From 733c6e8b6d5bc9880e9f2c71d976e525175d2ae1 Mon Sep 17 00:00:00 2001
From: JM Faircloth
Date: Fri, 26 Apr 2024 09:37:57 -0500
Subject: [PATCH] check if WIF is enabled on this edition of Vault

---
 path_config.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/path_config.go b/path_config.go
index 853d79ce..3879f748 100644
--- a/path_config.go
+++ b/path_config.go
@@ -5,10 +5,12 @@ package azureauth
 
 import (
 "context"
+ "errors"
 "time"
 
 "github.com/hashicorp/vault/sdk/framework"
 "github.com/hashicorp/vault/sdk/helper/pluginidentityutil"
+ "github.com/hashicorp/vault/sdk/helper/pluginutil"
 "github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -221,6 +223,19 @@ func (b *azureAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Req
 return logical.ErrorResponse("only one of 'client_secret' or 'identity_token_audience' can be set"), nil
 }
 
+ // generate token to check if WIF is enabled on this edition of Vault
+ if config.IdentityTokenAudience != "" {
+ _, err := b.System().GenerateIdentityToken(ctx, &pluginutil.IdentityTokenRequest{
+ Audience: config.IdentityTokenAudience,
+ })
+ if err != nil {
+ if errors.Is(err, pluginidentityutil.ErrPluginWorkloadIdentityUnsupported) {
+ return logical.ErrorResponse(err.Error()), nil
+ }
+ return nil, err
+ }
+ }
+
 // Create a settings object to validate all required settings
 // are available
 if _, err := b.getAzureSettings(ctx, config); err != nil {
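Review bot: The probe in the new `if config.IdentityTokenAudience != ""` block mints a real identity token with only the audience set, so whatever token TTL the config carries is never exercised and a TTL that Vault would refuse surfaces only at login time rather than at config write; if the config embeds the SDK's plugin identity params as the `IdentityTokenAudience` field suggests, add `TTL: config.IdentityTokenTTL,` to the request (field name inferred, confirm against the struct). The error split is the right one from a disclosure standpoint — only the SDK's fixed unsupported-sentinel text is echoed to the caller while any other failure goes back as an internal error — but nothing says so; a comment such as `// Only the known sentinel is safe to echo to the client; other errors stay internal` on the `errors.Is` branch would keep a later edit from widening it to `err.Error()` for everything. The leading comment should also say that the minted token is discarded and that this is a one-time capability check at write time, not a guarantee that WIF stays available at login. pathConfigWrite begins and ends outside this hunk.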