feature: OIDC provider client API (#12272)

* initial commit * add read and delete operations * fix bug in delete and add list unit test * func doc typo fix * add existence check for assignment * remove locking on the assignment resource It is not needed at this time. * convert Callbacks to Operations - convert Callbacks to Operations - add test case for update operations * add CRUD operations and test cases * add client api and tests * remove use of oidcCache * remove use of oidcCache * add template validation and update tests * remove usage of oidcCache * refactor struct and var names * harmonize test name conventions * refactor struct and var names * add changelog and refactor - add changelog - be more explicit in the case where we do not recieve a path field * refactor be more explicit in the case where a field is not provided * remove extra period from changelog * update scope path to be OIDC provider specific * refactor naming conventions * update assignment path * update scope path * enforce key existence on client creation * removed unused name field * removed unused name field * removed unused name field * prevent assignment deletion when ref'ed by a client * enfoce assignment existence on client create/update * update scope template description * error when attempting to created scope with openid reserved name * fix UT failures after requiring assignment existence * disallow key deletion when ref'ed by existing client * generate client_id and client_secret on CreateOp * do not allow key modification on client update * return client_id and client_secret on read ops * small refactor * fix bug in delete assignment op * remove client secret get call
hashicorp · Aug 23, 2021 · fbcc2ab · fbcc2ab
1 parent 1d0008d
commit fbcc2ab
Show file tree

Hide file tree

Showing 4 changed files with 867 additions and 4 deletions.
diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
@@ -576,7 +576,9 @@ func (i *IdentityStore) pathOIDCReadKey(ctx context.Context, req *logical.Reques
 	}, nil
 }
 
-// rolesReferencingTargetKeyName returns a map of role names to roles referenced by targetKeyName.
+// rolesReferencingTargetKeyName returns a map of role names to roles
+// referencing targetKeyName.
+//
 // Note: this is not threadsafe. It is to be called with Lock already held.
 func (i *IdentityStore) rolesReferencingTargetKeyName(ctx context.Context, req *logical.Request, targetKeyName string) (map[string]role, error) {
 	roleNames, err := req.Storage.List(ctx, roleConfigPath)
@@ -605,7 +607,8 @@ func (i *IdentityStore) rolesReferencingTargetKeyName(ctx context.Context, req *
 }
 
 // roleNamesReferencingTargetKeyName returns a slice of strings of role
-// names referenced by targetKeyName.
+// names referencing targetKeyName.
+//
 // Note: this is not threadsafe. It is to be called with Lock already held.
 func (i *IdentityStore) roleNamesReferencingTargetKeyName(ctx context.Context, req *logical.Request, targetKeyName string) ([]string, error) {
 	roles, err := i.rolesReferencingTargetKeyName(ctx, req, targetKeyName)
@@ -644,6 +647,18 @@ func (i *IdentityStore) pathOIDCDeleteKey(ctx context.Context, req *logical.Requ
 		return logical.ErrorResponse(errorMessage), logical.ErrInvalidRequest
 	}
 
+	clientNames, err := i.clientNamesReferencingTargetKeyName(ctx, req, targetKeyName)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(clientNames) > 0 {
+		errorMessage := fmt.Sprintf("unable to delete key %q because it is currently referenced by these clients: %s",
+			targetKeyName, strings.Join(clientNames, ", "))
+		i.oidcLock.Unlock()
+		return logical.ErrorResponse(errorMessage), logical.ErrInvalidRequest
+	}
+
 	// key can safely be deleted now
 	err = req.Storage.Delete(ctx, namedKeyConfigPath+targetKeyName)
 	if err != nil {