500 on login with empty username
hughsaunders opened this issue · comments
Summary
When a user tries to login to conjur with an empty username, the server responds with 500. I would expect 401.
Steps to Reproduce
- Deploy conjur via conjur-quickstart.
- Exec into the client container and try to login, press enter when prompted for a username and supply any value for the password:

```
15:08 $ docker exec -it conjur_client bash
root@99eb7ba03fbb:/# conjur authn login
Enter your username to log into Conjur:
Please enter your password (it will not be echoed):
error: 500 Internal Server Error
```
Expected Results
I expect Conjur to return 401 with an empty username. Currently if the password is empty 401 is returned. I think it should be the same for an empty username.
Actual Results (including error logs, if applicable)
Server returns 500.
Example server log:
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Started GET "/authn/conjur/login" for 172.21.0.7 at 2021-07-19 15:14:18 +0000
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Processing by AuthenticateController#login as */*
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Parameters: {:controller=>"authenticate", :action=>"login", :authenticator=>"authn", :account=>"conjur"}
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] CONJ00047I Login Error: #<Dry::Struct::Error: [Authentication::AuthenticatorInput.new] "" (String) has invalid type for :username violates constraints (format?(/\S+/, "") failed)>
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:38:in `login_input'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:31:in `authenticator_login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:14:in `block in perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:13:in `perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/authenticate_controller.rb:73:in `login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/application_controller.rb:79:in `run_with_transaction'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/lib/rack/remove_request_parameters.rb:26:in `call'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/lib/rack/default_content_type.rb:68:in `call'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Completed 500 Internal Server Error in 6ms
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50]
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Dry::Struct::Error ([Authentication::AuthenticatorInput.new] "" (String) has invalid type for :username violates constraints (format?(/\S+/, "") failed)):
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50]
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:38:in `login_input'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:31:in `authenticator_login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:14:in `block in perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:13:in `perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/authenticate_controller.rb:73:in `login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/application_controller.rb:79:in `run_with_transaction'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] lib/rack/remove_request_parameters.rb:26:in `call'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] lib/rack/default_content_type.rb:68:in `call'
Reproducible
- Always
- Sometimes
- Non-Reproducible
Version/Tag number
This was with cyberark/conjur:edge
the specific git commit was:

```
16:14 $ docker exec -it conjur_server bash -c 'cat conjur_git_commit'
7dbdf99435ef7b5868808c7237636610d676ebe7
```
Environment setup
Conjur-Quickstart docker-compose environment.
Additional Information
I noticed this while reviewing 500 errors in server logs. I'd rather not have to investigate a potential crash when it was just a failed login attempt.
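The log above shows the mechanism: `login_input` builds an `Authentication::AuthenticatorInput` struct, the `format?(/\S+/)` constraint on `:username` rejects the empty string, and the resulting `Dry::Struct::Error` is never rescued, so Rails reports a generic 500. The example below is added to this page and is not Conjur's code; it is a stand-alone Ruby sketch (no `dry-struct` dependency) that reproduces the same constraint, parses the HTTP Basic credentials a `conjur authn login` sends, and contrasts an unguarded handler (500) with one that maps input-constraint failures to 401. `InputConstraintError`, `handle_login`, `handle_login_unguarded`, `parse_basic_auth`, `valid_credentials?` and the `SAMPLE_USERS` table are all assumptions made for the example.

```ruby
require 'base64'

# Assumed for the example: plays the role of Dry::Struct::Error in the log.
class InputConstraintError < StandardError; end

# Minimal stand-in for Authentication::AuthenticatorInput with the one
# constraint visible in the log: username must match /\S+/ (non-blank).
class AuthenticatorInput
  USERNAME_FORMAT = /\S+/
  attr_reader :authenticator, :account, :username, :credentials

  def initialize(authenticator:, account:, username:, credentials:)
    unless username.is_a?(String) && username.match?(USERNAME_FORMAT)
      raise InputConstraintError,
            "#{username.inspect} (String) has invalid type for :username " \
            "violates constraints (format?(#{USERNAME_FORMAT.inspect}, #{username.inspect}) failed)"
    end
    @authenticator = authenticator
    @account = account
    @username = username
    @credentials = credentials
  end
end

# Parse an HTTP Basic "Authorization" header into [username, password].
# Returns nil for a missing, non-Basic or non-base64 header.
def parse_basic_auth(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  decoded = Base64.strict_decode64(header.delete_prefix('Basic '))
  user, _sep, pass = decoded.partition(':')
  [user, pass]
rescue ArgumentError
  nil
end

# Constructed credential table standing in for a real credential check.
SAMPLE_USERS = { 'admin' => 'secret' }.freeze

def valid_credentials?(input)
  expected = SAMPLE_USERS[input.username]
  # A real implementation would use a constant-time comparison here.
  !expected.nil? && expected == input.credentials
end

# Shared body: everything that can legitimately raise lives here.
def login_core(env, account:, authenticator:)
  creds = parse_basic_auth(env['HTTP_AUTHORIZATION'])
  return [401, 'Unauthorized'] if creds.nil?
  username, password = creds
  # Empty password is already a clean 401 in the reported behaviour.
  return [401, 'Unauthorized'] if password.empty?

  input = AuthenticatorInput.new(authenticator: authenticator, account: account,
                                 username: username, credentials: password)
  return [401, 'Unauthorized'] unless valid_credentials?(input)
  [200, 'api-key']
end

# "Before": the constraint error propagates and is reported as a crash.
def handle_login_unguarded(env, account: 'conjur', authenticator: 'authn')
  login_core(env, account: account, authenticator: authenticator)
rescue StandardError
  [500, 'Internal Server Error']
end

# "After": a constraint failure on caller-supplied input is a failed login,
# so it is answered with 401; only genuinely unexpected errors stay 500.
def handle_login(env, account: 'conjur', authenticator: 'authn')
  login_core(env, account: account, authenticator: authenticator)
rescue InputConstraintError
  [401, 'Unauthorized']
rescue StandardError
  [500, 'Internal Server Error']
end

# Helper to build the Basic auth header the CLI would send.
def basic_env(username, password)
  { 'HTTP_AUTHORIZATION' => 'Basic ' + Base64.strict_encode64("#{username}:#{password}") }
end

if __FILE__ == $PROGRAM_NAME
  p handle_login_unguarded(basic_env('', 'anything'))  # [500, ...] as in the issue
  p handle_login(basic_env('', 'anything'))            # [401, ...] expected behaviour
end
```

The key design point is that the rescue sits at the controller boundary where the input struct is built (the `login_input` frame in the trace), and it distinguishes the input-validation error class from everything else, so an empty or whitespace-only username becomes an ordinary authentication failure in the logs rather than something that looks like a server fault.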