auth/jwt: adds user_claim_json_pointer and max_age to roles

vault/resource_jwt_auth_backend_role.go

@@ -119,6 +119,17 @@ func jwtAuthBackendRoleResource() *schema.Resource {
 			Default:     false,
 			Description: "Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.",
 		},
+		"user_claim_json_pointer": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Default:     false,
+			Description: "Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.",
+		},
+		"max_age": {
+			Type:        schema.TypeInt,
+			Optional:    true,
+			Description: "Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.",
+		},
 		"backend": {
 			Type:        schema.TypeString,
 			Optional:    true,
@@ -277,6 +288,12 @@ func jwtAuthBackendRoleRead(_ context.Context, d *schema.ResourceData, meta inte
 	if v, ok := resp.Data["verbose_oidc_logging"]; ok {
 		d.Set("verbose_oidc_logging", v)
 	}
+	if v, ok := resp.Data["user_claim_json_pointer"]; ok {
+		d.Set("user_claim_json_pointer", v)
+	}
+	if v, ok := resp.Data["max_age"]; ok {
+		d.Set("max_age", v)
+	}
 
 	d.Set("backend", backend)
 	d.Set("role_name", role)
@@ -365,7 +382,12 @@ func jwtAuthBackendRoleDataToWrite(d *schema.ResourceData, create bool) map[stri
 	updateTokenFields(d, data, create)
 
 	data["bound_audiences"] = util.TerraformSetToStringArray(d.Get("bound_audiences"))
-	data["user_claim"] = d.Get("user_claim").(string)
+	data["user_claim"] = d.Get("user_claim")
+	data["user_claim_json_pointer"] = d.Get("user_claim_json_pointer")
+
+	if v, ok := d.GetOk("max_age"); ok {
+		data["max_age"] = v
+	}
 
 	if dataList := util.TerraformSetToStringArray(d.Get("allowed_redirect_uris")); len(dataList) > 0 {
 		data["allowed_redirect_uris"] = dataList

vault/resource_jwt_auth_backend_role_test.go

@@ -16,7 +16,10 @@ func TestAccJWTAuthBackendRole_import(t *testing.T) {
 	backend := acctest.RandomWithPrefix("jwt")
 	role := acctest.RandomWithPrefix("test-role")
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { testutil.TestAccPreCheck(t) },
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+		},
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckJWTAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
@@ -69,6 +72,8 @@ func TestAccJWTAuthBackendRole_import(t *testing.T) {
 						"not_before_leeway", "120"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"verbose_oidc_logging", "true"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "true"),
 				),
 			},
 			{
@@ -86,7 +91,10 @@ func TestAccJWTAuthBackendRole_basic(t *testing.T) {
 	role := acctest.RandomWithPrefix("test-role")
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { testutil.TestAccPreCheck(t) },
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+		},
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckJWTAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
@@ -117,6 +125,8 @@ func TestAccJWTAuthBackendRole_basic(t *testing.T) {
 						"bound_claims_type", "string"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"user_claim", "https://vault/user"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "false"),
 				),
 			},
 		},
@@ -201,7 +211,10 @@ func TestAccJWTAuthBackendRole_full(t *testing.T) {
 	role := acctest.RandomWithPrefix("test-role")
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { testutil.TestAccPreCheck(t) },
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+		},
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckJWTAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
@@ -265,7 +278,10 @@ func TestAccJWTAuthBackendRoleOIDC_full(t *testing.T) {
 	role := acctest.RandomWithPrefix("test-role")
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { testutil.TestAccPreCheck(t) },
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+		},
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckJWTAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
@@ -324,6 +340,10 @@ func TestAccJWTAuthBackendRoleOIDC_full(t *testing.T) {
 						"claim_mappings.preferred_language", "language"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"verbose_oidc_logging", "true"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "true"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"max_age", "120"),
 				),
 			},
 		},
@@ -415,10 +435,15 @@ func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
 			"verbose_oidc_logging", "true"),
 		resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 			"bound_claims.%", "0"),
+		resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+			"user_claim_json_pointer", "true"),
 	}
 
 	resource.Test(t, resource.TestCase{
-		PreCheck:     func() { testutil.TestAccPreCheck(t) },
+		PreCheck: func() {
+			testutil.TestAccPreCheck(t)
+			testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+		},
 		Providers:    testProviders,
 		CheckDestroy: testAccCheckJWTAuthBackendRoleDestroy,
 		Steps: []resource.TestStep{
@@ -479,6 +504,8 @@ func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
 						"not_before_leeway", "0"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 						"verbose_oidc_logging", "false"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+						"user_claim_json_pointer", "false"),
 				),
 			},
 			// Repeat test case again to remove attributes like `bound_claims`
@@ -517,8 +544,8 @@ resource "vault_auth_backend" "jwt" {
 
 resource "vault_jwt_auth_backend_role" "role" {
   backend = vault_auth_backend.jwt.path
-	role_name = "%s"
-	role_type = "jwt"
+  role_name = "%s"
+  role_type = "jwt"
 
   bound_audiences = ["https://myco.test"]
   user_claim = "https://vault/user"
@@ -534,8 +561,8 @@ resource "vault_auth_backend" "jwt" {
 
 resource "vault_jwt_auth_backend_role" "role" {
   backend = vault_auth_backend.jwt.path
-	role_name = "%s"
-	role_type = "jwt"
+  role_name = "%s"
+  role_type = "jwt"
 
   bound_audiences = ["https://myco.test"]
   user_claim = "https://vault/user"
@@ -570,6 +597,7 @@ resource "vault_jwt_auth_backend_role" "role" {
   not_before_leeway = 120
 
   verbose_oidc_logging = true
+  user_claim_json_pointer = true
 }`, backend, role)
 }
 
@@ -614,6 +642,8 @@ resource "vault_jwt_auth_backend_role" "role" {
   }
 
   verbose_oidc_logging = true
+  user_claim_json_pointer = true
+  max_age = 120
 }`, backend, role)
 }
 
@@ -658,8 +688,8 @@ resource "vault_auth_backend" "jwt" {
 
 resource "vault_jwt_auth_backend_role" "role" {
   backend = vault_auth_backend.jwt.path
-	role_name = "%s"
-	role_type = "jwt"
+  role_name = "%s"
+  role_type = "jwt"
 
   bound_subject = "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@update"
   token_bound_cidrs = ["10.150.0.0/20", "10.152.0.0/20"]
@@ -675,5 +705,6 @@ resource "vault_jwt_auth_backend_role" "role" {
     department = "engineering-*-admin"
     sector = "7g"
   }
+  user_claim_json_pointer = false
 }`, backend, role)
 }

website/docs/r/jwt_auth_backend_role.html.md

@@ -69,6 +69,10 @@ The following arguments are supported:
   the user; this will be used as the name for the Identity entity alias created
   due to a successful login.
 
+* `user_claim_json_pointer` - (Optional) Specifies if the `user_claim` value uses
+  [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer) 
+  syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
+
 * `bound_subject` - (Optional) If set, requires that the `sub` claim matches
   this value.
 
@@ -113,6 +117,9 @@ The following arguments are supported:
   logging is active. Not recommended in production since sensitive information may be present
   in OIDC responses.
 
+* `max_age` - (Optional) Specifies the allowable elapsed time in seconds since the last time 
+  the user was actively authenticated with the OIDC provider.
+
 ### Common Token Arguments
 
 These arguments are common across several Authentication Token resources since Vault 1.2.