From 95fa0c2e3c74062a37d45c09ce4ca6c8ce6a461a Mon Sep 17 00:00:00 2001 From: Iain Adams Date: Tue, 3 Sep 2019 11:25:43 +0100 Subject: [PATCH 1/3] Add support for pingaccess_auth_token_management resource and tweaked the functional tests to user either a predefined license file or the PING_IDENTITY_DEVOPS_USER/KEY environment variables --- pingaccess/provider.go | 1 + pingaccess/provider_test.go | 21 +++- ...source_pingaccess_auth_token_management.go | 109 ++++++++++++++++++ ...e_pingaccess_auth_token_management_test.go | 103 +++++++++++++++++ 4 files changed, 231 insertions(+), 3 deletions(-) create mode 100644 pingaccess/resource_pingaccess_auth_token_management.go create mode 100644 pingaccess/resource_pingaccess_auth_token_management_test.go diff --git a/pingaccess/provider.go b/pingaccess/provider.go index c9e5e9a3..284cb6d0 100644 --- a/pingaccess/provider.go +++ b/pingaccess/provider.go @@ -42,6 +42,7 @@ func Provider() terraform.ResourceProvider { }, ResourcesMap: map[string]*schema.Resource{ "pingaccess_access_token_validator": resourcePingAccessAccessTokenValidator(), + "pingaccess_auth_token_management": resourcePingAccessAuthTokenManagement(), "pingaccess_certificate": resourcePingAccessCertificate(), "pingaccess_identity_mapping": resourcePingAccessIdentityMapping(), "pingaccess_keypair": resourcePingAccessKeyPair(), diff --git a/pingaccess/provider_test.go b/pingaccess/provider_test.go index f3b3cbd2..2d4d830e 100644 --- a/pingaccess/provider_test.go +++ b/pingaccess/provider_test.go 
@@ -28,9 +28,24 @@ func TestMain(m *testing.M) { log.Fatalf("Could not connect to docker: %s", err) } - options := &dockertest.RunOptions{ - Repository: "pingidentity/pingaccess", - Tag: "5.2.2-edge", + devOpsUser, devOpsUserExists := os.LookupEnv("PING_IDENTITY_DEVOPS_USER") + devOpsKey, devOpsKeyExists := os.LookupEnv("PING_IDENTITY_DEVOPS_KEY") + + var options *dockertest.RunOptions + + if devOpsUserExists && devOpsKeyExists { + options = &dockertest.RunOptions{ + Repository: "pingidentity/pingaccess", + Env: []string{fmt.Sprintf("PING_IDENTITY_DEVOPS_USER=%s", devOpsUser), fmt.Sprintf("PING_IDENTITY_DEVOPS_KEY=%s", devOpsKey)}, + Tag: "5.2.2-edge", + } + } else { + dir, _ := os.Getwd() + options = &dockertest.RunOptions{ + Repository: "pingidentity/pingaccess", + Mounts: []string{dir + "/pingaccess.lic:/opt/in/instance/conf/pingaccess.lic"}, + Tag: "5.2.2-edge", + } } // pulls an image, creates a container based on it and runs it diff --git a/pingaccess/resource_pingaccess_auth_token_management.go b/pingaccess/resource_pingaccess_auth_token_management.go new file mode 100644 index 00000000..d007ea81 --- /dev/null +++ b/pingaccess/resource_pingaccess_auth_token_management.go 
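Review bot: In the `else` branch `dir, _ := os.Getwd()` discards the error, the mount path is built by string concatenation, and nothing checks that `pingaccess.lic` exists before it is handed to Docker as a bind mount; a missing file typically makes Docker create an empty directory at the target, so the developer gets an opaque container-start failure later instead of being told which of the two routes (credentials or license) is missing. I would fail fast with a clear message, as below, using `filepath.Join` (needs `path/filepath` imported) and `os.Stat`. Separately, the DevOps key is passed as container environment, which anyone with access to the Docker socket on the test host can read via `docker inspect` and which would leak if `options` were ever logged — acceptable for a CI-scoped secret, but make sure neither value is ever echoed in test output. TestMain's body continues outside the hunk.
```go
	} else {
		dir, err := os.Getwd()
		if err != nil {
			log.Fatalf("Could not determine working directory: %s", err)
		}
		lic := filepath.Join(dir, "pingaccess.lic")
		if _, err := os.Stat(lic); err != nil {
			log.Fatalf("PING_IDENTITY_DEVOPS_USER/KEY not set and no license file at %s: %s", lic, err)
		}
		options = &dockertest.RunOptions{
			Repository: "pingidentity/pingaccess",
			Mounts:     []string{lic + ":/opt/in/instance/conf/pingaccess.lic"},
			Tag:        "5.2.2-edge",
		}
	}
	// … unchanged: image pull and container start …
```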
@@ -0,0 +1,109 @@ +package pingaccess + +import ( + "fmt" + + pa "github.com/iwarapter/pingaccess-sdk-go/pingaccess" + + "github.com/hashicorp/terraform/helper/schema" +) + +func resourcePingAccessAuthTokenManagement() *schema.Resource { + return &schema.Resource{ + Create: resourcePingAccessAuthTokenManagementCreate, + Read: resourcePingAccessAuthTokenManagementRead, + Update: resourcePingAccessAuthTokenManagementUpdate, + Delete: resourcePingAccessAuthTokenManagementDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Schema: resourcePingAccessAuthTokenManagementSchema(), + } +} + +func resourcePingAccessAuthTokenManagementSchema() map[string]*schema.Schema { + return map[string]*schema.Schema{ + "issuer": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "PingAccessAuthToken", + Description: "The issuer value to include in auth tokens. PingAccess inserts this value as the iss claim within the auth tokens.", + }, + "key_roll_enabled": &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: true, + Description: "This field is true if key rollover is enabled. When false, PingAccess will not rollover keys at the configured interval.", + }, + "key_roll_period_in_hours": &schema.Schema{ + Type: schema.TypeInt, + Optional: true, + Default: 24, + Description: "The interval (in hours) at which PingAccess will roll the keys. 
Key rollover updates keys at regular intervals to ensure the security of signed auth tokens.", + }, + "signing_algorithm": &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Default: "P-256", + Description: "The signing algorithm used when creating signed auth tokens.", + }, + } +} + +func resourcePingAccessAuthTokenManagementCreate(d *schema.ResourceData, m interface{}) error { + d.SetId("auth_token_management") + return resourcePingAccessAuthTokenManagementUpdate(d, m) +} + +func resourcePingAccessAuthTokenManagementRead(d *schema.ResourceData, m interface{}) error { + svc := m.(*pa.Client).AuthTokenManagements + result, _, err := svc.GetAuthTokenManagementCommand() + if err != nil { + return fmt.Errorf("Error reading auth token management settings: %s", err) + } + + return resourcePingAccessAuthTokenManagementReadResult(d, result) +} + +func resourcePingAccessAuthTokenManagementUpdate(d *schema.ResourceData, m interface{}) error { + svc := m.(*pa.Client).AuthTokenManagements + input := pa.UpdateAuthTokenManagementCommandInput{ + Body: *resourcePingAccessAuthTokenManagementReadData(d), + } + result, _, err := svc.UpdateAuthTokenManagementCommand(&input) + if err != nil { + return fmt.Errorf("Error updating auth token management settings: %s", err.Error()) + } + + d.SetId("auth_token_management") + return resourcePingAccessAuthTokenManagementReadResult(d, result) +} + +func resourcePingAccessAuthTokenManagementDelete(d *schema.ResourceData, m interface{}) error { + svc := m.(*pa.Client).AuthTokenManagements + _, err := svc.DeleteAuthTokenManagementCommand() + if err != nil { + return fmt.Errorf("Error resetting auth token management: %s", err) + } + return nil +} + +func resourcePingAccessAuthTokenManagementReadResult(d *schema.ResourceData, input *pa.AuthTokenManagementView) (err error) { + setResourceDataString(d, "issuer", input.Issuer) + setResourceDataBool(d, "key_roll_enabled", input.KeyRollEnabled) + setResourceDataInt(d, 
"key_roll_period_in_hours", input.KeyRollPeriodInHours) + setResourceDataString(d, "signing_algorithm", input.SigningAlgorithm) + return nil +} + +func resourcePingAccessAuthTokenManagementReadData(d *schema.ResourceData) *pa.AuthTokenManagementView { + atm := &pa.AuthTokenManagementView{ + Issuer: String(d.Get("issuer").(string)), + KeyRollEnabled: Bool(d.Get("key_roll_enabled").(bool)), + KeyRollPeriodInHours: Int(d.Get("key_roll_period_in_hours").(int)), + SigningAlgorithm: String(d.Get("signing_algorithm").(string)), + } + + return atm +} diff --git a/pingaccess/resource_pingaccess_auth_token_management_test.go b/pingaccess/resource_pingaccess_auth_token_management_test.go new file mode 100644 index 00000000..c28fdccf --- /dev/null +++ b/pingaccess/resource_pingaccess_auth_token_management_test.go 
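Review bot: `key_roll_period_in_hours` and `signing_algorithm` in resourcePingAccessAuthTokenManagementSchema have no `ValidateFunc`, so a zero or negative rollover period or a misspelt algorithm name is accepted at plan time and only rejected, if at all, by the server during apply. A plan-time guard on the period is one line, `ValidateFunc: validation.IntAtLeast(1),` with `github.com/hashicorp/terraform/helper/validation` imported (same module as the `helper/schema` import already present); for the algorithm I cannot confirm PingAccess's accepted set from here, so at least point the description at where that set is documented. resourcePingAccessAuthTokenManagementDelete calls `DeleteAuthTokenManagementCommand`, which the error message itself describes as a reset, so presumably removing this singleton from state returns the server's issuer, rollover and signing settings to their defaults rather than leaving the last applied values in place — a change to a token-signing rotation policy that deserves a doc comment on resourcePingAccessAuthTokenManagement, e.g. `// Singleton: Delete resets the server's auth token settings to their defaults; it does not leave the last applied values in place.` These schema descriptions are also the ones the docs page added in patch 2 should mirror; there each argument carries the previous argument's text (`key_roll_enabled` is described as the issuer).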
@@ -0,0 +1,103 @@ +package pingaccess + +import ( + "fmt" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/hashicorp/terraform/helper/resource" + "github.com/hashicorp/terraform/helper/schema" + "github.com/hashicorp/terraform/terraform" + pa "github.com/iwarapter/pingaccess-sdk-go/pingaccess" +) + +func TestAccPingAccessAuthTokenManagement(t *testing.T) { + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckPingAccessAuthTokenManagementDestroy, + Steps: []resource.TestStep{ + { + Config: testAccPingAccessAuthTokenManagementConfig("PingAccessAuthToken"), + Check: resource.ComposeTestCheckFunc( + testAccCheckPingAccessAuthTokenManagementExists("pingaccess_auth_token_management.demo"), + ), + }, + { + Config: testAccPingAccessAuthTokenManagementConfig("PingAccessAuthToken2"), + Check: resource.ComposeTestCheckFunc( + testAccCheckPingAccessAuthTokenManagementExists("pingaccess_auth_token_management.demo"), + ), + }, + }, + }) +} + +func testAccCheckPingAccessAuthTokenManagementDestroy(s *terraform.State) error { + return nil +} + +func testAccPingAccessAuthTokenManagementConfig(issuer string) string { + return fmt.Sprintf(` + resource "pingaccess_auth_token_management" "demo" { + key_roll_enabled = true + key_roll_period_in_hours = 24 + issuer = "%s" + signing_algorithm = "P-256" + }`, issuer) +} + +func testAccCheckPingAccessAuthTokenManagementExists(n string) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" || rs.Primary.ID == "0" { + return fmt.Errorf("No auth token management ID is set") + } + + conn := testAccProvider.Meta().(*pa.Client).AuthTokenManagements + result, _, err := conn.GetAuthTokenManagementCommand() + + if err != nil { + return fmt.Errorf("Error: AuthTokenManagement (%s) not found", n) + } + + if *result.Issuer != 
rs.Primary.Attributes["issuer"] { + return fmt.Errorf("Error: AuthTokenManagement response (%s) didnt match state (%s)", *result.Issuer, rs.Primary.Attributes["issuer"]) + } + + return nil + } +} + +func Test_resourcePingAccessAuthTokenManagementReadData(t *testing.T) { + cases := []struct { + AuthTokenManagementView pa.AuthTokenManagementView + }{ + { + AuthTokenManagementView: pa.AuthTokenManagementView{ + Issuer: String("PingAccessAuthTokenDemo"), + KeyRollEnabled: Bool(false), + KeyRollPeriodInHours: Int(23), + SigningAlgorithm: String("P-512"), + }, + }, + } + for i, tc := range cases { + t.Run(fmt.Sprintf("tc:%v", i), func(t *testing.T) { + + resourceSchema := resourcePingAccessAuthTokenManagementSchema() + resourceLocalData := schema.TestResourceDataRaw(t, resourceSchema, map[string]interface{}{}) + resourcePingAccessAuthTokenManagementReadResult(resourceLocalData, &tc.AuthTokenManagementView) + + if got := *resourcePingAccessAuthTokenManagementReadData(resourceLocalData); !cmp.Equal(got, tc.AuthTokenManagementView) { + t.Errorf("resourcePingAccessAuthTokenManagementReadData() = %v", cmp.Diff(got, tc.AuthTokenManagementView)) + } + + resourcePingAccessAuthTokenManagementReadResult(resourceLocalData, &tc.AuthTokenManagementView) + }) + } +} From d9eaaec6cd2e97dfa8606a86311bd3f9109baf8f Mon Sep 17 00:00:00 2001 From: Iain Adams Date: Tue, 3 Sep 2019 14:32:33 +0100 Subject: [PATCH 2/3] update the docs for pingaccess_auth_token_management resource --- .../pingaccess_auth_token_management.md | 22 +++++++++++++++++++ mkdocs.yml | 1 + .../test_cases/auth_token_management.tf | 6 +++++ 3 files changed, 29 insertions(+) create mode 100644 docs/resources/pingaccess_auth_token_management.md create mode 100644 pingaccess/test_cases/auth_token_management.tf diff --git a/docs/resources/pingaccess_auth_token_management.md b/docs/resources/pingaccess_auth_token_management.md new file mode 100644 index 00000000..8041d89f --- /dev/null 
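Review bot: testAccCheckPingAccessAuthTokenManagementDestroy returns nil unconditionally, so nothing verifies that destroying the resource actually reset the server-side settings, and the first TestStep configures exactly the schema defaults (`PingAccessAuthToken`, true, 24, `P-256`), so its Exists check would pass even if the update never reached the server. Because this is a singleton, the destroy check can read the settings back and confirm the non-default issuer written by the second step is gone, as below — I'm inferring from the resource's `Error resetting auth token management` message that Delete restores server defaults, so confirm that before relying on it. The Exists helper also discards `err` in its not-found message; `return fmt.Errorf("Error: AuthTokenManagement (%s) not found: %s", n, err)` keeps the cause. Finally, `P-512` in the round-trip unit test is not a real curve name (NIST's is `P-521`); it is harmless there but misleading as an example, and the trailing second `ReadResult` call in that subtest does nothing.
```go
func testAccCheckPingAccessAuthTokenManagementDestroy(s *terraform.State) error {
	conn := testAccProvider.Meta().(*pa.Client).AuthTokenManagements
	result, _, err := conn.GetAuthTokenManagementCommand()
	if err != nil {
		return fmt.Errorf("Error reading auth token management after destroy: %s", err)
	}
	// Delete resets the singleton; the non-default issuer from the last step must be gone.
	if result.Issuer != nil && *result.Issuer == "PingAccessAuthToken2" {
		return fmt.Errorf("auth token management issuer was not reset on destroy: %s", *result.Issuer)
	}
	return nil
}
```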
+++ b/docs/resources/pingaccess_auth_token_management.md @@ -0,0 +1,22 @@ +Provides a auth token management. + +## Example Usage +```terraform +{!../pingaccess/test_cases/auth_token_management.tf!} +``` + +## Argument Attributes + +The following arguments are supported: + +- [`key_roll_enabled`](#key_roll_enabled) - The issuer value to include in auth tokens. PingAccess inserts this value as the iss claim within the auth tokens. + +- [`key_roll_period_in_hours`](#key_roll_period_in_hours) - This field is true if key rollover is enabled. When false, PingAccess will not rollover keys at the configured interval. + +- [`issuer`](#issuer) - The interval (in hours) at which PingAccess will roll the keys. Key rollover updates keys at regular intervals to ensure the security of signed auth tokens. + +- [`signing_algorithm`](#signing_algorithm) - The signing algorithm used when creating signed auth tokens. + +### Attributes Reference + +No additional attributes are provided. diff --git a/mkdocs.yml b/mkdocs.yml index c84c38cf..180221ec 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -6,6 +6,7 @@ nav: - pingaccess_trusted_certificate_group: data_sources/pingaccess_trusted_certificate_group.md - Supported Resources: - pingaccess_access_token_validator: resources/pingaccess_access_token_validator.md + - pingaccess_auth_token_management: resources/pingaccess_auth_token_management.md - pingaccess_application: resources/pingaccess_application.md - pingaccess_application_resource: resources/pingaccess_application_resource.md - pingaccess_certificate: resources/pingaccess_certificate.md diff --git a/pingaccess/test_cases/auth_token_management.tf b/pingaccess/test_cases/auth_token_management.tf new file mode 100644 index 00000000..0058c38c --- /dev/null +++ b/pingaccess/test_cases/auth_token_management.tf 
@@ -0,0 +1,6 @@ +resource "pingaccess_auth_token_management" "demo" { + key_roll_enabled = true + key_roll_period_in_hours = 24 + issuer = "PingAccessAuthToken" + signing_algorithm = "P-256" +} From 5ea5fd7b8b240f1a1c6dd74d37551429f8f02400 Mon Sep 17 00:00:00 2001 From: Iain Adams Date: Sun, 8 Sep 2019 19:26:55 +0100 Subject: [PATCH 3/3] Update changelog for pingaccess_auth_token_management --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3595f615..7e1a7fc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ FEATURES: * **New DataSource:** `pingaccess_keypair` ([#4](https://github.com/iwarapter/terraform-provider-pingaccess/issues/4)) * **New Resource:** `pingaccess_access_token_validator` * **New Resource:** `pingaccess_keypair` ([#4](https://github.com/iwarapter/terraform-provider-pingaccess/issues/4)) +* * **New Resource:** `pingaccess_auth_token_management` ([#11](https://github.com/iwarapter/terraform-provider-pingaccess/issues/11)) BUG FIXES: