acl: add missing JWT auth method validation (#25757)

Author: pkazmierczak

nomad/structs/acl.go

@@ -1145,7 +1145,11 @@ func (a *ACLAuthMethodConfig) Validate(methodType string) error {
 		}
 
 	case ACLAuthMethodTypeJWT:
-		// TODO: check JWT fields: https://hashicorp.atlassian.net/browse/NET-12309
+		if a.OIDCDiscoveryURL == "" && a.JWKSURL == "" && len(a.JWTValidationPubKeys) == 0 {
+			mErr = multierror.Append(mErr, errors.New(
+				"JWT auth method requires either OIDCDiscoveryURL, or JWKS URL, or JWTValidationPubKeys set"),
+			)
+		}
 	}
 
 	return helper.FlattenMultierror(mErr)

nomad/structs/acl_test.go

@@ -1416,12 +1416,20 @@ func TestACLAuthMethodConfig_Validate(t *testing.T) {
 	must.ErrorContains(t, err, "missing OIDCClientID")
 	am.OIDCClientAssertion = &OIDCClientAssertion{}
 	am.Canonicalize()
+
 	err = am.Validate("OIDC")
 	must.ErrorContains(t, err, "invalid client assertion config:")
-
-	// do not fail, because no JWT validation at the moment
 	err = am.Validate("JWT")
-	must.NoError(t, err)
+	must.ErrorContains(t, err, "either OIDCDiscoveryURL")
+
+	// valid OIDC method config
+	validOIDCclientAssertion := &OIDCClientAssertion{Audience: []string{"foo"}, KeySource: "nomad"}
+	validOIDC := &ACLAuthMethodConfig{OIDCDiscoveryURL: "http://example.com", OIDCClientID: "oidc", OIDCClientAssertion: validOIDCclientAssertion}
+	must.NoError(t, validOIDC.Validate(ACLAuthMethodTypeOIDC))
+
+	// valid JWT method config
+	validJWT := &ACLAuthMethodConfig{JWKSURL: "http://example.com"}
+	must.NoError(t, validJWT.Validate(ACLAuthMethodTypeJWT))
 }
 
 func TestACLAuthMethodConfig_Copy(t *testing.T) {