Added support for jwt_supported_algs #345
This looks very good! Would it be possible to get just one sunny path test displaying how this value should be populated? I see you have it in the PR commentary, which is great, but once it's merged it'll essentially "disappear" in the code itself; yet it's very useful. A test would help the example be evident on an ongoing basis.
@@ -38,6 +38,8 @@ The following arguments are supported: | |||
|
|||
* `jwt_validation_pubkeys` - (Optional) A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with `oidc_discovery_url` | |||
|
|||
* `jwt_supported_algs` - (Optional) A list of supported signing algorithms. Defaults to [RS256] |
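Review bot: the added `jwt_supported_algs` line says "Defaults to [RS256]" without saying where that default comes from; since the provider does not set it, the doc should say the default is applied on the Vault side (the JWT plugin passes an empty list through to go-oidc, which currently defaults to RS256) and may differ between Vault versions, e.g. "If unset, Vault's JWT plugin applies its own default (RS256 as of Vault 1.1.0); other Vault versions may differ."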
Since it's being defaulted by Vault rather than by the Terraform Vault Provider, could we note that more explicitly here? Something like Vault 1.1.0 currently defaults to RS256 but future or past versions of Vault may differ?
@tyrannosaurus-becks it's actually the default of the oidc dependency, the go-oidc package. The vault-plugin-jwt-auth package depends on that and uses its defaults by passing an empty string slice. Not sure if that changes your preference on language, but wanted to be clear here.
Totally! Yes, I'm aware of that. I was thinking it'd be good to note that it ties to Vault because of how most people will be using the version of the plugin that's included in the Vault catalog at the time of a particular release. However, if you think it makes more sense to have the language refer to the plugin instead, that's fine with me.
@tyrannosaurus-becks Sure, I can turn the PR contents into a test.
Was not using make to test, will fix this shortly.
@tyrannosaurus-becks tests fixed up, ready for another look when you have a chance.
@shupp awesome! Thank you!
Added support for jwt_supported_algs
Overview
As of vault 1.0.3, you can configure the list of supported algorithms in a jwt auth backend. This PR adds this support to terraform-provider-vault.
Manual Testing
Config not set:
Config with one option:
Config with two options:
Unit Testing
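An added configuration example (not from this PR) showing the new argument populated explicitly, so the accepted signing algorithms are pinned in the Terraform config rather than left to the plugin-side default discussed above. The resource name `vault_jwt_auth_backend` and the key file path are assumptions not taken from this page.

```hcl
# Added example, not part of the PR. The resource name and the PEM path are assumptions.
resource "vault_jwt_auth_backend" "example" {
  path = "jwt"

  # Verify signatures locally with a pinned public key.
  # Cannot be combined with oidc_discovery_url (see the docs line in this PR).
  jwt_validation_pubkeys = [file("${path.module}/issuer-pub.pem")] # constructed path

  # Pin the accepted signing algorithms. If this list is left empty, the Vault
  # JWT plugin hands an empty slice to go-oidc and inherits its default (RS256 at
  # the time of this PR), which can change between Vault versions. Setting it
  # explicitly keeps the set of accepted algorithms stable and reviewable.
  jwt_supported_algs = ["RS256", "ES256"]
}
```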