Add support for breached_password_detection.stage on auth0_attack_protection resource #445

Merged
merged 12 commits into from
Jan 27, 2023
inital logic for breached_password_detection stage support
nialdaly committed Jan 27, 2023

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit 1baee73b12df0aa4e9953c2871e0deef7ab1459b
22 changes: 22 additions & 0 deletions docs/resources/attack_protection.md
@@ -41,6 +41,11 @@ resource "auth0_attack_protection" "my_protection" {
enabled = true
method = "standard"
shields = ["admin_notification", "block"]
stage {
pre_user_registration {
shields = ["block"]
}
}
}
}
```
@@ -67,6 +72,23 @@ Optional:
- `enabled` (Boolean) Whether breached password detection is active.
- `method` (String) The subscription level for breached password detection methods. Use "enhanced" to enable Credential Guard. Possible values: `standard`, `enhanced`.
- `shields` (Set of String) Action to take when a breached password is detected.
- `stage` (Block List) (see [below for nested schema](#nestedblock--breached_password_detection--stage))

<a id="nestedblock--breached_password_detection--stage"></a>
### Nested Schema for `breached_password_detection.stage`

Read-Only:

- `pre_user_registration` (List of Object) (see [below for nested schema](#nestedatt--breached_password_detection--stage--pre_user_registration))

<a id="nestedatt--breached_password_detection--stage--pre_user_registration"></a>
### Nested Schema for `breached_password_detection.stage.pre_user_registration`

Read-Only:

- `shields` (Set of String) Action to take when a breached password is detected during a signup. Possible values: `block`, `admin_notification`.




<a id="nestedblock--brute_force_protection"></a>
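--- a/examples/resources/auth0_attack_protection/resource.tf
+++ b/examples/resources/auth0_attack_protection/resource.tf
@@ -28,5 +28,11 @@ resource "auth0_attack_protection" "my_protection" {
 enabled = true
 method = "standard"
 shields = ["admin_notification", "block"]
+
+stage {
+pre_user_registration = {
+shields = ["block"]
+}
+}
 }
 }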
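Review bot: This example configures `pre_user_registration`, but the schema added in the same commit declares that nested field `Computed` without `Optional` (which is also why the regenerated docs list it under "Read-Only"), so as far as I can tell Terraform would reject this snippet with a "can't configure a value" error until the schema gains `Optional: true`. The example also writes the nested block as `pre_user_registration = {` while the documentation snippet in this commit uses block syntax `pre_user_registration {`; the two should agree so users copying either one get the same result. I would change the line to `pre_user_registration {` here to match the docs and the nested-block schema type.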
74 changes: 74 additions & 0 deletions internal/provider/resource_auth0_attack_protection.go
@@ -82,6 +82,36 @@ func newAttackProtection() *schema.Resource {
Description: "The subscription level for breached password detection methods. " +
"Use \"enhanced\" to enable Credential Guard. Possible values: `standard`, `enhanced`.",
},
"stage": {
Type: schema.TypeList,
Optional: true,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"pre_user_registration": {
Type: schema.TypeList,
Computed: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"shields": {
Type: schema.TypeSet,
Optional: true,
Computed: true,
Elem: &schema.Schema{
Type: schema.TypeString,
ValidateFunc: validation.StringInSlice([]string{
"block",
"admin_notification",
}, false),
},
Description: "Action to take when a breached password is detected during a signup.",
},
},
},
},
},
},
},
},
},
},
@@ -371,6 +401,21 @@ func flattenBreachedPasswordProtection(bpd *management.BreachedPasswordDetection
"method": bpd.GetMethod(),
"admin_notification_frequency": bpd.GetAdminNotificationFrequency(),
"shields": bpd.GetShields(),
"stage": flattenBreachedPasswordProtectionStage(bpd.GetStage()),
},
}
}

func flattenBreachedPasswordProtectionStage(breachedPasswordDetectionStage *management.BreachedPasswordDetectionStage) []interface{} {
if breachedPasswordDetectionStage == nil {
return nil
}

return []interface{}{
map[string]interface{}{
"pre-user-registration": map[string]interface{}{
"shields": breachedPasswordDetectionStage.GetPreUserRegistration().GetShields(),
},
},
}
}
@@ -488,6 +533,7 @@ func expandBreachedPasswordDetection(d *schema.ResourceData) *management.Breache
Method: value.String(breach.GetAttr("method")),
Shields: value.Strings(breach.GetAttr("shields")),
AdminNotificationFrequency: value.Strings(breach.GetAttr("admin_notification_frequency")),
Stage: expandBreachedPasswordDetectionStage(breach.GetAttr("stage")),
}

return stop
@@ -496,3 +542,31 @@ func expandBreachedPasswordDetection(d *schema.ResourceData) *management.Breache

return bpd
}

func expandBreachedPasswordDetectionStage(stageMap cty.Value) *management.BreachedPasswordDetectionStage {
var breachedPasswordDetectionStage *management.BreachedPasswordDetectionStage

stageMap.ForEachElement(func(_ cty.Value, stage cty.Value) (stop bool) {
breachedPasswordDetectionStage = &management.BreachedPasswordDetectionStage{
PreUserRegistration: expandBreachedPasswordDetectionPreUserRegistration(stage.GetAttr("pre-user-registration")),
}

return stop
})

return breachedPasswordDetectionStage
}

func expandBreachedPasswordDetectionPreUserRegistration(preUserRegistrationMap cty.Value) *management.BreachedPasswordDetectionPreUserRegistration {
var breachedPasswordDetectionStagePreUserRegistration *management.BreachedPasswordDetectionPreUserRegistration

preUserRegistrationMap.ForEachElement(func(_ cty.Value, preUserRegistration cty.Value) (stop bool) {
breachedPasswordDetectionStagePreUserRegistration = &management.BreachedPasswordDetectionPreUserRegistration{
Shields: value.Strings(preUserRegistration.GetAttr("shields")),
}

return stop
})

return breachedPasswordDetectionStagePreUserRegistration
}
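Review bot: The flatten and expand sides of the new stage support disagree with the schema key: the map built in `flattenBreachedPasswordProtectionStage` uses `"pre-user-registration"` and `expandBreachedPasswordDetectionStage` calls `stage.GetAttr("pre-user-registration")`, while the schema names the field `pre_user_registration`. cty's `GetAttr` panics when the object has no attribute of that name, so any configuration containing a `stage` block would crash the provider on plan/apply, and on the read path the SDK writes nested values by schema key, so the mismatched key is dropped and the shields never reach state (the value also needs wrapping in a `[]interface{}`, since the field is a `TypeList`). Fix the expand line to `PreUserRegistration: expandBreachedPasswordDetectionPreUserRegistration(stage.GetAttr("pre_user_registration")),` and, because `ForEachElement` also panics on a null value, consider guarding with `if !preUserRegistrationMap.IsNull()` before iterating — I cannot tell from here whether the raw config can hold a null at that position. Separately, `pre_user_registration` is declared `Computed` only, which is why the generated docs call it Read-Only and why the example and acceptance configs that set it would be rejected; add `Optional: true,` beside `Computed: true,` in that schema entry. `newAttackProtection` and `flattenBreachedPasswordProtection` start outside their hunks; the rewritten flatten helper below is the one change too long to quote inline.
```go
func flattenBreachedPasswordProtectionStage(breachedPasswordDetectionStage *management.BreachedPasswordDetectionStage) []interface{} {
	if breachedPasswordDetectionStage == nil {
		return nil
	}

	return []interface{}{
		map[string]interface{}{
			// Key and shape must match the schema: pre_user_registration is a
			// TypeList block holding a single object, so wrap the map in a slice.
			"pre_user_registration": []interface{}{
				map[string]interface{}{
					"shields": breachedPasswordDetectionStage.GetPreUserRegistration().GetShields(),
				},
			},
		},
	}
}
```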
6 changes: 6 additions & 0 deletions internal/provider/resource_auth0_attack_protection_test.go
@@ -34,6 +34,11 @@ resource "auth0_attack_protection" "my_protection" {
shields = ["user_notification", "block", "admin_notification"]
admin_notification_frequency = ["daily", "monthly", "immediately", "weekly"]
method = "standard"
stage = {
pre_user_registration = {
shields = ["block"]
}
}
}
}
`
@@ -93,6 +98,7 @@ func TestAccAttackProtectionBreachedPasswordDetection(t *testing.T) {
resource.TestCheckTypeSetElemAttr("auth0_attack_protection.my_protection", "breached_password_detection.0.admin_notification_frequency.*", "immediately"),
resource.TestCheckTypeSetElemAttr("auth0_attack_protection.my_protection", "breached_password_detection.0.admin_notification_frequency.*", "weekly"),
resource.TestCheckResourceAttr("auth0_attack_protection.my_protection", "breached_password_detection.0.method", "standard"),
resource.TestCheckResourceAttr("auth0_attack_protection.my_protection", "breached_password_detection.0.stage.0.pre_user_registration.0.shields.*", "block"),
),
},
{
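Review bot: The new check uses `resource.TestCheckResourceAttr` with a `.shields.*` key; that helper does an exact key lookup, so `breached_password_detection.0.stage.0.pre_user_registration.0.shields.*` never exists in state and the step fails regardless of what the provider did. The `*` wildcard is only understood by `TestCheckTypeSetElemAttr`, which the two sibling checks just above already use for the other set attribute, so change the line to `resource.TestCheckTypeSetElemAttr("auth0_attack_protection.my_protection", "breached_password_detection.0.stage.0.pre_user_registration.0.shields.*", "block"),`. The config string in the earlier hunk also writes `stage = {` and `pre_user_registration = {` with attribute syntax where the documentation example in this commit uses block syntax; the legacy SDK tolerates `=` for some list-of-object blocks, but the test is the place to exercise the documented form. Both hunks are cut mid-definition: the config constant and the `TestAccAttackProtectionBreachedPasswordDetection` step list begin outside the shown lines.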