diff --git a/changelog/22996.txt b/changelog/22996.txt new file mode 100644 index 0000000000..7b67605864 --- /dev/null +++ b/changelog/22996.txt @@ -0,0 +1,3 @@ +```release-note:improvement +auto-auth/azure: Support setting the `authenticate_from_environment` variable to "true" and "false" string literals, too. +``` diff --git a/command/agentproxyshared/auth/azure/azure.go b/command/agentproxyshared/auth/azure/azure.go index c32e34385b..8db5ff5093 100644 --- a/command/agentproxyshared/auth/azure/azure.go +++ b/command/agentproxyshared/auth/azure/azure.go @@ -10,6 +10,8 @@ import ( "io" "net/http" + "github.com/hashicorp/go-secure-stdlib/parseutil" + policy "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" az "github.com/Azure/azure-sdk-for-go/sdk/azidentity" cleanhttp "github.com/hashicorp/go-cleanhttp" @@ -101,10 +103,11 @@ func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) { authenticateFromEnvironmentRaw, ok := conf.Config["authenticate_from_environment"] if ok { - a.authenticateFromEnvironment, ok = authenticateFromEnvironmentRaw.(bool) - if !ok { - return nil, errors.New("could not convert 'authenticate_from_environment' config value to bool") + authenticateFromEnvironment, err := parseutil.ParseBool(authenticateFromEnvironmentRaw) + if err != nil { + return nil, fmt.Errorf("could not convert 'authenticate_from_environment' config value to bool: %w", err) } + a.authenticateFromEnvironment = authenticateFromEnvironment } switch { diff --git a/command/agentproxyshared/auth/azure/azure_test.go b/command/agentproxyshared/auth/azure/azure_test.go new file mode 100644 index 0000000000..0c9b9985d0 --- /dev/null +++ b/command/agentproxyshared/auth/azure/azure_test.go @@ -0,0 +1,96 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package azure + +import ( + "testing" + + "github.com/hashicorp/go-hclog" + "github.com/hashicorp/vault/command/agentproxyshared/auth" +) + +// TestAzureAuthMethod tests that NewAzureAuthMethod succeeds +// with valid config. +func TestAzureAuthMethod(t *testing.T) { + t.Parallel() + config := &auth.AuthConfig{ + Logger: hclog.NewNullLogger(), + MountPath: "auth-test", + Config: map[string]interface{}{ + "resource": "test", + "client_id": "test", + "role": "test", + "scope": "test", + "authenticate_from_environment": true, + }, + } + + _, err := NewAzureAuthMethod(config) + if err != nil { + t.Fatal(err) + } +} + +// TestAzureAuthMethod_StringAuthFromEnvironment tests that NewAzureAuthMethod succeeds +// with valid config, where authenticate_from_environment is a string literal. +func TestAzureAuthMethod_StringAuthFromEnvironment(t *testing.T) { + t.Parallel() + config := &auth.AuthConfig{ + Logger: hclog.NewNullLogger(), + MountPath: "auth-test", + Config: map[string]interface{}{ + "resource": "test", + "client_id": "test", + "role": "test", + "scope": "test", + "authenticate_from_environment": "true", + }, + } + + _, err := NewAzureAuthMethod(config) + if err != nil { + t.Fatal(err) + } +} + +// TestAzureAuthMethod_BadConfig tests that NewAzureAuthMethod fails with +// an invalid config. +func TestAzureAuthMethod_BadConfig(t *testing.T) { + t.Parallel() + config := &auth.AuthConfig{ + Logger: hclog.NewNullLogger(), + MountPath: "auth-test", + Config: map[string]interface{}{ + "bad_value": "abc", + }, + } + + _, err := NewAzureAuthMethod(config) + if err == nil { + t.Fatal("Expected error, got none.") + } +} + +// TestAzureAuthMethod_BadAuthFromEnvironment tests that NewAzureAuthMethod fails +// with otherwise valid config, but where authenticate_from_environment is +// an invalid string literal. +func TestAzureAuthMethod_BadAuthFromEnvironment(t *testing.T) { + t.Parallel() + config := &auth.AuthConfig{ + Logger: hclog.NewNullLogger(), + MountPath: "auth-test", + Config: map[string]interface{}{ + "resource": "test", + "client_id": "test", + "role": "test", + "scope": "test", + "authenticate_from_environment": "bad_value", + }, + } + + _, err := NewAzureAuthMethod(config) + if err == nil { + t.Fatal("Expected error, got none.") + } +}