Add support for rotate / trim admin OIDC endpoints

Author: mpminardi

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## Enhancements
 * Adds `ManageMembership` permission to team `OrganizationAccess` by @JarrettSpiker [#652](https://github.com/hashicorp/go-tfe/pull/652)
+* Adds `RotateKey` and `TrimKey` Admin endpoints by @mpminardi [#666](https://github.com/hashicorp/go-tfe/pull/666)
 
 # v1.20.0
 

admin_setting.go

@@ -14,6 +14,7 @@ type AdminSettings struct {
 	SMTP           SMTPSettings
 	Twilio         TwilioSettings
 	Customization  CustomizationSettings
+	OIDC           OIDCSettings
 }
 
 func newAdminSettings(client *Client) *AdminSettings {
@@ -24,5 +25,6 @@ func newAdminSettings(client *Client) *AdminSettings {
 		SMTP:           &adminSMTPSettings{client: client},
 		Twilio:         &adminTwilioSettings{client: client},
 		Customization:  &adminCustomizationSettings{client: client},
+		OIDC:           &adminOIDCSettings{client: client},
 	}
 }

admin_setting_oidc.go

@@ -0,0 +1,45 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package tfe
+
+import (
+	"context"
+)
+
+// Compile-time proof of interface implementation.
+var _ OIDCSettings = (*adminOIDCSettings)(nil)
+
+// OidcSettings describes all the OIDC admin settings for the Admin Setting API.
+// https://developer.hashicorp.com/terraform/enterprise/api-docs/admin/settings
+type OIDCSettings interface {
+	// Rotate the key used for signing OIDC tokens for workload identity
+	RotateKey(ctx context.Context) error
+
+	// Trim old version of the key used for signing OIDC tokens for workload identity
+	TrimKey(ctx context.Context) error
+}
+
+type adminOIDCSettings struct {
+	client *Client
+}
+
+// Rotate the key used for signing OIDC tokens for workload identity
+func (a *adminOIDCSettings) RotateKey(ctx context.Context) error {
+	req, err := a.client.NewRequest("POST", "admin/oidc-settings/actions/rotate-key", nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}
+
+// Trim old version of the key used for signing OIDC tokens for workload identity
+func (a *adminOIDCSettings) TrimKey(ctx context.Context) error {
+	req, err := a.client.NewRequest("POST", "admin/oidc-settings/actions/trim-key", nil)
+	if err != nil {
+		return err
+	}
+
+	return req.Do(ctx, nil)
+}

admin_setting_oidc_integration_test.go

@@ -0,0 +1,134 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package tfe
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type Jwks struct {
+	Keys []Key `json:"keys"`
+}
+
+type Key struct {
+	Kid string `json:"kid"`
+}
+
+func TestAdminSettings_Oidc_RotateKey(t *testing.T) {
+	skipUnlessEnterprise(t)
+
+	client := testClient(t)
+	jwksClient := http.Client{
+		Timeout: time.Second * 2,
+	}
+	baseURL := client.baseURL
+	token := client.token
+
+	ctx := context.Background()
+
+	jwks, err := getJwks(jwksClient, baseURL, token)
+	require.NoError(t, err)
+
+	// Don't assume there is only 1 key to start
+	originalNumKeys := len(jwks.Keys)
+
+	err = client.Admin.Settings.OIDC.RotateKey(ctx)
+	require.NoError(t, err)
+
+	jwks, err = getJwks(jwksClient, baseURL, token)
+	require.NoError(t, err)
+
+	newNumKeys := len(jwks.Keys)
+
+	// Rotate should add 1 additional key
+	assert.Equal(t, originalNumKeys+1, newNumKeys)
+}
+
+func TestAdminSettings_Oidc_TrimKey(t *testing.T) {
+	skipUnlessEnterprise(t)
+
+	client := testClient(t)
+	jwksClient := http.Client{
+		Timeout: time.Second * 2,
+	}
+	baseURL := client.baseURL
+	token := client.token
+
+	ctx := context.Background()
+
+	jwks, err := getJwks(jwksClient, baseURL, token)
+	require.NoError(t, err)
+
+	// Don't assume there is only 1 key to start
+	originalNumKeys := len(jwks.Keys)
+
+	originalKids := make([]string, originalNumKeys)
+
+	for i := 0; i < originalNumKeys; i++ {
+		originalKids[i] = jwks.Keys[i].Kid
+	}
+
+	err = client.Admin.Settings.OIDC.RotateKey(ctx)
+	require.NoError(t, err)
+
+	jwks, err = getJwks(jwksClient, baseURL, token)
+	require.NoError(t, err)
+
+	beforeTrimNumKeys := len(jwks.Keys)
+
+	assert.Equal(t, originalNumKeys+1, beforeTrimNumKeys)
+
+	err = client.Admin.Settings.OIDC.TrimKey(ctx)
+	require.NoError(t, err)
+
+	jwks, err = getJwks(jwksClient, baseURL, token)
+	require.NoError(t, err)
+
+	afterTrimNumKeys := len(jwks.Keys)
+
+	assert.Equal(t, 1, afterTrimNumKeys)
+
+	// Make sure we actually trimmed the keys
+	assert.NotContains(t, originalKids, jwks.Keys[0].Kid)
+}
+
+func getJwks(client http.Client, baseURL *url.URL, token string) (*Jwks, error) {
+	jwksEndpoint, err := baseURL.Parse("/.well-known/jwks")
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(http.MethodGet, jwksEndpoint.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Accept", "application/json")
+
+	res, getErr := client.Do(req)
+	if getErr != nil {
+		return nil, getErr
+	}
+
+	if res.Body != nil {
+		defer res.Body.Close()
+	}
+
+	var result Jwks
+	jsonErr := json.NewDecoder(res.Body).Decode(&result)
+	if jsonErr != nil {
+		return nil, jsonErr
+	}
+
+	return &result, nil
+}