hashicorp · thyton · Dec 26, 2023 · Dec 18, 2023 · Dec 18, 2023 · Dec 19, 2023
@@ -21,6 +21,7 @@
 ### Improvements
 
 * Support bound service account namespace selector [GH-218](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/218)
+* Indicate that token reviewer jwt is set on config read [GH-221](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/221)
 
 ## 0.17.1 (Sept 7, 2023)
 

@@ -119,6 +119,11 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 	} else if config == nil {
 		return nil, nil
 	} else {
+		var tokenReviewerJWTSet bool
+		if config.TokenReviewerJWT != "" {
+			tokenReviewerJWTSet = true
+		}
+
 		// Create a map of data to be returned
 		resp := &logical.Response{
 			Data: map[string]interface{}{
@@ -128,6 +133,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 				"issuer":                 config.Issuer,
 				"disable_iss_validation": config.DisableISSValidation,
 				"disable_local_ca_jwt":   config.DisableLocalCAJwt,
+				"token_reviewer_jwt_set": tokenReviewerJWTSet,
 			},
 		}
 

@@ -44,46 +44,92 @@ func setupLocalFiles(t *testing.T, b logical.Backend) func() {
 }
 
 func TestConfig_Read(t *testing.T) {
-	b, storage := getBackend(t)
-
-	cleanup := setupLocalFiles(t, b)
-	defer cleanup()
-
-	data := map[string]interface{}{
-		"pem_keys":               []string{testRSACert, testECCert},
-		"kubernetes_host":        "host",
-		"kubernetes_ca_cert":     testCACert,
-		"issuer":                 "",
-		"disable_iss_validation": false,
-		"disable_local_ca_jwt":   false,
-	}
-
-	req := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Path:      configPath,
-		Storage:   storage,
-		Data:      data,
-	}
-
-	resp, err := b.HandleRequest(context.Background(), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%s resp:%#v\n", err, resp)
+	type args struct {
+		data map[string]interface{}
 	}
-
-	req = &logical.Request{
-		Operation: logical.ReadOperation,
-		Path:      configPath,
-		Storage:   storage,
-		Data:      nil,
-	}
-
-	resp, err = b.HandleRequest(context.Background(), req)
-	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("err:%s resp:%#v\n", err, resp)
+	tests := []struct {
+		name string
+		args args
+		want map[string]interface{}
+	}{
+		{
+			name: "token-review-jwt-is-unset",
+			args: args{
+				data: map[string]interface{}{
+					"pem_keys":               []string{testRSACert, testECCert},
+					"kubernetes_host":        "host",
+					"kubernetes_ca_cert":     testCACert,
+					"issuer":                 "",
+					"disable_iss_validation": false,
+					"disable_local_ca_jwt":   false,
+				},
+			},
+			want: map[string]interface{}{
+				"pem_keys":               []string{testRSACert, testECCert},
+				"kubernetes_host":        "host",
+				"kubernetes_ca_cert":     testCACert,
+				"issuer":                 "",
+				"disable_iss_validation": false,
+				"disable_local_ca_jwt":   false,
+				"token_reviewer_jwt_set": false,
+			},
+		},
+		{
+			name: "token-review-jwt-is-set",
+			args: args{
+				data: map[string]interface{}{
+					"pem_keys":               []string{testRSACert, testECCert},
+					"kubernetes_host":        "host",
+					"kubernetes_ca_cert":     testCACert,
+					"issuer":                 "",
+					"disable_iss_validation": false,
+					"disable_local_ca_jwt":   false,
+					"token_reviewer_jwt":     "test-token-review-jwt",
+				},
+			},
+			want: map[string]interface{}{
+				"pem_keys":               []string{testRSACert, testECCert},
+				"kubernetes_host":        "host",
+				"kubernetes_ca_cert":     testCACert,
+				"issuer":                 "",
+				"disable_iss_validation": false,
+				"disable_local_ca_jwt":   false,
+				"token_reviewer_jwt_set": true,
+			},
+		},
 	}
 
-	if !reflect.DeepEqual(resp.Data, data) {
-		t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", data, resp.Data)
+	for _, tc := range tests {
+		b, storage := getBackend(t)
+		cleanup := setupLocalFiles(t, b)
+		defer cleanup()
+		req := &logical.Request{
+			Operation: logical.UpdateOperation,
+			Path:      configPath,
+			Storage:   storage,
+			Data:      tc.args.data,
+		}
+
+		resp, err := b.HandleRequest(context.Background(), req)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%s resp:%#v\n", err, resp)
+		}
+
+		req = &logical.Request{
+			Operation: logical.ReadOperation,
+			Path:      configPath,
+			Storage:   storage,
+			Data:      nil,
+		}
+
+		resp, err = b.HandleRequest(context.Background(), req)
+		if err != nil || (resp != nil && resp.IsError()) {
+			t.Fatalf("err:%s resp:%#v\n", err, resp)
+		}
+
+		if !reflect.DeepEqual(resp.Data, tc.want) {
+			t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", tc.want, resp.Data)
+		}
 	}
 }