issue#428: Add support for ping federate connections (#527)
Co-authored-by: Rita Zerrizuela <[email protected]>
sergiught and Widcket authored Mar 17, 2023
1 parent 2eb2677 commit 73204bf
Showing 7 changed files with 548 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/data-sources/connection.md
Expand Up @@ -97,6 +97,7 @@ Read-Only:
- `password_history` (List of Object) (see [below for nested schema](#nestedobjatt--options--password_history))
- `password_no_personal_info` (List of Object) (see [below for nested schema](#nestedobjatt--options--password_no_personal_info))
- `password_policy` (String)
- `ping_federate_base_url` (String)
- `pkce_enabled` (Boolean)
- `protocol_binding` (String)
- `provider` (String)
1 change: 1 addition & 0 deletions docs/resources/connection.md
Expand Up @@ -667,6 +667,7 @@ Optional:
- `password_history` (Block List) Configuration settings for the password history that is maintained for each user to prevent the reuse of passwords. (see [below for nested schema](#nestedblock--options--password_history))
- `password_no_personal_info` (Block List, Max: 1) Configuration settings for the password personal info check, which does not allow passwords that contain any part of the user's personal data, including user's `name`, `username`, `nickname`, `user_metadata.name`, `user_metadata.first`, `user_metadata.last`, user's `email`, or first part of the user's `email`. (see [below for nested schema](#nestedblock--options--password_no_personal_info))
- `password_policy` (String) Indicates level of password strength to enforce during authentication. A strong password policy will make it difficult, if not improbable, for someone to guess a password through either manual or automated means. Options include `none`, `low`, `fair`, `good`, `excellent`.
- `ping_federate_base_url` (String) Ping Federate Server URL.
- `pkce_enabled` (Boolean) Enables Proof Key for Code Exchange (PKCE) functionality for OAuth2 connections.
- `protocol_binding` (String) The SAML Response Binding: how the SAML token is received by Auth0 from the IdP.
- `provider` (String) Defines the custom `sms_gateway` provider.
36 changes: 36 additions & 0 deletions internal/auth0/connection/expand.go
Expand Up @@ -102,6 +102,9 @@ func expandConnection(d *schema.ResourceData, api *management.Management) (*mana
case management.ConnectionStrategyADFS:
connection.ShowAsButton = showAsButton
connection.Options, diagnostics = expandConnectionOptionsADFS(options)
case management.ConnectionStrategyPingFederate:
connection.ShowAsButton = showAsButton
connection.Options, diagnostics = expandConnectionOptionsPingFederate(options)
default:
diagnostics = append(diagnostics, diag.Diagnostic{
Severity: diag.Error,
Expand Down Expand Up @@ -723,6 +726,39 @@ func expandConnectionOptionsADFS(config cty.Value) (*management.ConnectionOption
return options, diag.FromErr(err)
}

func expandConnectionOptionsPingFederate(
config cty.Value,
) (*management.ConnectionOptionsPingFederate, diag.Diagnostics) {
options := &management.ConnectionOptionsPingFederate{
SigningCert: value.String(config.GetAttr("signing_cert")),
LogoURL: value.String(config.GetAttr("icon_url")),
TenantDomain: value.String(config.GetAttr("tenant_domain")),
DomainAliases: value.Strings(config.GetAttr("domain_aliases")),
SignInEndpoint: value.String(config.GetAttr("sign_in_endpoint")),
DigestAlgorithm: value.String(config.GetAttr("digest_algorithm")),
SignSAMLRequest: value.Bool(config.GetAttr("sign_saml_request")),
SignatureAlgorithm: value.String(config.GetAttr("signature_algorithm")),
PingFederateBaseURL: value.String(config.GetAttr("ping_federate_base_url")),
NonPersistentAttrs: value.Strings(config.GetAttr("non_persistent_attrs")),
SetUserAttributes: value.String(config.GetAttr("set_user_root_attributes")),
}

config.GetAttr("idp_initiated").ForEachElement(func(_ cty.Value, idp cty.Value) (stop bool) {
options.IdpInitiated = &management.ConnectionOptionsSAMLIdpInitiated{
ClientID: value.String(idp.GetAttr("client_id")),
ClientProtocol: value.String(idp.GetAttr("client_protocol")),
ClientAuthorizeQuery: value.String(idp.GetAttr("client_authorize_query")),
}

return stop
})

var err error
options.UpstreamParams, err = value.MapFromJSON(config.GetAttr("upstream_params"))

return options, diag.FromErr(err)
}

type scoper interface {
Scopes() []string
SetScopes(enable bool, scopes ...string)
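Review bot: `expandConnectionOptionsPingFederate`, the new function in the second hunk, has no doc comment, and its `idp_initiated` closure returns the named result `stop` at its zero value, which a reader has to work out means "keep iterating, last element wins". Suggest a header `// expandConnectionOptionsPingFederate maps the pingfederate "options" block onto the Management API options; signing_cert is sent as SigningCert and icon_url as LogoURL.` and on the closure's last line `return stop // false: visit every element`. The `expandConnection` switch touched by the first hunk starts and ends outside that hunk.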
41 changes: 41 additions & 0 deletions internal/auth0/connection/flatten.go
Expand Up @@ -52,6 +52,8 @@ func flattenConnectionOptions(d *schema.ResourceData, options interface{}) ([]in
m, diags = flattenConnectionOptionsAzureAD(connectionOptions)
case *management.ConnectionOptionsADFS:
m, diags = flattenConnectionOptionsADFS(connectionOptions)
case *management.ConnectionOptionsPingFederate:
m, diags = flattenConnectionOptionsPingFederate(connectionOptions)
case *management.ConnectionOptionsSAML:
m, diags = flattenConnectionOptionsSAML(d, connectionOptions)
}
Expand Down Expand Up @@ -601,3 +603,42 @@ func flattenConnectionOptionsSAML(

return m, nil
}

func flattenConnectionOptionsPingFederate(
options *management.ConnectionOptionsPingFederate,
) (interface{}, diag.Diagnostics) {
signingCert := options.GetSigningCert()
if signingCert == "" {
signingCert = options.GetCert()
}

m := map[string]interface{}{
"signing_cert": signingCert,
"tenant_domain": options.GetTenantDomain(),
"domain_aliases": options.GetDomainAliases(),
"sign_in_endpoint": options.GetSignInEndpoint(),
"signature_algorithm": options.GetSignatureAlgorithm(),
"digest_algorithm": options.GetDigestAlgorithm(),
"sign_saml_request": options.GetSignSAMLRequest(),
"ping_federate_base_url": options.GetPingFederateBaseURL(),
"icon_url": options.GetLogoURL(),
"set_user_root_attributes": options.GetSetUserAttributes(),
"non_persistent_attrs": options.GetNonPersistentAttrs(),
}

m["idp_initiated"] = []interface{}{
map[string]interface{}{
"client_id": options.GetIdpInitiated().GetClientID(),
"client_protocol": options.GetIdpInitiated().GetClientProtocol(),
"client_authorize_query": options.GetIdpInitiated().GetClientAuthorizeQuery(),
},
}

upstreamParams, err := structure.FlattenJsonToString(options.UpstreamParams)
if err != nil {
return nil, diag.FromErr(err)
}
m["upstream_params"] = upstreamParams

return m, nil
}
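Review bot: `m["idp_initiated"]` is always set to a one-element list, even when `options.IdpInitiated` is nil, because the nil-safe getters then return empty strings; a configuration that omits the `idp_initiated` block would read back a block of empty values from the API, which presumably surfaces as a permanent plan diff unless the schema marks the block Computed. Guarding on the pointer, as below, leaves the key unset in that case. I cannot see whether `flattenConnectionOptionsSAML` emits the block unconditionally too, so whichever way this goes the two should match. `flattenConnectionOptionsPingFederate` is complete within the hunk.
```go
	// … unchanged: m built from the scalar getters …

	// Only emit the block when the API returned one; the nil-safe getters
	// would otherwise produce a block of empty strings.
	if idp := options.IdpInitiated; idp != nil {
		m["idp_initiated"] = []interface{}{
			map[string]interface{}{
				"client_id":              idp.GetClientID(),
				"client_protocol":        idp.GetClientProtocol(),
				"client_authorize_query": idp.GetClientAuthorizeQuery(),
			},
		}
	}

	// … unchanged: upstream_params flattening and return …
```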
173 changes: 173 additions & 0 deletions internal/auth0/connection/resource_test.go
Expand Up @@ -1719,3 +1719,176 @@ resource "auth0_connection" "twitter" {
}
}
`

func TestAccConnectionPingFederate(t *testing.T) {
acctest.Test(t, resource.TestCase{
Steps: []resource.TestStep{
{
Config: acctest.ParseTestName(testConnectionPingFederateConfigCreate, t.Name()),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("auth0_connection.my_connection", "name", fmt.Sprintf("Acceptance-Test-PingFederate-%s", t.Name())),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "display_name", fmt.Sprintf("Acceptance-Test-PingFederate-%s", t.Name())),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "strategy", "pingfederate"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "show_as_button", "false"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.#", "1"),
resource.TestCheckResourceAttrSet("auth0_connection.my_connection", "options.0.signing_cert"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.tenant_domain", "example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.ping_federate_base_url", "https://pingfederate.example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.sign_in_endpoint", "https://pingfederate.example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.domain_aliases.#", "2"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.domain_aliases.0", "example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.domain_aliases.1", "example.coz"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.signature_algorithm", "rsa-sha256"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.sign_saml_request", "false"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.digest_algorithm", "sha256"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.icon_url", "https://example.com/logo.svg"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.set_user_root_attributes", "on_first_login"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.non_persistent_attrs.#", "2"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.non_persistent_attrs.0", "gender"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.non_persistent_attrs.1", "hair_color"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.#", "1"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.0.client_id", "client_id"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.0.client_protocol", "samlp"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.0.client_authorize_query", "type=code&timeout=30"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.upstream_params", "{\"screen_name\":{\"alias\":\"login_hint\"}}"),
),
},
{
Config: acctest.ParseTestName(testConnectionPingFederateConfigUpdate, t.Name()),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("auth0_connection.my_connection", "name", fmt.Sprintf("Acceptance-Test-PingFederate-%s", t.Name())),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "display_name", fmt.Sprintf("Acceptance-Test-PingFederate-%s", t.Name())),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "strategy", "pingfederate"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "show_as_button", "true"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.#", "1"),
resource.TestCheckResourceAttrSet("auth0_connection.my_connection", "options.0.signing_cert"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.tenant_domain", "example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.ping_federate_base_url", "https://pingfederate.example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.sign_in_endpoint", "https://pingfederate.example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.domain_aliases.#", "2"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.domain_aliases.0", "example.com"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.domain_aliases.1", "example.coz"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.signature_algorithm", "rsa-sha256"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.sign_saml_request", "true"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.digest_algorithm", "sha256"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.icon_url", ""),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.set_user_root_attributes", "on_first_login"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.non_persistent_attrs.#", "2"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.non_persistent_attrs.0", "gender"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.non_persistent_attrs.1", "hair_color"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.#", "1"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.0.client_id", "client_id"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.0.client_protocol", "samlp"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.idp_initiated.0.client_authorize_query", "type=code&timeout=60"),
resource.TestCheckResourceAttr("auth0_connection.my_connection", "options.0.upstream_params", ""),
),
},
},
})
}

const testConnectionPingFederateConfigCreate = `
resource "auth0_connection" "my_connection" {
name = "Acceptance-Test-PingFederate-{{.testName}}"
display_name = "Acceptance-Test-PingFederate-{{.testName}}"
strategy = "pingfederate"
show_as_button = false
options {
signing_cert = <<EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
tenant_domain = "example.com"
ping_federate_base_url = "https://pingfederate.example.com"
sign_in_endpoint = "https://pingfederate.example.com"
domain_aliases = ["example.com", "example.coz"]
signature_algorithm = "rsa-sha256"
sign_saml_request = false
digest_algorithm = "sha256"
icon_url = "https://example.com/logo.svg"
set_user_root_attributes = "on_first_login"
non_persistent_attrs = ["gender","hair_color"]
upstream_params = jsonencode({
"screen_name": {
"alias": "login_hint"
}
})
idp_initiated {
client_id = "client_id"
client_protocol = "samlp"
client_authorize_query = "type=code&timeout=30"
}
}
}
`

const testConnectionPingFederateConfigUpdate = `
resource "auth0_connection" "my_connection" {
name = "Acceptance-Test-PingFederate-{{.testName}}"
display_name = "Acceptance-Test-PingFederate-{{.testName}}"
strategy = "pingfederate"
show_as_button = true
options {
signing_cert = <<EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
tenant_domain = "example.com"
ping_federate_base_url = "https://pingfederate.example.com"
sign_in_endpoint = "https://pingfederate.example.com"
domain_aliases = ["example.com", "example.coz"]
signature_algorithm = "rsa-sha256"
sign_saml_request = true
digest_algorithm = "sha256"
set_user_root_attributes = "on_first_login"
non_persistent_attrs = ["gender","hair_color"]
idp_initiated {
client_id = "client_id"
client_protocol = "samlp"
client_authorize_query = "type=code&timeout=60"
}
}
}
`
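Review bot: Both steps of `TestAccConnectionPingFederate` configure the `idp_initiated` block, so the read path for a connection created without it is never exercised; a further step whose config drops the block and asserts `options.0.idp_initiated.#` would cover how the flattener reports an absent block. The test function and both config constants are complete within the hunk.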
6 changes: 6 additions & 0 deletions internal/auth0/connection/schema.go
Expand Up @@ -323,6 +323,12 @@ var resourceSchema = map[string]*schema.Schema{
Optional: true,
Description: "Icon URL.",
},
"ping_federate_base_url": {
Type: schema.TypeString,
Optional: true,
ValidateFunc: validation.IsURLWithHTTPorHTTPS,
Description: "Ping Federate Server URL.",
},
"identity_api": {
Type: schema.TypeString,
Optional: true,
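Review bot: `ValidateFunc: validation.IsURLWithHTTPorHTTPS` on `ping_federate_base_url` accepts a plaintext `http://` URL for the federation server. If the Management API only accepts https for this field, `validation.IsURLWithHTTPS` would reject it at plan time rather than at apply; if http is genuinely allowed, the Description should say so, since the exchange with the IdP would then be unprotected. I cannot see from the hunk what the API enforces. The enclosing `resourceSchema` map starts and ends outside the hunk.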