chore(backend)!: remove authentication bypass configuration

- Remove 'DISABLE_TENANT_AUTHENTICATION' and 'DISABLE_ADMIN_AUTHENTICATION' support
- Hardens authentication by removing runtime checks that could bypass auth pipelines
- Removes associated configuration definitions in Edgehog.Config

Signed-off-by: Davide Briani <davide.briani@secomind.com>

Author: davidebriani

backend/lib/edgehog/config.ex

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2023 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -30,14 +30,6 @@ defmodule Edgehog.Config do
   alias Edgehog.Geolocation
   alias Edgehog.Geolocation.Providers.GoogleGeocoding
 
-  @envdoc """
-  Disables admin authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
-  """
-  app_env :disable_admin_authentication, :edgehog, :disable_admin_authentication,
-    os_env: "DISABLE_ADMIN_AUTHENTICATION",
-    type: :boolean,
-    default: false
-
   @envdoc "The Admin API JWT public key."
   app_env :admin_jwk, :edgehog, :admin_jwk,
     os_env: "ADMIN_JWT_PUBLIC_KEY_PATH",
@@ -67,14 +59,6 @@ defmodule Edgehog.Config do
     type: :boolean,
     default: false
 
-  @envdoc """
-  Disables tenant authentication. CHANGING IT TO TRUE IS GENERALLY A REALLY BAD IDEA IN A PRODUCTION ENVIRONMENT, IF YOU DON'T KNOW WHAT YOU ARE DOING.
-  """
-  app_env :disable_tenant_authentication, :edgehog, :disable_tenant_authentication,
-    os_env: "DISABLE_TENANT_AUTHENTICATION",
-    type: :boolean,
-    default: false
-
   @envdoc "The API key for the ipbase.com geolocation provider."
   app_env :ipbase_api_key, :edgehog, :ipbase_api_key,
     os_env: "IPBASE_API_KEY",
@@ -112,12 +96,6 @@ defmodule Edgehog.Config do
     type: GeocodingProviders,
     default: [GoogleGeocoding]
 
-  @doc """
-  Returns true if admin authentication is disabled.
-  """
-  @spec admin_authentication_disabled?() :: boolean()
-  def admin_authentication_disabled?, do: disable_admin_authentication!()
-
   @doc """
   Returns true if edgehog should use an ssl connection with the database.
   """
@@ -179,12 +157,6 @@ defmodule Edgehog.Config do
       else: false
   end
 
-  @doc """
-  Returns true if tenant authentication is disabled.
-  """
-  @spec tenant_authentication_disabled?() :: boolean()
-  def tenant_authentication_disabled?, do: disable_tenant_authentication!()
-
   @doc """
   Returns the list of geolocation modules to use.
   """
@@ -215,11 +187,7 @@ defmodule Edgehog.Config do
   """
   @spec validate_admin_authentication!() :: :ok | no_return()
   def validate_admin_authentication! do
-    if admin_authentication_disabled?() do
-      :ok
-    else
-      admin_jwk!()
-      :ok
-    end
+    admin_jwk!()
+    :ok
   end
 end

backend/lib/edgehog_web/admin_api/auth/auth.ex

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2023 SECO Mind Srl
+# Copyright 2023-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,16 +20,14 @@
 
 defmodule EdgehogWeb.AdminAPI.Auth do
   @moduledoc false
-  alias Edgehog.Config
   alias EdgehogWeb.AdminAPI.Auth.Pipeline
 
   def init(opts) do
     Pipeline.init(opts)
   end
 
   def call(conn, opts) do
-    if Config.admin_authentication_disabled?() ||
-         conn.path_info == ["admin-api", "v1", "open_api"] do
+    if conn.path_info == ["admin-api", "v1", "open_api"] do
       conn
     else
       Pipeline.call(conn, opts)

backend/lib/edgehog_web/auth.ex

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2023 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,20 +20,13 @@
 
 defmodule EdgehogWeb.Auth do
   @moduledoc false
-  alias Edgehog.Config
   alias EdgehogWeb.Auth.Pipeline
 
   def init(opts) do
     Pipeline.init(opts)
   end
 
   def call(conn, opts) do
-    if Config.tenant_authentication_disabled?() do
-      # TODO: when we add Authz this path will probably have to
-      # put some type of all-access Authz in the GraphQL context
-      conn
-    else
-      Pipeline.call(conn, opts)
-    end
+    Pipeline.call(conn, opts)
   end
 end

backend/test/edgehog_web/admin_api/auth_test.exs

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2023 SECO Mind Srl
+# Copyright 2023-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,7 +25,6 @@ defmodule EdgehogWeb.AdminAPI.AuthTest do
   import Edgehog.AstarteFixtures
   import Edgehog.TenantsFixtures
 
-  alias Edgehog.Config
   alias Edgehog.Tenants.ReconcilerMock
 
   @valid_pem_public_key :secp256r1
@@ -62,45 +61,6 @@ defmodule EdgehogWeb.AdminAPI.AuthTest do
     {:ok, path: ~p"/admin-api/v1/tenants"}
   end
 
-  describe "disabled Admin authentication" do
-    @describetag :unconfigured
-
-    setup do
-      stub(ReconcilerMock, :reconcile_tenant, fn _tenant -> :ok end)
-      Config.put_disable_admin_authentication(true)
-
-      on_exit(fn ->
-        # Cleanup at the end
-        Config.reload_disable_admin_authentication()
-      end)
-
-      :ok
-    end
-
-    test "returns 201 for request without JWT", %{
-      conn: conn,
-      path: path
-    } do
-      conn = post(conn, path, @valid_tenant_config)
-
-      assert response(conn, :created)
-    end
-
-    test "returns 201 for request with random JWT", %{
-      conn: conn,
-      path: path
-    } do
-      other_private_key = X509.PrivateKey.new_ec(:secp256r1)
-
-      conn =
-        conn
-        |> authenticate_connection(other_private_key)
-        |> post(path, @valid_tenant_config)
-
-      assert response(conn, :created)
-    end
-  end
-
   describe "unconfigured Admin authentication" do
     @describetag :unconfigured
 

backend/test/edgehog_web/auth_test.exs

@@ -1,7 +1,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2022-2024 SECO Mind Srl
+# Copyright 2022-2026 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +22,6 @@ defmodule EdgehogWeb.AuthTest do
   # This can't be async: true since it modifies the Application env
   use EdgehogWeb.ConnCase, async: false
 
-  alias Edgehog.Config
   alias Edgehog.Containers.ReconcilerMock
 
   @query """
@@ -47,22 +46,6 @@ defmodule EdgehogWeb.AuthTest do
     assert %{"errors" => %{"detail" => "Unauthorized"}} = json_response(conn, 401)
   end
 
-  test "unauthenticated request with disabled authentication returns 200", %{
-    conn: conn,
-    api_path: api_path
-  } do
-    Config.put_disable_tenant_authentication(true)
-
-    on_exit(fn ->
-      # Cleanup at the end
-      Config.reload_disable_tenant_authentication()
-    end)
-
-    conn = get(conn, api_path, query: @query)
-
-    assert json_response(conn, 200)
-  end
-
   test "request on unexisting tenant returns 403", %{conn: conn} do
     conn = get(conn, "/tenants/notexisting/api", query: @query)