diff --git a/internal/configuration/provider_test.go b/internal/configuration/provider_test.go
index 975fccdd4..f60d68651 100644
--- a/internal/configuration/provider_test.go
+++ b/internal/configuration/provider_test.go
@@ -105,6 +105,9 @@ func TestShouldValidateConfigurationWithFilters(t *testing.T) {
 testSetEnv(t, "JWT_SECRET", "abc")
 testSetEnv(t, "AUTHENTICATION_BACKEND_LDAP_PASSWORD", "abc")
+ t.Setenv("ABC_CLIENT_SECRET", "$plaintext$example-abc")
+ t.Setenv("XYZ_CLIENT_SECRET", "$plaintext$example-xyz")
+ t.Setenv("ANOTHER_CLIENT_SECRET", "$plaintext$example-123")
 t.Setenv("SERVICES_SERVER", "10.10.10.10")
 t.Setenv("ROOT_DOMAIN", "example.org")
@@ -118,6 +121,11 @@ func TestShouldValidateConfigurationWithFilters(t *testing.T) {
 assert.Equal(t, "api-123456789.example.org", config.DuoAPI.Hostname)
 assert.Equal(t, "10.10.10.10", config.Notifier.SMTP.Host)
 assert.Equal(t, "10.10.10.10", config.Session.Redis.Host)
+
+ require.Len(t, config.IdentityProviders.OIDC.Clients, 3)
+ assert.Equal(t, "$plaintext$example-abc", config.IdentityProviders.OIDC.Clients[0].Secret.String())
+ assert.Equal(t, "$plaintext$example-xyz", config.IdentityProviders.OIDC.Clients[1].Secret.String())
+ assert.Equal(t, "$plaintext$example-123", config.IdentityProviders.OIDC.Clients[2].Secret.String())
 }
 func TestShouldNotIgnoreInvalidEnvs(t *testing.T) {
diff --git a/internal/configuration/test_resources/config.filtered.yml b/internal/configuration/test_resources/config.filtered.yml
index eed860eaf..0a5d84daf 100644
--- a/internal/configuration/test_resources/config.filtered.yml
+++ b/internal/configuration/test_resources/config.filtered.yml
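Review bot: The three fixture values set in the first hunk (`$plaintext$example-abc` and its siblings) themselves contain `$`, so the `assert.Equal` lines in the second hunk appear to pin that expansion is single-pass and that text inside a substituted value is not expanded again, yet nothing in the test says this is deliberate. A comment above the `t.Setenv` calls would keep a later cleanup from simplifying the values, for example `// Values contain '$' on purpose: a substituted secret must not be expanded a second time.`. The test also covers only variables that are set; a companion case where one of the referenced variables is absent would show whether the client ends up with an empty secret or loading fails, which the visible lines do not establish. The body of TestShouldValidateConfigurationWithFilters starts outside both hunks.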
@@ -174,4 +174,21 @@ notifier:
 port: 1025
 sender: 'admin@{{ env "ROOT_DOMAIN" }}'
 disable_require_tls: true
+
+identity_providers:
+ oidc:
+ cors:
+ allowed_origins:
+ - https://google.com
+ - https://example.com
+ clients:
+ - id: abc
+ secret: '${ABC_CLIENT_SECRET}'
+ consent_mode: explicit
+ - id: xyz
+ secret: '$XYZ_CLIENT_SECRET'
+ consent_mode: explicit
+ - id: '123'
+ secret: $ANOTHER_CLIENT_SECRET
+ consent_mode: explicit
 ...
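Review bot: The three `secret:` entries use three different reference forms (`'${ABC_CLIENT_SECRET}'`, `'$XYZ_CLIENT_SECRET'` and the unquoted `$ANOTHER_CLIENT_SECRET`) with no comment saying that each form is a separate test case. If expansion is applied to the file text before YAML parsing, which the fixture suggests but does not show, the unquoted form places the variable's value into the document as-is, so a secret containing `#`, `: ` or a quote could be truncated or change the parsed structure. A short comment on each entry, such as `# unquoted on purpose: covers bare $VAR expansion`, would document the supported forms. One fixture value containing a YAML-significant character would pin how such secrets are handled.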