
feat: add claim scopes attribute
malnick committed May 24, 2021
1 parent 8bfac9f commit 7aa3664
Showing 2 changed files with 33 additions and 0 deletions.
30 changes: 30 additions & 0 deletions internal/provider/resource_auth_method_oidc.go
Expand Up @@ -25,6 +25,7 @@ const (
authmethodOidcSigningAlgorithmsKey = "signing_algorithms"
authmethodOidcIsPrimaryAuthMethodForScope = "is_primary_for_scope"
authmethodOidcAccountClaimMapsKey = "account_claim_maps"
authmethodOidcClaimsScopesKey = "claims_scopes"

// computed-only parameters
authmethodOidcCallbackUrlKey = "callback_url"
Expand Down Expand Up @@ -132,6 +133,14 @@ func resourceAuthMethodOidc() *schema.Resource {
// per comment in https://github.com/hashicorp/boundary/pull/1186
ForceNew: true,
},
authmethodOidcClaimsScopesKey: {
Description: "Claims scopes.",
Type: schema.TypeList,
Elem: &schema.Schema{
Type: schema.TypeString,
},
Optional: true,
},

// OIDC specific immutable and computed parameters
authmethodOidcClientSecretHmacKey: {
Expand Down Expand Up @@ -220,6 +229,10 @@ func setFromOidcAuthMethodResponseMap(d *schema.ResourceData, raw map[string]int
if p, ok := attrs[authmethodOidcAccountClaimMapsKey]; ok {
d.Set(authmethodOidcAccountClaimMapsKey, p.([]interface{}))
}

if p, ok := attrs[authmethodOidcClaimsScopesKey]; ok {
d.Set(authmethodOidcClaimsScopesKey, p.([]interface{}))
}
}

d.SetId(raw["id"].(string))
Expand Down Expand Up @@ -290,6 +303,14 @@ func resourceAuthMethodOidcCreate(ctx context.Context, d *schema.ResourceData, m
opts = append(opts, authmethods.WithOidcAuthMethodAccountClaimMaps(cList))
}

if claimsScopes, ok := d.GetOk(authmethodOidcClaimsScopesKey); ok {
cList := []string{}
for _, c := range claimsScopes.([]interface{}) {
cList = append(cList, c.(string))
}
opts = append(opts, authmethods.WithOidcAuthMethodClaimsScopes(cList))
}

nameVal, ok := d.GetOk(NameKey)
if ok {
nameStr := nameVal.(string)
Expand Down Expand Up @@ -492,6 +513,15 @@ func resourceAuthMethodOidcUpdate(ctx context.Context, d *schema.ResourceData, m
opts = append(opts, authmethods.WithOidcAuthMethodDisableDiscoveredConfigValidation(val.(bool)))
}
}
if d.HasChange(authmethodOidcClaimsScopesKey) {
if val, ok := d.GetOk(authmethodOidcClaimsScopesKey); ok {
claimsScopes := []string{}
for _, c := range val.([]interface{}) {
claimsScopes = append(claimsScopes, c.(string))
}
opts = append(opts, authmethods.WithOidcAuthMethodClaimsScopes(claimsScopes))
}
}

if len(opts) > 0 {
opts = append(opts, authmethods.WithAutomaticVersioning(true))
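Review bot: In resourceAuthMethodOidcUpdate the new claims_scopes branch only appends an option when d.GetOk reports a value, and the SDK's GetOk treats an empty list as unset, so removing every entry from the configuration gives HasChange true but GetOk false and nothing is sent; the auth method then keeps requesting the old scopes from the provider while Terraform state says none are configured. The create hunk uses the same shape, which is fine there because an absent list means nothing to send, but the update path needs an explicit clear on the not-ok side — `authmethods.WithOidcAuthMethodClaimsScopes([]string{})` if the SDK serialises an empty list as an empty array, or the SDK's unset/default option for this attribute if one is generated. The schema Description `"Claims scopes."` in the resource hunk also says nothing about what the list does; something like `Description: "OIDC scopes requested from the provider in addition to openid (for example profile or email). Request only the scopes whose claims are needed by account_claim_maps, since each one widens the identity data released to Boundary."` would give operators the context they need. All of the enclosing functions start and end outside their hunks.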
3 changes: 3 additions & 0 deletions internal/provider/resource_auth_method_oidc_test.go
Expand Up @@ -65,6 +65,7 @@ EOT
allowed_audiences = ["foo_aud"]
signing_algorithms = ["ES256"]
account_claim_maps = ["oid=sub"]
claims_scopes" = ["profile"]
}`

fooAuthMethodOidcUpdate = `
Expand All @@ -88,6 +89,7 @@ EOT
allowed_audiences = ["foo_aud_update"]
signing_algorithms = ["ES256"]
account_claim_maps = ["oid=sub"]
claims_scopes = ["profile"]
// we need to disable this validatin, since the updated issuer isn't discoverable
disable_discovered_config_validation = true
Expand Down Expand Up @@ -121,6 +123,7 @@ func TestAccAuthMethodOidc(t *testing.T) {
testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcAllowedAudiencesKey, []string{"foo_aud"}),
testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcSigningAlgorithmsKey, []string{"ES256"}),
testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcAccountClaimMapsKey, []string{"oid=sub"}),
testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcClaimsScopesKey, []string{"profile"}),
resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", authmethodOidcMaxAgeKey, "10"),
testAccCheckAuthMethodOidcResourceExists(provider, "boundary_auth_method_oidc.foo"),
testAccIsPrimaryForScope(provider, "boundary_auth_method_oidc.foo", false),
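Review bot: The create fixture in the first hunk carries a stray quote, `claims_scopes" = ["profile"]`, which makes the HCL inside the fooAuthMethodOidc raw string invalid, so the first step of TestAccAuthMethodOidc would fail to parse before the new testAccCheckAuthMethodOidcAttrAryValueSet assertion is ever evaluated; the update fixture in the next hunk has the correct `claims_scopes = ["profile"]`. Dropping the quote so both fixtures match is the fix, and the parse failure suggests the acceptance test was not run against this commit. Both string constants begin outside their hunks.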

0 comments on commit 7aa3664
