add support for catch_all = deny
Signed-off-by: Tien Nguyen <[email protected]>
duytiennguyen-okta committed Dec 12, 2024
1 parent 4c3a207 commit f4a3050
Showing 14 changed files with 369 additions and 107 deletions.
1 change: 0 additions & 1 deletion GNUmakefile
Expand Up @@ -39,7 +39,6 @@ DEFAULT_SMOKE_TESTS?=\
TestAccResourceOktaMfaPolicy_crud \
TestAccResourceOktaOrgConfiguration \
TestAccResourceOktaPolicyRulePassword_crud \
TestAccResourceOktaPolicySignOn_crud \
TestAccResourceOktaUser_updateAllAttributes

ifeq ($(strip $(SMOKE_TESTS)),)
7 changes: 6 additions & 1 deletion docs/resources/app_signon_policy.md
Expand Up @@ -92,9 +92,14 @@ resource "okta_app_signon_policy_rule" "some_rule" {
- `description` (String) Description of the policy.
- `name` (String) Name of the policy.

### Optional

- `catch_all` (Boolean) Default rules of the policy set to `DENY` or not. If `false`, it is set to `DENY`. **WARNING** setting this attribute to false change the OKTA default behavior. Use at your own risk. This is only apply during creation, so import or update will not work

### Read-Only

- `id` (String) The ID of this resource.
- `default_rule_id` (String) Default rules id of the policy
- `id` (String) Policy id

## Import

Expand Up @@ -145,18 +145,21 @@ resource "okta_app_signon_policy_rule" "test" {
jsonencode({
"knowledge" : {
"reauthenticateIn" : "PT2H",
"types" : ["password"]
"types" : ["password"],
"required" : false
},
"possession" : {
"deviceBound" : "REQUIRED"
"deviceBound" : "REQUIRED",
"required" : false
}
}),
jsonencode({
"possession" : {
"deviceBound" : "REQUIRED",
"hardwareProtection" : "REQUIRED",
"userPresence" : "OPTIONAL",
"userVerification" : "OPTIONAL"
"userVerification" : "OPTIONAL",
"required" : false
}
})
]
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -25,7 +25,7 @@ require (
github.com/kelseyhightower/envconfig v1.4.0
github.com/lestrrat-go/jwx v1.2.29
github.com/okta/okta-sdk-golang/v4 v4.1.2
github.com/okta/okta-sdk-golang/v5 v5.0.2
github.com/okta/okta-sdk-golang/v5 v5.0.4
github.com/patrickmn/go-cache v2.1.0+incompatible
github.com/stretchr/testify v1.9.0
gopkg.in/dnaeon/go-vcr.v3 v3.1.2
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -213,8 +213,8 @@ github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
github.com/okta/okta-sdk-golang/v4 v4.1.2 h1:gSycAYWGrvYeXBW8HakMZnNu/ptMuTvTQ/zZ7lgmtPI=
github.com/okta/okta-sdk-golang/v4 v4.1.2/go.mod h1:01oiHDXvZQHlZo1Uw084VDYwXIqJe19z34b53PBZpUY=
github.com/okta/okta-sdk-golang/v5 v5.0.2 h1:eecvycE/XDX56IWTsOVhqfj5txCgqryTXzKy7wKEq78=
github.com/okta/okta-sdk-golang/v5 v5.0.2/go.mod h1:T/vmECtJX33YPZSVD+sorebd8LLhe38Bi/VrFTjgVX0=
github.com/okta/okta-sdk-golang/v5 v5.0.4 h1:HDq1L+3vECjTZRPmsRYxgeWOGRuaxk1+tdRkdscAeLQ=
github.com/okta/okta-sdk-golang/v5 v5.0.4/go.mod h1:T/vmECtJX33YPZSVD+sorebd8LLhe38Bi/VrFTjgVX0=
github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
1 change: 1 addition & 0 deletions okta/data_source_okta_apps.go
Expand Up @@ -66,6 +66,7 @@ type OktaApp interface {
GetSignOnMode() string
GetFeatures() []string
GetVisibility() okta.ApplicationVisibility
GetLinks() okta.ApplicationLinks
}

func (d *AppsDataSource) Metadata(ctx context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
1 change: 0 additions & 1 deletion okta/data_source_okta_device_assurance_policy.go
Expand Up @@ -56,7 +56,6 @@ func (d *deviceAssurancePolicyDataSource) Schema(ctx context.Context, req dataso
resp.Schema = schema.Schema{
Description: "Get a policy assurance from Okta.",
Attributes: map[string]schema.Attribute{
// TODU
"id": schema.StringAttribute{
Description: "ID of the user type to retrieve, conflicts with `name`.",
Optional: true,
83 changes: 82 additions & 1 deletion okta/framework_provider.go
Expand Up @@ -2,19 +2,22 @@ package okta

import (
"context"
"errors"
"fmt"

"github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
"github.com/hashicorp/terraform-plugin-framework-validators/setvalidator"
"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
"github.com/hashicorp/terraform-plugin-framework/datasource"
"github.com/hashicorp/terraform-plugin-framework/diag"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/provider"
"github.com/hashicorp/terraform-plugin-framework/provider/schema"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/schema/validator"
"github.com/hashicorp/terraform-plugin-framework/tfsdk"
"github.com/hashicorp/terraform-plugin-framework/types"
"github.com/okta/okta-sdk-golang/v5/okta"
)

// Ensure the implementation satisfies the expected interfaces.
Expand Down Expand Up @@ -271,7 +274,8 @@ func (p *FrameworkProvider) Resources(_ context.Context) []func() resource.Resou
NewPolicyDeviceAssuranceWindowsResource,
NewCustomizedSigninResource,
NewPreviewSigninResource,
GroupOwnerResource,
NewGroupOwnerResource,
NewAppSignOnPolicyResource,
}
}

Expand Down Expand Up @@ -308,3 +312,80 @@ func resourceConfiguration(req resource.ConfigureRequest, resp *resource.Configu

return p
}

func frameworkResourceOIEOnlyFeatureError(name string) diag.Diagnostics {
return frameworkOIEOnlyFeatureError("resources", name)
}

func frameworkOIEOnlyFeatureError(kind, name string) diag.Diagnostics {
url := fmt.Sprintf("https://registry.terraform.io/providers/okta/okta/latest/docs/%s/%s", kind, string(name[5:]))
if kind == "resources" {
kind = "resource"
}
if kind == "data-sources" {
kind = "datasource"
}
var diags diag.Diagnostics
diags.AddError(fmt.Sprintf("%q is a %s for OIE Orgs only", name, kind), fmt.Sprintf(", see %s", url))
return diags
}

func frameworkIsClassicOrg(ctx context.Context, config *Config) bool {
return config.IsClassicOrg(ctx)
}

func frameworkFindDefaultAccessPolicy(ctx context.Context, config *Config) (okta.ListPolicies200ResponseInner, error) {
if frameworkIsClassicOrg(ctx, config) {
return okta.ListPolicies200ResponseInner{}, nil
}
policies, err := framworkFindSystemPolicyByType(ctx, config, "ACCESS_POLICY")
if err != nil {
return okta.ListPolicies200ResponseInner{}, fmt.Errorf("error finding default ACCESS_POLICY %+v", err)
}
if len(policies) != 1 {
return okta.ListPolicies200ResponseInner{}, errors.New("cannot find default ACCESS_POLICY policy")
}
return policies[0], nil
}

type OktaPolicy interface {
GetId() string
GetSystem() bool
}

func framworkFindSystemPolicyByType(ctx context.Context, config *Config, _type string) ([]okta.ListPolicies200ResponseInner, error) {
res := []okta.ListPolicies200ResponseInner{}
policies, _, err := config.oktaSDKClientV5.PolicyAPI.ListPolicies(ctx).Type_(_type).Execute()
if err != nil {
return nil, err
}
for _, p := range policies {
policy := p.GetActualInstance().(OktaPolicy)
if policy.GetSystem() {
res = append(res, p)
}
}

return res, nil
}

func frameworkListApps(ctx context.Context, config *Config, filters *appFilters, limit int64) ([]okta.ListApplications200ResponseInner, error) {
req := config.oktaSDKClientV5.ApplicationAPI.ListApplications(ctx).Limit(int32(limit))
if filters != nil {
req = req.Filter(filters.Status)
req = req.Q(filters.getQ())
}
apps, resp, err := req.Execute()
if err != nil {
return nil, err
}
for resp.HasNextPage() {
var nextApps []okta.ListApplications200ResponseInner
resp, err = resp.Next(&nextApps)
if err != nil {
return nil, err
}
apps = append(apps, nextApps...)
}
return apps, nil
}
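Review bot: The type assertion `policy := p.GetActualInstance().(OktaPolicy)` in the loop of framworkFindSystemPolicyByType is unchecked, so a ListPolicies variant whose concrete type lacks GetId/GetSystem, or a nil actual instance if the SDK returns an unrecognised payload, would panic the provider rather than surface an error; use the two-value form, `policy, ok := p.GetActualInstance().(OktaPolicy)` followed by `if !ok { return nil, fmt.Errorf("unexpected policy type %T", p.GetActualInstance()) }`. In frameworkOIEOnlyFeatureError, `string(name[5:])` slices unconditionally (presumably to drop an `okta_` prefix) and panics for a name shorter than five bytes, and the `string(...)` wrapper around a string slice is redundant; `strings.TrimPrefix(name, "okta_")` expresses the intent safely, at the cost of a `strings` import. frameworkFindDefaultAccessPolicy returns an empty `okta.ListPolicies200ResponseInner` with a nil error for classic orgs, so a caller cannot tell "classic org, no default policy" from a found policy without re-checking the org type; a doc comment stating that contract, e.g. `// Returns the zero value and nil error on a classic org; callers must check frameworkIsClassicOrg before using the result.`, would at least make it explicit. Also the helper name `framworkFindSystemPolicyByType` is missing an "e", and `_type` as a parameter name departs from Go naming; `policyType` would be conventional.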
1 change: 0 additions & 1 deletion okta/provider.go
Expand Up @@ -257,7 +257,6 @@ func Provider() *schema.Provider {
appSamlAppSettings: resourceAppSamlAppSettings(),
appSecurePasswordStore: resourceAppSecurePasswordStore(),
appSharedCredentials: resourceAppSharedCredentials(),
appSignOnPolicy: resourceAppSignOnPolicy(),
appSignOnPolicyRule: resourceAppSignOnPolicyRule(),
appSwa: resourceAppSwa(),
appThreeField: resourceAppThreeField(),