cyberark / conjur-action Goto Github PK

Summary

When attempting to utilize Conjur actions against Conjur EE, accessible through Cloudflare WAF, we encounter an issue where we are unable to retrieve a base64 token.

Reproducible

• Always
• Sometimes
• Non-Reproducible

Error in GitHub actions pipeline:

Malformed authorization token

Steps to Reproduce

In order to troubleshoot this issue we have created two tests:

1. The first test is directly going to Conjur without any interference of a proxy
2. The second test (and this is our main case) connecting to Conjur via the Cloudflare WAF.

We performed the test with the following code:

token=$(curl --request POST --data "$INPUT_API_KEY" "$INPUT_URL/authn/$INPUT_ACCOUNT/$hostId/authenticate" --header "Content-Type: application/x-www-form-urlencoded" --header "Accept-Encoding: base64")

echo $token

Output of test scenario one (directly to Conjur via LAN)

eyJwcm90ZWN0ZWQiOiJleUpoYkdjaU9pSmpiMjVxZFhJdWIzSm5MM05zYjNOcGJHOHZkaklpTENKcmFXUWlPaUl3TUdRd1l6TTJORFZoTkRZeVl6RTFaR1ppTnpka1lXVmlNR0UxTURoa01qRTBZVFpqWmprMFlURmpOVEV4WXpnNFpHSmtNVGt5TVRNMU5tRTFaVFl6SW4wPSIsInBheWxvYWQiOiJleUp6ZFdJaU9pSm9iM04wTDFaaGRXeDBMMkYxZEdodUwwTnZibXAxY2w5RFRrcFNYMEZrYldsdVgxQXZaR1ZzWldkaGRHbHZiaTluYVhSb2RXSXRjMlZ5ZG1WeU1TSXNJbVY0Y0NJNk1UWTVPVEE1TURBeE5Dd2lhV0YwSWpveE5qazVNRGc1TlRNMGZRPT0iLCJzaWduYXR1cmUiOiJaQVFMajV2c2tyOFBMTndpclZDUlBQeVYzM3pTdXUyQzZyZGVJTi1YRDZ6U2ZfbWRCV1pQMF8wQWs4RzNKMEltUWRLNndkcU1GM2otQkJQRDlvVk1ST09oN0NoRVJSaEV2RGp3SUNJWi1obE53STdxV1JsajFPeHdPT2loWERYWVNSZEJsZFZSQzB0X2JYNW5lZ0FkUFlRekRqSFk3cEJPRHRvSTQtdWc1ZVNEbEc5SDFFYjlIM2VMMnc0M1dOM3paX081QThhRE1MQmxVLTlFVTRCT0t3OU02bXpkNV96YzZ4ZUxrRDVLWEh1UEtfY1REdDhTYTlyRUgwb01tbXBBYXN6bnVTR3JzVk1KNC1yaVVpM19OQ014ZE10LVF5OU1XbXU5SXlGNFZQVDdTMnVUbGc1a1FuWG44clhEUi1pWFJkenRnTVBGQ2hfUkotbmsxU2t3dy1Fd0J0M19yeWdfdEpGdEhRNG02QjNRY2NMbFpvSFd5TWRsN3RSNm5sbGIifQ==

Output of test scenario two (to Conjur via Cloudflare WAF)

{
  "protected": "eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiIwMGQwYzM2NDVhNDYyYzE1ZGZiNzdkYWViMGE1MDhkMjE0YTZjZjk0YTFjNTExYzg4ZGJkMTkyMTM1NmE1ZTYzIn0=",
  "payload": "eyJzdWIiOiJob3N0L1ZhdWx0L2F1dGhuL0Nvbmp1cl9DTkpSX0FkbWluX1AvZGVsZWdhdGlvbi9naXRodWItc2VydmVyMSIsImV4cCI6MTY5OTA5MDE0MiwiaWF0IjoxNjk5MDg5NjYyfQ==",
  "signature": "XLlXS_wxJp86wji74DMBxkd-qOe7bqeB3JMeWW0Ty4xwULBmzzVlCpTUrzymHxxY2BcLcEXOit2kmsSk_0q-P1C4PsqOxfJoY72U-xDr0gQp1HQ02I5WCAX7YzheQkG0z_b-H8XqJsDtuAv8k2BbmwBw80o6FP70BghRY6ku6DwHmkqklHzfTMpeaUEA8hNeSWbSwDR84iGU2MXY9b0AW4-JfL1UbUlwtOYKWCJERpRoQ72jYcOymPaIkLuH55PbKMiIHAbdrgOKJizxhwDERlymnsMW9LBEN9djjYAGt-X9fEGvg57hN3F948uAPYRMPRW30g0p2WncIeuZiR-Zw13wvn0fqk48mECIlkAGvh1uvHsj34gRHz7InPolo6uV"
}

As you can see the output (which is JSON) is not converted to base64. The reason of this is that Cloudflare consistently overrides the "Accept-Encoding: base64" header with "Accept-Encoding: gzip". Which means that the base64 request never arrives at the Conjur server.

Click here to see the documentation regarding this "feature".

Solution

In order to fix this issue the entrypoint.sh should check if the output that contains the token is base64, if not (then it is JSON) it should be encoded to base64.

Our temporary solution is converting the token to base64, since we always connect via the WAF this temporary solution is sufficient.

token=$(curl --request POST --data "$INPUT_API_KEY" "$INPUT_URL/authn/$INPUT_ACCOUNT/$hostId/authenticate" --header "Content-Type: application/x-www-form-urlencoded" --header "Accept-Encoding: base64" | base64 | tr -d '[:space:]')

Version/Tag number

Conjur EE: 13.0
Conur-Action: 2.05

Environment setup

Conjur is being accessed via the Cloudflare WAF

Consideration

We have also encountered this issue with the Red Hat Ansible Automation Platform integration. It seems that the header Accept-Encoding sometimes (always with the Cloudflare WAF) is overridden by proxies. Probably, instead of solving this issue in all scripts/applications/integrations, CyberArk might want to consider returning base64 as a default in the response, instead of the plain JSON.