When configuring JWT roles, consider bound claims when considering if…

… there is at least one bound constraint
shwuandwing · May 9, 2019 · af3aee5 · af3aee5
1 parent f7b66ba
commit af3aee5
Showing 1 changed file with 96 additions and 0 deletions.
diff --git a/path_role_test.go b/path_role_test.go
@@ -140,6 +140,102 @@ func TestPath_Create(t *testing.T) {
 	if !strings.HasPrefix(resp.Error().Error(), "must have at least one bound constraint") {
 		t.Fatalf("unexpected err: %v", resp)
 	}
+
+	// Test has bound subject
+	data = map[string]interface{}{
+		"role_type":     "jwt",
+		"user_claim":    "user",
+		"policies":      "test",
+		"bound_subject": "testsub",
+	}
+
+	req = &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "role/test2",
+		Storage:   storage,
+		Data:      data,
+	}
+
+	resp, err = b.HandleRequest(context.Background(), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("did not expect error")
+	}
+
+	// Test has audience
+	data = map[string]interface{}{
+		"role_type":       "jwt",
+		"user_claim":      "user",
+		"policies":        "test",
+		"bound_audiences": "vault",
+	}
+
+	req = &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "role/test2",
+		Storage:   storage,
+		Data:      data,
+	}
+
+	resp, err = b.HandleRequest(context.Background(), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("did not expect error")
+	}
+
+	// Test has cidr
+	data = map[string]interface{}{
+		"role_type":   "jwt",
+		"user_claim":  "user",
+		"policies":    "test",
+		"bound_cidrs": "127.0.0.1/8",
+	}
+
+	req = &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "role/test2",
+		Storage:   storage,
+		Data:      data,
+	}
+
+	resp, err = b.HandleRequest(context.Background(), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("did not expect error")
+	}
+
+	// Test has bound claims
+	data = map[string]interface{}{
+		"role_type":  "jwt",
+		"user_claim": "user",
+		"policies":   "test",
+		"bound_claims": map[string]interface{}{
+			"foo": 10,
+			"bar": "baz",
+		},
+	}
+
+	req = &logical.Request{
+		Operation: logical.CreateOperation,
+		Path:      "role/test2",
+		Storage:   storage,
+		Data:      data,
+	}
+
+	resp, err = b.HandleRequest(context.Background(), req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp != nil && resp.IsError() {
+		t.Fatalf("did not expect error")
+	}
+
 }
 
 func TestPath_OIDCCreate(t *testing.T) {