Prevent status webservices from being returned on the providers endpoint

mFelgate · mFelgate · commit 588abed8238f · 2022-10-07T14:20:48.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,11 +13,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Added
 - List resources request (`GET /resources`) now produce audit events.
-  ([cyberark/conjur#2652](https://github.com/cyberark/conjur/pull/2652)
+  [cyberark/conjur#2652](https://github.com/cyberark/conjur/pull/2652)
 
 ### Changed
 - AWS Access Key Rotation now preserves only one key
 
+### Fixed
+- Removed Status webservices from the list providers endpoint
+  [cyberark/conjur#2640](https://github.com/cyberark/conjur/pull/2640)
+
 ## [1.18.4] - 2022-09-11
 
 ### Added
diff --git a/app/db/repository/authenticator_repository.rb b/app/db/repository/authenticator_repository.rb
@@ -8,11 +8,18 @@ def initialize(data_object:, resource_repository: ::Resource, logger: Rails.logg
       end
 
       def find_all(type:, account:)
+        identifier = Sequel.function(:identifier, :resource_id)
+
         @resource_repository.where(
           Sequel.like(
             :resource_id,
             "#{account}:webservice:conjur/#{type}/%"
           )
+        ).where(
+          Sequel.like(
+            identifier,
+            Authentication::InstalledAuthenticators::AUTHN_STATUS_FILTER
+          )
         ).all.map do |webservice|
           load_authenticator(account: account, id: webservice.id.split(':').last, type: type)
         end.compact
diff --git a/app/domain/authentication/installed_authenticators.rb b/app/domain/authentication/installed_authenticators.rb
@@ -4,6 +4,7 @@ module Authentication
   class InstalledAuthenticators
 
     AUTHN_RESOURCE_PREFIX = "conjur/authn-"
+    AUTHN_STATUS_FILTER = %r{conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$}
 
     class << self
       def authenticators(env, authentication_module: ::Authentication)
@@ -28,7 +29,7 @@ def configured_authenticators
           .where(identifier.like("#{AUTHN_RESOURCE_PREFIX}%"))
           .where(kind => "webservice")
           .select_map(identifier)
-          .map { |id| id[%r{^conjur/(authn(?:-[^/]+)?(?:/[^/]+)?)$}, 1] } # filter out nested status webservice
+          .map { |id| id[AUTHN_STATUS_FILTER, 1] } # filter out nested status webservice
           .compact
           .push(::Authentication::Common.default_authenticator_name)
       end
diff --git a/spec/app/db/repository/authenticator_repository_spec.rb b/spec/app/db/repository/authenticator_repository_spec.rb
@@ -89,6 +89,21 @@
               ::Role['rspec:policy:conjur/authn-oidc/baz-abc123'].destroy
             end
           end
+
+          context 'when webservices status are presents' do
+            before(:each) do
+                ::Resource.create(
+                  resource_id: "rspec:webservice:conjur/authn-oidc/foo-abc123/status",
+                  owner_id: "rspec:policy:conjur/authn-oidc/foo-abc123"
+                )
+              end
+
+            it { expect(repo.find_all(type: 'authn-oidc', account: 'rspec').length).to eq(2) }
+
+            after(:each) do
+              ::Resource['rspec:webservice:conjur/authn-oidc/foo-abc123/status'].destroy
+            end
+          end
         end
 
         after(:each) do
