diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 174f5de3e..424a6bb45 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -78,7 +78,7 @@ jobs:
 MSSQL_URL: "sqlserver://sa:${{ secrets.MSSQL_SA_PASSWORD }}@mssql:1433"
 POSTGRES_URL: "postgres://postgres:secret@postgres:5432/database?sslmode=disable"
 run: |
- make testacc-ent TESTARGS='-v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true
+ make testacc-ent TESTARGS='-v' SKIP_MSSQL_MULTI_CI=true SKIP_RAFT_TESTS=true SKIP_VAULT_NEXT_TESTS=true
 - name: "Generate Vault API Path Coverage Report"
 run: |
 go run cmd/coverage/main.go -openapi-doc=./testdata/openapi.json
diff --git a/vault/resource_jwt_auth_backend_role.go b/vault/resource_jwt_auth_backend_role.go
index 9939b9edb..51fcf1b7a 100644
--- a/vault/resource_jwt_auth_backend_role.go
+++ b/vault/resource_jwt_auth_backend_role.go
@@ -119,6 +119,17 @@ func jwtAuthBackendRoleResource() *schema.Resource {
 Default: false,
 Description: "Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses.",
 },
+ "user_claim_json_pointer": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ Description: "Specifies if the user_claim value uses JSON pointer syntax for referencing claims. By default, the user_claim value will not use JSON pointer.",
+ },
+ "max_age": {
+ Type: schema.TypeInt,
+ Optional: true,
+ Description: "Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated.",
+ },
 "backend": {
 Type: schema.TypeString,
 Optional: true,
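Review bot: The new `SKIP_VAULT_NEXT_TESTS=true` flag, together with the `testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)` call placed at the top of every `TestAccJWTAuthBackendRole_*` function in the test-file hunks, skips the whole JWT/OIDC role acceptance suite in this job, not only the assertions for the two new attributes. If the image used by `testacc-ent` is what lacks `user_claim_json_pointer` and `max_age`, gating just the new `TestCheckResourceAttr` checks (or a dedicated test) behind the skip would keep the pre-existing coverage of this auth resource running. A comment next to the flag saying what the skipped tests require, e.g. `# SKIP_VAULT_NEXT_TESTS: skips tests that need a newer Vault than this job's image`, would also tell maintainers when it can be removed.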
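Review bot: `max_age` is declared as `schema.TypeInt` with no validation, so a negative value is only rejected by Vault at apply time; if this file already imports the SDK's `helper/validation` package (not visible in the hunk), `ValidateFunc: validation.IntAtLeast(0),` would surface the error at plan time instead. The schema `Description` also differs from the website docs added in the last hunk, which say the time is measured since the user was authenticated "with the OIDC provider"; aligning it, e.g. `Description: "Specifies the allowable elapsed time in seconds since the last time the user was actively authenticated with the OIDC provider.",`, makes it clear from the provider schema that this is an OIDC re-authentication freshness control. `jwtAuthBackendRoleResource` continues outside the hunk.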
@@ -277,6 +288,12 @@ func jwtAuthBackendRoleRead(_ context.Context, d *schema.ResourceData, meta inte
 if v, ok := resp.Data["verbose_oidc_logging"]; ok {
 d.Set("verbose_oidc_logging", v)
 }
+ if v, ok := resp.Data["user_claim_json_pointer"]; ok {
+ d.Set("user_claim_json_pointer", v)
+ }
+ if v, ok := resp.Data["max_age"]; ok {
+ d.Set("max_age", v)
+ }
 d.Set("backend", backend)
 d.Set("role_name", role)
@@ -365,7 +382,12 @@ func jwtAuthBackendRoleDataToWrite(d *schema.ResourceData, create bool) map[stri
 updateTokenFields(d, data, create)
 data["bound_audiences"] = util.TerraformSetToStringArray(d.Get("bound_audiences"))
- data["user_claim"] = d.Get("user_claim").(string)
+ data["user_claim"] = d.Get("user_claim")
+ data["user_claim_json_pointer"] = d.Get("user_claim_json_pointer")
+
+ if v, ok := d.GetOk("max_age"); ok {
+ data["max_age"] = v
+ }
 if dataList := util.TerraformSetToStringArray(d.Get("allowed_redirect_uris")); len(dataList) > 0 {
 data["allowed_redirect_uris"] = dataList
diff --git a/vault/resource_jwt_auth_backend_role_test.go b/vault/resource_jwt_auth_backend_role_test.go
index 7dea8bc54..781c87155 100644
--- a/vault/resource_jwt_auth_backend_role_test.go
+++ b/vault/resource_jwt_auth_backend_role_test.go
@@ -13,6 +13,8 @@ import (
 )
 func TestAccJWTAuthBackendRole_import(t *testing.T) {
+ testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 backend := acctest.RandomWithPrefix("jwt")
 role := acctest.RandomWithPrefix("test-role")
 resource.Test(t, resource.TestCase{
@@ -69,6 +71,8 @@ func TestAccJWTAuthBackendRole_import(t *testing.T) {
 "not_before_leeway", "120"),
 resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 "verbose_oidc_logging", "true"),
+ resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+ "user_claim_json_pointer", "true"),
 ),
 },
 {
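Review bot: The `d.GetOk("max_age")` guard in `jwtAuthBackendRoleDataToWrite` never sends a `max_age` of 0, so once a role has a non-zero `max_age` it cannot be cleared through Terraform: dropping the attribute (or setting it to 0) yields an update that omits the key, Vault presumably keeps the stored value, the read hunk above then writes that value back into state via `d.Set("max_age", v)`, and the plan shows a permanent diff. Vault keeps enforcing the stricter freshness window, so this fails closed, but config and state disagree indefinitely. Since `user_claim_json_pointer` two lines above is already sent unconditionally, the smallest fix is to send `max_age` on every update as well: `if v, ok := d.GetOk("max_age"); ok || !create {` / `data["max_age"] = v` / `}` — `v` is the zero value when `ok` is false, so an update sends 0 to clear the setting while a create still omits the key. None of the test hunks exercise removing `max_age` after it was set, so a follow-up step in `TestAccJWTAuthBackendRoleOIDC_full` that drops it would catch this. `jwtAuthBackendRoleDataToWrite` starts and ends outside the hunk.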
@@ -82,9 +86,10 @@ func TestAccJWTAuthBackendRole_import(t *testing.T) {
 }
 func TestAccJWTAuthBackendRole_basic(t *testing.T) {
+ testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 backend := acctest.RandomWithPrefix("jwt")
 role := acctest.RandomWithPrefix("test-role")
-
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testutil.TestAccPreCheck(t) },
 Providers: testProviders,
@@ -117,6 +122,8 @@ func TestAccJWTAuthBackendRole_basic(t *testing.T) {
 "bound_claims_type", "string"),
 resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 "user_claim", "https://vault/user"),
+ resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+ "user_claim_json_pointer", "false"),
 ),
 },
 },
@@ -197,9 +204,10 @@ func TestAccJWTAuthBackendRole_update(t *testing.T) {
 }
 func TestAccJWTAuthBackendRole_full(t *testing.T) {
+ testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 backend := acctest.RandomWithPrefix("jwt")
 role := acctest.RandomWithPrefix("test-role")
-
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testutil.TestAccPreCheck(t) },
 Providers: testProviders,
@@ -261,9 +269,10 @@ func TestAccJWTAuthBackendRole_full(t *testing.T) {
 }
 func TestAccJWTAuthBackendRoleOIDC_full(t *testing.T) {
+ testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 backend := acctest.RandomWithPrefix("oidc")
 role := acctest.RandomWithPrefix("test-role")
-
 resource.Test(t, resource.TestCase{
 PreCheck: func() { testutil.TestAccPreCheck(t) },
 Providers: testProviders,
@@ -324,6 +333,10 @@ func TestAccJWTAuthBackendRoleOIDC_full(t *testing.T) {
 "claim_mappings.preferred_language", "language"),
 resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 "verbose_oidc_logging", "true"),
+ resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+ "user_claim_json_pointer", "true"),
+ resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+ "max_age", "120"),
 ),
 },
 },
@@ -365,6 +378,8 @@ func TestAccJWTAuthBackendRoleOIDC_disableParsing(t *testing.T) {
 }
 func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
+ testutil.SkipTestEnvSet(t, testutil.EnvVarSkipVaultNext)
+
 backend := acctest.RandomWithPrefix("jwt")
 role := acctest.RandomWithPrefix("test-role")
@@ -415,6 +430,8 @@ func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
 "verbose_oidc_logging", "true"),
 resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 "bound_claims.%", "0"),
+ resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+ "user_claim_json_pointer", "true"),
 }
 resource.Test(t, resource.TestCase{
@@ -479,6 +496,8 @@ func TestAccJWTAuthBackendRole_fullUpdate(t *testing.T) {
 "not_before_leeway", "0"),
 resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
 "verbose_oidc_logging", "false"),
+ resource.TestCheckResourceAttr("vault_jwt_auth_backend_role.role",
+ "user_claim_json_pointer", "false"),
 ),
 },
 // Repeat test case again to remove attributes like `bound_claims`
@@ -517,8 +536,8 @@ resource "vault_auth_backend" "jwt" {
 resource "vault_jwt_auth_backend_role" "role" {
 backend = vault_auth_backend.jwt.path
- role_name = "%s"
- role_type = "jwt"
+ role_name = "%s"
+ role_type = "jwt"
 bound_audiences = ["https://myco.test"]
 user_claim = "https://vault/user"
@@ -534,8 +553,8 @@ resource "vault_auth_backend" "jwt" {
 resource "vault_jwt_auth_backend_role" "role" {
 backend = vault_auth_backend.jwt.path
- role_name = "%s"
- role_type = "jwt"
+ role_name = "%s"
+ role_type = "jwt"
 bound_audiences = ["https://myco.test"]
 user_claim = "https://vault/user"
@@ -570,6 +589,7 @@ resource "vault_jwt_auth_backend_role" "role" {
 not_before_leeway = 120
 verbose_oidc_logging = true
+ user_claim_json_pointer = true
 }`, backend, role)
 }
@@ -614,6 +634,8 @@ resource "vault_jwt_auth_backend_role" "role" {
 }
 verbose_oidc_logging = true
+ user_claim_json_pointer = true
+ max_age = 120
 }`, backend, role)
 }
@@ -658,8 +680,8 @@ resource "vault_auth_backend" "jwt" {
 resource "vault_jwt_auth_backend_role" "role" {
 backend = vault_auth_backend.jwt.path
- role_name = "%s"
- role_type = "jwt"
+ role_name = "%s"
+ role_type = "jwt"
 bound_subject = "sl29dlldsfj3uECzsU3Sbmh0F29Fios1@update"
 token_bound_cidrs = ["10.150.0.0/20", "10.152.0.0/20"]
@@ -675,5 +697,6 @@ resource "vault_jwt_auth_backend_role" "role" {
 department = "engineering-*-admin"
 sector = "7g"
 }
+ user_claim_json_pointer = false
 }`, backend, role)
 }
diff --git a/website/docs/r/jwt_auth_backend_role.html.md b/website/docs/r/jwt_auth_backend_role.html.md
index f6d47ac10..7c1ca218d 100644
--- a/website/docs/r/jwt_auth_backend_role.html.md
+++ b/website/docs/r/jwt_auth_backend_role.html.md
@@ -69,6 +69,10 @@ The following arguments are supported:
 the user; this will be used as the name for the Identity entity alias created due to a successful login.
+* `user_claim_json_pointer` - (Optional) Specifies if the `user_claim` value uses
+ [JSON pointer](https://www.vaultproject.io/docs/auth/jwt#claim-specifications-and-json-pointer)
+ syntax for referencing claims. By default, the `user_claim` value will not use JSON pointer.
+
 * `bound_subject` - (Optional) If set, requires that the `sub` claim matches this value.
@@ -113,6 +117,9 @@ The following arguments are supported:
 logging is active. Not recommended in production since sensitive information may be present in OIDC responses.
+* `max_age` - (Optional) Specifies the allowable elapsed time in seconds since the last time
+ the user was actively authenticated with the OIDC provider.
+
 ### Common Token Arguments
 These arguments are common across several Authentication Token resources since Vault 1.2.