From 6f9c733333c1d5f86166db8db0016eda7bfb21bf Mon Sep 17 00:00:00 2001 From: Thy Ton Date: Tue, 26 Dec 2023 22:17:33 +0700 Subject: [PATCH] indicate that token reviewer jwt is set on config read (#221) --------- Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com> --- CHANGELOG.md | 1 + path_config.go | 1 + path_config_test.go | 110 ++++++++++++++++++++++++++++++-------------- 3 files changed, 78 insertions(+), 34 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9eb7ef5e..d2e2267d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,7 @@ ### Improvements * Support bound service account namespace selector [GH-218](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/218) +* Indicate that token reviewer JWT is set on config read [GH-221](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/221) ## 0.17.1 (Sept 7, 2023) diff --git a/path_config.go b/path_config.go index a61474ba..c2d4d9f9 100644 --- a/path_config.go +++ b/path_config.go @@ -128,6 +128,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque "issuer": config.Issuer, "disable_iss_validation": config.DisableISSValidation, "disable_local_ca_jwt": config.DisableLocalCAJwt, + "token_reviewer_jwt_set": config.TokenReviewerJWT != "", }, } diff --git a/path_config_test.go b/path_config_test.go index ac6145f8..d29bc82e 100644 --- a/path_config_test.go +++ b/path_config_test.go 
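Review bot: The new `token_reviewer_jwt_set` key in pathConfigRead's response is derived from `config.TokenReviewerJWT != ""`, so it reports only whether an explicit JWT was stored, and nothing on the added line says so; sitting next to `disable_local_ca_jwt`, it could be read as also covering a locally sourced token, which this hunk does not show. A comment on the added line, `// true only when an explicit token_reviewer_jwt was configured; does not reflect any local-token fallback`, would remove that ambiguity. Exposing a boolean instead of the JWT value itself is the right shape for a read endpoint and should stay that way. If the path declares response fields or help text elsewhere in the file, `token_reviewer_jwt_set` should be added there so the API documentation matches the response. pathConfigRead begins before this hunk.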
@@ -44,46 +44,88 @@ func setupLocalFiles(t *testing.T, b logical.Backend) func() { } func TestConfig_Read(t *testing.T) { - b, storage := getBackend(t) - - cleanup := setupLocalFiles(t, b) - defer cleanup() - - data := map[string]interface{}{ - "pem_keys": []string{testRSACert, testECCert}, - "kubernetes_host": "host", - "kubernetes_ca_cert": testCACert, - "issuer": "", - "disable_iss_validation": false, - "disable_local_ca_jwt": false, + tests := []struct { + name string + data map[string]interface{} + want map[string]interface{} + }{ + { + name: "token-review-jwt-is-unset", + data: map[string]interface{}{ + "pem_keys": []string{testRSACert, testECCert}, + "kubernetes_host": "host", + "kubernetes_ca_cert": testCACert, + "issuer": "", + "disable_iss_validation": false, + "disable_local_ca_jwt": false, + }, + want: map[string]interface{}{ + "pem_keys": []string{testRSACert, testECCert}, + "kubernetes_host": "host", + "kubernetes_ca_cert": testCACert, + "issuer": "", + "disable_iss_validation": false, + "disable_local_ca_jwt": false, + "token_reviewer_jwt_set": false, + }, + }, + { + name: "token-review-jwt-is-set", + data: map[string]interface{}{ + "pem_keys": []string{testRSACert, testECCert}, + "kubernetes_host": "host", + "kubernetes_ca_cert": testCACert, + "issuer": "", + "disable_iss_validation": false, + "disable_local_ca_jwt": false, + "token_reviewer_jwt": "test-token-review-jwt", + }, + want: map[string]interface{}{ + "pem_keys": []string{testRSACert, testECCert}, + "kubernetes_host": "host", + "kubernetes_ca_cert": testCACert, + "issuer": "", + "disable_iss_validation": false, + "disable_local_ca_jwt": false, + "token_reviewer_jwt_set": true, + }, + }, } - req := &logical.Request{ - Operation: logical.UpdateOperation, - Path: configPath, - Storage: storage, - Data: data, - } + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + b, storage := getBackend(t) + cleanup := setupLocalFiles(t, b) + t.Cleanup(cleanup) - resp, err := 
b.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%s resp:%#v\n", err, resp) - } + req := &logical.Request{ + Operation: logical.UpdateOperation, + Path: configPath, + Storage: storage, + Data: tc.data, + } - req = &logical.Request{ - Operation: logical.ReadOperation, - Path: configPath, - Storage: storage, - Data: nil, - } + resp, err := b.HandleRequest(context.Background(), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("got unexpected error %s for resp %#v", err, resp) + } - resp, err = b.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%s resp:%#v\n", err, resp) - } + req = &logical.Request{ + Operation: logical.ReadOperation, + Path: configPath, + Storage: storage, + Data: nil, + } + + resp, err = b.HandleRequest(context.Background(), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("got unexpected error %s for resp %#v", err, resp) + } - if !reflect.DeepEqual(resp.Data, data) { - t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", data, resp.Data) + if !reflect.DeepEqual(resp.Data, tc.want) { + t.Fatalf("expected %#v, got %#v", tc.want, resp.Data) + } + }) } }
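Review bot: The "token-review-jwt-is-set" case establishes that the raw `token_reviewer_jwt` is not echoed back on read only indirectly, through `reflect.DeepEqual` against a `want` map that happens to lack the key; since that is the security-relevant property of the read handler, it deserves a direct check before the DeepEqual, e.g. `if _, ok := resp.Data["token_reviewer_jwt"]; ok { t.Fatalf("token_reviewer_jwt must not be returned on read: %#v", resp.Data) }`. The two `data` maps in the table differ only in the `token_reviewer_jwt` entry, so deriving each case from one shared base map (clone, then add the key) would keep a future config field from being added to one case and forgotten in the other. The per-case `t.Cleanup(cleanup)` inside `t.Run` is a good replacement for the old function-level `defer`, since each subtest now gets its own backend and storage.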