From 5998b02f84ed0cc3c1aaba6739d3a81177021ff5 Mon Sep 17 00:00:00 2001
From: Bill Shupp
Date: Fri, 8 Mar 2019 16:40:25 -0800
Subject: [PATCH] Added support for jwt_supported_algs

---
 vault/resource_jwt_auth_backend.go | 13 +++++++++++++
 vault/resource_jwt_auth_backend_test.go | 18 ++++++++++++++----
 website/docs/r/jwt_auth_backend.html.md | 2 ++
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/vault/resource_jwt_auth_backend.go b/vault/resource_jwt_auth_backend.go
index fe73862f8..26f40daf4 100644
--- a/vault/resource_jwt_auth_backend.go
+++ b/vault/resource_jwt_auth_backend.go
@@ -69,6 +69,13 @@ func jwtAuthBackendResource() *schema.Resource {
 Description: "The value against which to match the iss claim in a JWT",
 },
+"jwt_supported_algs": {
+Type: schema.TypeList,
+Elem: &schema.Schema{Type: schema.TypeString},
+Optional: true,
+Description: "A list of supported signing algorithms. Defaults to [RS256]",
+},
+
 "accessor": {
 Type: schema.TypeString,
 Computed: true,
@@ -149,6 +156,7 @@ func jwtAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 d.Set("bound_issuer", config.Data["bound_issuer"])
 d.Set("oidc_discovery_url", config.Data["oidc_discovery_url"])
 d.Set("jwt_validation_pubkeys", config.Data["jwt_validation_pubkeys"])
+d.Set("jwt_supported_algs", config.Data["jwt_supported_algs"])
 return nil
@@ -167,6 +175,7 @@ func jwtAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 oidcDiscoveryUrl, oidcDiscoveryUrlExists := d.GetOk("oidc_discovery_url")
 jwtValidationPubKeys, jwtValidationPubKeysExists := d.GetOk("jwt_validation_pubkeys")
+jwtSupportedAlgs, jwtSupportedAlgsExists := d.GetOk("jwt_supported_algs")
 if oidcDiscoveryUrlExists == jwtValidationPubKeysExists {
 return errors.New("exactly one of oidc_discovery_url and jwt_validation_pubkeys should be provided")
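Review bot: The new `jwt_supported_algs` schema entry is an allowlist of accepted signature algorithms, i.e. a security control, yet it accepts any string and defers all validation to Vault, so a typo or an unsafe value only surfaces at apply time. A `ValidateFunc` on the element that rejects `none` and HMAC names such as `HS256` would make sure a symmetric-key algorithm can never be paired with the RSA/EC public keys this resource configures; Vault presumably rejects those as well, but failing at plan time is cheaper and the intent is then visible in the provider. The description also states the field defaults to `[RS256]`: if Vault echoes that default on read, the attribute should additionally be `Computed: true`, otherwise every plan that omits it will show a spurious diff. jwtAuthBackendResource starts before and ends after this hunk.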
@@ -180,6 +189,10 @@ func jwtAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 configuration["jwt_validation_pubkeys"] = jwtValidationPubKeys
 }
+if jwtSupportedAlgsExists {
+configuration["jwt_supported_algs"] = jwtSupportedAlgs
+}
+
 _, err := client.Logical().Write(jwtConfigEndpoint(path), configuration)
 if err != nil {
 return fmt.Errorf("error updating configuration to Vault for path %s: %s", path, err)
diff --git a/vault/resource_jwt_auth_backend_test.go b/vault/resource_jwt_auth_backend_test.go
index 519f95a0c..db2481533 100644
--- a/vault/resource_jwt_auth_backend_test.go
+++ b/vault/resource_jwt_auth_backend_test.go
@@ -28,10 +28,19 @@ func TestAccJWTAuthBackend(t *testing.T) {
 ),
 },
 {
-Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "", "api://default"),
+Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "", "api://default", "\"RS512\""),
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "oidc_discovery_url", "https://myco.auth0.com/"),
 resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", "api://default"),
+resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "jwt_supported_algs.#", "1"),
+),
+},
+{
+Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "", "api://default", "\"RS256\",\"RS512\""),
+Check: resource.ComposeTestCheckFunc(
+resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "oidc_discovery_url", "https://myco.auth0.com/"),
+resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", "api://default"),
+resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "jwt_supported_algs.#", "2"),
 ),
 },
 },
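Review bot: The `if jwtSupportedAlgsExists` guard means an operator who removes `jwt_supported_algs` from their configuration (or sets it to `[]`) never sends the key to Vault, because `GetOk` reports false for an empty list; whether Vault then falls back to its default or keeps the previously written, possibly wider, algorithm list depends on the config endpoint's write semantics, which this hunk does not show. For a setting that restricts which signature algorithms are accepted, a silently retained stale value is the dangerous direction, so it is safer to send the attribute unconditionally, `configuration["jwt_supported_algs"] = d.Get("jwt_supported_algs")`, which writes an explicit empty list and lets Vault apply its documented default. jwtAuthBackendUpdate starts before and ends after this hunk.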
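Review bot: The two new steps assert only the element count (`jwt_supported_algs.#`), so a backend that stored the wrong algorithm names would still pass; pin the values too, e.g. `resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "jwt_supported_algs.0", "RS512")` in the first step and `.0`/`.1` in the second. Neither step then returns to a configuration without the attribute, so the path where the list is dropped again, the one most likely to leave a stale allowlist in Vault, is untested; a further step passing `""` for `supportedAlgs` and checking whatever value Vault reports after the reset would cover it. TestAccJWTAuthBackend begins before this hunk.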
@@ -50,7 +59,7 @@ func TestAccJWTAuthBackend_negative(t *testing.T) {
 ExpectError: regexp.MustCompile("vault_jwt_auth_backend\\.jwt: cannot write to a path ending in '/'"),
 },
 {
-Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "\"key\"", "api://default"),
+Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "\"key\"", "api://default", ""),
 Destroy: false,
 ExpectError: regexp.MustCompile("exactly one of oidc_discovery_url and jwt_validation_pubkeys should be provided"),
 },
@@ -68,16 +77,17 @@ resource "vault_jwt_auth_backend" "jwt" {
 `, path)
 }
-func testAccJWTAuthBackendConfigFull(path string, oidcDiscoveryUrl string, validationPublicKeys string, boundIssuer string) string {
+func testAccJWTAuthBackendConfigFull(path string, oidcDiscoveryUrl string, validationPublicKeys string, boundIssuer string, supportedAlgs string) string {
 return fmt.Sprintf(`
 resource "vault_jwt_auth_backend" "jwt" {
 description = "JWT backend"
 oidc_discovery_url = "%s"
 jwt_validation_pubkeys = [%s]
 bound_issuer = "%s"
+jwt_supported_algs = [%s]
 path = "%s"
 }
-`, oidcDiscoveryUrl, validationPublicKeys, boundIssuer, path)
+`, oidcDiscoveryUrl, validationPublicKeys, boundIssuer, supportedAlgs, path)
 }
 func testJWTAuthBackend_Destroyed(path string) resource.TestCheckFunc {
diff --git a/website/docs/r/jwt_auth_backend.html.md b/website/docs/r/jwt_auth_backend.html.md
index af97b9738..dd3ca07c5 100644
--- a/website/docs/r/jwt_auth_backend.html.md
+++ b/website/docs/r/jwt_auth_backend.html.md
@@ -38,6 +38,8 @@ The following arguments are supported:
 * `jwt_validation_pubkeys` - (Optional) A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
+* `jwt_supported_algs` - (Optional) A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
+
 ## Attributes Reference
 No additional attributes are exposed by this resource.