correct required fields in pingfederate_oauth_auth_server_settings re…

…source (#216)
pingidentity · Mar 13, 2024 · 10ddda2 · 10ddda2
1 parent 5ebd848
commit 10ddda2
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 63 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # v0.8.0 (Unreleased)
 ### BUG FIXES
-* `pingfederate_oauth_client` resource, Provider produced inconsistent result after apply error when applying empty `extended_parameters` map value, require values to match product behavior ([#204](https://github.com/pingidentity/terraform-provider-pingfederate/pull/204))
+* `pingfederate_oauth_auth_server_settings` resource, removed unnecessary requirement for `bypass_activation_code_confirmation`, `default_scope_description`, `device_polling_interval`, `pending_authorization_timeout`, `registered_authorization_path` properties([#216](https://github.com/pingidentity/terraform-provider-pingfederate/pull/216))
+* `pingfederate_oauth_client` resource, Provider produced inconsistent result after apply error when applying empty `extended_parameters` map value, require `values` property within to match product behavior ([#204](https://github.com/pingidentity/terraform-provider-pingfederate/pull/204))([#214](https://github.com/pingidentity/terraform-provider-pingfederate/pull/214))
 
 # v0.7.1 February 29th, 2024
 ### BUG FIXES

diff --git a/docs/resources/oauth_auth_server_settings.md b/docs/resources/oauth_auth_server_settings.md
@@ -93,13 +93,8 @@ resource "pingfederate_oauth_auth_server_settings" "oauthAuthServerSettings" {
 
 - `authorization_code_entropy` (Number) The authorization code entropy, in bytes.
 - `authorization_code_timeout` (Number) The authorization code timeout, in seconds.
-- `bypass_activation_code_confirmation` (Boolean) Indicates if the Activation Code Confirmation page should be bypassed if 'verification_url_complete' is used by the end user to authorize a device.
-- `default_scope_description` (String) The default scope description.
-- `device_polling_interval` (Number) The amount of time client should wait between polling requests, in seconds.
-- `pending_authorization_timeout` (Number) The 'device_code' and 'user_code' timeout, in seconds.
 - `refresh_rolling_interval` (Number) The minimum interval to roll refresh tokens, in hours.
 - `refresh_token_length` (Number) The refresh token length in number of characters.
-- `registered_authorization_path` (String) The Registered Authorization Path is concatenated to PingFederate base URL to generate 'verification_url' and 'verification_url_complete' values in a Device Authorization request. PingFederate listens to this path if specified
 
 ### Optional
 
@@ -111,10 +106,13 @@ resource "pingfederate_oauth_auth_server_settings" "oauthAuthServerSettings" {
 - `approved_authorization_detail_attribute` (String) Attribute from the external consent adapter's contract, intended for storing approved authorization details returned by the external consent page.
 - `approved_scopes_attribute` (String) Attribute from the external consent adapter's contract, intended for storing approved scopes returned by the external consent page.
 - `atm_id_for_oauth_grant_management` (String) The ID of the Access Token Manager used for OAuth enabled grant management.
+- `bypass_activation_code_confirmation` (Boolean) Indicates if the Activation Code Confirmation page should be bypassed if 'verification_url_complete' is used by the end user to authorize a device.
 - `bypass_authorization_for_approved_consents` (Boolean) Bypass authorization for previously approved consents. The default value is false. Supported in PF version 12.0 or later.
 - `bypass_authorization_for_approved_grants` (Boolean) Bypass authorization for previously approved persistent grants. The default value is false.
 - `client_secret_retention_period` (Number) The length of time in minutes that client secrets will be retained as secondary secrets after secret change. The default value is 0, which will disable secondary client secret retention.
 - `consent_lifetime_days` (Number) The consent lifetime in days. The default value is indefinite. -1 indicates an indefinite amount of time. Supported in PF version 12.0 or later.
+- `default_scope_description` (String) The default scope description.
+- `device_polling_interval` (Number) The amount of time client should wait between polling requests, in seconds.
 - `disallow_plain_pkce` (Boolean) Determines whether PKCE's 'plain' code challenge method will be disallowed. The default value is false.
 - `dpop_proof_enforce_replay_prevention` (Boolean) Determines whether Demonstrating Proof-of-Possession (DPoP) proof JWT replay prevention is enforced. The default value is false. Supported in PF version 11.3 or later.
 - `dpop_proof_lifetime_seconds` (Number) The lifetime, in seconds, of the Demonstrating Proof-of-Possession (DPoP) proof JWT. The default value is 120. Supported in PF version 11.3 or later.
@@ -126,13 +124,15 @@ resource "pingfederate_oauth_auth_server_settings" "oauthAuthServerSettings" {
 - `par_reference_length` (Number) The entropy of pushed authorization request references, in bytes. The default value is 24.
 - `par_reference_timeout` (Number) The timeout, in seconds, of the pushed authorization request reference. The default value is 60.
 - `par_status` (String) The status of pushed authorization request support. The default value is ENABLED.
+- `pending_authorization_timeout` (Number) The 'device_code' and 'user_code' timeout, in seconds.
 - `persistent_grant_contract` (Attributes) The persistent grant contract defines attributes that are associated with OAuth persistent grants. (see [below for nested schema](#nestedatt--persistent_grant_contract))
 - `persistent_grant_idle_timeout` (Number) The persistent grant idle timeout. The default value is 30 (days). -1 indicates an indefinite amount of time.
 - `persistent_grant_idle_timeout_time_unit` (String) The persistent grant idle timeout time unit. The default value is DAYS
 - `persistent_grant_lifetime` (Number) The persistent grant lifetime. The default value is indefinite. -1 indicates an indefinite amount of time.
 - `persistent_grant_lifetime_unit` (String) The persistent grant lifetime unit.
 - `persistent_grant_reuse_grant_types` (Set of String) The grant types that the OAuth AS can reuse rather than creating a new grant for each request. Only 'IMPLICIT' or 'AUTHORIZATION_CODE' or 'RESOURCE_OWNER_CREDENTIALS' are valid grant types.
 - `refresh_token_rolling_grace_period` (Number) The grace period that a rolled refresh token remains valid in seconds. The default value is 60.
+- `registered_authorization_path` (String) The Registered Authorization Path is concatenated to PingFederate base URL to generate 'verification_url' and 'verification_url_complete' values in a Device Authorization request. PingFederate listens to this path if specified
 - `roll_refresh_token_values` (Boolean) The roll refresh token values default policy. The default value is true.
 - `scope_for_oauth_grant_management` (String) The OAuth scope to validate when accessing grant management service.
 - `scope_groups` (Attributes Set) The list of common scope groups. (see [below for nested schema](#nestedatt--scope_groups))

diff --git a/go.mod b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/hashicorp/terraform-plugin-testing v1.7.0
 	github.com/katbyte/terrafmt v0.5.2
 	github.com/pavius/impi v0.0.3
-	github.com/pingidentity/pingfederate-go-client/v1200 v1200.1.2
+	github.com/pingidentity/pingfederate-go-client/v1200 v1200.1.3
 	github.com/terraform-linters/tflint v0.50.3
 )
 
@@ -278,7 +278,7 @@ require (
 	golang.org/x/exp/typeparams v0.0.0-20231219180239-dc181d75b848 // indirect
 	golang.org/x/mod v0.15.0 // indirect
 	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
+	golang.org/x/oauth2 v0.17.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

diff --git a/go.sum b/go.sum
@@ -811,8 +811,8 @@ github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3v
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
 github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
-github.com/pingidentity/pingfederate-go-client/v1200 v1200.1.2 h1:MFXAkWdHJimrRnQY8XSP0nid2Cp2z0B1y+QLyLtCrWQ=
-github.com/pingidentity/pingfederate-go-client/v1200 v1200.1.2/go.mod h1:qrVI9uRarjXFyztGIQxFp79bzAjaa2ZJaZ3krDmMKXc=
+github.com/pingidentity/pingfederate-go-client/v1200 v1200.1.3 h1:ZK6wcMMPCBnIdr/LtitRT8UT3DpWGQ5x+V+2Hd0TQrg=
+github.com/pingidentity/pingfederate-go-client/v1200 v1200.1.3/go.mod h1:/RJCbMZzCOcwIyY/BrpySIqApTi/o0Oyatfk5xxJTZU=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -1197,8 +1197,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

diff --git a/internal/acctest/config/oauth/authserversettings/oauth_auth_server_settings_test.go b/internal/acctest/config/oauth/authserversettings/oauth_auth_server_settings_test.go
@@ -2,6 +2,7 @@ package oauthauthserversettings_test
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
@@ -29,23 +30,18 @@ type oauthAuthServerSettingsResourceModel struct {
 func TestAccOauthAuthServerSettings(t *testing.T) {
 	resourceName := "myOauthAuthServerSettings"
 	initialResourceModel := oauthAuthServerSettingsResourceModel{
-		defaultScopeDescription:          "example scope description",
-		authorizationCodeTimeout:         50,
-		authorizationCodeEntropy:         20,
-		refreshTokenLength:               40,
-		refreshRollingInterval:           1,
-		registeredAuthorizationPath:      "/example",
-		pendingAuthorizationTimeout:      550,
-		devicePollingInterval:            4,
-		bypassActivationCodeConfirmation: false,
+		authorizationCodeTimeout: 50,
+		authorizationCodeEntropy: 20,
+		refreshTokenLength:       40,
+		refreshRollingInterval:   1,
 	}
 	updatedResourceModel := oauthAuthServerSettingsResourceModel{
 		defaultScopeDescription:          "example updated scope description",
 		authorizationCodeTimeout:         60,
 		authorizationCodeEntropy:         30,
 		refreshTokenLength:               50,
 		refreshRollingInterval:           2,
-		registeredAuthorizationPath:      "/updatedexample",
+		registeredAuthorizationPath:      "/example",
 		pendingAuthorizationTimeout:      650,
 		devicePollingInterval:            3,
 		bypassActivationCodeConfirmation: true,
@@ -83,6 +79,25 @@ func TestAccOauthAuthServerSettings(t *testing.T) {
 }
 
 func testAccOauthAuthServerSettings(resourceName string, resourceModel oauthAuthServerSettingsResourceModel, includeAllAttributes bool) string {
+	addUpdatedResourceModelFields := []string{}
+	if resourceModel.bypassActivationCodeConfirmation == true {
+		addUpdatedResourceModelFields = append(addUpdatedResourceModelFields, fmt.Sprintf("bypass_activation_code_confirmation = %t", resourceModel.bypassActivationCodeConfirmation))
+	}
+	if resourceModel.defaultScopeDescription != "" {
+		addUpdatedResourceModelFields = append(addUpdatedResourceModelFields, fmt.Sprintf("default_scope_description = \"%s\"", resourceModel.defaultScopeDescription))
+	}
+	if resourceModel.devicePollingInterval == 3 {
+		addUpdatedResourceModelFields = append(addUpdatedResourceModelFields, fmt.Sprintf("device_polling_interval = %d", resourceModel.devicePollingInterval))
+	}
+	if resourceModel.pendingAuthorizationTimeout == 650 {
+		addUpdatedResourceModelFields = append(addUpdatedResourceModelFields, fmt.Sprintf("pending_authorization_timeout = %d", resourceModel.pendingAuthorizationTimeout))
+	}
+	if resourceModel.registeredAuthorizationPath != "" {
+		addUpdatedResourceModelFields = append(addUpdatedResourceModelFields, fmt.Sprintf("registered_authorization_path = \"%s\"", resourceModel.registeredAuthorizationPath))
+	}
+
+	updatedResourceModelFields := strings.Join(addUpdatedResourceModelFields[:], "\n")
+
 	optionalHcl := ""
 	if includeAllAttributes {
 		optionalHcl = `
@@ -165,16 +180,12 @@ func testAccOauthAuthServerSettings(resourceName string, resourceModel oauthAuth
 
 	return fmt.Sprintf(`
 resource "pingfederate_oauth_auth_server_settings" "%[1]s" {
-  authorization_code_entropy          = %[2]d
-  authorization_code_timeout          = %[3]d
-  registered_authorization_path       = "%[4]s"
-  default_scope_description           = "%[5]s"
-  device_polling_interval             = %[6]d
-  pending_authorization_timeout       = %[7]d
-  refresh_rolling_interval            = %[8]d
-  refresh_token_length                = %[9]d
-  bypass_activation_code_confirmation = %[10]t
-  %[11]s
+  authorization_code_entropy = %[2]d
+  authorization_code_timeout = %[3]d
+  refresh_rolling_interval   = %[4]d
+  refresh_token_length       = %[5]d
+  %[6]s
+	%[7]s
 }
 data "pingfederate_oauth_auth_server_settings" "%[1]s" {
   depends_on = [
@@ -183,14 +194,10 @@ data "pingfederate_oauth_auth_server_settings" "%[1]s" {
 }`, resourceName,
 		resourceModel.authorizationCodeEntropy,
 		resourceModel.authorizationCodeTimeout,
-		resourceModel.registeredAuthorizationPath,
-		resourceModel.defaultScopeDescription,
-		resourceModel.devicePollingInterval,
-		resourceModel.pendingAuthorizationTimeout,
 		resourceModel.refreshRollingInterval,
 		resourceModel.refreshTokenLength,
-		resourceModel.bypassActivationCodeConfirmation,
 		optionalHcl,
+		updatedResourceModelFields,
 	)
 }
 
@@ -220,26 +227,31 @@ func testAccCheckExpectedOauthAuthServerSettingsAttributes(config oauthAuthServe
 		}
 
 		err = acctest.TestAttributesMatchString(resourceType, nil, "registered_authorization_path",
-			config.registeredAuthorizationPath, response.RegisteredAuthorizationPath)
+			config.registeredAuthorizationPath, *response.RegisteredAuthorizationPath)
 		if err != nil {
 			return err
 		}
 
 		err = acctest.TestAttributesMatchString(resourceType, nil, "default_scope_description",
-			config.defaultScopeDescription, response.DefaultScopeDescription)
+			config.defaultScopeDescription, *response.DefaultScopeDescription)
 		if err != nil {
 			return err
 		}
 
-		err = acctest.TestAttributesMatchInt(resourceType, nil, "device_polling_interval",
-			config.devicePollingInterval, response.DevicePollingInterval)
-		if err != nil {
-			return err
+		if config.devicePollingInterval != 0 {
+			err = acctest.TestAttributesMatchInt(resourceType, nil, "device_polling_interval",
+				config.devicePollingInterval, *response.DevicePollingInterval)
+			if err != nil {
+				return err
+			}
 		}
-		err = acctest.TestAttributesMatchInt(resourceType, nil, "pending_authorization_timeout",
-			config.pendingAuthorizationTimeout, response.PendingAuthorizationTimeout)
-		if err != nil {
-			return err
+
+		if config.pendingAuthorizationTimeout != 0 {
+			err = acctest.TestAttributesMatchInt(resourceType, nil, "pending_authorization_timeout",
+				config.pendingAuthorizationTimeout, *response.PendingAuthorizationTimeout)
+			if err != nil {
+				return err
+			}
 		}
 
 		err = acctest.TestAttributesMatchInt(resourceType, nil, "refresh_rolling_interval",
@@ -255,7 +267,7 @@ func testAccCheckExpectedOauthAuthServerSettingsAttributes(config oauthAuthServe
 		}
 
 		err = acctest.TestAttributesMatchBool(resourceType, nil, "bypass_activation_code_confirmation",
-			config.bypassActivationCodeConfirmation, response.BypassActivationCodeConfirmation)
+			config.bypassActivationCodeConfirmation, *response.BypassActivationCodeConfirmation)
 		if err != nil {
 			return err
 		}

diff --git a/internal/resource/config/oauth/authserversettings/oauth_auth_server_settings_common.go b/internal/resource/config/oauth/authserversettings/oauth_auth_server_settings_common.go
@@ -90,7 +90,7 @@ func readOauthAuthServerSettingsResponse(ctx context.Context, r *client.Authoriz
 	} else {
 		state.Id = id.GenerateUUIDToState(existingId)
 	}
-	state.DefaultScopeDescription = types.StringValue(r.DefaultScopeDescription)
+	state.DefaultScopeDescription = types.StringPointerValue(r.DefaultScopeDescription)
 	state.Scopes, respDiags = scopeentry.ToState(ctx, r.Scopes)
 	diags.Append(respDiags...)
 	state.ScopeGroups, respDiags = scopegroupentry.ToState(ctx, r.ScopeGroups)
@@ -127,11 +127,11 @@ func readOauthAuthServerSettingsResponse(ctx context.Context, r *client.Authoriz
 	state.ScopeForOAuthGrantManagement = types.StringPointerValue(r.ScopeForOAuthGrantManagement)
 	state.AllowedOrigins = internaltypes.GetStringList(r.AllowedOrigins)
 	state.UserAuthorizationUrl = types.StringPointerValue(r.UserAuthorizationUrl)
-	state.RegisteredAuthorizationPath = types.StringValue(r.RegisteredAuthorizationPath)
-	state.PendingAuthorizationTimeout = types.Int64Value(r.PendingAuthorizationTimeout)
-	state.DevicePollingInterval = types.Int64Value(r.DevicePollingInterval)
+	state.RegisteredAuthorizationPath = types.StringPointerValue(r.RegisteredAuthorizationPath)
+	state.PendingAuthorizationTimeout = types.Int64PointerValue(r.PendingAuthorizationTimeout)
+	state.DevicePollingInterval = types.Int64PointerValue(r.DevicePollingInterval)
 	state.ActivationCodeCheckMode = types.StringPointerValue(r.ActivationCodeCheckMode)
-	state.BypassActivationCodeConfirmation = types.BoolValue(r.BypassActivationCodeConfirmation)
+	state.BypassActivationCodeConfirmation = types.BoolPointerValue(r.BypassActivationCodeConfirmation)
 	state.UserAuthorizationConsentPageSetting = types.StringPointerValue(r.UserAuthorizationConsentPageSetting)
 	state.UserAuthorizationConsentAdapter = types.StringPointerValue(r.UserAuthorizationConsentAdapter)
 	state.ApprovedScopesAttribute = types.StringPointerValue(r.ApprovedScopesAttribute)