From fdf4d4ac6acbe620c935251c53369b2c286d8a93 Mon Sep 17 00:00:00 2001
From: Mihaly Gyongyosi
Date: Fri, 12 Jul 2024 16:46:19 +0200
Subject: [PATCH 1/3] First changes
---
 .../resources/grafana/resource_sso_settings.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/internal/resources/grafana/resource_sso_settings.go b/internal/resources/grafana/resource_sso_settings.go
index 8fbc69ae8..ec7715c71 100644
--- a/internal/resources/grafana/resource_sso_settings.go
+++ b/internal/resources/grafana/resource_sso_settings.go
@@ -204,6 +204,16 @@ var oauth2SettingsSchema = &schema.Resource{
 Optional: true,
 Description: "Prevent synchronizing users’ organization roles from your IdP.",
 },
+ "org_mapping": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: "List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.",
+ },
+ "org_attribute_path": {
+ Type: schema.TypeString,
+ Optional: true,
+ Description: `JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.`,
+ },
 "define_allowed_groups": {
 Type: schema.TypeBool,
 Optional: true,
@@ -685,6 +695,7 @@ var validationsByProvider = map[string][]validateFunc{
 ssoValidateNotEmpty("auth_url"),
 ssoValidateNotEmpty("token_url"),
 ssoValidateEmpty("api_url"),
+ ssoValidateEmpty("org_attribute_path"),
 ssoValidateURL("auth_url"),
 ssoValidateURL("token_url"),
 },
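Review bot: `org_mapping` is added as a free-form TypeString with no ValidateFunc, and its description leaves the effect of an omitted Role unstated, even though this field is what assigns organization roles and `*` applies a mapping to every authenticated user. A malformed or over-broad entry is therefore presumably only rejected (or silently accepted) by the Grafana API at apply time, where the operator gets the least context. Stating in the description what Grafana does when Role is omitted, and that `*` combined with Admin grants that role to everyone who can sign in, would make the authorization impact visible to anyone reading the schema or the generated docs. oauth2SettingsSchema begins before this hunk.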
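Review bot: Only `org_attribute_path` is forced empty for azuread here, and likewise for github, gitlab and google in the next hunk, while `org_mapping` stays accepted for all four without any provider check. If org_mapping is also unsupported for these providers, a matching `ssoValidateEmpty("org_mapping"),` belongs next to each new line; if it is deliberately allowed, a short comment saying so would stop the next reader from adding one. The `org_mapping` description in the schema hunk does not restrict providers, so this may well be intentional, but the asymmetry is worth making explicit. validationsByProvider starts before this hunk and continues past it.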
@@ -708,16 +719,19 @@ var validationsByProvider = map[string][]validateFunc{
 ssoValidateEmpty("auth_url"),
 ssoValidateEmpty("token_url"),
 ssoValidateEmpty("api_url"),
+ ssoValidateEmpty("org_attribute_path"),
 },
 "gitlab": {
 ssoValidateEmpty("auth_url"),
 ssoValidateEmpty("token_url"),
 ssoValidateEmpty("api_url"),
+ ssoValidateEmpty("org_attribute_path"),
 },
 "google": {
 ssoValidateEmpty("auth_url"),
 ssoValidateEmpty("token_url"),
 ssoValidateEmpty("api_url"),
+ ssoValidateEmpty("org_attribute_path"),
 },
 "saml": {
 ssoValidateOnlyOneOf("certificate", "certificate_path"),
From 733f1739ce1c7701b6d086990bfef346f782c7eb Mon Sep 17 00:00:00 2001
From: Mihaly Gyongyosi
Date: Wed, 31 Jul 2024 11:06:20 +0200
Subject: [PATCH 2/3] Add tests for validation
---
 .../grafana/resource_sso_settings.go | 2 ++
 .../grafana/resource_sso_settings_test.go | 32 +++++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/internal/resources/grafana/resource_sso_settings.go b/internal/resources/grafana/resource_sso_settings.go
index 42f232000..3b19ba618 100644
--- a/internal/resources/grafana/resource_sso_settings.go
+++ b/internal/resources/grafana/resource_sso_settings.go
@@ -706,6 +706,7 @@ var validationsByProvider = map[string][]validateFunc{
 ssoValidateURL("auth_url"),
 ssoValidateURL("token_url"),
 ssoValidateURL("api_url"),
+ ssoValidateInterdependencyXOR("org_attribute_path", "org_mapping"),
 },
 "okta": {
 ssoValidateNotEmpty("auth_url"),
@@ -714,6 +715,7 @@ var validationsByProvider = map[string][]validateFunc{
 ssoValidateURL("auth_url"),
 ssoValidateURL("token_url"),
 ssoValidateURL("api_url"),
+ ssoValidateInterdependencyXOR("org_attribute_path", "org_mapping"),
 },
 "github": {
 ssoValidateEmpty("auth_url"),
diff --git a/internal/resources/grafana/resource_sso_settings_test.go b/internal/resources/grafana/resource_sso_settings_test.go
index d3370def7..5b5a82f46 100644
--- a/internal/resources/grafana/resource_sso_settings_test.go
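Review bot: The helper name `ssoValidateInterdependencyXOR` reads as "exactly one of the two must be set", but the fixtures added later in this series treat "one configured without the other" as the error, so the rule applied to generic_oauth here (and to okta in the following hunk) appears to be "both or neither"; the helper's body is not on this page, so I can't confirm which reading is right. A one-line comment on each added line would spare readers from opening the helper to find out, e.g. `ssoValidateInterdependencyXOR("org_attribute_path", "org_mapping"), // must be configured together or not at all`. validationsByProvider starts before this hunk and continues past it.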
+++ b/internal/resources/grafana/resource_sso_settings_test.go
@@ -595,4 +595,36 @@ var testConfigsWithValidationErrors = []string{
 token_url = "https://myidp.com/oauth/token"
 }
 }`,
+ // org_attribute_path is not empty for AzureAD
+ `resource "grafana_sso_settings" "azure_sso_settings" {
+ provider_name = "azuread"
+ oauth2_settings {
+ client_id = "client_id"
+ auth_url = "https://login.microsoftonline.com/12345/oauth2/v2.0/authorize"
+ token_url = "https://login.microsoftonline.com/12345/oauth2/v2.0/token"
+ org_attribute_path = "org"
+ }
+ }`,
+ // org_mapping is configured but org_attribute_path is missing for Okta
+ `resource "grafana_sso_settings" "okta_sso_settings" {
+ provider_name = "okta"
+ oauth2_settings {
+ client_id = "client_id"
+ auth_url = "https://tenantid123.okta.com/oauth2/v1/auth"
+ token_url = "https://tenantid123.okta.com/oauth2/v1/token"
+ api_url = "https://tenantid123.okta.com/oauth2/v1/userinfo"
+ org_mapping = "[\"Group A:1:Editor\",\"Group A:2:Admin\"]"
+ }
+ }`,
+ // org_attribute_path is configured but org_mapping is missing for Generic OAuth
+ `resource "grafana_sso_settings" "generic_oauth_sso_settings" {
+ provider_name = "generic_oauth"
+ oauth2_settings {
+ client_id = "client_id"
+ auth_url = "https://tenantid123.okta.com/oauth2/v1/auth"
+ token_url = "https://tenantid123.okta.com/oauth2/v1/token"
+ api_url = "https://tenantid123.okta.com/oauth2/v1/userinfo"
+ org_attribute_path = "groups"
+ }
+ }`,
 }
From cb8e006e61956077ad7f6ce9e889c2a44d825845 Mon Sep 17 00:00:00 2001
From: Mihaly Gyongyosi
Date: Wed, 31 Jul 2024 11:10:39 +0200
Subject: [PATCH 3/3] Regenerate docs
---
 docs/resources/sso_settings.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/resources/sso_settings.md b/docs/resources/sso_settings.md
index e0a72176f..5657ad1f9 100644
--- a/docs/resources/sso_settings.md
+++ b/docs/resources/sso_settings.md
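Review bot: The three new fixtures only establish that some validation error is raised; if the harness that consumes testConfigsWithValidationErrors checks for a non-nil error rather than the message (it is not on this page), a fixture that is invalid for an unrelated reason still passes, so asserting on the expected error text, or at least keeping each fixture minimal so the intended violation is the only one present, would make these cases prove what their comments claim. Separately, the generic_oauth case copies the Okta tenant URLs (`https://tenantid123.okta.com/...`); a neutral host such as the `https://myidp.com/...` used by the preceding fixture would avoid suggesting the two providers share endpoints. The Okta case's `org_mapping` value is also a JSON-style array while the schema on this page describes a comma- or space-separated list; the format is never exercised because the case fails on the missing `org_attribute_path`, but aligning the example with the documented form would avoid misleading future readers. The enclosing slice begins before this hunk.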
@@ -114,6 +114,8 @@ Optional:
 - `login_attribute_path` (String) JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
 - `name` (String) Helpful if you use more than one identity providers or SSO protocols.
 - `name_attribute_path` (String) JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
+- `org_attribute_path` (String) JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
+- `org_mapping` (String) List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
 - `role_attribute_path` (String) JMESPath expression to use for Grafana role lookup.
 - `role_attribute_strict` (Boolean) If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
 - `scopes` (String) List of comma- or space-separated OAuth2 scopes.