cleanups
suprjinx committed Nov 14, 2024
1 parent fda2d3b commit d7f2614
Showing 3 changed files with 7 additions and 23 deletions.
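--- a/app/lib/clients/vault/oidc.rb
+++ b/app/lib/clients/vault/oidc.rb
@@ -19,24 +19,6 @@ def get_oidc_client_config
 client.logical.read("auth/oidc/config")
 end
 
-def create_oidc_role(role_name, read_groups, policy_name)
-client.logical.write("auth/oidc/role/#{role_name}",
-user_claim: "sub",
-groups_claim: "groups",
-bound_claims: { "groups" => read_groups },
-policies: policy_name,
-oidc_scopes: "email groups",
-allowed_redirect_uris: Config[:oidc_redirect_uris])
-end
-
-def remove_oidc_role(role_name)
-client.logical.delete("auth/oidc/role/#{role_name}")
-end
-
-def read_oidc_role(role_name)
-client.logical.read("auth/oidc/role/#{role_name}")
-end
-
 private
 
 def create_client_config(issuer, client_id, client_secret)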
4 changes: 2 additions & 2 deletions app/lib/utils/oidc_provider.rb
Expand Up @@ -81,9 +81,9 @@ def create_userpass_for_initial_user
end

def map_userpass_to_entity
group = vault_client.logical.read(
entity = vault_client.logical.read(
"identity/entity/name/#{Config[:initial_user_name]}")
entity_id = group.data[:id]
entity_id = entity.data[:id]
auth_list = vault_client.logical.read("/sys/auth")
accessor = auth_list.data[:"userpass/"][:accessor]
vault_client.logical.write("identity/entity-alias",
8 changes: 5 additions & 3 deletions test/lib/clients/vault/policy_test.rb
Expand Up @@ -21,15 +21,17 @@ class PolicyTest < ActiveSupport::TestCase
assert_nil @client.verify_policy(@identity, policy_name)
end

test "#verify_policy looks for a role corresponding to consumer policy when supplied" do
test "#verify_policy looks checks groups for consumer_policy when supplied" do
producer_policy = "some/policy/name"
consumer_policy = "some/policy/other"
@identity.groups = [ "my-group" ]
@client.expects(:get_entity_data).with(@identity.sub).returns([ [], nil ])
err = assert_raises { @client.verify_policy(@identity, producer_policy, [ "no-group-match" ], consumer_policy) }
@client.expects(:get_group_data).with("my-group").returns([ [], {} ])
err = assert_raises { @client.verify_policy(@identity, producer_policy, [ "my-group" ], consumer_policy) }
assert_kind_of AuthError, err
end

test "#verify_policy permits identity having group linked to consumer policy role" do
test "#verify_policy permits identity having group which has the consumer policy role" do
producer_policy = "some/policy/name"
consumer_policy = "some/policy/other"
@identity.groups = [ "my-group" ]
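Review bot: The replacement test description has two verbs run together, `test "#verify_policy looks checks groups for consumer_policy when supplied" do`; since this string is what a failure report prints, it should read `test "#verify_policy checks groups for consumer_policy when supplied" do`. The new expectations stub `get_entity_data` with `[ [], nil ]` and `get_group_data` with `[ [], {} ]` before asserting an AuthError for `[ "my-group" ]`, which presumably pins the deny path where neither the entity nor its group carries a role for the consumer policy; a one-line comment above the `assert_raises` stating that intent would keep the test readable when the stub return shapes change. `assert_raises` with no argument accepts any StandardError and only the following `assert_kind_of` narrows it, so `err = assert_raises(AuthError) { @client.verify_policy(@identity, producer_policy, [ "my-group" ], consumer_policy) }` would report a clearer mismatch if a different exception surfaces. The enclosing PolicyTest class continues outside the hunk.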
