feat: add claim scopes attribute

hashicorp · May 24, 2021 · e8cd5b5 · e8cd5b5
1 parent b9df807
commit e8cd5b5
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/internal/provider/resource_auth_method_oidc.go b/internal/provider/resource_auth_method_oidc.go
@@ -25,6 +25,7 @@ const (
 	authmethodOidcSigningAlgorithmsKey                 = "signing_algorithms"
 	authmethodOidcIsPrimaryAuthMethodForScope          = "is_primary_for_scope"
 	authmethodOidcAccountClaimMapsKey                  = "account_claim_maps"
+	authmethodOidcClaimsScopesKey                      = "claims_scopes"
 
 	// computed-only parameters
 	authmethodOidcCallbackUrlKey      = "callback_url"
@@ -132,6 +133,14 @@ func resourceAuthMethodOidc() *schema.Resource {
 				// per comment in https://github.com/hashicorp/boundary/pull/1186
 				ForceNew: true,
 			},
+			authmethodOidcClaimsScopesKey: {
+				Description: "Claims scopes.",
+				Type:        schema.TypeList,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+			},
 
 			// OIDC specific immutable and computed parameters
 			authmethodOidcClientSecretHmacKey: {
@@ -220,6 +229,10 @@ func setFromOidcAuthMethodResponseMap(d *schema.ResourceData, raw map[string]int
 		if p, ok := attrs[authmethodOidcAccountClaimMapsKey]; ok {
 			d.Set(authmethodOidcAccountClaimMapsKey, p.([]interface{}))
 		}
+
+		if p, ok := attrs[authmethodOidcClaimsScopesKey]; ok {
+			d.Set(authmethodOidcClaimsScopesKey, p.([]interface{}))
+		}
 	}
 
 	d.SetId(raw["id"].(string))
@@ -290,6 +303,14 @@ func resourceAuthMethodOidcCreate(ctx context.Context, d *schema.ResourceData, m
 		opts = append(opts, authmethods.WithOidcAuthMethodAccountClaimMaps(cList))
 	}
 
+	if claimsScopes, ok := d.GetOk(authmethodOidcClaimsScopesKey); ok {
+		cList := []string{}
+		for _, c := range claimsScopes.([]interface{}) {
+			cList = append(cList, c.(string))
+		}
+		opts = append(opts, authmethods.WithOidcAuthMethodClaimsScopes(cList))
+	}
+
 	nameVal, ok := d.GetOk(NameKey)
 	if ok {
 		nameStr := nameVal.(string)
@@ -492,6 +513,15 @@ func resourceAuthMethodOidcUpdate(ctx context.Context, d *schema.ResourceData, m
 			opts = append(opts, authmethods.WithOidcAuthMethodDisableDiscoveredConfigValidation(val.(bool)))
 		}
 	}
+	if d.HasChange(authmethodOidcClaimsScopesKey) {
+		if val, ok := d.GetOk(authmethodOidcClaimsScopesKey); ok {
+			claimsScopes := []string{}
+			for _, c := range val.([]interface{}) {
+				claimsScopes = append(claimsScopes, c.(string))
+			}
+			opts = append(opts, authmethods.WithOidcAuthMethodClaimsScopes(claimsScopes))
+		}
+	}
 
 	if len(opts) > 0 {
 		opts = append(opts, authmethods.WithAutomaticVersioning(true))

diff --git a/internal/provider/resource_auth_method_oidc_test.go b/internal/provider/resource_auth_method_oidc_test.go
@@ -65,6 +65,7 @@ EOT
 	allowed_audiences = ["foo_aud"]
 	signing_algorithms = ["ES256"]
 	account_claim_maps = ["oid=sub"]
+	claims_scopes" = ["profile"]
 }`
 
 	fooAuthMethodOidcUpdate = `
@@ -88,6 +89,7 @@ EOT
   allowed_audiences = ["foo_aud_update"]
   signing_algorithms = ["ES256"]
   account_claim_maps = ["oid=sub"]
+	claims_scopes = ["profile"]
 
   // we need to disable this validatin, since the updated issuer isn't discoverable
   disable_discovered_config_validation = true 
@@ -121,6 +123,7 @@ func TestAccAuthMethodOidc(t *testing.T) {
 					testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcAllowedAudiencesKey, []string{"foo_aud"}),
 					testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcSigningAlgorithmsKey, []string{"ES256"}),
 					testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcAccountClaimMapsKey, []string{"oid=sub"}),
+					testAccCheckAuthMethodOidcAttrAryValueSet(provider, "boundary_auth_method_oidc.foo", authmethodOidcClaimsScopesKey, []string{"profile"}),
 					resource.TestCheckResourceAttr("boundary_auth_method_oidc.foo", authmethodOidcMaxAgeKey, "10"),
 					testAccCheckAuthMethodOidcResourceExists(provider, "boundary_auth_method_oidc.foo"),
 					testAccIsPrimaryForScope(provider, "boundary_auth_method_oidc.foo", false),