vault: send oidc role payload as json

Brad Stein 2026-01-14 03:45:03 -03:00
parent bb2a3ba904
commit 8d526e383f


@ -75,6 +75,28 @@ build_bound_claims() {
printf '%s' "${json}" printf '%s' "${json}"
} }
build_json_array() {
items="$1"
json="["
first=1
old_ifs=$IFS
IFS=,
for item in $items; do
item="$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
if [ -z "${item}" ]; then
continue
fi
if [ "${first}" -eq 0 ]; then
json="${json},"
fi
json="${json}\"${item}\""
first=0
done
IFS=$old_ifs
json="${json}]"
printf '%s' "${json}"
}
configure_role() { configure_role() {
role_name="$1" role_name="$1"
role_groups="$2" role_groups="$2"
@ -84,25 +106,24 @@ configure_role() {
return return
fi fi
claims="$(build_bound_claims "${groups_claim}" "${role_groups}")" claims="$(build_bound_claims "${groups_claim}" "${role_groups}")"
claims_file="$(mktemp)"
printf '%s' "${claims}" > "${claims_file}"
scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')" scopes_csv="$(printf '%s' "${scopes}" | tr ' ' ',' | tr -s ',' | sed 's/^,//;s/,$//')"
role_args="user_claim=${user_claim} oidc_scopes=${scopes_csv} token_policies=${role_policies} bound_audiences=${bound_audiences} bound_claims=@${claims_file} bound_claims_type=${bound_claims_type}" redirect_json="$(build_json_array "${redirect_uris}")"
if [ -n "${groups_claim}" ]; then payload_file="$(mktemp)"
role_args="${role_args} groups_claim=${groups_claim}" cat > "${payload_file}" <<EOF
fi {
old_ifs=$IFS "user_claim": "${user_claim}",
IFS=, "oidc_scopes": "${scopes_csv}",
for uri in $redirect_uris; do "token_policies": "${role_policies}",
trimmed="$(printf '%s' "$uri" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')" "bound_audiences": "${bound_audiences}",
if [ -n "${trimmed}" ]; then "bound_claims": ${claims},
role_args="${role_args} allowed_redirect_uris=${trimmed}" "bound_claims_type": "${bound_claims_type}",
fi "groups_claim": "${groups_claim}",
done "allowed_redirect_uris": ${redirect_json}
IFS=$old_ifs }
EOF
log "configuring oidc role ${role_name}" log "configuring oidc role ${role_name}"
vault write "auth/oidc/role/${role_name}" ${role_args} vault write "auth/oidc/role/${role_name}" @"${payload_file}"
rm -f "${claims_file}" rm -f "${payload_file}"
} }
configure_role "admin" "${admin_group}" "${admin_policies}" configure_role "admin" "${admin_group}" "${admin_policies}"
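Review bot: The payload written at `cat > "${payload_file}" <<EOF` and the elements emitted by `build_json_array` interpolate shell values straight into JSON string literals, so a value containing `"` or `\` (a policy name, audience, scope or redirect URI) yields malformed JSON or lets that value terminate its string and contribute extra fields to the role definition. The old `key=value` form was equally unescaped but Vault took each value as one argument, whereas the whole document is now parsed as JSON, so every interpolated string should go through a small `json_escape` helper (sketch below). Control characters are not covered by that sed, so values containing a newline or tab should be rejected before the payload is built. Separately, `"groups_claim": "${groups_claim}"` is now always sent, where the old code only added `groups_claim=` when non-empty; confirm Vault treats an empty string as unset, or keep the conditional. `rm -f "${payload_file}"` only runs when `vault write` succeeds; if the script runs under `set -e` (not visible in the hunk) a failed write leaves the bound claims in a temp file, so clean up via a trap or `vault write "auth/oidc/role/${role_name}" @"${payload_file}" || { rm -f -- "${payload_file}"; return 1; }`.
```shell
# Minimal JSON string escaper for values interpolated into the payload.
# Handles backslash and double quote only; control characters (newline,
# tab) are not escaped and must be rejected by the caller.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}
# … unchanged: build_json_array header, IFS save/restore, trim and empty check …
    item="$(json_escape "${item}")"
    json="${json}\"${item}\""
# … unchanged: configure_role up to payload_file creation …
  "user_claim": "$(json_escape "${user_claim}")",
  "oidc_scopes": "$(json_escape "${scopes_csv}")",
# … same $(json_escape …) wrapping for token_policies, bound_audiences, bound_claims_type and groups_claim …
```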