Merge pull request hashicorp#345 from shupp/jwt-config

Added support for jwt_supported_algs
dandandy · Apr 3, 2019 · 85016e9 · 85016e9
2 parents 7846bfe + b707a5e
commit 85016e9
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/vault/resource_jwt_auth_backend.go b/vault/resource_jwt_auth_backend.go
@@ -69,6 +69,13 @@ func jwtAuthBackendResource() *schema.Resource {
 				Description: "The value against which to match the iss claim in a JWT",
 			},
 
+			"jwt_supported_algs": {
+				Type:        schema.TypeList,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+				Optional:    true,
+				Description: "A list of supported signing algorithms. Defaults to [RS256]",
+			},
+
 			"accessor": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -149,6 +156,7 @@ func jwtAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("bound_issuer", config.Data["bound_issuer"])
 	d.Set("oidc_discovery_url", config.Data["oidc_discovery_url"])
 	d.Set("jwt_validation_pubkeys", config.Data["jwt_validation_pubkeys"])
+	d.Set("jwt_supported_algs", config.Data["jwt_supported_algs"])
 
 	return nil
 
@@ -167,6 +175,7 @@ func jwtAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 
 	oidcDiscoveryUrl, oidcDiscoveryUrlExists := d.GetOk("oidc_discovery_url")
 	jwtValidationPubKeys, jwtValidationPubKeysExists := d.GetOk("jwt_validation_pubkeys")
+	jwtSupportedAlgs, jwtSupportedAlgsExists := d.GetOk("jwt_supported_algs")
 
 	if oidcDiscoveryUrlExists == jwtValidationPubKeysExists {
 		return errors.New("exactly one of oidc_discovery_url and jwt_validation_pubkeys should be provided")
@@ -180,6 +189,10 @@ func jwtAuthBackendUpdate(d *schema.ResourceData, meta interface{}) error {
 		configuration["jwt_validation_pubkeys"] = jwtValidationPubKeys
 	}
 
+	if jwtSupportedAlgsExists {
+		configuration["jwt_supported_algs"] = jwtSupportedAlgs
+	}
+
 	_, err := client.Logical().Write(jwtConfigEndpoint(path), configuration)
 	if err != nil {
 		return fmt.Errorf("error updating configuration to Vault for path %s: %s", path, err)

diff --git a/vault/resource_jwt_auth_backend_test.go b/vault/resource_jwt_auth_backend_test.go
@@ -28,10 +28,19 @@ func TestAccJWTAuthBackend(t *testing.T) {
 				),
 			},
 			{
-				Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "", "api://default"),
+				Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "", "api://default", "\"RS512\""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "oidc_discovery_url", "https://myco.auth0.com/"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", "api://default"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "jwt_supported_algs.#", "1"),
+				),
+			},
+			{
+				Config: testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "", "api://default", "\"RS256\",\"RS512\""),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "oidc_discovery_url", "https://myco.auth0.com/"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", "api://default"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "jwt_supported_algs.#", "2"),
 				),
 			},
 		},
@@ -50,7 +59,7 @@ func TestAccJWTAuthBackend_negative(t *testing.T) {
 				ExpectError: regexp.MustCompile("vault_jwt_auth_backend\\.jwt: cannot write to a path ending in '/'"),
 			},
 			{
-				Config:      testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "\"key\"", "api://default"),
+				Config:      testAccJWTAuthBackendConfigFull(path, "https://myco.auth0.com/", "\"key\"", "api://default", ""),
 				Destroy:     false,
 				ExpectError: regexp.MustCompile("exactly one of oidc_discovery_url and jwt_validation_pubkeys should be provided"),
 			},
@@ -68,16 +77,17 @@ resource "vault_jwt_auth_backend" "jwt" {
 `, path)
 }
 
-func testAccJWTAuthBackendConfigFull(path string, oidcDiscoveryUrl string, validationPublicKeys string, boundIssuer string) string {
+func testAccJWTAuthBackendConfigFull(path string, oidcDiscoveryUrl string, validationPublicKeys string, boundIssuer string, supportedAlgs string) string {
 	return fmt.Sprintf(`
 resource "vault_jwt_auth_backend" "jwt" {
   description = "JWT backend"
   oidc_discovery_url = "%s"
   jwt_validation_pubkeys = [%s]
   bound_issuer = "%s"
+  jwt_supported_algs = [%s]
   path = "%s"
 }
-`, oidcDiscoveryUrl, validationPublicKeys, boundIssuer, path)
+`, oidcDiscoveryUrl, validationPublicKeys, boundIssuer, supportedAlgs, path)
 }
 
 func testJWTAuthBackend_Destroyed(path string) resource.TestCheckFunc {

diff --git a/website/docs/r/jwt_auth_backend.html.md b/website/docs/r/jwt_auth_backend.html.md
@@ -38,6 +38,8 @@ The following arguments are supported:
 
 * `jwt_validation_pubkeys` - (Optional) A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url`
 
+* `jwt_supported_algs` - (Optional) A list of supported signing algorithms. Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ
+
 ## Attributes Reference
 
 No additional attributes are exposed by this resource.