cyberark
diff --git a/‎app/db/repository/authenticator_repository.rb
Lines changed: 7 additions & 4 deletions b/‎app/db/repository/authenticator_repository.rb
Lines changed: 7 additions & 4 deletions
diff --git a/‎app/domain/authentication/authn_jwt/v2/data_objects/authenticator.rb
Lines changed: 18 additions & 4 deletions b/‎app/domain/authentication/authn_jwt/v2/data_objects/authenticator.rb
Lines changed: 18 additions & 4 deletions
diff --git a/‎app/domain/authentication/authn_jwt/v2/strategy.rb
Lines changed: 22 additions & 0 deletions b/‎app/domain/authentication/authn_jwt/v2/strategy.rb
Lines changed: 22 additions & 0 deletions
diff --git a/‎app/domain/authentication/handler/authentication_handler.rb
Lines changed: 4 additions & 0 deletions b/‎app/domain/authentication/handler/authentication_handler.rb
Lines changed: 4 additions & 0 deletions
@@ -63,14 +63,16 @@ def load_authenticator(type:, account:, service_id:)
             "#{account}:variable:conjur/#{type}/#{service_id}/%"
           )
         ).eager(:secrets).all
-
         args_list = {}.tap do |args|
           args[:account] = account
           args[:service_id] = service_id
           variables.each do |variable|
-            next unless variable.secret
 
-            args[variable.resource_id.split('/')[-1].underscore.to_sym] = variable.secret.value
+            # If variable exists but does not have a secret, set the value to an empty string.
+            # This is used downstream for validating if a variable has been set or not, and thus,
+            # what error to raise.
+            value = variable.secret ? variable.secret.value : ''
+            args[variable.resource_id.split('/')[-1].underscore.to_sym] = value
           end
         end
 
@@ -79,7 +81,8 @@ def load_authenticator(type:, account:, service_id:)
             allowed_args = %i[account service_id] +
                           @data_object.const_get(:REQUIRED_VARIABLES) +
                           @data_object.const_get(:OPTIONAL_VARIABLES)
-            args_list = args_list.select{ |key, value| allowed_args.include?(key) && value.present? }
+            # Ensure only defined parameters are added
+            args_list = args_list.select{ |key, _| allowed_args.include?(key) }
           end
           @data_object.new(**args_list)
         rescue ArgumentError => e
 
@@ -20,12 +20,12 @@ class Authenticator
             :ca_cert,
             :identity_path,
             :issuer,
-            :claim_aliases,
             :audience
 
             # moved to methods below to allow for "validation"
             # :enforced_claims,
             # :token_app_property,
+            # :claim_aliases,
           )
 
           def initialize(
@@ -54,7 +54,7 @@ def initialize(
             @issuer = issuer
             @enforced_claims = enforced_claims
             # ensure we have a string so we can split safely to generate the hash lookup
-            @claim_aliases = claim_aliases.to_s
+            @claim_aliases = claim_aliases
             @audience = audience
             @token_ttl = token_ttl
           end
@@ -69,6 +69,15 @@ def token_ttl
             raise Errors::Authentication::DataObjects::InvalidTokenTTL.new(resource_id, @token_ttl)
           end
 
+          def claim_aliases
+            if @claim_aliases == ''
+              raise Errors::Conjur::RequiredSecretMissing,
+                "#{@account}:variable:conjur/authn-jwt/#{@service_id}/claim-aliases"
+            end
+
+            @claim_aliases
+          end
+
           def token_app_property
             token_app_property = @token_app_property.to_s
             # Ensure claim contain only "allowed" characters (alpha-numeric, and: "-", "_", "/", ".")
@@ -81,6 +90,11 @@ def token_app_property
           end
 
           def enforced_claims
+            if @enforced_claims == ''
+              raise Errors::Conjur::RequiredSecretMissing,
+                "#{@account}:variable:conjur/authn-jwt/#{@service_id}/enforced-claims"
+            end
+
             @claims ||= begin
               claims = @enforced_claims.to_s.split(',').map(&:strip)
 
@@ -105,8 +119,8 @@ def denylist
           def claim_aliases_lookup
             @claim_aliases_lookup ||= begin
               {}.tap do |rtn|
-                @claim_aliases.split(',').each do |claim_alias|
-                  key, value = claim_alias.split(':').map(&:strip)
+                @claim_aliases.to_s.split(',').each do |claim_alias|
+                  key, value = claim_alias.to_s.split(':').map(&:strip)
 
                   # If alias is defined multiple times
                   if rtn.key?(key)
 
@@ -37,7 +37,27 @@ def callback(parameters:, request_body:)
               "jwks-uri and provider-uri cannot be defined simultaneously"
           end
 
+          if @authenticator.issuer == ''
+            raise Errors::Conjur::RequiredSecretMissing,
+              "#{@authenticator.account}:variable:conjur/authn-jwt/#{@authenticator.service_id}/issuer"
+          end
+
+          # Need to trigger an error if this variable is present, but has not been set...
+          # TODO: fix with validation
+          @authenticator.claim_aliases
+          # binding.pry
+
+          if @authenticator.jwks_uri == '' && @authenticator.provider_uri.nil? && @authenticator.public_keys.nil?
+            raise Errors::Conjur::RequiredSecretMissing,
+              "#{@authenticator.account}:variable:conjur/authn-jwt/#{@authenticator.service_id}/jwks-uri"
+          end
+
           if @authenticator.jwks_uri.blank? && @authenticator.provider_uri.blank? && @authenticator.public_keys.blank?
+            if @authenticator.jwks_uri.nil? && @authenticator.provider_uri.nil? && @authenticator.public_keys.nil?
+              raise Errors::Authentication::AuthnJwt::InvalidSigningKeySettings,
+                'One of the following must be defined: jwks-uri, public-keys, or provider-uri'
+            end
+
             raise Errors::Authentication::AuthnJwt::InvalidSigningKeySettings,
               'Failed to find a JWT decode option. Either `jwks-uri` or `public-keys` variable must be set'
           end
@@ -64,6 +84,8 @@ def callback(parameters:, request_body:)
               keys = @json.parse(@authenticator.public_keys)&.deep_symbolize_keys
               hash[:jwks] = keys[:value]
             elsif @authenticator.provider_uri.present?
+              # If we're validating with Provider URI, it means we're operating
+              # against an OIDC enpoint.
               begin
                 if @authenticator.issuer.present?
                   hash[:iss] = @authenticator.issuer
 
@@ -123,6 +123,10 @@ def call(request_ip:, parameters: nil, request_body: nil, action: nil)
       end
 
       def handle_error(err)
+        # Log authentication errors (but don't raise...)
+        authentication_error = LogMessages::Authentication::AuthenticationError.new(err.inspect)
+        @logger.info(authentication_error)
+
         @logger.info("#{err.class.name}: #{err.message}")
         err.backtrace.each {|l| @logger.info(l) }