Better validation for CONJUR_AUTHN_LOGIN

[doodlesbykumbi]

Is your feature request related to a problem? Please describe.

When the service broker has a CONJUR_AUTHN_LOGIN value that is not a host (e.g. admin or any user), and attempts to create a space host using the policy template the endpoint under question errors with a 404. The 404 is a side-effect to the root cause, and so is confusing.

Here I explain the underlying error. The code for creating a space host can be found at https://github.com/cyberark/conjur-service-broker/blob/master/app/models/space_host_policy.rb#L24-L52. When the template is evaluated for a non-host CONJUR_AUTHN_LOGIN it results in the policy file below. Note role: !host / under !permit, this is because ConjurClient.login_host_id evaluates to nil for non-host CONJUR_AUTHN_LOGIN, see https://github.com/cyberark/conjur-service-broker/blob/master/lib/conjur_client.rb#L55. This is the underlying issue !host / generally doesn't exist, and even if it did this would not be the intended behavior by the caller.

- !host

- !grant
 role: !layer
 member: !host

- !variable
 id: space-host-api-key

- !permit
 role: !host /
 privileges: [read]
 resource: !variable space-host-api-key

Describe the solution you would like

Granted, we do specify the following in the README, but it would be good to fail-fast and provide clear errors where possible.

CONJUR_AUTHN_LOGIN: the identity of a Conjur Host (of the form host/host-id) with create and update privileges on CONJUR_POLICY. This account is used to add and remove Hosts from Conjur policy as apps are deployed to or removed from the platform.

Some possible solutions are

1. A clear error message with a more appropriate status code (e.g. 400) from the service broker when CONJUR_AUTHN_LOGIN is not a host.
2. Health check fails if CONJUR_AUTHN_LOGIN is not a host.