-app" without api key
     And I set subscription-id annotation to host "no-resource-group-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "no-resource-group-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
@@ -63,7 +63,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host without subscription-id annotation is denied
-    And I have host "no-subscription-id-app"
+    And I have host "no-subscription-id-app" without api key
     And I set resource-group annotation to host "no-subscription-id-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "no-subscription-id-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
@@ -77,7 +77,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host without any Azure annotation is denied
-    And I have host "no-azure-annotations-app"
+    And I have host "no-azure-annotations-app" without api key
     And I grant group "conjur/authn-azure/prod/apps" to host "no-azure-annotations-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
     And I save my place in the log file
@@ -90,7 +90,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host with both identity Azure annotations is denied
-    And I have host "illegal-combination-app"
+    And I have host "illegal-combination-app" without api key
     And I set resource-group annotation to host "illegal-combination-app"
     And I set subscription-id annotation to host "illegal-combination-app"
     And I set system-assigned-identity annotation to host "illegal-combination-app"
@@ -107,7 +107,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host with incorrect subscription-id Azure annotation is denied
-    And I have host "incorrect-subscription-id-app"
+    And I have host "incorrect-subscription-id-app" without api key
     And I set resource-group annotation to host "incorrect-subscription-id-app"
     And I set subscription-id annotation with incorrect value to host "incorrect-subscription-id-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "incorrect-subscription-id-app"
@@ -122,7 +122,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host with incorrect resource-group Azure annotation is denied
-    And I have host "incorrect-resource-group-app"
+    And I have host "incorrect-resource-group-app" without api key
     And I set subscription-id annotation to host "incorrect-resource-group-app"
     And I set resource-group annotation with incorrect value to host "incorrect-resource-group-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "incorrect-resource-group-app"
@@ -137,7 +137,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host with incorrect user-assigned-identity annotation is denied
-    And I have host "incorrect-user-assigned-identity-app"
+    And I have host "incorrect-user-assigned-identity-app" without api key
     And I set subscription-id annotation to host "incorrect-user-assigned-identity-app"
     And I set resource-group annotation to host "incorrect-user-assigned-identity-app"
     And I set user-assigned-identity annotation with incorrect value to host "incorrect-user-assigned-identity-app"
@@ -153,7 +153,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host with incorrect system-assigned-identity annotation is denied
-    And I have host "incorrect-system-assigned-identity-app"
+    And I have host "incorrect-system-assigned-identity-app" without api key
     And I set subscription-id annotation to host "incorrect-system-assigned-identity-app"
     And I set resource-group annotation to host "incorrect-system-assigned-identity-app"
     And I set system-assigned-identity annotation with incorrect value to host "incorrect-system-assigned-identity-app"
@@ -184,7 +184,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
 
   @negative @acceptance
   Scenario: Host that is not in the permitted group is denied
-    And I have host "non-permitted-app"
+    And I have host "non-permitted-app" without api key
     And I set Azure annotations to host "non-permitted-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
     And I save my place in the log file
@@ -200,7 +200,7 @@ Feature: Azure Authenticator - Different Hosts can authenticate with Azure authe
   # We run it again here to verify that we write a message to the audit log
   @acceptance
   Scenario: Authentication failure is written to the audit log
-    And I have host "no-resource-group-app"
+    And  I have host "no-resource-group-app" without api key
     And I set subscription-id annotation to host "no-resource-group-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "no-resource-group-app"
     And I fetch a non-assigned-identity Azure access token from inside machine

diff --git a/cucumber/authenticators_azure/features/authn_azure_performance.feature b/cucumber/authenticators_azure/features/authn_azure_performance.feature
@@ -26,7 +26,7 @@ Feature: Azure Authenticator - Performance tests
     """
     And I am the super-user
     And I successfully set Azure provider-uri variable with the correct values
-    And I have host "test-app"
+    And I have host "test-app" without api key
     And I set Azure annotations to host "test-app"
     And I grant group "conjur/authn-azure/prod/apps" to host "test-app"
 
@@ -50,7 +50,7 @@ Feature: Azure Authenticator - Performance tests
 
   @performance @negative
   Scenario: Unsuccessful requests with invalid resource restrictions
-    Given I have host "no-azure-annotations-app"
+    Given I have host "no-azure-annotations-app" without api key
     And I grant group "conjur/authn-azure/prod/apps" to host "no-azure-annotations-app"
     And I fetch a non-assigned-identity Azure access token from inside machine
     When I authenticate 1000 times in 10 threads via Azure with token as host "no-azure-annotations-app"