Remove support for Conjur v4

This version of the Conjur server is no longer supported for authn-k8s
so we can remove its code from the project to ease its readability
and maintainability.

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   This change breaks the API.
   [cyberark/conjur-authn-k8s-client#180](https://github.com/cyberark/conjur-authn-k8s-client/issues/180)
 
+### Removed
+- The conjur-authn-k8s-client no longer supports Conjur v4.
+  [cyberark/conjur-authn-k8s-client#183](https://github.com/cyberark/conjur-authn-k8s-client/issues/183)
+
 ## [0.19.0] - 2020-10-08
 ### Added
 - Users can set the `DEBUG` environment variable to run the client in debug mode and view more log messages.

README.md

@@ -33,7 +33,6 @@ questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/
 - `CONTAINER_MODE`: Set this to `init` to run as an init container that will exit after performing authentication. All other values (including blank) will cause the container to run as a sidecar.
 
 ## Conjur
-- `CONJUR_VERSION`: Conjur version ('4' or '5', defaults to '5'). Must use a string value in the manifest due to YAML parsing not handling integer values well.
 - `CONJUR_ACCOUNT`: Conjur account name
 - `CONJUR_AUTHN_URL`: URL pointing to authenticator service endpoint
 - `CONJUR_AUTHN_LOGIN`: Host login for pod e.g. `namespace/service_account/some_service_account`

pkg/authenticator/authenticator.go

@@ -121,7 +121,7 @@ func (auth *Authenticator) Login() error {
 		Type: "CERTIFICATE REQUEST", Bytes: csrRawBytes,
 	})
 
-	req, err := LoginRequest(auth.Config.URL, auth.Config.ConjurVersion, csrBytes, auth.Config.Username.Prefix)
+	req, err := LoginRequest(auth.Config.URL, csrBytes, auth.Config.Username.Prefix)
 	if err != nil {
 		return err
 	}
@@ -216,12 +216,7 @@ func (auth *Authenticator) Authenticate() error {
 		return err
 	}
 
-	parsedResponse, err := auth.parseAuthenticationResponse(authenticationResponse)
-	if err != nil {
-		return err
-	}
-
-	err = auth.AccessToken.Write(parsedResponse)
+	err = auth.AccessToken.Write(authenticationResponse)
 	if err != nil {
 		return err
 	}
@@ -272,7 +267,6 @@ func (auth *Authenticator) sendAuthenticationRequest() ([]byte, error) {
 
 	req, err := AuthenticateRequest(
 		auth.Config.URL,
-		auth.Config.ConjurVersion,
 		auth.Config.Account,
 		auth.Config.Username.FullUsername,
 	)
@@ -293,25 +287,6 @@ func (auth *Authenticator) sendAuthenticationRequest() ([]byte, error) {
 	return utils.ReadResponseBody(resp)
 }
 
-// parseAuthenticationResponse takes the response from the Authenticate
-// request, decrypts if needed, and returns it
-func (auth *Authenticator) parseAuthenticationResponse(response []byte) ([]byte, error) {
-	var content []byte
-	var err error
-
-	// Token is only encrypted in Conjur v4
-	if auth.Config.ConjurVersion == "4" {
-		content, err = decodeFromPEM(response, auth.PublicCert, auth.privateKey)
-		if err != nil {
-			return nil, log.RecordedError(log.CAKC020)
-		}
-	} else if auth.Config.ConjurVersion == "5" {
-		content = response
-	}
-
-	return content, nil
-}
-
 // generateSANURI returns the formatted uri(SPIFFEE format for now) for the certificate.
 func generateSANURI(namespace, podname string) (string, error) {
 	if namespace == "" || podname == "" {

pkg/authenticator/config/config.go

@@ -1,7 +1,6 @@
 package config
 
 import (
-	"fmt"
 	"io/ioutil"
 	"os"
 	"time"
@@ -17,7 +16,6 @@ type Config struct {
 	ClientCertPath            string
 	ClientCertRetryCountLimit int
 	ContainerMode             string
-	ConjurVersion             string
 	InjectCertLogPath         string
 	PodName                   string
 	PodNamespace              string
@@ -34,8 +32,6 @@ const (
 	DefaultInjectCertLogPath = "/tmp/conjur_copy_text_output.log"
 	DefaultTokenFilePath     = "/run/conjur/access-token"
 
-	DefaultConjurVersion = "5"
-
 	// DefaultTokenRefreshTimeout is the default time the system waits to reauthenticate on error
 	DefaultTokenRefreshTimeout = "6m0s"
 
@@ -127,19 +123,6 @@ func populateConfig() (*Config, error) {
 		URL:           os.Getenv("CONJUR_AUTHN_URL"),
 	}
 
-	// Only versions '4' & '5' are allowed, with '5' being used as the default
-	config.ConjurVersion = DefaultConjurVersion
-	switch os.Getenv("CONJUR_VERSION") {
-	case "4":
-		config.ConjurVersion = "4"
-	case "5":
-		break // Stick with default
-	case "":
-		break // Stick with default
-	default:
-		return nil, log.RecordedError(log.CAKC021, fmt.Errorf("invalid conjur version"))
-	}
-
 	// Parse token refresh rate if one is provided from env
 	tokenRefreshTimeout, err := utils.DurationFromEnvOrDefault(
 		"CONJUR_TOKEN_TIMEOUT",

pkg/authenticator/config/config_test.go

@@ -2,7 +2,6 @@ package config
 
 import (
 	"bytes"
-	"fmt"
 	"log"
 	"os"
 	"testing"
@@ -42,55 +41,7 @@ func TestAuthenticator(t *testing.T) {
 		}
 	}()
 
-	TestCases := []struct {
-		description string
-		envVersion  string
-		expVersion  string
-		expErrStr   string
-	}{
-		{
-			description: "Succeeds if version is 4",
-			envVersion:  "4",
-			expVersion:  "4",
-			expErrStr:   "",
-		},
-		{
-			description: "Succeeds if version is 5",
-			envVersion:  "5",
-			expVersion:  "5",
-			expErrStr:   "",
-		},
-		{
-			description: "Sets the default version for an empty value",
-			envVersion:  "",
-			expVersion:  DefaultConjurVersion,
-			expErrStr:   "",
-		},
-		{
-			description: "Returns error if version is invalid",
-			envVersion:  "3",
-			expVersion:  "",
-			expErrStr:   fmt.Sprintf(logger.CAKC021, "invalid conjur version"),
-		},
-	}
-
-	Convey("NewFromEnv", t, func() {
-		for _, tc := range TestCases {
-			Convey(tc.description, func() {
-				_ = os.Setenv("CONJUR_VERSION", tc.envVersion)
-
-				config, err := FromEnv(successfulMockReadFile)
-
-				if tc.expErrStr == "" {
-					So(err, ShouldBeNil)
-					So(config.ConjurVersion, ShouldEqual, tc.expVersion)
-				} else {
-					So(err, ShouldNotBeNil)
-					So(err.Error(), ShouldEqual, tc.expErrStr)
-				}
-			})
-		}
-
+	Convey("FromEnv", t, func() {
 		Convey("Debug logs are enabled if DEBUG env var is 'true'", func() {
 			_ = os.Setenv("DEBUG", "true")
 

pkg/authenticator/requests.go

@@ -10,14 +10,8 @@ import (
 )
 
 // LoginRequest sends a login request
-func LoginRequest(authnURL string, conjurVersion string, csrBytes []byte, usernamePrefix string) (*http.Request, error) {
-	var authenticateURL string
-
-	if conjurVersion == "4" {
-		authenticateURL = fmt.Sprintf("%s/users/login", authnURL)
-	} else if conjurVersion == "5" {
-		authenticateURL = fmt.Sprintf("%s/inject_client_cert", authnURL)
-	}
+func LoginRequest(authnURL string, csrBytes []byte, usernamePrefix string) (*http.Request, error) {
+	authenticateURL := fmt.Sprintf("%s/inject_client_cert", authnURL)
 
 	log.Debug(log.CAKC045, authenticateURL)
 
@@ -32,16 +26,11 @@ func LoginRequest(authnURL string, conjurVersion string, csrBytes []byte, userna
 }
 
 // AuthenticateRequest sends an authenticate request
-func AuthenticateRequest(authnURL string, conjurVersion string, account string, username string) (*http.Request, error) {
-	var authenticateURL string
+func AuthenticateRequest(authnURL string, account string, username string) (*http.Request, error) {
 	var err error
 	var req *http.Request
 
-	if conjurVersion == "4" {
-		authenticateURL = fmt.Sprintf("%s/users/%s/authenticate", authnURL, url.QueryEscape(username))
-	} else if conjurVersion == "5" {
-		authenticateURL = fmt.Sprintf("%s/%s/%s/authenticate", authnURL, account, url.QueryEscape(username))
-	}
+	authenticateURL := fmt.Sprintf("%s/%s/%s/authenticate", authnURL, account, url.QueryEscape(username))
 
 	log.Debug(log.CAKC046, authenticateURL)
 

pkg/authenticator/requests_test.go

@@ -8,14 +8,13 @@ import (
 
 func TestRequests(t *testing.T) {
 	Convey("LoginRequest", t, func() {
-		conjurVersion := "5"
 		authnURL := "dummyURL"
 		csrBytes := []byte("dummyCSRBytes")
 
 		Convey("Given a host's username prefix", func() {
 			usernamePrefix := "host.path.to.policy"
 
-			req, err := LoginRequest(authnURL, conjurVersion, csrBytes, usernamePrefix)
+			req, err := LoginRequest(authnURL, csrBytes, usernamePrefix)
 			Convey("Finishes without raising an error", func() {
 				So(err, ShouldBeNil)
 			})

pkg/log/log_messages.go

@@ -32,7 +32,6 @@ const CAKC016 string = "CAKC016 Failed to authenticate"
 const CAKC017 string = "CAKC017 Failed to parse key-pair from pem. Reason: %s"
 const CAKC018 string = "CAKC018 Failed to instantiate authenticator configuration"
 const CAKC019 string = "CAKC019 Failed to instantiate authenticator object"
-const CAKC020 string = "CAKC020 Failed to parse authentication response"
 const CAKC021 string = "CAKC021 Failed to read SSL Certificate. Reason: %s"
 const CAKC022 string = "CAKC022 Failed to read body of authenticate HTTP response. Reason: %s"
 const CAKC023 string = "CAKC023 Failed to create new authenticate HTTP request. Reason: %s"