
vault_jwt_auth_backend_role: unexpected comma separation for bound_claims value #956

Closed
xinau opened this issue Jan 27, 2021 · 0 comments · Fixed by #1200


xinau commented Jan 27, 2021

Hi there,

While configuring the vault_jwt_auth_backend_role we noticed a slightly odd behavior with the bound_claims parameter when our value contains a ",". With a "," in our value, the value gets split into a list of strings, which isn't the desired behaviour.

The documentation states that the bound_claims can be either a map with values of string or list of strings.

bound_claims - (Optional) If set, a map of claims/values to match against. The expected value may be a single string or a list of strings.

I would like to help on this issue. But I'm unsure what's the best way to fix the bug.

  • the bound_claims value could be implemented as stated by the documentation to accept both strings and list of strings
  • an escape sequence could be specified for the comma separation.

Terraform Version

$ terraform -v   
Terraform v0.14.5
+ provider registry.terraform.io/hashicorp/vault v2.18.0

Affected Resource(s)

  • vault_jwt_auth_backend_role

Terraform Configuration Files

resource "vault_jwt_auth_backend" "oidc" {
  description        = "example"
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = ""
  oidc_client_id     = ""
  oidc_client_secret = ""
  default_role       = "example"
}

resource "vault_jwt_auth_backend_role" "main" {
  backend        = vault_jwt_auth_backend.oidc.path
  role_name      = "example"
  token_policies = ["example"]

  user_claim      = "example"
  groups_claim    = "groups"
  bound_claims    = { "groups" = "/cn=example,ou=security,ou=groups,o=example" }
  role_type       = "oidc"
  bound_audiences = ["example"]
  allowed_redirect_uris = ["http://localhost:8250/oidc/callback"]
  token_ttl             = 28800
}

Expected Behavior

The configuration for the example role should look as follows.

$ vault read auth/oidc/role/example
Key                        Value
---                        -----
allowed_redirect_uris      [http://localhost:8250/oidc/callback]
bound_audiences            [example]
bound_claims               map[groups:[/cn=example,ou=security,ou=groups,o=example]]
...

Actual Behavior

The claim value gets split at the ",".

$ vault read auth/oidc/role/example
Key                        Value
---                        -----
allowed_redirect_uris      [http://localhost:8250/oidc/callback]
bound_audiences            [example]
bound_claims               map[groups:[/cn=example ou=security ou=groups o=example]]
...

Important Factoids

// Provider code that produces the behaviour above: any comma in the
// configured value is taken as a list separator, so a single string
// value such as an LDAP DN is turned into a list of fragments.
if strings.Contains(valStr, ",") {
	vals := strings.Split(valStr, ",")
	for i := range vals {
		vals[i] = strings.TrimSpace(vals[i])
	}
	boundClaims[key] = vals
} else {
	boundClaims[key] = valStr
}

References
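The snippet in the report matters beyond cosmetics: bound_claims is an authorization binding, and once the provider splits "/cn=example,ou=security,ou=groups,o=example" into four fragments, Vault no longer requires the full DN but accepts any one fragment, so a token whose groups claim contains just "o=example" would satisfy the role while the intended exact value would not. The following Go program is an added illustration, not code from the issue or from terraform-provider-vault: parseBoundClaimBuggy reproduces the split shown in the report, parseBoundClaimExplicit is a hypothetical alternative in the spirit of the reporter's first option (a value is a list only when written as a JSON array), and claimMatches is a simplified stand-in for the claim comparison (exact match for a string, any-of for a list) used only to show the effect.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// parseBoundClaimBuggy reproduces the behaviour described in the issue:
// any comma inside the configured value turns it into a list of strings.
func parseBoundClaimBuggy(valStr string) interface{} {
	if strings.Contains(valStr, ",") {
		vals := strings.Split(valStr, ",")
		for i := range vals {
			vals[i] = strings.TrimSpace(vals[i])
		}
		return vals
	}
	return valStr
}

// parseBoundClaimExplicit is a hypothetical alternative (not the provider's
// actual fix): the value is a list only when the operator writes it as a
// JSON array, so a bare string containing commas (such as an LDAP DN) is
// kept intact. Malformed arrays are rejected instead of silently split.
func parseBoundClaimExplicit(valStr string) (interface{}, error) {
	trimmed := strings.TrimSpace(valStr)
	if strings.HasPrefix(trimmed, "[") {
		var vals []string
		if err := json.Unmarshal([]byte(trimmed), &vals); err != nil {
			return nil, fmt.Errorf("bound_claims value %q looks like a list but is not a JSON array of strings: %w", valStr, err)
		}
		return vals, nil
	}
	return valStr, nil
}

// claimMatches is a simplified model of bound-claim matching: a string
// expected value must equal the presented claim exactly, while a list
// expected value matches if any element equals it.
func claimMatches(expected interface{}, presented string) bool {
	switch e := expected.(type) {
	case string:
		return e == presented
	case []string:
		for _, v := range e {
			if v == presented {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: the DN from the issue and one of its fragments.
	const configured = "/cn=example,ou=security,ou=groups,o=example"
	buggy := parseBoundClaimBuggy(configured)
	explicit, err := parseBoundClaimExplicit(configured)
	if err != nil {
		panic(err)
	}
	for _, presented := range []string{configured, "o=example"} {
		fmt.Printf("%-45q buggy=%v explicit=%v\n",
			presented, claimMatches(buggy, presented), claimMatches(explicit, presented))
	}
}
```

Running it shows the two parses disagree on both inputs: the buggy parse rejects the full DN and accepts the bare "o=example" fragment, while the explicit parse does the reverse. Whatever the eventual fix, the property worth testing in the provider is that a map value without list syntax reaches Vault as exactly one string.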
