auth/jwt: adds user_claim_json_pointer and max_age to roles (#1478)

* auth/jwt: adds user_claim_json_pointer and max_age to roles * remove type assertions * assert default false for user_claim_json_pointer when missing from config * skip vault next in tests * use d.Get() instead of d.GetOkExists() * move SkipTestEnvSet out of PreCheck; set SKIP_VAULT_NEXT_TESTS=true in ci tests
hashicorp · Jun 2, 2022 · 4fcdefb · 4fcdefb
1 parent 7205d99
commit 4fcdefb
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 11 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -78,7 +78,7 @@ jobs:
           MSSQL_URL: "sqlserver://sa:${{ secrets.MSSQL_SA_PASSWORD }}@mssql:1433"
           POSTGRES_URL: "postgres://postgres:secret@postgres:5432/database?sslmode=disable"
         run: |
-          make testacc-ent TESTARGS='-v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true
+          make testacc-ent TESTARGS='-v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true
       - name: "Generate Vault API Path Coverage Report"
         run: |
           go run cmd/coverage/main.go -openapi-doc=./testdata/openapi.json
diff --git a/vault/resource_jwt_auth_backend_role.go b/vault/resource_jwt_auth_backend_role.go
@@ -119,6 +119,17 @@ func jwtAuthBackendRoleResource() *schema.Resource {
 			Default:     false,
 			Description: "Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.",
 		},
+		"user_claim_json_pointer": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.",
+		},
+		"max_age": {
+			Type:        schema.TypeInt,
+			Optional:    true,
+			Description: "Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.",
+		},
 		"backend": {
 			Type:        schema.TypeString,
 			Optional:    true,
@@ -277,6 +288,12 @@ func jwtAuthBackendRoleRead(_ context.Context, d *schema.ResourceData, meta inte
 	if v, ok := resp.Data["verbose_oidc_logging"]; ok {
 		d.Set("verbose_oidc_logging", v)
 	}
+	if v, ok := resp.Data["user_claim_json_pointer"]; ok {
+		d.Set("user_claim_json_pointer", v)
+	}
+	if v, ok := resp.Data["max_age"]; ok {
+		d.Set("max_age", v)
+	}
 
 	d.Set("backend", backend)
 	d.Set("role_name", role)
@@ -365,7 +382,12 @@ func jwtAuthBackendRoleDataToWrite(d *schema.ResourceData, create bool) map[stri
 	updateTokenFields(d, data, create)
 
 	data["bound_audiences"] = util.TerraformSetToStringArray(d.Get("bound_audiences"))
-	data["user_claim"] = d.Get("user_claim").(string)
+	data["user_claim"] = d.Get("user_claim")
+	data["user_claim_json_pointer"] = d.Get("user_claim_json_pointer")
+
+	if v, ok := d.GetOk("max_age"); ok {
+		data["max_age"] = v
+	}
 
 	if dataList := util.TerraformSetToStringArray(d.Get("allowed_redirect_uris")); len(dataList) > 0 {
 		data["allowed_redirect_uris"] = dataList

diff --git a/vault/resource_jwt_auth_backend_role_test.go b/vault/resource_jwt_auth_backend_role_test.go
@@ -13,6 +13,8 @@ import (
 )
 
 func TestAccJWTAuthBackendRole_import(t *testing.T) {
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 	backend := acctest.RandomWithPrefix("jwt")
 	role := acctest.RandomWithPrefix("test-role")
 	resource.Test(t, resource.TestCase{
@@ -69,6 +71,8 @@ func TestAccJWTAuthBackendRole_import(t *testing.T) {
 						"not_before_leeway", "120"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"verbose_oidc_logging", "true"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "true"),
 				),
 			},
 			{
@@ -82,9 +86,10 @@ func TestAccJWTAuthBackendRole_import(t *testing.T) {
 }
 
 func TestAccJWTAuthBackendRole_basic(t *testing.T) {
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 	backend := acctest.RandomWithPrefix("jwt")
 	role := acctest.RandomWithPrefix("test-role")
-
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		Providers:    testProviders,
@@ -117,6 +122,8 @@ func TestAccJWTAuthBackendRole_basic(t *testing.T) {
 						"bound_claims_type", "string"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"user_claim", "https://vault/user"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "false"),
 				),
 			},
 		},
@@ -197,9 +204,10 @@ func TestAccJWTAuthBackendRole_update(t *testing.T) {
 }
 
 func TestAccJWTAuthBackendRole_full(t *testing.T) {
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 	backend := acctest.RandomWithPrefix("jwt")
 	role := acctest.RandomWithPrefix("test-role")
-
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		Providers:    testProviders,
@@ -261,9 +269,10 @@ func TestAccJWTAuthBackendRole_full(t *testing.T) {
 }
 
 func TestAccJWTAuthBackendRoleOIDC_full(t *testing.T) {
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 	backend := acctest.RandomWithPrefix("oidc")
 	role := acctest.RandomWithPrefix("test-role")
-
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		Providers:    testProviders,
@@ -324,6 +333,10 @@ func TestAccJWTAuthBackendRoleOIDC_full(t *testing.T) {
 						"claim_mappings.preferred_language", "language"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"verbose_oidc_logging", "true"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "true"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"max_age", "120"),
 				),
 			},
 		},
@@ -365,6 +378,8 @@ func TestAccJWTAuthBackendRoleOIDC_disableParsing(t *testing.T) {
 }
 
 func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
+	testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 	backend := acctest.RandomWithPrefix("jwt")
 	role := acctest.RandomWithPrefix("test-role")
 
@@ -415,6 +430,8 @@ func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
 			"verbose_oidc_logging", "true"),
 		resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 			"bound_claims.%", "0"),
+		resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+			"user_claim_json_pointer", "true"),
 	}
 
 	resource.Test(t, resource.TestCase{
@@ -479,6 +496,8 @@ func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
 						"not_before_leeway", "0"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"verbose_oidc_logging", "false"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "false"),
 				),
 			},
 			// Repeat test case again to remove attributes like `bound_claims`
@@ -517,8 +536,8 @@ resource "vault_auth_backend" "jwt" {
 
 resource "vault_jwt_auth_backend_role" "role" {
   backend = vault_auth_backend.jwt.path
-	role_name = "%s"
-	role_type = "jwt"
+  role_name = "%s"
+  role_type = "jwt"
 
   bound_audiences = ["https://myco.test"]
   user_claim = "https://vault/user"
@@ -534,8 +553,8 @@ resource "vault_auth_backend" "jwt" {
 
 resource "vault_jwt_auth_backend_role" "role" {
   backend = vault_auth_backend.jwt.path
-	role_name = "%s"
-	role_type = "jwt"
+  role_name = "%s"
+  role_type = "jwt"
 
   bound_audiences = ["https://myco.test"]
   user_claim = "https://vault/user"
@@ -570,6 +589,7 @@ resource "vault_jwt_auth_backend_role" "role" {
   not_before_leeway = 120
 
   verbose_oidc_logging = true
+  user_claim_json_pointer = true
 }`, backend, role)
 }
 
@@ -614,6 +634,8 @@ resource "vault_jwt_auth_backend_role" "role" {
   }
 
   verbose_oidc_logging = true
+  user_claim_json_pointer = true
+  max_age = 120
 }`, backend, role)
 }
 
@@ -658,8 +680,8 @@ resource "vault_auth_backend" "jwt" {
 
 resource "vault_jwt_auth_backend_role" "role" {
   backend = vault_auth_backend.jwt.path
-	role_name = "%s"
-	role_type = "jwt"
+  role_name = "%s"
+  role_type = "jwt"
 
   bound_subject = "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@update"
   token_bound_cidrs = ["10.150.0.0/20", "10.152.0.0/20"]
@@ -675,5 +697,6 @@ resource "vault_jwt_auth_backend_role" "role" {
     department = "engineering-*-admin"
     sector = "7g"
   }
+  user_claim_json_pointer = false
 }`, backend, role)
 }
diff --git a/website/docs/r/jwt_auth_backend_role.html.md b/website/docs/r/jwt_auth_backend_role.html.md
@@ -69,6 +69,10 @@ The following arguments are supported:
   the user; this will be used as the name for the Identity entity alias created
   due to a successful login.
 
+* `user_claim_json_pointer` - (Optional) Specifies if the `user_claim` value uses
+  [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer) 
+  syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
+
 * `bound_subject` - (Optional) If set, requires that the `sub` claim matches
   this value.
 
@@ -113,6 +117,9 @@ The following arguments are supported:
   logging is active. Not recommended in production since sensitive information may be present
   in OIDC responses.
 
+* `max_age` - (Optional) Specifies the allowable elapsed time in seconds since the last time 
+  the user was actively authenticated with the OIDC provider.
+
 ### Common Token Arguments
 
 These arguments are common across several Authentication Token resources since Vault 1.2.