Added support for jwt_supported_algs

[shupp]

Overview

As of vault 1.0.3, you can configure the list of supported algorithms in a jwt auth backend. This PR adds this support to terraform-provider-vault.

Manual Testing

Config not set:

resource "vault_jwt_auth_backend" "my_jwt_auth" {
  path               = "jwt"
  oidc_discovery_url = "https://myserver.com"
  bound_issuer       = "https://myserver.com"
}

$ vault read auth/jwt/config
Key                       Value
---                       -----
bound_issuer              https://myserver.com
jwt_supported_algs        []
jwt_validation_pubkeys    []
oidc_discovery_ca_pem     n/a
oidc_discovery_url        https://myserver.com

Config with one option:

resource "vault_jwt_auth_backend" "my_jwt_auth" {
  path               = "jwt"
  oidc_discovery_url = "https://myserver.com"
  bound_issuer       = "https://myserver.com"
  jwt_supported_algs = ["RS512"]
}

$ vault read auth/jwt/config
Key                       Value
---                       -----
bound_issuer              https://myserver.com
jwt_supported_algs        [RS512]
jwt_validation_pubkeys    []
oidc_discovery_ca_pem     n/a
oidc_discovery_url        https://myserver.com

Config with two options:

resource "vault_jwt_auth_backend" "my_jwt_auth" {
  path               = "jwt"
  oidc_discovery_url = "https://myserver.com"
  bound_issuer       = "https://myserver.com"
  jwt_supported_algs = ["RS256","RS512"]
}

$ vault read auth/jwt/config
Key                       Value
---                       -----
bound_issuer              https://myserver.com
jwt_supported_algs        [RS256 RS512]
jwt_validation_pubkeys    []
oidc_discovery_ca_pem     n/a
oidc_discovery_url        https://myserver.com

Unit Testing

$ make test
==> Checking that code complies with gofmt requirements...
go test -i $(go list ./... |grep -v 'vendor') || exit 1
echo $(go list ./... |grep -v 'vendor') | \
                xargs -t -n4 go test  -timeout=30s -parallel=4
go test -timeout=30s -parallel=4 github.com/terraform-providers/terraform-provider-vault github.com/terraform-providers/terraform-provider-vault/util github.com/terraform-providers/terraform-provider-vault/vault
?       github.com/terraform-providers/terraform-provider-vault [no test files]
ok      github.com/terraform-providers/terraform-provider-vault/util    0.022s
ok      github.com/terraform-providers/terraform-provider-vault/vault   0.044s

[tyrannosaurus-becks]

This looks very good! Would it be possible to get just one sunny path test displaying how this value should be populated? I see you have it in the PR commentary, which is great, but once it's merged it'll essentially "disappear" in the code itself; yet it's very useful. A test would help the example be evident on an ongoing basis.

[tyrannosaurus-becks]

Since it's being defaulted by Vault rather than by the Terraform Vault Provider, could we note that more explicitly here? Something like Vault 1.1.0 currently defaults to RS256 but future or past versions of Vault may differ?

[shupp]

@tyrannosaurus-becks it's actually the default of the oidc dependency that go-oidc package. The vault-plugin-jwt-auth package depends on that and uses its defaults by using an empty string slice. Not sure if that changes your preference on language, but wanted to be clear here.

[tyrannosaurus-becks]

Totally! Yes, I'm aware of that. I was thinking it'd be good to note that it ties to Vault because of how most people will be using the version of the plugin that's included in the Vault catalog at the time of a particular release. However, if you think it makes more sense to have the language refer to the plugin instead, that's fine with me.

[shupp]

@tyrannosaurus-becks Sure, I can turn the PR contents into a test.

[shupp]

Was not using make to test, will fix this shortly.

[shupp]

@tyrannosaurus-becks tests fixed up, ready for another look when you have a chance.

[tyrannosaurus-becks]

@shupp awesome! Thank you!