vault: send oidc role payload as json

2026-01-14 03:45:03 -03:00 · 2026-01-14 03:45:03 -03:00 · 8d526e383f
commit 8d526e383f
parent bb2a3ba904
1 changed files with 38 additions and 17 deletions
--- a/services/vault/scripts/vault_oidc_configure.sh
+++ b/services/vault/scripts/vault_oidc_configure.sh
@ -75,6 +75,28 @@ build_bound_claims() {
  printf '%s' "${json}"
 }

+build_json_array() {
+  items="$1"
+  json="["
+  first=1
+  old_ifs=$IFS
+  IFS=,
+  for item in $items; do
+    item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
+    if [ -z "${item}" ]; then
+      continue
+    fi
+    if [ "${first}" -eq 0 ]; then
+      json="${json},"
+    fi
+    json="${json}\"${item}\""
+    first=0
+  done
+  IFS=$old_ifs
+  json="${json}]"
+  printf '%s' "${json}"
+}
+
 configure_role() {
  role_name="$1"
  role_groups="$2"
@ -84,25 +106,24 @@ configure_role() {
    return
  fi
  claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
-  claims_file="$(mktemp)"
-  printf '%s' "${claims}" > "${claims_file}"
  scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')"
-  role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=@${claims_file} bound_claims_type=${bound_claims_type}"
-  if [ -n "${groups_claim}" ]; then
-    role_args="${role_args} groups_claim=${groups_claim}"
-  fi
-  old_ifs=$IFS
-  IFS=,
-  for uri in $redirect_uris; do
-    trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
-    if [ -n "${trimmed}" ]; then
-      role_args="${role_args} allowed_redirect_uris=${trimmed}"
-    fi
-  done
-  IFS=$old_ifs
+  redirect_json="$(build_json_array "${redirect_uris}")"
+  payload_file="$(mktemp)"
+  cat > "${payload_file}" <<EOF
+{
+  "user_claim": "${user_claim}",
+  "oidc_scopes": "${scopes_csv}",
+  "token_policies": "${role_policies}",
+  "bound_audiences": "${bound_audiences}",
+  "bound_claims": ${claims},
+  "bound_claims_type": "${bound_claims_type}",
+  "groups_claim": "${groups_claim}",
+  "allowed_redirect_uris": ${redirect_json}
+}
+EOF
  log "configuring oidc role ${role_name}"
-  vault write "auth/oidc/role/${role_name}" ${role_args}
-  rm -f "${claims_file}"
+  vault write "auth/oidc/role/${role_name}" @"${payload_file}"
+  rm -f "${payload_file}"
 }

 configure_role "admin" "${admin_group}" "${admin_policies}"