Support OIDC auth backends #398
Changes from 4 commits
005809d
fc99617
afc5d1c
ebd2fa9
fc58866
44cbc86
@@ -63,6 +63,14 @@ func jwtAuthBackendRoleResource() *schema.Resource { | |
}, | ||
Description: "Policies to be set on tokens issued using this role.", | ||
}, | ||
"allowed_redirect_uris": { | ||
Type: schema.TypeSet, | ||
Optional: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
}, | ||
Description: "The list of allowed values for redirect_uri during OIDC logins.", | ||
}, | ||
"ttl": { | ||
Type: schema.TypeInt, | ||
Optional: true, | ||
|
@@ -98,6 +106,24 @@ func jwtAuthBackendRoleResource() *schema.Resource { | |
Type: schema.TypeString, | ||
}, | ||
}, | ||
"oidc_scopes": { | ||
Type: schema.TypeSet, | ||
Optional: true, | ||
Description: "List of OIDC scopes to be used with an OIDC role. The standard scope \"openid\" is automatically included and need not be specified", | ||
|
||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, | ||
}, | ||
}, | ||
"bound_claims": { | ||
wondering if that should be plural or singular

Using plurals to be in line with Vault's documentation - https://www.vaultproject.io/api/auth/jwt/index.html
||
Type: schema.TypeMap, | ||
Optional: true, | ||
Description: "Map of claims/values to match against. The expected value may be a single string or a list of strings.", | ||
}, | ||
"claim_mappings": { | ||
Type: schema.TypeMap, | ||
Optional: true, | ||
Description: "Map of claims (keys) to be copied to specified metadata fields (values).", | ||
}, | ||
"groups_claim": { | ||
Type: schema.TypeString, | ||
Optional: true, | ||
|
@@ -196,6 +222,13 @@ func jwtAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error { | |
if err != nil { | ||
return fmt.Errorf("error setting policies in state: %s", err) | ||
} | ||
if resp.Data["allowed_redirect_uris"] != nil { | ||
allowedRedirectUris := util.JsonStringArrayToStringArray(resp.Data["allowed_redirect_uris"].([]interface{})) | ||
err = d.Set("allowed_redirect_uris", allowedRedirectUris) | ||
if err != nil { | ||
return fmt.Errorf("error setting allowed_redirect_uris in state: %s", err) | ||
} | ||
} | ||
|
||
tokenTTL, err := resp.Data["ttl"].(json.Number).Int64() | ||
if err != nil { | ||
|
@@ -234,6 +267,24 @@ func jwtAuthBackendRoleRead(d *schema.ResourceData, meta interface{}) error { | |
d.Set("bound_cidrs", make([]string, 0)) | ||
} | ||
|
||
if resp.Data["oidc_scopes"] != nil { | ||
cidrs := util.JsonStringArrayToStringArray(resp.Data["oidc_scopes"].([]interface{})) | ||
err = d.Set("oidc_scopes", cidrs) | ||
if err != nil { | ||
return fmt.Errorf("error setting oidc_scopes in state: %s", err) | ||
} | ||
} else { | ||
d.Set("oidc_scopes", make([]string, 0)) | ||
} | ||
|
||
if resp.Data["bound_claims"] != nil { | ||
d.Set("bound_claims", resp.Data["bound_claims"]) | ||
} | ||
|
||
if resp.Data["claim_mappings"] != nil { | ||
d.Set("claim_mappings", resp.Data["claim_mappings"]) | ||
} | ||
|
||
d.Set("groups_claim", resp.Data["groups_claim"].(string)) | ||
if resp.Data["groups_claim_delimiter_pattern"] != nil { | ||
d.Set("groups_claim_delimiter_pattern", resp.Data["groups_claim_delimiter_pattern"].(string)) | ||
|
@@ -343,6 +394,9 @@ func jwtAuthBackendRoleDataToWrite(d *schema.ResourceData) map[string]interface{ | |
if dataList := util.TerraformSetToStringArray(d.Get("policies")); len(dataList) > 0 { | ||
data["policies"] = dataList | ||
} | ||
if dataList := util.TerraformSetToStringArray(d.Get("allowed_redirect_uris")); len(dataList) > 0 { | ||
data["allowed_redirect_uris"] = dataList | ||
} | ||
|
||
if v, ok := d.GetOk("role_type"); ok { | ||
data["role_type"] = v.(string) | ||
|
@@ -368,6 +422,18 @@ func jwtAuthBackendRoleDataToWrite(d *schema.ResourceData) map[string]interface{ | |
data["bound_cidrs"] = dataList | ||
} | ||
|
||
if dataList := util.TerraformSetToStringArray(d.Get("oidc_scopes")); len(dataList) > 0 { | ||
data["oidc_scopes"] = dataList | ||
} | ||
|
||
if v, ok := d.GetOk("bound_claims"); ok { | ||
data["bound_claims"] = v | ||
} | ||
|
||
if v, ok := d.GetOk("claim_mappings"); ok { | ||
data["claim_mappings"] = v | ||
} | ||
|
||
if v, ok := d.GetOkExists("groups_claim"); ok { | ||
data["groups_claim"] = v.(string) | ||
} | ||
|
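Review bot: The `allowed_redirect_uris` read in the third hunk leaves state untouched when Vault returns no value, while the `oidc_scopes` read in the following hunk resets it to an empty list, so a redirect-URI list removed from the role out of band would not surface as drift on the next plan; adding `} else { d.Set("allowed_redirect_uris", make([]string, 0)) }` after that block keeps the two consistent. On the write side, `allowed_redirect_uris` is only sent when non-empty, mirroring `policies`; whether an emptied list actually clears the value in Vault depends on the role write semantics and is worth confirming, since that list bounds where an OIDC login callback may be sent. The `cidrs` local in the `oidc_scopes` block looks like a copy-paste leftover from the `bound_cidrs` code above it and would read better as `scopes`. The `d.Set` calls for `bound_claims` and `claim_mappings` drop their error return, unlike the string-list setters in the same function; `if err := d.Set("bound_claims", resp.Data["bound_claims"]); err != nil { return fmt.Errorf("error setting bound_claims in state: %s", err) }` matches the surrounding style. The `jwtAuthBackendRoleRead` and `jwtAuthBackendRoleDataToWrite` bodies both start and end outside these hunks.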
Should this be
role_type
to correspond with this?
Not sure... This
type
belongs to auth backend not to a role.