From c0198972339e81c806d92b4b8647ac8fee9499d4 Mon Sep 17 00:00:00 2001
From: JM Faircloth
Date: Wed, 31 Jul 2024 14:07:23 -0500
Subject: [PATCH] fix integration test jwt audience
---
 integrationTests/basic/jwt_auth.test.js | 54 +++++++++++++++++--------
 1 file changed, 37 insertions(+), 17 deletions(-)
diff --git a/integrationTests/basic/jwt_auth.test.js b/integrationTests/basic/jwt_auth.test.js
index df2703b5..e2744a1c 100644
--- a/integrationTests/basic/jwt_auth.test.js
+++ b/integrationTests/basic/jwt_auth.test.js
@@ -97,6 +97,8 @@ describe('jwt auth', () => {
 }
 });
+ // write the jwt config, the jwt role will be written on a per-test
+ // basis since the audience may vary
 await got(`${vaultUrl}/v1/auth/jwt/config`, {
 method: 'POST',
 headers: {
@@ -108,22 +110,6 @@ describe('jwt auth', () => {
 }
 });
- await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
- method: 'POST',
- headers: {
- 'X-Vault-Token': vaultToken,
- },
- json: {
- role_type: 'jwt',
- bound_audiences: null,
- bound_claims: {
- iss: 'vault-action'
- },
- user_claim: 'iss',
- policies: ['reader']
- }
- });
-
 await got(`${vaultUrl}/v1/secret/data/test`, {
 method: 'POST',
 headers: {
@@ -138,6 +124,24 @@ describe('jwt auth', () => {
 });
 describe('authenticate with private key', () => {
+ beforeAll(async () => {
+ await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
+ method: 'POST',
+ headers: {
+ 'X-Vault-Token': vaultToken,
+ },
+ json: {
+ role_type: 'jwt',
+ bound_audiences: null,
+ bound_claims: {
+ iss: 'vault-action'
+ },
+ user_claim: 'iss',
+ policies: ['reader']
+ }
+ });
+ });
+
 beforeEach(() => {
 jest.resetAllMocks();
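Review bot: The comment added above the `auth/jwt/config` write in the first hunk says the role will be written "on a per-test basis", but the role writes that replace the deleted block (hunks @@ -138 and @@ -170) sit in `beforeAll` hooks, so they run once per describe block, not once per test. Suggest `// write the jwt config here; each describe block writes its own jwt role in beforeAll, since the bound audience differs per suite`.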
@@ -170,6 +174,22 @@ describe('jwt auth', () => {
 describe('authenticate with Github OIDC', () => {
 beforeAll(async () => {
+ await got(`${vaultUrl}/v1/auth/jwt/role/default`, {
+ method: 'POST',
+ headers: {
+ 'X-Vault-Token': vaultToken,
+ },
+ json: {
+ role_type: 'jwt',
+ bound_audiences: 'https://github.com/hashicorp/vault-action',
+ bound_claims: {
+ iss: 'vault-action'
+ },
+ user_claim: 'iss',
+ policies: ['reader']
+ }
+ });
+
 await got(`${vaultUrl}/v1/auth/jwt/role/default-sigstore`, {
 method: 'POST',
 headers: {
@@ -177,7 +197,7 @@ describe('jwt auth', () => {
 },
 json: {
 role_type: 'jwt',
- bound_audiences: null,
+ bound_audiences: 'sigstore',
 bound_claims: {
 iss: 'vault-action',
 aud: 'sigstore',
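Review bot: This suite's `beforeAll` and the one added to 'authenticate with private key' (previous hunk) both POST to the same role name, `auth/jwt/role/default`, with different `bound_audiences`, so the later write silently replaces the earlier one and each suite only sees the role it expects while the describe blocks run in file order and never in isolation or randomized. Giving each suite its own role name and pointing its login at that role would remove the ordering dependency; the login calls are outside this hunk, so whether that is a small change is an inference. Independently, the fifteen-line role write is now repeated three times in the file with only the role name and `bound_audiences` varying; a helper in the enclosing `describe('jwt auth')` scope, where `vaultUrl` and `vaultToken` appear to be visible, would let each `beforeAll` become a one-liner, as sketched below. The `beforeAll` body continues past the end of this hunk.
```javascript
    // Shared by the suites' beforeAll hooks; lives in the enclosing
    // describe('jwt auth') scope, which is outside this hunk.
    async function writeJwtRole(name, boundAudiences) {
        await got(`${vaultUrl}/v1/auth/jwt/role/${name}`, {
            method: 'POST',
            headers: {
                'X-Vault-Token': vaultToken,
            },
            json: {
                role_type: 'jwt',
                bound_audiences: boundAudiences,
                bound_claims: {
                    iss: 'vault-action'
                },
                user_claim: 'iss',
                policies: ['reader']
            }
        });
    }

    describe('authenticate with Github OIDC', () => {
        beforeAll(async () => {
            await writeJwtRole('default', 'https://github.com/hashicorp/vault-action');
            // … unchanged: default-sigstore role write …
```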