cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities

Home Page:https://conjur.org


500 on login with empty username

hughsaunders opened this issue · comments

Summary

When a user tries to login to conjur with an empty username, the server responds with 500. I would expect 401.

Steps to Reproduce

  1. Deploy conjur via conjur-quickstart.

  2. Exec into the client container and try to login, press enter when prompted for a username and supply any value for the password:

       15:08 $ docker exec -it conjur_client bash
       root@99eb7ba03fbb:/# conjur authn login
       Enter your username to log into Conjur: 
       Please enter your password (it will not be echoed): 

       error: 500 Internal Server Error

Expected Results

I expect Conjur to return 401 with an empty username. Currently, if the password is empty, 401 is returned. I think it should be the same for an empty username.

Actual Results (including error logs, if applicable)

Server returns 500.

Example server log:

[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Started GET "/authn/conjur/login" for 172.21.0.7 at 2021-07-19 15:14:18 +0000
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Processing by AuthenticateController#login as */*
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50]   Parameters: {:controller=>"authenticate", :action=>"login", :authenticator=>"authn", :account=>"conjur"}
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] CONJ00047I Login Error: #<Dry::Struct::Error: [Authentication::AuthenticatorInput.new] "" (String) has invalid type for :username violates constraints (format?(/\S+/, "") failed)>
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:38:in `login_input'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:31:in `authenticator_login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:14:in `block in perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/concerns/basic_authenticator.rb:13:in `perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/authenticate_controller.rb:73:in `login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/app/controllers/application_controller.rb:79:in `run_with_transaction'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/lib/rack/remove_request_parameters.rb:26:in `call'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] /opt/conjur-server/lib/rack/default_content_type.rb:68:in `call'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Completed 500 Internal Server Error in 6ms
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50]   
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] Dry::Struct::Error ([Authentication::AuthenticatorInput.new] "" (String) has invalid type for :username violates constraints (format?(/\S+/, "") failed)):
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50]   
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:38:in `login_input'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:31:in `authenticator_login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:14:in `block in perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/concerns/basic_authenticator.rb:13:in `perform_basic_authn'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/authenticate_controller.rb:73:in `login'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] app/controllers/application_controller.rb:79:in `run_with_transaction'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] lib/rack/remove_request_parameters.rb:26:in `call'
[origin=172.21.0.7] [request_id=c5481771-9e44-4feb-b03b-d7c314deb303] [tid=50] lib/rack/default_content_type.rb:68:in `call'

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

This was with cyberark/conjur:edge; the specific git commit was:

16:14 $ docker exec -it conjur_server bash -c 'cat conjur_git_commit'
7dbdf99435ef7b5868808c7237636610d676ebe7

Environment setup

Conjur-Quickstart docker-compose environment.

Additional Information

I noticed this while reviewing 500 errors in server logs. I'd rather not have to investigate a potential crash when it was just a failed login attempt.
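The failure path shown in the server log (a constraint error raised while building the authenticator input escapes the login action, so the Rack layer answers 500) next to a handler that treats the same failure as an ordinary failed login, as an added example that is not part of the original issue or of Conjur's own code. It uses plain Ruby classes in place of the dry-struct gem, and the names `InputValidationError`, `login_unhandled`, `login_handled`, `dispatch` and the `SAMPLE_USERS` table are assumptions constructed for the example.

```ruby
# Added example, not Conjur code: a stand-in for the pattern visible in the
# issue's log, written without the dry-struct gem so it runs on plain Ruby.

# Assumed name: plays the role of Dry::Struct::Error in the log.
class InputValidationError < StandardError; end

# Stand-in for Authentication::AuthenticatorInput: validates at construction,
# the way the struct in the log applies format?(/\S+/) to :username.
class AuthenticatorInput
  attr_reader :username, :password

  USERNAME_FORMAT = /\S+/

  def initialize(username:, password:)
    unless username.is_a?(String) && username.match?(USERNAME_FORMAT)
      raise InputValidationError,
            "#{username.inspect} has invalid type for :username " \
            "(format?(#{USERNAME_FORMAT.inspect}) failed)"
    end
    @username = username
    @password = password
  end
end

# Constructed sample credential store for the example; not real data.
SAMPLE_USERS = { "alice" => "correct horse battery staple" }.freeze

def credentials_valid?(input)
  SAMPLE_USERS[input.username] == input.password
end

# "Before": an empty password is rejected up front with 401, but an empty
# username reaches the struct, whose constraint error is never rescued.
# In a Rack/Rails app an unrescued exception becomes 500.
def login_unhandled(username:, password:)
  return [401, "Unauthorized"] if password.nil? || password.empty?

  input = AuthenticatorInput.new(username: username, password: password)
  credentials_valid?(input) ? [200, "api-key-placeholder"] : [401, "Unauthorized"]
end

# "After": malformed credentials are a client error, so the constraint failure
# is mapped to the same 401 as a wrong password. The detail goes to the
# server-side log only; the client gets the generic response.
def login_handled(username:, password:, log: [])
  input = AuthenticatorInput.new(username: username, password: password)
  credentials_valid?(input) ? [200, "api-key-placeholder"] : [401, "Unauthorized"]
rescue InputValidationError => e
  log << "Login Error: #{e.class}: #{e.message}"
  [401, "Unauthorized"]
end

# Simulates the Rack layer that turns any unrescued exception into a 500,
# so both handlers can be compared on the same input.
def dispatch(handler, **creds)
  send(handler, **creds)
rescue StandardError
  [500, "Internal Server Error"]
end

if __FILE__ == $PROGRAM_NAME
  p dispatch(:login_unhandled, username: "", password: "x")  # 500, as in the issue
  p dispatch(:login_handled, username: "", password: "x")    # 401, the expected result
end
```

Mapping the validation failure to 401 keeps the 500 count in the server log meaningful, which is the reporter's concern: a 500 should indicate a server fault worth investigating, not a client sending an empty field. Rescuing only the specific validation error, rather than `StandardError`, keeps genuine crashes on the 500 path.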