[PPSC-563] feat(auth): remove auth-endpoint flag#98
Merged
yiftach-armis merged 9 commits intomainfrom Mar 15, 2026
Merged
Conversation
Simplify CLI authentication by removing the --auth-endpoint flag entirely. Auth now routes through moose's proxy endpoint automatically, with the base URL derived from the --dev flag or hardcoded production endpoint. Changes: - Replace AuthEndpoint config with BaseURL (derived from getAPIBaseURL) - Update auth client endpoint from /api/v1/authenticate to /api/v1/auth/token - Remove --auth-endpoint flag and ARMIS_AUTH_ENDPOINT environment variable - Add region claim support to JWT parsing for deployment-aware routing - Rename endpoint → baseURL in NewAuthClient for semantic clarity - Update error messages to reflect base URL terminology - Update all tests and documentation This simplifies the auth flow by removing a user-configurable endpoint, reducing attack surface and improving UX when configuring authentication.
|
| Severity | Count |
|---|---|
| 🟠 HIGH | 3 |
| 🟡 MEDIUM | 2 |
Total: 5
View all 5 findings
🟠 HIGH (3)
CWE-522_armis-cli_38295677_internal/auth/auth.go_181_2_181_32 - Insecure Design (CWE-522
Location: internal/auth/auth.go:181
Insufficiently Protected Credentials): The GetRawToken method (lines 169‑182) returns the raw JWT token stored in p.credentials.Token directly to the caller without adding any protection such as encryption, masking, or access controls. This behavior matches CWE‑522, which describes exposing sensitive credentials. Because the method is used by the CLI to print the token to stdout when a user explicitly requests it, the credential can be obtained through a user‑facing interface, constituting an immediate external exposure (exposure level ≥6). No sanitization or masking is applied before the token is returned, so the credential is fully disclosed to any code that invokes this function. This makes the vulnerability exploitable by any attacker who can trigger the CLI command or otherwise call GetRawToken, leading to credential leakage.
Code snippet is redacted as it contains secrets.
CWEs: CWE-522: Insufficiently Protected Credentials
CWE-522_armis-cli_38295677_internal/auth/auth.go_171_3_171_28 - Insecure Design (CWE-522
Location: internal/auth/auth.go:171
Insufficiently Protected Credentials): The GetRawToken method returns the stored authentication token directly without any protection or masking. When the provider is operating in legacy mode, it reads the token from p.config.Token, which originates from external configuration (e.g., command‑line flag or environment variable). The method then returns this value to the caller, making the raw credential available to any code that invokes the function. This behavior matches CWE‑522, as it exposes unprotected credentials. The function is reachable from the CLI tool that can print the token to stdout, providing a user‑facing interface that can be leveraged to extract the token. No sanitization or masking is performed, so the credential flow is unimpeded.
Code snippet is redacted as it contains secrets.
CWEs: CWE-522: Insufficiently Protected Credentials
CWE-522_armis-cli_38295677_internal/auth/client.go_52_2_52_33 - Insecure Design (CWE-522
Location: internal/auth/client.go:52
Insufficiently Protected Credentials): The function NewAuthClient permits HTTP URLs when the host is localhost or 127.0.0.1. Later, Authenticate builds a request that includes the clientSecret argument in the JSON body and sends it to the configured authEndpoint. If the client was created with an HTTP localhost URL, the secret is transmitted over an unencrypted HTTP connection, satisfying CWE‑522 (credentials sent without encryption). The secret originates from the clientSecret parameter, flows through JSON marshaling into the request body, and reaches the network sink (http.Client.Do) without any sanitization. Because the request targets an HTTP endpoint, the exposure level is ≥6, making the vulnerability exploitable by an attacker who can observe local network traffic. This constitutes a true positive for insufficiently protected credentials.
Code snippet is redacted as it contains secrets.
CWEs: CWE-522: Insufficiently Protected Credentials
🟡 MEDIUM (2)
CWE-918_armis-cli_38295677_internal/api/client.go_750_2_750_79 - Server-Side Request Forgery (CWE-918
Location: internal/api/client.go:750
Server Side Request Forgery (SSRF)): The function ValidatePresignedURL (lines 719‑755) is intended to block SSRF by ensuring the URL points to an AWS S3 endpoint. It only checks that the host ends with ".amazonaws.com" and contains the substring "s3". An attacker who can supply a URL (the presignedURL argument passed to DownloadFromPresignedURL) can craft a malicious sub‑domain that satisfies both string checks (e.g., evil-s3.attacker.com.amazonaws.com). Because the validation does not verify that the host truly belongs to AWS, the crafted URL passes the check and reaches the sink at line 769 where an HTTP GET request is issued. This creates a reachable SSRF path, matching the described CWE‑918 pattern. The vulnerability resides in the same functionality as line 750, and no effective sanitization is performed, making it exploitable when user‑controlled input reaches the download routine. The code is part of a client library used by internal scripts or CLI tools, giving it a script‑to‑script exposure level (5) and a corresponding low likelihood of exploitation in typical deployments.
CWEs: CWE-918: Server Side Request Forgery (SSRF)
CWE-522_armis-cli_38295677_internal/cmd/auth.go_62_2_62_19 - Insecure Design (CWE-522
Location: internal/cmd/auth.go:62
Insufficiently Protected Credentials): The function runAuth obtains a JWT token via provider.GetRawToken and then prints the raw token directly to standard output with fmt.Println(token). This exposes the authentication credential to any process or script that can read the command's stdout, logs, or command‑line history, which matches the definition of CWE‑522 (Insufficiently Protected Credentials). The token originates from a credential‑derived source and reaches an insecure sink without any sanitization, making the credential reachable. Because the exposure occurs through a CLI output that can be captured by other scripts or logged locally, it is classified as script‑to‑script interaction (exposure level 5), leading to a low likelihood of exploitation in this context.
Code snippet is redacted as it contains secrets.
CWEs: CWE-522: Insufficiently Protected Credentials
Test Coverage Reporttotal: (statements) 80.8% Coverage by function |
There was a problem hiding this comment.
Pull request overview
This PR updates JWT authentication to use the configured API base URL (Moose) instead of a separate --auth-endpoint, switches the token exchange route to /api/v1/auth/token, and extends JWT parsing to extract an optional region claim.
Changes:
- Removed the
--auth-endpoint/ARMIS_AUTH_ENDPOINTconfiguration path and wired JWT auth to use the API base URL (getAPIBaseURL()/ARMIS_API_URLoverride). - Updated the auth client to call
POST /api/v1/auth/tokenand adjusted command/docs/tests accordingly. - Added
regionclaim parsing +GetRegion()API on the auth provider, with tests for backward compatibility.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/cmd/root.go | Removes authEndpoint flag/var and passes API base URL into auth provider config. |
| internal/cmd/root_test.go | Updates root auth-provider tests to reflect removal of authEndpoint. |
| internal/cmd/auth.go | Removes --auth-endpoint requirement for the (hidden) auth command. |
| internal/cmd/auth_test.go | Updates auth command tests to use ARMIS_API_URL and new route. |
| internal/auth/client.go | Renames endpoint→baseURL and switches token exchange to /api/v1/auth/token. |
| internal/auth/auth.go | Renames config field to BaseURL and adds region extraction + accessor. |
| internal/auth/auth_test.go | Updates tests for BaseURL + new endpoint; adds coverage for region parsing/accessor. |
| docs/FEATURES.md | Removes ARMIS_AUTH_ENDPOINT from documented env vars. |
| CLAUDE.md | Updates internal docs to reflect the new token endpoint and removes ARMIS_AUTH_ENDPOINT. |
Comments suppressed due to low confidence (1)
CLAUDE.md:90
- This environment variable list no longer mentions
ARMIS_AUTH_ENDPOINT, but it also doesn't mentionARMIS_API_URL, which the CLI uses as an override for the Moose/API base URL (and is now also used for JWT token exchange). Please addARMIS_API_URLhere so internal docs match the current configuration knobs.
### Environment Variables
- `ARMIS_CLIENT_ID` - Client ID for JWT authentication (recommended)
- `ARMIS_CLIENT_SECRET` - Client secret for JWT authentication
- `ARMIS_API_TOKEN` - API token for Basic authentication (fallback)
- `ARMIS_TENANT_ID` - Tenant identifier (required only with Basic auth; JWT extracts it from token)
- `ARMIS_FORMAT` - Default output format
- `ARMIS_PAGE_LIMIT` - Results pagination size
- `ARMIS_THEME` - Terminal background theme: auto, dark, light (default: auto)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Update NewAuthProvider comment to say "base URL" instead of "endpoint" - Document ARMIS_API_URL in FEATURES.md and CLAUDE.md env var sections
Add region caching to optimize JWT authentication by persisting the discovered region to disk and reusing it on subsequent CLI invocations. Key changes: - Add --region flag for explicit region override (bypasses auto-discovery) - Implement file-based region cache (~/.cache/armis-cli/region-cache.json) - Add automatic retry without region hint when cached region auth fails - Memoize cached region in AuthProvider to avoid repeated disk I/O - Extract shared cache directory utility (util.GetCacheDir/GetCacheFilePath) - Add comprehensive tests for region cache (client ID mismatch, corrupt JSON, permissions, etc.) Region selection priority: 1. --region flag - explicit override 2. Cached region - from previous successful auth 3. Auto-discovery - server tries regions until one succeeds Addresses review findings: - F1: No tests for region cache → 249 lines of tests added - F2: No retry on stale cache → Retry logic with usingCachedHint flag - F3: Redundant writes → Skip if region unchanged - F4: Repeated disk I/O → Memoization via cachedRegion/regionLoaded - F5: Duplicated cache constant → Extracted to util.CacheDirName
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Skip file permissions test on Windows (Unix permissions not supported) - Use filepath.Join for platform-agnostic path separators in test assertions
Address PR review comments from Copilot: - Reject absolute paths and path separators in cache filename parameter to prevent filepath.Join from discarding the cache directory - Add containment check to ensure result stays within cache directory - Fix incorrect test assumptions about filepath.Join behavior - Use temp directory in TestPackageLevelFunctions to avoid modifying real user cache during tests - Document ARMIS_REGION environment variable in FEATURES.md and CLAUDE.md
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Address follow-up PR review comments: - Reject empty, whitespace-only, ".", and ".." filenames in GetCacheFilePath to prevent returning directory path instead of file path - Replace strings.HasPrefix with filepath.Rel for robust path containment check (handles case-insensitivity and path separator edge cases) - Add TestAuthProvider_CachedRegionRetryOnFailure to cover region-caching retry logic when auth fails with stale cached region - Fix CLAUDE.md: ARMIS_REGION is for region-aware authentication, not API URL selection
The CLI was sending raw JWT tokens without the "Bearer" prefix, but the backend middleware expects "Authorization: Bearer <token>" per RFC 6750. This caused 401 errors when using JWT authentication. Changes: - auth.go: Return "Bearer " + token for JWT auth - client.go: Update comments to match actual behavior - auth_test.go: Update tests to expect Bearer prefix
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Fix test containment assertion to use filepath.Rel instead of strings.HasPrefix for robust path-boundary checking - Bound RegionCache.Load file reads with 4KB size limit to prevent memory exhaustion from corrupted cache files - Add typed AuthError with HTTP status code to enable selective retry: only retry on region-specific rejections (not 401/transport errors) - Add deprecation warning when ARMIS_AUTH_ENDPOINT env var is set, directing users to ARMIS_API_URL or --region - Update CI docs to recommend JWT auth credentials
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related Issue
Type of Change
Problem
The
--auth-endpointflag required users to manually specify the JWT authentication service endpoint, creating unnecessary configuration burden and potential attack surface. Auth credentials now route through moose's unified proxy endpoint automatically.Solution
AuthEndpointconfig withBaseURLderived from--devflag or production defaults/api/v1/auth/token(moose) instead of/api/v1/authenticate(Silk)--auth-endpointflag andARMIS_AUTH_ENDPOINTenvironment variableendpoint→baseURLinNewAuthClient)Testing
Reviewer Notes
This change fixes findings from deep-review analysis:
NewAuthClientnaming to match semantic change from endpoint to base URLIncludes region support groundwork for PPSC-543.