

Error handling for identity oidc vault calls (hashicorp#1142)
Checks the err from `identityOidcKeyApiWrite()` and adds tests to
exercise the error handling. Updates allowed client id test to satisfy
rotation_period and verification_ttl restrictions that are now
enforced in Vault 1.8.1.
tvoran authored and davidmontoyago committed Aug 17, 2021
1 parent 7f99bff commit 15ff097
Showing 3 changed files with 38 additions and 4 deletions.
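--- a/vault/resource_identity_oidc_key.go
+++ b/vault/resource_identity_oidc_key.go
@@ -93,7 +93,9 @@ func identityOidcKeyCreate(d *schema.ResourceData, meta interface{}) error {
 data := make(map[string]interface{})
 
 identityOidcKeyUpdateFields(d, data)
-identityOidcKeyApiWrite(name, data, client)
+if err := identityOidcKeyApiWrite(name, data, client); err != nil {
+return err
+}
 
 d.SetId(name)
 
@@ -113,7 +115,9 @@ func identityOidcKeyUpdate(d *schema.ResourceData, meta interface{}) error {
 data := map[string]interface{}{}
 
 identityOidcKeyUpdateFields(d, data)
-identityOidcKeyApiWrite(name, data, client)
+if err := identityOidcKeyApiWrite(name, data, client); err != nil {
+return err
+}
 
 return identityOidcKeyRead(d, meta)
 }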
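Review bot: The new `return err` in both hunks (identityOidcKeyCreate at -93 and identityOidcKeyUpdate at -113) passes the write error up without saying which key or operation failed, so the user sees only the raw API message in the apply output. If identityOidcKeyApiWrite does not already add that context, `return fmt.Errorf("error writing identity OIDC key %q: %w", name, err)` would name the key while keeping the original error unwrappable (assuming fmt is imported in this file). Keeping `d.SetId(name)` after the checked write is the right order, since a failed create then leaves no half-registered resource in state. Both enclosing functions start before their hunk, and identityOidcKeyCreate continues after it.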
13 changes: 11 additions & 2 deletions vault/resource_identity_oidc_key_allowed_client_id_test.go
Expand Up @@ -22,6 +22,9 @@ func TestAccIdentityOidcKeyAllowedClientId(t *testing.T) {
{
Config: testAccIdentityOidcKeyAllowedClientIdConfig(name),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "rotation_period", "86400"),
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "verification_ttl", "86400"),
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "algorithm", "RS256"),
testAccIdentityOidcKeyAllowedClientIdCheckAttrs("vault_identity_oidc_key_allowed_client_id.role_one", 3),
testAccIdentityOidcKeyAllowedClientIdCheckAttrs("vault_identity_oidc_key_allowed_client_id.role_two", 3),
testAccIdentityOidcKeyAllowedClientIdCheckAttrs("vault_identity_oidc_key_allowed_client_id.role_three", 3),
Expand All @@ -30,12 +33,18 @@ func TestAccIdentityOidcKeyAllowedClientId(t *testing.T) {
{
Config: testAccIdentityOidcKeyAllowedClientIdRemove(name),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "rotation_period", "86401"),
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "verification_ttl", "86401"),
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "algorithm", "RS256"),
testAccIdentityOidcKeyAllowedClientIdCheckAttrs("vault_identity_oidc_key_allowed_client_id.role_one", 1),
),
},
{
Config: testAccIdentityOidcKeyAllowedClientIdRecreate(name),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "rotation_period", "86400"),
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "verification_ttl", "86400"),
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "algorithm", "RS256"),
testAccIdentityOidcKeyAllowedClientIdCheckAttrs("vault_identity_oidc_key_allowed_client_id.role", 1),
),
},
Expand Down Expand Up @@ -152,8 +161,8 @@ resource "vault_identity_oidc_key" "key" {
name = "%s"
algorithm = "RS256"
rotation_period = 3600
verification_ttl = 3600
rotation_period = 86401
verification_ttl = 86401
}
resource "vault_identity_oidc_role" "role_one" {
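Review bot: The 86400/86401 values added to the checks (hunks at -22 and -30) and to the config helper (hunk at -152) carry their rationale only in the commit message, so a reader of the test cannot tell why 3600 stopped being acceptable. A short comment beside the config values, e.g. `# values chosen to satisfy the rotation_period/verification_ttl limits Vault 1.8.1 enforces`, would keep that reason with the test. The Remove step uses 86401 while the other steps use 86400; if that difference is intentional (to force an update of the key), the same comment should say so. The enclosing test function and config helper start outside the hunks shown.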
21 changes: 21 additions & 0 deletions vault/resource_identity_oidc_key_test.go
Expand Up @@ -3,6 +3,7 @@ package vault
import (
"encoding/json"
"fmt"
"regexp"
"strconv"
"strings"
"testing"
Expand All @@ -21,6 +22,11 @@ func TestAccIdentityOidcKey(t *testing.T) {
Providers: testProviders,
CheckDestroy: testAccCheckIdentityOidcKeyDestroy,
Steps: []resource.TestStep{
{
// Test a create failure
Config: testAccIdentityOidcKeyConfig_bad(key),
ExpectError: regexp.MustCompile(`unknown signing algorithm "RS123"`),
},
{
Config: testAccIdentityOidcKeyConfig(key),
Check: resource.ComposeTestCheckFunc(
Expand Down Expand Up @@ -75,6 +81,11 @@ func TestAccIdentityOidcKeyUpdate(t *testing.T) {
resource.TestCheckResourceAttr("vault_identity_oidc_key.key", "allowed_client_ids.#", "0"),
),
},
{
// Test an update failure
Config: testAccIdentityOidcKeyConfig_bad(key),
ExpectError: regexp.MustCompile(`unknown signing algorithm "RS123"`),
},
},
})
}
Expand Down Expand Up @@ -204,6 +215,16 @@ resource "vault_identity_oidc_key" "key" {
}`, entityName)
}

func testAccIdentityOidcKeyConfig_bad(entityName string) string {
return fmt.Sprintf(`
resource "vault_identity_oidc_key" "key" {
name = "%s"
algorithm = "RS123"
allowed_client_ids = []
}`, entityName)
}

func testAccIdentityOidcKeyConfigUpdate(entityName string) string {
return fmt.Sprintf(`
resource "vault_identity_oidc_key" "key" {
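Review bot: `testAccIdentityOidcKeyConfig_bad` (hunk at -204) uses an underscore, unlike the neighbouring helpers such as `testAccIdentityOidcKeyConfigUpdate`; Go naming is MixedCaps, so `testAccIdentityOidcKeyConfigBad` would be consistent, with the two call sites in the earlier hunks renamed to match. The `ExpectError` patterns in the -21 and -75 hunks pin the test to Vault's exact wording for an unsupported algorithm, which is acceptable for an acceptance test but deserves a one-line comment such as `// matches the message Vault returns for an unsupported algorithm; update if Vault rewords it` so a future wording change is recognised as the cause of a failure. The enclosing test functions start before those hunks.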

