fix bug with getting default auth method when recovery kms is used fo…

…r provider authentication
hashicorp · May 10, 2023 · 3113d0f · 3113d0f
1 parent ede5377
commit 3113d0f
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 8 deletions.
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -140,9 +140,10 @@ func providerAuthenticate(ctx context.Context, d *schema.ResourceData, md *metaD
 		md.client.SetToken(token.(string))
 	}
 
-	// If auth_method_id is not set, get the default auth method ID for the given scope ID
+	// If auth_method_id is not set, get the default auth method ID for the given scope ID.
+	// Skip getting the default auth_method_id when `recovery_kms_hcl` or `token` is set
 	authMethodId, authMethodIdOk := d.GetOk("auth_method_id")
-	if !authMethodIdOk {
+	if !authMethodIdOk && !recoveryKmsHclOk && md.client.Token() == "" {
 		defaultAuthMethodId, err := getDefaultAuthMethodId(ctx, amClient, providerScope, PASSWORD_AUTH_METHOD_PREFIX)
 		if err != nil {
 			return err

diff --git a/internal/provider/provider_test.go b/internal/provider/provider_test.go
@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/boundary/testing/controller"
+	"github.com/hashicorp/cap/oidc"
 	wrapping "github.com/hashicorp/go-kms-wrapping/v2"
 	"github.com/hashicorp/go-kms-wrapping/v2/aead"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -140,9 +141,6 @@ func testConfigWithRecovery(url string, res ...string) string {
 	provider := fmt.Sprintf(`
 provider "boundary" {
 	addr             = "%s"
-	auth_method_id       = "%s"
-	password_auth_method_login_name = "%s"
-	password_auth_method_password = "%s"
 	recovery_kms_hcl = <<DOC
 	kms "aead" {
 		purpose = ["recovery", "config"]
@@ -151,7 +149,7 @@ provider "boundary" {
 		key_id = "global_recovery"
 	}
 	DOC
-}`, url, tcPAUM, tcLoginName, tcPassword)
+}`, url)
 
 	c := []string{provider}
 	c = append(c, res...)
@@ -236,6 +234,55 @@ func TestConfigWithOIDCAuthMethod(t *testing.T) {
 	})
 }
 
+// Create OIDC auth method and set it as the primary auth method.
+// Attempt to authenticate with recovery to test checks for default auth method
+func TestRecoveryWithOIDCDefaultAuthMethod(t *testing.T) {
+	tp := oidc.StartTestProvider(t)
+	wrapper := testWrapper(context.Background(), t, tcRecoveryKey)
+	tc := controller.NewTestController(t, append(tcConfig, controller.WithRecoveryKms(wrapper))...)
+	defer tc.Shutdown()
+	url := tc.ApiAddrs()[0]
+
+	tpCert := strings.TrimSpace(tp.CACert())
+	createConfig := fmt.Sprintf(fooAuthMethodOidc, fooAuthMethodOidcDesc, tp.Addr(), tpCert)
+	updateConfig := fmt.Sprintf(fooAuthMethodOidcUpdate, fooAuthMethodOidcDescUpdate, fooAuthMethodOidcCaCerts)
+
+	var provider *schema.Provider
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories(&provider),
+		CheckDestroy:      testAccCheckAuthMethodResourceDestroy(t, provider, oidcAuthMethodType),
+		Steps: []resource.TestStep{
+			{
+				// create auth method
+				Config: testConfig(url, fooOrg, createConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "description", fooAuthMethodOidcDesc),
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "name", "test"),
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", authmethodOidcIssuerKey, tp.Addr()),
+				),
+			},
+			importStep("boundary_auth_method_oidc.foo", "client_secret", "is_primary_for_scope"),
+			{
+				// set auth method as primary auth method
+				Config: testConfig(url, fooOrg, updateConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "name", "test"),
+					testAccIsPrimaryForScope(provider, "boundary_auth_method_oidc.foo", true),
+				),
+			},
+			{
+				// authenticate provider with recovery kms with unsupported OIDC primary auth method
+				Config: testConfigWithRecovery(url, fooOrg, updateConfig),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", "name", "test"),
+					testAccIsPrimaryForScope(provider, "boundary_auth_method_oidc.foo", true),
+				),
+			},
+			importStep("boundary_auth_method_oidc.foo", "client_secret", "is_primary_for_scope", authmethodOidcMaxAgeKey),
+		},
+	})
+}
+
 func testProviderTokenExists(testProvider *schema.Provider) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		md := testProvider.Meta().(*metaData)

diff --git a/internal/provider/resource_auth_method_oidc_test.go b/internal/provider/resource_auth_method_oidc_test.go
@@ -50,7 +50,7 @@ var (
 resource "boundary_auth_method_oidc" "foo" {
 	name        = "test"
 	description = "%s"
-	scope_id    = boundary_scope.org1.id
+	scope_id    = "global"
 	depends_on  = [boundary_role.org1_admin]
 
   issuer            = "%s"
@@ -73,7 +73,7 @@ EOT
 resource "boundary_auth_method_oidc" "foo" {
 	name                 = "test"
 	description          = "%s"
-	scope_id             = boundary_scope.org1.id
+	scope_id             = "global"
 	is_primary_for_scope = true
 	depends_on           = [boundary_role.org1_admin]