Include roleName in Entity Alias metadata (#160)

hashicorp · Jan 2, 2024 · 3bb8ab9 · 3bb8ab9
1 parent c0d5229
commit 3bb8ab9
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 6 deletions.
diff --git a/path_login.go b/path_login.go
@@ -162,7 +162,7 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 		return logical.ErrorResponse("audience claim found in JWT but no audiences bound to the role"), nil
 	}
 
-	alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, nil)
+	alias, groupAliases, err := b.createIdentity(ctx, allClaims, roleName, role, nil)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
@@ -171,7 +171,7 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 		return logical.ErrorResponse("error validating claims: %s", err.Error()), nil
 	}
 
-	tokenMetadata := map[string]string{"role": roleName}
+	tokenMetadata := make(map[string]string)
 	for k, v := range alias.Metadata {
 		tokenMetadata[k] = v
 	}
@@ -217,7 +217,7 @@ func (b *jwtAuthBackend) pathLoginRenew(ctx context.Context, req *logical.Reques
 
 // createIdentity creates an alias and set of groups aliases based on the role
 // definition and received claims.
-func (b *jwtAuthBackend) createIdentity(ctx context.Context, allClaims map[string]interface{}, role *jwtRole, tokenSource oauth2.TokenSource) (*logical.Alias, []*logical.Alias, error) {
+func (b *jwtAuthBackend) createIdentity(ctx context.Context, allClaims map[string]interface{}, roleName string, role *jwtRole, tokenSource oauth2.TokenSource) (*logical.Alias, []*logical.Alias, error) {
 	var userClaimRaw interface{}
 	if role.UserClaimJSONPointer {
 		userClaimRaw = getClaim(b.Logger(), allClaims, role.UserClaim)
@@ -246,6 +246,8 @@ func (b *jwtAuthBackend) createIdentity(ctx context.Context, allClaims map[strin
 	if err != nil {
 		return nil, nil, err
 	}
+	// add role name to the Entity Alias metadata
+	metadata["role"] = roleName
 
 	alias := &logical.Alias{
 		Name:     userName,

diff --git a/path_login_test.go b/path_login_test.go
@@ -409,14 +409,14 @@ func testLogin_JWT(t *testing.T, jwks bool) {
 			metadata := map[string]string{
 				"name":        "jeff2",
 				"primary_org": "engineering",
+				"role":        "plugin-test",
 			}
 
 			if diff := deep.Equal(auth.Alias.Metadata, metadata); diff != nil {
 				t.Fatal(diff)
 			}
 
 			// check token metadata
-			metadata["role"] = "plugin-test"
 			if diff := deep.Equal(auth.Metadata, metadata); diff != nil {
 				t.Fatal(diff)
 			}

diff --git a/path_oidc.go b/path_oidc.go
@@ -318,7 +318,7 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 		}
 	}
 
-	alias, groupAliases, err := b.createIdentity(ctx, allClaims, role, tokenSource)
+	alias, groupAliases, err := b.createIdentity(ctx, allClaims, roleName, role, tokenSource)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
@@ -327,7 +327,7 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 		return logical.ErrorResponse("error validating claims: %s", err.Error()), nil
 	}
 
-	tokenMetadata := map[string]string{"role": roleName}
+	tokenMetadata := make(map[string]string)
 	for k, v := range alias.Metadata {
 		tokenMetadata[k] = v
 	}

diff --git a/path_oidc_test.go b/path_oidc_test.go
@@ -790,6 +790,7 @@ func TestOIDC_Callback(t *testing.T) {
 				Alias: &logical.Alias{
 					Name: "[email protected]",
 					Metadata: map[string]string{
+						"role":  "test",
 						"color": "green",
 						"size":  "medium",
 					},