indicate that token reviewer jwt is set on config read (#221)
---------

Co-authored-by: Ben Ash <[email protected]>
thyton and benashz authored Dec 26, 2023
1 parent 3c47be5 commit 6f9c733
Showing 3 changed files with 78 additions and 34 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -21,6 +21,7 @@
### Improvements

* Support bound service account namespace selector [GH-218](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/218)
* Indicate that token reviewer JWT is set on config read [GH-221](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/221)

## 0.17.1 (Sept 7, 2023)

1 change: 1 addition & 0 deletions path_config.go
Expand Up @@ -128,6 +128,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
"issuer": config.Issuer,
"disable_iss_validation": config.DisableISSValidation,
"disable_local_ca_jwt": config.DisableLocalCAJwt,
"token_reviewer_jwt_set": config.TokenReviewerJWT != "",
},
}

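Review bot: The new `"token_reviewer_jwt_set"` entry in the read response carries no comment saying that it stands in for the secret, which is kept out of the response. I would add above it `// Expose only whether a reviewer JWT is stored; the token itself must never be returned on read.` so a later edit does not put the raw value next to it. The field's API description should also say that `false` only means no JWT is stored in this config: if the plugin falls back to the pod's local service account token when `disable_local_ca_jwt` is false (not visible in this hunk), a reviewer credential can still be in use. pathConfigRead starts above the hunk and its end is not shown.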
110 changes: 76 additions & 34 deletions path_config_test.go
Expand Up @@ -44,46 +44,88 @@ func setupLocalFiles(t *testing.T, b logical.Backend) func() {
}

func TestConfig_Read(t *testing.T) {
b, storage := getBackend(t)

cleanup := setupLocalFiles(t, b)
defer cleanup()

data := map[string]interface{}{
"pem_keys": []string{testRSACert, testECCert},
"kubernetes_host": "host",
"kubernetes_ca_cert": testCACert,
"issuer": "",
"disable_iss_validation": false,
"disable_local_ca_jwt": false,
tests := []struct {
name string
data map[string]interface{}
want map[string]interface{}
}{
{
name: "token-review-jwt-is-unset",
data: map[string]interface{}{
"pem_keys": []string{testRSACert, testECCert},
"kubernetes_host": "host",
"kubernetes_ca_cert": testCACert,
"issuer": "",
"disable_iss_validation": false,
"disable_local_ca_jwt": false,
},
want: map[string]interface{}{
"pem_keys": []string{testRSACert, testECCert},
"kubernetes_host": "host",
"kubernetes_ca_cert": testCACert,
"issuer": "",
"disable_iss_validation": false,
"disable_local_ca_jwt": false,
"token_reviewer_jwt_set": false,
},
},
{
name: "token-review-jwt-is-set",
data: map[string]interface{}{
"pem_keys": []string{testRSACert, testECCert},
"kubernetes_host": "host",
"kubernetes_ca_cert": testCACert,
"issuer": "",
"disable_iss_validation": false,
"disable_local_ca_jwt": false,
"token_reviewer_jwt": "test-token-review-jwt",
},
want: map[string]interface{}{
"pem_keys": []string{testRSACert, testECCert},
"kubernetes_host": "host",
"kubernetes_ca_cert": testCACert,
"issuer": "",
"disable_iss_validation": false,
"disable_local_ca_jwt": false,
"token_reviewer_jwt_set": true,
},
},
}

req := &logical.Request{
Operation: logical.UpdateOperation,
Path: configPath,
Storage: storage,
Data: data,
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
b, storage := getBackend(t)
cleanup := setupLocalFiles(t, b)
t.Cleanup(cleanup)

resp, err := b.HandleRequest(context.Background(), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, resp)
}
req := &logical.Request{
Operation: logical.UpdateOperation,
Path: configPath,
Storage: storage,
Data: tc.data,
}

req = &logical.Request{
Operation: logical.ReadOperation,
Path: configPath,
Storage: storage,
Data: nil,
}
resp, err := b.HandleRequest(context.Background(), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("got unexpected error %s for resp %#v", err, resp)
}

resp, err = b.HandleRequest(context.Background(), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, resp)
}
req = &logical.Request{
Operation: logical.ReadOperation,
Path: configPath,
Storage: storage,
Data: nil,
}

resp, err = b.HandleRequest(context.Background(), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("got unexpected error %s for resp %#v", err, resp)
}

if !reflect.DeepEqual(resp.Data, data) {
t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", data, resp.Data)
if !reflect.DeepEqual(resp.Data, tc.want) {
t.Fatalf("expected %#v, got %#v", tc.want, resp.Data)
}
})
}
}

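Review bot: In the `token-review-jwt-is-set` case, the guarantee that the stored JWT is not echoed back is only implied by `reflect.DeepEqual` against a `want` map that happens to lack `token_reviewer_jwt`. An explicit check after the read, `if _, ok := resp.Data["token_reviewer_jwt"]; ok { t.Fatal("token_reviewer_jwt must not be returned on config read") }`, would keep that property pinned if the comparison is ever loosened to a subset match. Separately, the guard `resp != nil && resp.IsError()` lets a nil `resp` through, so the later `resp.Data` would panic rather than fail cleanly. Both `t.Fatalf("got unexpected error %s for resp %#v", err, resp)` calls also format a possibly nil `err` with `%s`, where `%v` would read better.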
