From 4351e31b7cc45df04c1ac1d4bb19b24854234f8b Mon Sep 17 00:00:00 2001
From: Gary James <13685708+GtheSheep@users.noreply.github.com>
Date: Sat, 16 Nov 2024 22:01:12 +0000
Subject: [PATCH] feature - Add Project Permissions Resource (#25)

---
 docs/resources/project_permission.md          |  48 ++++
 .../tableau_project_permission/import.sh      |   1 +
 .../tableau_project_permission/resource.tf    |   6 +
 tableau/project_permission.go                 | 146 ++++++++++
 tableau/project_permission_resource.go        | 259 ++++++++++++++++++
 tableau/project_permission_resource_test.go   |  54 ++++
 tableau/provider.go                           |   3 +-
 7 files changed, 516 insertions(+), 1 deletion(-)
 create mode 100644 docs/resources/project_permission.md
 create mode 100644 examples/resources/tableau_project_permission/import.sh
 create mode 100644 examples/resources/tableau_project_permission/resource.tf
 create mode 100644 tableau/project_permission.go
 create mode 100644 tableau/project_permission_resource.go
 create mode 100644 tableau/project_permission_resource_test.go

diff --git a/docs/resources/project_permission.md b/docs/resources/project_permission.md
new file mode 100644
index 0000000..58b19c4
--- /dev/null
+++ b/docs/resources/project_permission.md
@@ -0,0 +1,48 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "tableau_project_permission Resource - terraform-provider-tableau"
+subcategory: ""
+description: |-
+  
+---
+
+# tableau_project_permission (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "tableau_project_permission" "test_permission" {
+  project_id = "xxxxx-xxxxx-xxxxx"
+	user_id = "xxxxx-xxxxx-xxxxx"
+  capability_name = "Write"
+	capability_mode = "Deny"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `capability_mode` (String) Capability mode, Allow or Deny (case sensitive)
+- `capability_name` (String) The capability to assign permissions to, one of ProjectLeader/Read/Write
+- `project_id` (String) Project ID
+
+### Optional
+
+- `group_id` (String) Group ID to grant to
+- `user_id` (String) User ID to grant to
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import tableau_project_permission.example "projects/<project_id>/permissions/<entity_type>/<entity_id>/<capability_name>/<capability_mode>"
+```
diff --git a/examples/resources/tableau_project_permission/import.sh b/examples/resources/tableau_project_permission/import.sh
new file mode 100644
index 0000000..6b86d2a
--- /dev/null
+++ b/examples/resources/tableau_project_permission/import.sh
@@ -0,0 +1 @@
+terraform import tableau_project_permission.example "projects/<project_id>/permissions/<entity_type>/<entity_id>/<capability_name>/<capability_mode>"
diff --git a/examples/resources/tableau_project_permission/resource.tf b/examples/resources/tableau_project_permission/resource.tf
new file mode 100644
index 0000000..dc728ab
--- /dev/null
+++ b/examples/resources/tableau_project_permission/resource.tf
@@ -0,0 +1,6 @@
+resource "tableau_project_permission" "test_permission" {
+  project_id = "xxxxx-xxxxx-xxxxx"
+	user_id = "xxxxx-xxxxx-xxxxx"
+  capability_name = "Write"
+	capability_mode = "Deny"
+}
diff --git a/tableau/project_permission.go b/tableau/project_permission.go
new file mode 100644
index 0000000..64141b8
--- /dev/null
+++ b/tableau/project_permission.go
@@ -0,0 +1,146 @@
+package tableau
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+type Capability struct {
+	Name string `json:"name"`
+	Mode string `json:"mode"`
+}
+
+type Capabilities struct {
+	Capabilities []Capability `json:"capability"`
+}
+
+type GranteeCapability struct {
+	User         *User        `json:"user,omitempty"`
+	Group        *Group       `json:"group,omitempty"`
+	Capabilities Capabilities `json:"capabilities"`
+}
+
+type ProjectPermission struct {
+	ProjectID      string
+	EntityID       string
+	EntityType     string
+	CapabilityName string
+	CapabilityMode string
+}
+
+type ProjectPermissions struct {
+	GranteeCapabilities []GranteeCapability `json:"granteeCapabilities"`
+}
+
+type ProjectPermissionsRequest struct {
+	ProjectPermissions ProjectPermissions `json:"permissions"`
+}
+
+type ProjectPermissionsResponse struct {
+	ProjectPermissions ProjectPermissions `json:"permissions"`
+}
+
+func (c *Client) GetProjectPermission(projectID, entityID, entityType, capabilityName, capabilityMode string) (*ProjectPermission, error) {
+	req, err := http.NewRequest("GET", fmt.Sprintf("%s/projects/%s/permissions", c.ApiUrl, projectID), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	projectPermissionsResponse := ProjectPermissionsResponse{}
+	err = json.Unmarshal(body, &projectPermissionsResponse)
+	if err != nil {
+		return nil, err
+	}
+	for _, granteeCapabilitie := range projectPermissionsResponse.ProjectPermissions.GranteeCapabilities {
+		for _, capabilities := range granteeCapabilitie.Capabilities.Capabilities {
+			var permissionEntityID string
+			if granteeCapabilitie.User != nil {
+				entity := granteeCapabilitie.User
+				permissionEntityID = entity.ID
+			} else {
+				entity := granteeCapabilitie.Group
+				permissionEntityID = entity.ID
+			}
+			if entityType == "users" && permissionEntityID == entityID && capabilityName == capabilities.Name && capabilities.Mode == capabilityMode {
+				return &ProjectPermission{
+					ProjectID:      projectID,
+					EntityID:       permissionEntityID,
+					EntityType:     "users",
+					CapabilityName: capabilities.Name,
+					CapabilityMode: capabilities.Mode,
+				}, nil
+			}
+			if entityType == "groups" && permissionEntityID == entityID && capabilityName == capabilities.Name && capabilities.Mode == capabilityMode {
+				return &ProjectPermission{
+					ProjectID:      projectID,
+					EntityID:       permissionEntityID,
+					EntityType:     "groups",
+					CapabilityName: capabilities.Name,
+					CapabilityMode: capabilities.Mode,
+				}, nil
+			}
+		}
+	}
+	return nil, nil
+}
+
+func (c *Client) CreateProjectPermissions(projectID string, projectPermissions ProjectPermissions) (*ProjectPermissions, error) {
+
+	projectPermissionsRequest := ProjectPermissionsRequest{
+		ProjectPermissions: projectPermissions,
+	}
+
+	newProjectPermissionsJson, err := json.Marshal(projectPermissionsRequest)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest("PUT", fmt.Sprintf("%s/projects/%s/permissions", c.ApiUrl, projectID), strings.NewReader(string(newProjectPermissionsJson)))
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	projectPermissionsResponse := ProjectPermissionsResponse{}
+	err = json.Unmarshal(body, &projectPermissionsResponse)
+	if err != nil {
+		return nil, err
+	}
+
+	return &projectPermissionsResponse.ProjectPermissions, nil
+}
+
+func (c *Client) DeleteProjectPermission(userID, groupID *string, projectID, capabilityName, capabilityMode string) error {
+	var entityID string
+	entityType := "users"
+	if userID != nil {
+		entityID = *userID
+	} else {
+		entityType = "groups"
+		entityID = *groupID
+	}
+
+	req, err := http.NewRequest("DELETE", fmt.Sprintf("%s/projects/%s/permissions/%s/%s/%s/%s", c.ApiUrl, projectID, entityType, entityID, capabilityName, capabilityMode), nil)
+
+	if err != nil {
+		return err
+	}
+
+	_, err = c.doRequest(req)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/tableau/project_permission_resource.go b/tableau/project_permission_resource.go
new file mode 100644
index 0000000..8bf3c7b
--- /dev/null
+++ b/tableau/project_permission_resource.go
@@ -0,0 +1,259 @@
+package tableau
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/path"
+	"github.com/hashicorp/terraform-plugin-framework/resource"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+var (
+	_ resource.Resource                = &projectPermissionResource{}
+	_ resource.ResourceWithConfigure   = &projectPermissionResource{}
+	_ resource.ResourceWithImportState = &projectPermissionResource{}
+)
+
+func NewProjectPermissionResource() resource.Resource {
+	return &projectPermissionResource{}
+}
+
+type projectPermissionResource struct {
+	client *Client
+}
+
+type projectPermissionResourceModel struct {
+	ID             types.String `tfsdk:"id"`
+	ProjectID      types.String `tfsdk:"project_id"`
+	UserID         types.String `tfsdk:"user_id"`
+	GroupID        types.String `tfsdk:"group_id"`
+	CapabilityName types.String `tfsdk:"capability_name"`
+	CapabilityMode types.String `tfsdk:"capability_mode"`
+}
+
+func (r *projectPermissionResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_project_permission"
+}
+
+func (r *projectPermissionResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"id": schema.StringAttribute{
+				Computed: true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+				},
+			},
+			"project_id": schema.StringAttribute{
+				Required:    true,
+				Description: "Project ID",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"user_id": schema.StringAttribute{
+				Optional:    true,
+				Description: "User ID to grant to",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"group_id": schema.StringAttribute{
+				Optional:    true,
+				Description: "Group ID to grant to",
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"capability_name": schema.StringAttribute{
+				Required:    true,
+				Description: "The capability to assign permissions to, one of ProjectLeader/Read/Write",
+				Validators: []validator.String{
+					stringvalidator.OneOf([]string{
+						"ProjectLeader",
+						"Read",
+						"Write",
+					}...),
+				},
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+			"capability_mode": schema.StringAttribute{
+				Required:    true,
+				Description: "Capability mode, Allow or Deny (case sensitive)",
+				Validators: []validator.String{
+					stringvalidator.OneOf([]string{
+						"Allow",
+						"Deny",
+					}...),
+				},
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.RequiresReplace(),
+				},
+			},
+		},
+	}
+}
+
+func (r *projectPermissionResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
+	var plan projectPermissionResourceModel
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	projectID := string(plan.ProjectID.ValueString())
+	capability := Capability{
+		Name: string(plan.CapabilityName.ValueString()),
+		Mode: string(plan.CapabilityMode.ValueString()),
+	}
+	capabilities := Capabilities{
+		Capabilities: []Capability{capability},
+	}
+	granteeCapability := GranteeCapability{
+		Capabilities: capabilities,
+	}
+
+	entityType := "users"
+	entityID := string(plan.UserID.ValueString())
+	if plan.UserID.ValueString() != "" {
+		granteeCapability.User = &User{ID: entityID}
+	} else {
+		entityID = string(plan.GroupID.ValueString())
+		entityType = "groups"
+		granteeCapability.Group = &Group{ID: entityID}
+	}
+	projectPermissions := ProjectPermissions{
+		GranteeCapabilities: []GranteeCapability{granteeCapability},
+	}
+
+	_, err := r.client.CreateProjectPermissions(projectID, projectPermissions)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Error creating project permission",
+			"Could not create project permission, unexpected error: "+err.Error(),
+		)
+		return
+	}
+
+	plan.ID = types.StringValue(getProjectPermissionID(projectID, entityType, entityID, capability.Name, capability.Mode))
+
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+func (r *projectPermissionResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+	var state projectPermissionResourceModel
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	permission := getProjectPermissionFromID(state.ID.ValueString())
+	projectPermission, err := r.client.GetProjectPermission(permission.ProjectID, permission.EntityID, permission.EntityType, permission.CapabilityName, permission.CapabilityMode)
+	if err != nil {
+		resp.State.RemoveResource(ctx)
+		return
+	}
+
+	if projectPermission.EntityType == "users" {
+		state.UserID = types.StringValue(projectPermission.EntityID)
+	} else {
+		state.GroupID = types.StringValue(projectPermission.EntityID)
+	}
+	state.ID = types.StringValue(getProjectPermissionID(projectPermission.ProjectID, projectPermission.EntityType, projectPermission.EntityID, projectPermission.CapabilityName, projectPermission.CapabilityMode))
+	state.ProjectID = types.StringValue(projectPermission.ProjectID)
+	state.CapabilityName = types.StringValue(projectPermission.CapabilityName)
+	state.CapabilityMode = types.StringValue(projectPermission.CapabilityMode)
+
+	diags = resp.State.Set(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+func (r *projectPermissionResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
+	var plan projectPermissionResourceModel
+	diags := req.Plan.Get(ctx, &plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	diags = resp.State.Set(ctx, plan)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+}
+
+func (r *projectPermissionResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
+	var state projectPermissionResourceModel
+	diags := req.State.Get(ctx, &state)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	permission := getProjectPermissionFromID(state.ID.ValueString())
+	if permission.EntityType == "users" {
+		err := r.client.DeleteProjectPermission(&permission.EntityID, nil, permission.ProjectID, permission.CapabilityName, permission.CapabilityMode)
+		if err != nil {
+			resp.Diagnostics.AddError(
+				"Error Deleting Tableau Project",
+				"Could not delete project, unexpected error: "+err.Error(),
+			)
+			return
+		}
+	} else {
+		err := r.client.DeleteProjectPermission(nil, &permission.EntityID, permission.ProjectID, permission.CapabilityName, permission.CapabilityMode)
+		if err != nil {
+			resp.Diagnostics.AddError(
+				"Error Deleting Tableau Project",
+				"Could not delete project, unexpected error: "+err.Error(),
+			)
+			return
+		}
+	}
+}
+
+func (r *projectPermissionResource) Configure(_ context.Context, req resource.ConfigureRequest, _ *resource.ConfigureResponse) {
+	if req.ProviderData == nil {
+		return
+	}
+
+	r.client = req.ProviderData.(*Client)
+}
+
+func (r *projectPermissionResource) ImportState(ctx context.Context, req resource.ImportStateRequest, resp *resource.ImportStateResponse) {
+	resource.ImportStatePassthroughID(ctx, path.Root("id"), req, resp)
+}
+
+func getProjectPermissionID(projectID, entityType, entityID, capabilityName, capabilityMode string) string {
+	return fmt.Sprintf("projects/%s/permissions/%s/%s/%s/%s", projectID, entityType, entityID, capabilityName, capabilityMode)
+}
+
+func getProjectPermissionFromID(projectPermissionID string) ProjectPermission {
+	parts := strings.Split(projectPermissionID, "/")
+	return ProjectPermission{
+		ProjectID:      parts[1],
+		EntityID:       parts[4],
+		EntityType:     parts[3],
+		CapabilityName: parts[5],
+		CapabilityMode: parts[6],
+	}
+}
diff --git a/tableau/project_permission_resource_test.go b/tableau/project_permission_resource_test.go
new file mode 100644
index 0000000..86c1744
--- /dev/null
+++ b/tableau/project_permission_resource_test.go
@@ -0,0 +1,54 @@
+package tableau
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAccProjectPermissionResource(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Create and Read testing
+			{
+				Config: providerConfig + `
+resource "tableau_project" "test_perm_project" {
+  name = "test_project_permission"
+  content_permissions = "ManagedByOwner"
+}
+resource "tableau_user" "new_person" {
+	name = "test_person_project_perms@test.test"
+  full_name = "test_person_project_perms@test.test"
+  email = "test_person_project_perms@test.test"
+  site_role = "Creator"
+  auth_setting = "SAML"
+}
+resource "tableau_project_permission" "test_permission" {
+  project_id = tableau_project.test_perm_project.id
+	user_id = tableau_user.new_person.id
+  capability_name = "Write"
+	capability_mode = "Deny"
+}
+`,
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttrSet("tableau_project_permission.test_permission", "id"),
+					resource.TestCheckResourceAttrSet("tableau_project_permission.test_permission", "project_id"),
+					resource.TestCheckResourceAttrSet("tableau_project_permission.test_permission", "user_id"),
+					resource.TestCheckResourceAttrSet("tableau_project_permission.test_permission", "capability_name"),
+					resource.TestCheckResourceAttrSet("tableau_project_permission.test_permission", "capability_mode"),
+					resource.TestCheckResourceAttr("tableau_project_permission.test_permission", "capability_name", "Write"),
+					resource.TestCheckResourceAttr("tableau_project_permission.test_permission", "capability_mode", "Deny"),
+				),
+			},
+			// ImportState testing
+			{
+				ResourceName:      "tableau_project_permission.test_permission",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			// Update and Read testing
+			// Delete testing automatically occurs in TestCase
+		},
+	})
+}
diff --git a/tableau/provider.go b/tableau/provider.go
index 836a7be..7fdf9fd 100644
--- a/tableau/provider.go
+++ b/tableau/provider.go
@@ -59,7 +59,7 @@ func (p *tableauProvider) Schema(_ context.Context, _ provider.SchemaRequest, re
 			},
 			"site": schema.StringAttribute{
 				Optional:    true,
-				Description: "Site name from your Tableau URL - TABLEAU_SITE_NAME env var",
+				Description: "Site name from your Tableau URL - TABLEAU_SITE_NAME env var - for Tableau Server default sites leave as ''",
 			},
 		},
 	}
@@ -262,5 +262,6 @@ func (p *tableauProvider) Resources(_ context.Context) []func() resource.Resourc
 		NewGroupUserResource,
 		NewProjectResource,
 		NewSiteResource,
+		NewProjectPermissionResource,
 	}
 }