Adds consumer_by field to oidc plugin (#54)

alexashley · Jan 9, 2019 · d40540c · d40540c
1 parent ab5bfcd
commit d40540c
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -9,7 +9,7 @@ jobs:
       environment:
       - POSTGRES_USER=kong
       - POSTGRES_DB=kong
-    - image: alexashley/tf-provider-custom-kong:0.0.6
+    - image: alexashley/tf-provider-custom-kong:0.0.7
       environment:
       - KONG_DATABASE=postgres
       - KONG_PG_HOST=localhost

diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ MAKEFLAGS += --silent
 
 KONG ?= "http://localhost:8001"
 
-IMAGE_VERSION="0.0.6"
+IMAGE_VERSION="0.0.7"
 
 build:
 	 GO111MODULE=on go build -o terraform-provider-kong

diff --git a/docs/kong_plugin_openid_connect.md b/docs/kong_plugin_openid_connect.md
@@ -21,6 +21,7 @@ The following fields are supported:
 |`issuer`|URL of the OpenId Connect server |`string`| | Y|
 |`anonymous`|Anonymous consumer id. This is useful if you need to enable multiple auth plugins -- failing to authenticate will cause this consumer to be set. |`string`| | N|
 |`auth_methods`|Allowed authentication methods |`set[string]`| | N|
+|`consumer_by`|A JWT claim used to lookup a Kong consumer. Used with consumer_claim to control the process of identifying a Kong consumer. |`set[string]`| | N|
 |`consumer_claim`|JWT claims to use to map to a Kong consumer. Typically set to `sub` |`set[string]`| | N|
 |`enabled`|Toggle whether the plugin will run |`bool`| true| N|
 |`route_id`|Unique identifier of the associated route. |`string`| | N|

diff --git a/kong-docker/plugins/openid-connect/schema.lua b/kong-docker/plugins/openid-connect/schema.lua
@@ -30,6 +30,7 @@ return {
         anonymous = { type = "string" },
         auth_methods = { type = "array", func = allowed_methods },
         issuer = { type = "url", required = true },
-        consumer_claim = { type = "array" }
+        consumer_claim = { type = "array" },
+        consumer_by = { type = "array" }
     }
 }
diff --git a/kong/provider/resource_kong_plugin_openid_connect.go b/kong/provider/resource_kong_plugin_openid_connect.go
@@ -28,6 +28,15 @@ func resourceKongPluginOpenidConnect() *schema.Resource {
 				},
 				Set: schema.HashString,
 			},
+			"consumer_by": {
+				Description: "A JWT claim used to lookup a Kong consumer. Used with consumer_claim to control the process of identifying a Kong consumer.",
+				Type:        schema.TypeSet,
+				Optional:    true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Set: schema.HashString,
+			},
 			"consumer_claim": {
 				Description: "JWT claims to use to map to a Kong consumer. Typically set to `sub`",
 				Type:        schema.TypeSet,
@@ -65,6 +74,15 @@ func resourceKongPluginOpenidConnect() *schema.Resource {
 				config["auth_methods"] = methods
 			}
 
+			if consumerBys, ok := data.GetOk("consumer_by"); ok {
+				consumerBy := setToStringArray(consumerBys.(*schema.Set))
+				if err := validateConsumerBy(consumerBy); err != nil {
+					return nil, err
+				}
+
+				config["consumer_by"] = consumerBy
+			}
+
 			return config, nil
 		},
 		MapApiModelToResource: func(plugin *kong.KongPlugin, data *schema.ResourceData) error {
@@ -112,3 +130,13 @@ func validateAuthMethods(authMethods []string) error {
 
 	return nil
 }
+
+func validateConsumerBy(consumerByFields []string) error {
+	for _, consumerBy := range consumerByFields {
+		if !(consumerBy == "username" || consumerBy == "consumer") {
+			return fmt.Errorf("invalid value for consumer_by: must be one of custom_id or username")
+		}
+	}
+
+	return nil
+}
diff --git a/kong/provider/resource_kong_plugin_openid_connect_test.go b/kong/provider/resource_kong_plugin_openid_connect_test.go
@@ -113,6 +113,27 @@ func TestAccKongPluginOpenIdConnect_validate_auth_methods(t *testing.T) {
 	})
 }
 
+func TestAccKongPluginOpenIdConnect_validate_consumer_by(t *testing.T) {
+	issuer := fmt.Sprintf("https://%s.com", acctest.RandString(10))
+	consumerBy := acctest.RandString(10)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		CheckDestroy: test_util.TestAccCheckGenericKongPluginDestroy(
+			testAccProvider,
+			"kong_plugin_openid_connect",
+			"kong_plugin_openid_connect.oidc-test",
+			"openid-connect"),
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccKongPluginOpenIdConnect_consumer_by(issuer, consumerBy),
+				ExpectError: regexp.MustCompile("invalid value for consumer_by: must be one of custom_id or username"),
+			},
+		},
+	})
+}
+
 func testAccKongPluginOpenIdConnect_basic(issuer string) string {
 	return fmt.Sprintf(`
 	resource "kong_service" "test-service" {
@@ -160,3 +181,19 @@ func testAccKongPluginOpenIdConnect_auth(issuer, authMethod string) string {
 	}
 `, acctest.RandString(5), issuer, authMethod)
 }
+
+func testAccKongPluginOpenIdConnect_consumer_by(issuer, consumerBy string) string {
+	return fmt.Sprintf(`
+	resource "kong_service" "test-service" {
+		name	= "mockbin-%s"
+		url		= "https://mockbin.org/request"
+	}
+
+	resource "kong_plugin_openid_connect" "oidc-test" {
+		service_id		= "${kong_service.test-service.id}"
+		issuer 			= "%s"
+		consumer_by 	= ["%s"]
+		
+	}
+`, acctest.RandString(5), issuer, consumerBy)
+}