Adding support for OIDCDisableUserInfo (#429)

In nomad 1.7.3 a new config has been [introduced](hashicorp/nomad#19566) Adding support for this config parameter
hashicorp · Feb 8, 2024 · 180decc · 180decc
1 parent f4a25d2
commit 180decc
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 ## 2.1.2 (Unreleased)
 
+IMPROVEMENTS:
+* resource/acl_auth_method: add support for `oidc_disable_userinfo` ([#429](https://github.com/hashicorp/terraform-provider-nomad/pull/429))
+
 ## 2.1.1 (January 30, 2024)
 
 NOTES:

diff --git a/go.mod b/go.mod
@@ -17,8 +17,8 @@ require (
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/nomad v1.7.2
-	github.com/hashicorp/nomad/api v0.0.0-20231219145541-859606a54ade
+	github.com/hashicorp/nomad v1.7.3
+	github.com/hashicorp/nomad/api v0.0.0-20240115165540-60ee328f97d1
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.32.0
 	github.com/hashicorp/vault v0.10.4
 	github.com/shoenig/test v1.7.0

diff --git a/go.sum b/go.sum
@@ -132,8 +132,8 @@ github.com/hashicorp/logutils v1.0.0 h1:dLEQVugN8vlakKOUE3ihGLTZJRB4j+M2cdTm/ORI
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/nomad v0.0.0-20240129172537-56ea3f7cdafd h1:HrO9eleJh0apPsRLNKA/apPXBjFKwcZmicfbmtb9Xy0=
 github.com/hashicorp/nomad v0.0.0-20240129172537-56ea3f7cdafd/go.mod h1:IyUc7EZVCTpavku0fxuz1FNy5FGJNiQFEgZzOzWgNHs=
-github.com/hashicorp/nomad/api v0.0.0-20231219145541-859606a54ade h1:tNZmy3PBf2zmkN62O/PqcVZUmaws+BMEiqjmU7qviUg=
-github.com/hashicorp/nomad/api v0.0.0-20231219145541-859606a54ade/go.mod h1:ijDwa6o1uG1jFSq6kERiX2PamKGpZzTmo0XOFNeFZgw=
+github.com/hashicorp/nomad/api v0.0.0-20240115165540-60ee328f97d1 h1:I4jVcopx8jl5jJ4wVgLAIUfz8WTbLGM9DgSVpgqPYZA=
+github.com/hashicorp/nomad/api v0.0.0-20240115165540-60ee328f97d1/go.mod h1:ijDwa6o1uG1jFSq6kERiX2PamKGpZzTmo0XOFNeFZgw=
 github.com/hashicorp/serf v0.10.1 h1:Z1H2J60yRKvfDYAOZLd2MU0ND4AH/WDz7xYHDWQsIPY=
 github.com/hashicorp/serf v0.10.1/go.mod h1:yL2t6BqATOLGc5HF7qbFkTfXoPIY0WZdWHfEvMqbG+4=
 github.com/hashicorp/terraform-exec v0.20.0 h1:DIZnPsqzPGuUnq6cH8jWcPunBfY+C+M8JyYF3vpnuEo=

diff --git a/nomad/resource_acl_auth_method.go b/nomad/resource_acl_auth_method.go
@@ -95,6 +95,12 @@ func resourceACLAuthMethodConfig() *schema.Resource {
 				Required:    true,
 				Sensitive:   true,
 			},
+			"oidc_disable_userinfo": {
+				Description: "Nomad will not make a request to the identity provider to get OIDC UserInfo.",
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+			},
 			"oidc_scopes": {
 				Description: "List of OIDC scopes.",
 				Type:        schema.TypeList,
@@ -301,6 +307,8 @@ func generateNomadACLAuthMethodConfig(intf interface{}) (*api.ACLAuthMethodConfi
 			authMethodConfig.OIDCClientID = v.(string)
 		case "oidc_client_secret":
 			authMethodConfig.OIDCClientSecret = v.(string)
+		case "oidc_disable_userinfo":
+			authMethodConfig.OIDCDisableUserInfo = v.(bool)
 		case "oidc_scopes":
 			unpacked, err := unpackStringArray(v, "oidc_scopes")
 			if err != nil {
@@ -358,6 +366,7 @@ func flattenACLAuthMethodConfig(cfg *api.ACLAuthMethodConfig) []any {
 		"oidc_client_id":        cfg.OIDCClientID,
 		"oidc_client_secret":    cfg.OIDCClientSecret,
 		"oidc_scopes":           packStringArray(cfg.OIDCScopes),
+		"oidc_disable_userinfo": cfg.OIDCDisableUserInfo,
 		"bound_audiences":       packStringArray(cfg.BoundAudiences),
 		"allowed_redirect_uris": packStringArray(cfg.AllowedRedirectURIs),
 		"discovery_ca_pem":      packStringArray(cfg.DiscoveryCaPem),

diff --git a/nomad/resource_acl_auth_method_test.go b/nomad/resource_acl_auth_method_test.go
@@ -58,6 +58,7 @@ resource "nomad_acl_auth_method" "test" {
     bound_audiences       = ["someclientid"]
     discovery_ca_pem      = ["secretpemcert"]
     signing_algs          = ["rsa256", "hs256"]
+    oidc_disable_userinfo = true
     allowed_redirect_uris = [
       "http://localhost:4649/oidc/callback",
       %q,
@@ -76,13 +77,14 @@ resource "nomad_acl_auth_method" "test" {
 func testResourceACLAuthMethodCheck(name, uiCallback, defaultVal string) resource.TestCheckFunc {
 	return func(s *terraform.State) error {
 		const (
-			expectedType             = "OIDC"
-			expectedTokenLocality    = "global"
-			expectedMaxTokenTTL      = "10m0s"
-			expectedTokenNameFormat  = "${auth_method_type}-${auth_method_name}-${value.user}"
-			expectedOIDCDiscoveryURL = "https://uk.auth0.com/"
-			expectedOIDCClientID     = "someclientid"
-			expectedOIDCClientSecret = "someclientsecret-t"
+			expectedType                = "OIDC"
+			expectedTokenLocality       = "global"
+			expectedMaxTokenTTL         = "10m0s"
+			expectedTokenNameFormat     = "${auth_method_type}-${auth_method_name}-${value.user}"
+			expectedOIDCDiscoveryURL    = "https://uk.auth0.com/"
+			expectedOIDCClientID        = "someclientid"
+			expectedOIDCDisableUserInfo = true
+			expectedOIDCClientSecret    = "someclientsecret-t"
 		)
 		var (
 			expectedBoundAudiences      = []string{"someclientid"}
@@ -182,6 +184,10 @@ func testResourceACLAuthMethodCheck(name, uiCallback, defaultVal string) resourc
 			return fmt.Errorf(`expected OIDC client ID to be %q, is %q" in API`,
 				expectedOIDCClientID, authMethod.Config.OIDCClientID)
 		}
+		if authMethod.Config.OIDCDisableUserInfo != expectedOIDCDisableUserInfo {
+			return fmt.Errorf(`expected OIDC disable userinfo to be %t, is %t" in API`,
+				expectedOIDCDisableUserInfo, authMethod.Config.OIDCDisableUserInfo)
+		}
 		if authMethod.Config.OIDCClientSecret != expectedOIDCClientSecret {
 			return fmt.Errorf(`expected OIDC client secret to be %q, is %q in API`,
 				expectedOIDCClientSecret, authMethod.Config.OIDCDiscoveryURL)

diff --git a/website/docs/r/acl_binding_rule.html.markdown b/website/docs/r/acl_binding_rule.html.markdown
@@ -84,6 +84,11 @@ The following arguments are supported:
 
   - `oidc_scopes`: `([]string: <optional>)` - List of OIDC scopes.
 
+  - `oidc_disable_userinfo`: `(bool: false)` - When set to `true`, Nomad will
+     not make a request to the identity provider to get OIDC `UserInfo`.
+     You may wish to set this if your identity provider doesn't send any
+     additional claims from the `UserInfo` endpoint.
+
   - `bound_audiences`: `([]string: <optional>)` - List of auth claims that are
     valid for login.
 
@@ -95,7 +100,7 @@ The following arguments are supported:
 
   - `signing_algs`: `([]string: <optional>)` - A list of supported signing
     algorithms.
-  
+
   - `claim_mappings`: `(map[string]string: <optional>)` - Mappings of claims (key)
     that will be copied to a metadata field (value).