From c0032990cc1512a7fff06aa0f6c70e01c0425bb0 Mon Sep 17 00:00:00 2001
From: Jason Vanderhoof
Date: Wed, 9 Aug 2023 16:59:43 -0600
Subject: [PATCH] Initial PoC for managing write-only permission at the Sequel level
---
 app/controllers/application_controller.rb | 1 +
 app/domain/errors.rb | 7 +++++++
 app/models/read_only.rb | 20 ++++++++++++++++++++
 config/environments/appliance.rb | 1 +
 config/initializers/read_only_mode.rb | 6 ++++++
 dev/start | 6 +++---
 6 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 app/models/read_only.rb
 create mode 100644 config/initializers/read_only_mode.rb
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2b53930016..b786c75cbd 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -67,6 +67,7 @@ class UnprocessableEntity < RuntimeError
 rescue_from Errors::Authorization::AccessToResourceIsForbiddenForRole, with: :forbidden
 rescue_from Errors::Conjur::RequestedResourceNotFound, with: :resource_not_found
 rescue_from Errors::Authorization::InsufficientResourcePrivileges, with: :forbidden
+ rescue_from Errors::Conjur::ReadOnly::ActionNotPermitted, with: :method_not_allowed
 around_action :run_with_transaction
diff --git a/app/domain/errors.rb b/app/domain/errors.rb
index c86787881d..7635a2e176 100644
--- a/app/domain/errors.rb
+++ b/app/domain/errors.rb
@@ -57,6 +57,13 @@ module Conjur
 msg: "Resource '{0-resource}' requested by role '{1-role}' not found",
 code: "CONJ00123E"
 )
+
+ module ReadOnly
+ ActionNotPermitted = ::Util::TrackableErrorClass.new(
+ msg: "This action is not permitted when the server is in read-only mode",
+ code: "CONJ00153E"
+ )
+ end
 end
 module Authorization
diff --git a/app/models/read_only.rb b/app/models/read_only.rb
new file mode 100644
index 0000000000..0bcbc599d2
--- /dev/null
+++ b/app/models/read_only.rb
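Review bot: Mapping `ReadOnly::ActionNotPermitted` to `method_not_allowed` on the added `rescue_from` line produces a 405, and RFC 9110 requires a 405 response to carry an `Allow` header naming the methods the resource does accept; unless the `method_not_allowed` handler (outside this hunk) already sets one, clients receive a malformed 405. Because the refusal reflects server state rather than a property of the route, 503 (optionally with `Retry-After`) or 403 may describe the situation more accurately. Whichever status is kept, document the intent on the rescue line, e.g. `# Writes are refused while the instance runs in read-only mode; see app/models/read_only.rb`.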
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Removes persistence if Conjur is operating as a read-only instance
+class Sequel::Model
+ def before_save
+ check_if_writes_permitted
+ super
+ end
+
+ def before_destroy
+ check_if_writes_permitted
+ super
+ end
+
+ def check_if_writes_permitted
+ return unless Rails.configuration.read_only
+
+ raise ::Errors::Conjur::ReadOnly::ActionNotPermitted
+ end
+end
diff --git a/config/environments/appliance.rb b/config/environments/appliance.rb
index edb0340ffb..d65f633c8f 100644
--- a/config/environments/appliance.rb
+++ b/config/environments/appliance.rb
@@ -10,4 +10,5 @@ config.middleware.use(Rack::RememberUuid)
 config.audit_socket = '/run/conjur/audit.socket'
 config.audit_database ||= 'postgres://:5433/audit'
+ config.read_only = false
 end
diff --git a/config/initializers/read_only_mode.rb b/config/initializers/read_only_mode.rb
new file mode 100644
index 0000000000..52cf9636ed
--- /dev/null
+++ b/config/initializers/read_only_mode.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+# Put Conjur into "read-only" mode
+Rails.application.configure do
+ config.read_only = true
+end
diff --git a/dev/start b/dev/start
index a18f9b120b..74a93851f1 100755
--- a/dev/start
+++ b/dev/start
@@ -15,7 +15,7 @@ fi
 # Minimal set of services. We add to this list based on cmd line flags.
 services=(pg conjur client)
-# Authenticators to enable.
+# Authenticators to enable.
 default_authenticators="authn,authn-k8s/test"
 enabled_authenticators="$default_authenticators"
@@ -80,7 +80,7 @@ main() {
 # Updates CONJUR_AUTHENTICATORS and restarts required services.
 start_auth_services
- create_alice
+ # create_alice
 kill_conjur # so dev's can restart it manually
 enter_container
 }
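Review bot: The `before_save`/`before_destroy` hooks in the new `app/models/read_only.rb` only guard instance-level writes, so dataset operations such as `Model.where(...).update(...)`, `dataset.delete`, `DB[:table].insert` or raw `DB.run`, and any subclass that overrides `before_save` without calling `super`, still reach the database while `read_only` is set. Treat this hook as defence in depth that yields the friendlier error, and have the database session or role refuse writes as the actual boundary (for example a PostgreSQL role granted only SELECT, or `default_transaction_read_only` on the session). `check_if_writes_permitted` is defined as a public method on every model and only needs to be called from the hooks, so mark it `private`. `Rails.configuration.read_only` also raises NoMethodError in any environment that never assigns the key, so either default the key in one place or guard the read, `return unless Rails.configuration.respond_to?(:read_only) && Rails.configuration.read_only`.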
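Review bot: `config/initializers/read_only_mode.rb` sets `config.read_only = true` unconditionally, and Rails evaluates `config/environments/*` before `config/initializers/*`, so the `config.read_only = false` added to `config/environments/appliance.rb` in this same patch is overwritten and every environment ends up read-only. That may be intended for a PoC, but the value needs a single authoritative source: either drop the initializer and default the key in the application config, or have the initializer derive the value from the deployment (an environment variable or a flag the appliance passes) rather than a literal `true`. A comment on whichever assignment wins, e.g. `# Overrides the per-environment default; evaluated after config/environments/*.rb`, would spare the next reader the load-order check.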
@@ -97,7 +97,7 @@ Usage: start [options]
 --authn-gcp Starts with authn-gcp as authenticator
 --authn-iam Starts with authn-iam/prod as authenticator
 --authn-jwt Starts with authn-jwt as authenticator
- --authn-ldap Starts OpenLDAP server and loads a demo policy to enable
+ --authn-ldap Starts OpenLDAP server and loads a demo policy to enable
 authentication via: 'curl -X POST -d "alice" http://localhost:3000/authn-ldap/test/cucumber/alice/authenticate'
 -h, --help Shows this help message.