From 0040774524c64ad4be567ba151e3684f87c95a2c Mon Sep 17 00:00:00 2001 From: mo-auto <54212639+mo-auto@users.noreply.github.com> Date: Wed, 27 Sep 2023 12:06:54 +0000 Subject: [PATCH] fix(terraform-provider-jans): update terraform provider Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com> --- CHANGELOG.md | 20 ++++++++++++++ docs/resources/app_configuration.md | 6 +++++ docs/resources/oidc_client.md | 1 + docs/resources/scope.md | 1 + jans/app_configuration.go | 7 ++++- jans/attributes.go | 12 ++++----- jans/oidc_client.go | 1 + provider/resource_app_configuration.go | 37 ++++++++++++++++++++++---- provider/resource_oidc_client.go | 5 ++++ provider/resource_script.go | 33 ++++++++++++++++++----- 10 files changed, 105 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b2a0de9..e2851e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,25 @@ # Changelog +## [0.8.0](https://github.com/JanssenProject/terraform-provider-jans/compare/v0.7.3...v0.8.0) (2023-09-27) + + +### Features + +* fixed app configuration, OIDC client, and attribute type to match latest API + + +### Bug Fixes + +* added new attributes to app config, client, custom scripts to match latest API version + +## [0.7.4](https://github.com/JanssenProject/terraform-provider-jans/compare/v0.7.4...v0.7.4) (2023-09-28) + + +### Bug Fixes + +* fixed app configuration, OIDC client, and attribute type to match latest API + + ## [0.7.3](https://github.com/JanssenProject/terraform-provider-jans/compare/v0.7.2...v0.7.3) (2023-07-28) diff --git a/docs/resources/app_configuration.md b/docs/resources/app_configuration.md index cd4c89b..80009c7 100644 --- a/docs/resources/app_configuration.md +++ b/docs/resources/app_configuration.md @@ -39,6 +39,9 @@ resource "jans_app_configuration" "global" { - `authentication_filters` (Block List) List of authentication filters. (see [below for nested schema](#nestedblock--authentication_filters)) - `authentication_filters_enabled` (Boolean) Boolean value specifying whether to enable user authentication filters. - `authentication_protection_configuration` (Block List, Max: 1) Authentication Brute Force Protection Configuration. (see [below for nested schema](#nestedblock--authentication_protection_configuration)) +- `authorization_challenge_default_acr` (String) Default ACR for authorization challenge. +- `authorization_challenge_endpoint` (String) The authorization challenge endpoint URL. +- `authorization_challenge_should_generate_session` (Boolean) Boolean value specifying whether to generate session for authorization challenge. - `authorization_code_lifetime` (Number) The lifetime of the Authorization Code. - `authorization_encryption_alg_values_supported` (List of String) A list of the authorization encryption algorithms supported. - `authorization_encryption_enc_values_supported` (List of String) A list of the authorization encryption algorithms supported. @@ -84,8 +87,10 @@ resource "jans_app_configuration" "global" { - `css_location` (String) The location for CSS files. - `custom_headers_with_authorization_response` (Boolean) Boolean value specifying whether to enable Custom Response Header parameter to return custom headers with the Authorization Response. - `date_formatter_patterns` (Map of String) Data formatter patterns. +- `dcr_attestation_evidence_required` (Boolean) Boolean value indicating if DCR attestation evidence is required. - `dcr_authorization_with_client_credentials` (Boolean) Boolean value indicating if DCR authorization to be performed using client credentials. - `dcr_authorization_with_mtls` (Boolean) Boolean value indicating if DCR authorization allowed with MTLS. +- `dcr_forbid_expiration_time_in_request` (Boolean) Boolean value to specify if the expiration time should be forbidden in DCR request. - `dcr_signature_validation_enabled` (Boolean) Boolean value enables DCR signature validation. Default is false. - `dcr_signature_validation_jwks` (String) Specifies JWKS for all DCR's validations. - `dcr_signature_validation_jwks_uri` (String) Specifies JWKS URI for all DCR's validations. @@ -208,6 +213,7 @@ resource "jans_app_configuration" "global" { - `logging_level` (String) Logging level for jans-auth logger. - `metric_reporter_interval` (Number) The interval for metric reporter in seconds. - `metric_reporter_keep_data_days` (Number) The days to keep metric reported data. +- `mtls_authorization_challenge_endpoint` (String) URL for Mutual TLS Client Authentication and Certificate-Bound Access Tokens (MTLS) Challenge Endpoint. - `mtls_authorization_endpoint` (String) URL for Mutual TLS Client Authentication and Certificate-Bound Access Tokens (MTLS) Endpoint. Example: 'https://server.example.com/jans-auth/restv1/mtls' - `mtls_check_session_iframe` (String) URL for MTLS IFrame that supports cross-origin communications for session state information with the RP diff --git a/docs/resources/oidc_client.md b/docs/resources/oidc_client.md index b067d45..d6b58d0 100644 --- a/docs/resources/oidc_client.md +++ b/docs/resources/oidc_client.md @@ -140,6 +140,7 @@ Optional: - `backchannel_logout_uri` (List of String) List of RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. - `consent_gathering_scripts` (List of String) List of consent gathering scripts. - `dpop_bound_access_token` (Boolean) boolean value to indicate if DPoP bound access token is required. +- `evidence` (String) Specifies the evidence that the client presents to the authorization server. - `id_token_lifetime` (Number) Specifies the Client-specific ID Token expiration. - `introspection_scripts` (List of String) List of introspection scripts. - `jans_auth_enc_resp_alg` (String) JWE alg algorithm JWA required for encrypting authorization responses. diff --git a/docs/resources/scope.md b/docs/resources/scope.md index ee3702e..8ea2b02 100644 --- a/docs/resources/scope.md +++ b/docs/resources/scope.md @@ -199,6 +199,7 @@ Optional: - `backchannel_logout_uri` (List of String) List of RP URL that will cause the RP to log itself out when sent a Logout Token by the OP. - `consent_gathering_scripts` (List of String) List of consent gathering scripts. - `dpop_bound_access_token` (Boolean) boolean value to indicate if DPoP bound access token is required. +- `evidence` (String) Specifies the evidence that the client presents to the authorization server. - `id_token_lifetime` (Number) Specifies the Client-specific ID Token expiration. - `introspection_scripts` (List of String) List of introspection scripts. - `jans_auth_enc_resp_alg` (String) JWE alg algorithm JWA required for encrypting authorization responses. diff --git a/jans/app_configuration.go b/jans/app_configuration.go index c5306e2..a971bd4 100644 --- a/jans/app_configuration.go +++ b/jans/app_configuration.go @@ -106,6 +106,7 @@ type AppConfiguration struct { Issuer string `schema:"issuer" json:"issuer"` BaseEndpoint string `schema:"base_endpoint" json:"baseEndpoint"` AuthorizationEndpoint string `schema:"authorization_endpoint" json:"authorizationEndpoint"` + AuthorizationChallengeEndpoint string `schema:"authorization_challenge_endpoint" json:"authorizationChallengeEndpoint"` TokenEndpoint string `schema:"token_endpoint" json:"tokenEndpoint"` TokenRevocationEndpoint string `schema:"token_revocation_endpoint" json:"tokenRevocationEndpoint"` UserInfoEndpoint string `schema:"userinfo_endpoint" json:"userInfoEndpoint"` @@ -122,6 +123,7 @@ type AppConfiguration struct { RequirePar bool `schema:"require_par" json:"requirePar"` DeviceAuthzEndpoint string `schema:"device_authz_endpoint" json:"deviceAuthzEndpoint"` MtlsAuthorizationEndpoint string `schema:"mtls_authorization_endpoint" json:"mtlsAuthorizationEndpoint"` + MtlsAuthorizationChallengeEndpoint string `schema:"mtls_authorization_challenge_endpoint" json:"mtlsAuthorizationChallengeEndpoint"` MtlsTokenEndpoint string `schema:"mtls_token_endpoint" json:"mtlsTokenEndpoint"` MtlsTokenRevocationEndpoint string `schema:"mtls_token_revocation_endpoint" json:"mtlsTokenRevocationEndpoint"` MtlsUserInfoEndpoint string `schema:"mtls_user_info_endpoint" json:"mtlsUserInfoEndpoint"` @@ -309,6 +311,7 @@ type AppConfiguration struct { DcrSignatureValidationJwksUri string `schema:"dcr_signature_validation_jwks_uri" json:"dcrSignatureValidationJwksUri"` DcrAuthorizationWithClientCredentials bool `schema:"dcr_authorization_with_client_credentials" json:"dcrAuthorizationWithClientCredentials"` DcrAuthorizationWithMTLS bool `schema:"dcr_authorization_with_mtls" json:"dcrAuthorizationWithMTLS"` + DcrAttestationEvidenceRequired bool `schema:"dcr_attestation_evidence_required" json:"dcrAttestationEvidenceRequired"` TrustedSSAIssuers []TrustedIssuerConfig `schema:"trusted_ssa_issuers" json:"trustedSsaIssuers"` UseLocalCache bool `schema:"use_local_cache" json:"useLocalCache"` FapiCompatibility bool `schema:"fapi_compatibility" json:"fapiCompatibility"` @@ -368,11 +371,13 @@ type AppConfiguration struct { DcrSsaValidationConfigs []SsaValidationConfig `schema:"dcr_ssa_validation_configs" json:"dcrSsaValidationConfigs"` SsaConfiguration SsaConfiguration `schema:"ssa_configuration" json:"ssaConfiguration"` BlockWebviewAuthorizationEnabled bool `schema:"block_webview_authorization_enabled" json:"blockWebviewAuthorizationEnabled"` + AuthorizationChallengeDefaultAcr string `schema:"authorization_challenge_default_acr" json:"authorizationChallengeDefaultAcr"` + AuthorizationChallengeShouldGenerateSession bool `schema:"authorization_challenge_should_generate_session" json:"authorizationChallengeShouldGenerateSession"` DateFormatterPatterns map[string]string `schema:"date_formatter_patterns" json:"dateFormatterPatterns"` AllResponseTypesSupported []string `schema:"all_response_types_supported" json:"allResponseTypesSupported"` HttpLoggingResponseBodyContent bool `schema:"http_logging_response_body_content" json:"httpLoggingResponseBodyContent"` - SkipAuthenticationFilterOptionsMethod bool `schema:"skip_authentication_filter_options_method" json:"skipAuthenticationFilterOptionsMethod"` Fapi bool `schema:"fapi" json:"fapi"` + SkipAuthenticationFilterOptionsMethod bool `schema:"skip_authentication_filter_options_method" json:"skipAuthenticationFilterOptionsMethod"` } // GetAppConfiguration returns all Janssen authorization server configuration diff --git a/jans/attributes.go b/jans/attributes.go index f73e260..4bce6a3 100644 --- a/jans/attributes.go +++ b/jans/attributes.go @@ -14,7 +14,7 @@ type AttributeValidation struct { MaxLength int `schema:"max_length" json:"maxLength,omitempty"` } -// Attribute represents a single Gluu attribute. +// Attribute represents a single Jans attribute. type Attribute struct { Dn string `schema:"dn" json:"dn,omitempty"` Selected bool `schema:"selected" json:"selected,omitempty"` @@ -52,7 +52,7 @@ type Attribute struct { BaseDn string `schema:"base_dn" json:"baseDn,omitempty"` } -// GetAttributes returns a list of all Gluu attributes currently configured +// GetAttributes returns a list of all Jans attributes currently configured // in the server. func (c *Client) GetAttributes(ctx context.Context) ([]Attribute, error) { @@ -76,7 +76,7 @@ func (c *Client) GetAttributes(ctx context.Context) ([]Attribute, error) { return resp.Data, nil } -// GetAttribute returns a single attribute, identified by its inum. +// GetAttribute returns a single Jans attribute, identified by its inum. func (c *Client) GetAttribute(ctx context.Context, inum string) (*Attribute, error) { if inum == "" { @@ -98,7 +98,7 @@ func (c *Client) GetAttribute(ctx context.Context, inum string) (*Attribute, err return ret, nil } -// CreateAttribute creates a new attribute. +// CreateAttribute creates a new Jans attribute. func (c *Client) CreateAttribute(ctx context.Context, attr *Attribute) (*Attribute, error) { if attr == nil { @@ -119,7 +119,7 @@ func (c *Client) CreateAttribute(ctx context.Context, attr *Attribute) (*Attribu return ret, nil } -// UpdateAttribute updates an existing attribute. +// UpdateAttribute updates an existing Jans attribute. func (c *Client) UpdateAttribute(ctx context.Context, attr *Attribute) (*Attribute, error) { if attr == nil { @@ -142,7 +142,7 @@ func (c *Client) UpdateAttribute(ctx context.Context, attr *Attribute) (*Attribu return ret, nil } -// DeleteAttribute deletes the attribute with the given inum. +// DeleteAttribute deletes the Jans attribute with the given inum. func (c *Client) DeleteAttribute(ctx context.Context, inum string) error { if inum == "" { diff --git a/jans/oidc_client.go b/jans/oidc_client.go index 2a42905..782d2ec 100644 --- a/jans/oidc_client.go +++ b/jans/oidc_client.go @@ -39,6 +39,7 @@ type OidcClientAttribute struct { AdditionalTokenEndpointAuthMethods []string `schema:"additional_token_endpoint_auth_methods" json:"additionalTokenEndpointAuthMethods,omitempty"` MinimumAcrPriorityList []string `schema:"minimum_acr_priority_list" json:"minimumAcrPriorityList,omitempty"` RequestedLifetime int `schema:"requested_lifetime" json:"requestedLifetime,omitempty"` + Evidence string `schema:"evidence" json:"evidence,omitempty"` } // OidcClient is the definition of an OpenId Connect Client. diff --git a/provider/resource_app_configuration.go b/provider/resource_app_configuration.go index 2735437..7534366 100644 --- a/provider/resource_app_configuration.go +++ b/provider/resource_app_configuration.go @@ -171,6 +171,12 @@ func resourceAppConfiguration() *schema.Resource { Description: "The authorization endpoint URL. Example: https://server.example.com/restv1/authorize", ValidateDiagFunc: validateURL, }, + "authorization_challenge_endpoint": { + Type: schema.TypeString, + Optional: true, + Description: "The authorization challenge endpoint URL.", + ValidateDiagFunc: validateURL, + }, "token_endpoint": { Type: schema.TypeString, Optional: true, @@ -267,6 +273,12 @@ func resourceAppConfiguration() *schema.Resource { Example: 'https://server.example.com/jans-auth/restv1/mtls'`, ValidateDiagFunc: validateURL, }, + "mtls_authorization_challenge_endpoint": { + Type: schema.TypeString, + Optional: true, + Description: `URL for Mutual TLS Client Authentication and Certificate-Bound Access Tokens (MTLS) Challenge Endpoint.`, + ValidateDiagFunc: validateURL, + }, "mtls_token_endpoint": { Type: schema.TypeString, Optional: true, @@ -1587,6 +1599,11 @@ func resourceAppConfiguration() *schema.Resource { Optional: true, Description: "Boolean value indicating if DCR authorization allowed with MTLS.", }, + "dcr_attestation_evidence_required": { + Type: schema.TypeBool, + Optional: true, + Description: "Boolean value indicating if DCR attestation evidence is required.", + }, "trusted_ssa_issuers": { Type: schema.TypeList, Optional: true, @@ -2052,6 +2069,16 @@ func resourceAppConfiguration() *schema.Resource { Optional: true, Description: "Boolean value specifying whether to block webview authorization.", }, + "authorization_challenge_default_acr": { + Type: schema.TypeString, + Optional: true, + Description: "Default ACR for authorization challenge.", + }, + "authorization_challenge_should_generate_session": { + Type: schema.TypeBool, + Optional: true, + Description: "Boolean value specifying whether to generate session for authorization challenge.", + }, "date_formatter_patterns": { Type: schema.TypeMap, Optional: true, @@ -2070,6 +2097,11 @@ func resourceAppConfiguration() *schema.Resource { Optional: true, Description: "Boolean value specifying whether to skip authentication filter for options method calls.", }, + "fapi": { + Type: schema.TypeBool, + Optional: true, + Description: "Boolean value specifying whether to enable FAPI.", + }, "all_response_types_supported": { Type: schema.TypeList, Optional: true, @@ -2084,11 +2116,6 @@ func resourceAppConfiguration() *schema.Resource { }, }, }, - "fapi": { - Type: schema.TypeBool, - Optional: true, - Description: "Boolean value specifying whether to enable FAPI.", - }, }, Importer: &schema.ResourceImporter{ StateContext: schema.ImportStatePassthroughContext, diff --git a/provider/resource_oidc_client.go b/provider/resource_oidc_client.go index f5ec646..83b8572 100644 --- a/provider/resource_oidc_client.go +++ b/provider/resource_oidc_client.go @@ -692,6 +692,11 @@ func resourceOidcClient() *schema.Resource { Optional: true, Description: "List of requested lifetime.", }, + "evidence": { + Type: schema.TypeString, + Optional: true, + Description: "Specifies the evidence that the client presents to the authorization server.", + }, }, }, }, diff --git a/provider/resource_script.go b/provider/resource_script.go index f2bd04a..568187b 100644 --- a/provider/resource_script.go +++ b/provider/resource_script.go @@ -65,12 +65,33 @@ func resourceScript() *schema.Resource { ValidateDiagFunc: func(v interface{}, p cty.Path) diag.Diagnostics { enums := []string{ - "person_authentication", "introspection", "resource_owner_password_credentials", - "application_session", "cache_refresh", "client_registration", "id_generator", - "uma_rpt_policy", "uma_rpt_claims", "uma_claims_gathering", "consent_gathering", - "dynamic_scope", "spontaneous_scope", "end_session", "post_authn", "select_account", - "scim", "ciba_end_user_notification", "revoke_token", "persistence_extension", - "idp", "discovery", "update_token", "config_api", + "person_authentication", + "authorization_challenge", + "introspection", + "resource_owner_password_credentials", + "application_session", + "cache_refresh", + "client_registration", + "id_generator", + "uma_rpt_policy", + "uma_rpt_claims", + "uma_claims_gathering", + "consent_gathering", + "dynamic_scope", + "spontaneous_scope", + "end_session", + "post_authn", + "select_account", + "scim", + "ciba_end_user_notification", + "revoke_token", + "persistence_extension", + "idp", + "discovery", + "update_token", + "config_api_auth", + "modify_ssa_response", + "fido2_extension", } return validateEnum(v, enums) },