Fix: Only render JWT input field for mounts configured for JWT auth (#…

…8952)

ui/app/components/auth-jwt.js

@@ -11,15 +11,16 @@ const ERROR_WINDOW_CLOSED =
   'The provider window was closed before authentication was complete.  Please click Sign In to try again.';
 const ERROR_MISSING_PARAMS =
   'The callback from the provider did not supply all of the required parameters.  Please click Sign In to try again. If the problem persists, you may want to contact your administrator.';
-
-export { ERROR_WINDOW_CLOSED, ERROR_MISSING_PARAMS };
+const ERROR_JWT_LOGIN = 'OIDC login is not configured for this mount';
+export { ERROR_WINDOW_CLOSED, ERROR_MISSING_PARAMS, ERROR_JWT_LOGIN };
 
 export default Component.extend({
   store: service(),
   selectedAuthPath: null,
   selectedAuthType: null,
   roleName: null,
   role: null,
+  errorMessage: null,
   onRoleName() {},
   onLoading() {},
   onError() {},
@@ -36,13 +37,14 @@ export default Component.extend({
     } else if (shouldDebounce) {
       this.fetchRole.perform(this.roleName);
     }
+    this.set('errorMessage', null);
     this.set('oldSelectedAuthPath', selectedAuthPath);
   },
 
-  // OIDC roles in the JWT/OIDC backend are those with an authUrl,
-  // those that are JWT type will 400 when trying to fetch the role
-  isOIDC: computed('role', 'role.authUrl', function() {
-    return this.role && this.role.authUrl;
+  // Assumes authentication using OIDC until it's known that the mount is
+  // configured for JWT authentication via static keys, JWKS, or OIDC discovery.
+  isOIDC: computed('errorMessage', function() {
+    return this.errorMessage !== ERROR_JWT_LOGIN;
   }),
 
   getWindow() {
@@ -64,6 +66,9 @@ export default Component.extend({
       if (!e.httpStatus || e.httpStatus !== 400) {
         throw e;
       }
+      if (e.errors && e.errors.length > 0) {
+        this.set('errorMessage', e.errors[0]);
+      }
     }
     this.set('role', role);
   })
@@ -152,7 +157,7 @@ export default Component.extend({
       if (e && e.preventDefault) {
         e.preventDefault();
       }
-      if (!this.isOIDC) {
+      if (!this.isOIDC || !this.role || !this.role.authUrl) {
         return;
       }
 

ui/tests/acceptance/auth-test.js

@@ -65,7 +65,6 @@ module('Acceptance | auth', function(hooks) {
         await component.token('token');
       }
       if (backend.type === 'jwt' || backend.type === 'oidc') {
-        await jwtComponent.jwt('1');
         await jwtComponent.role('test');
       }
       await component.login();
@@ -81,7 +80,6 @@ module('Acceptance | auth', function(hooks) {
       } else if (backend.type === 'jwt' || backend.type === 'oidc') {
         let authReq = this.server.passthroughRequests[this.server.passthroughRequests.length - 2];
         body = JSON.parse(authReq.requestBody);
-        assert.ok(Object.keys(body).includes('jwt'), `${backend.type} includes jwt`);
         assert.ok(Object.keys(body).includes('role'), `${backend.type} includes role`);
       } else {
         assert.ok(Object.keys(body).includes('password'), `${backend.type} includes password`);

ui/tests/integration/components/auth-jwt-test.js

@@ -11,7 +11,7 @@ import Pretender from 'pretender';
 import { resolve } from 'rsvp';
 import { create } from 'ember-cli-page-object';
 import form from '../../pages/components/auth-jwt';
-import { ERROR_WINDOW_CLOSED, ERROR_MISSING_PARAMS } from 'vault/components/auth-jwt';
+import { ERROR_WINDOW_CLOSED, ERROR_MISSING_PARAMS, ERROR_JWT_LOGIN } from 'vault/components/auth-jwt';
 
 const component = create(form);
 const windows = [];
@@ -120,7 +120,7 @@ module('Integration | Component | auth jwt', function(hooks) {
             }),
           ];
         }
-        return [400, { 'Content-Type': 'application/json' }, JSON.stringify({ errors: ['nope'] })];
+        return [400, { 'Content-Type': 'application/json' }, JSON.stringify({ errors: [ERROR_JWT_LOGIN] })];
       });
     });
   });