From 0d6801f88eb0c7f1112d7952e218ee3d26aa90ee Mon Sep 17 00:00:00 2001
From: MinUk Song
Date: Mon, 15 Jan 2024 16:24:16 +0900
Subject: [PATCH] fix: Mask user password and Fix oidc auth mapping

---
 .../bluechip_account/data-source.tf | 2 +-
 .../data-sources/bluechip_cidr/data-source.tf | 2 +-
 .../bluechip_cidrs/data-source.tf | 6 +--
 .../bluechip_cluster/data-source.tf | 2 +-
 .../bluechip_image/data-source.tf | 2 +-
 .../bluechip_images/data-source.tf | 4 +-
 .../bluechip_rolebinding/data-source.tf | 2 +-
 .../bluechip_rolebindings/data-source.tf | 2 +-
 .../resources/bluechip_account/resource.tf | 12 +++---
 examples/resources/bluechip_cidr/resource.tf | 2 +-
 .../resources/bluechip_cluster/resource.tf | 22 +++++-----
 examples/resources/bluechip_image/resource.tf | 12 +++---
 .../resources/bluechip_oidcauth/resource.tf | 32 +++++++++++---
 .../bluechip_rolebinding/resource.tf | 2 +-
 examples/resources/bluechip_user/resource.tf | 2 +-
 .../resources/bluechip_vendor/resource.tf | 6 +--
 internal/services/oidcauths/resource_test.go | 20 +++++++++
 internal/services/oidcauths/type.go | 43 +++++++++++++------
 internal/services/users/type.go | 2 +-
 .../bluechip_models/resources.go | 5 ++-
 20 files changed, 120 insertions(+), 62 deletions(-)

diff --git a/examples/data-sources/bluechip_account/data-source.tf b/examples/data-sources/bluechip_account/data-source.tf
index 288da71..b302aa7 100644
--- a/examples/data-sources/bluechip_account/data-source.tf
+++ b/examples/data-sources/bluechip_account/data-source.tf
@@ -1,6 +1,6 @@
 data "bluechip_account" "current" {
 metadata {
- name = "test2"
+ name = "test2"
 namespace = "default"
 }
 }
diff --git a/examples/data-sources/bluechip_cidr/data-source.tf b/examples/data-sources/bluechip_cidr/data-source.tf
index c1dfed0..f32501e 100644
--- a/examples/data-sources/bluechip_cidr/data-source.tf
+++ b/examples/data-sources/bluechip_cidr/data-source.tf
@@ -1,6 +1,6 @@
 data "bluechip_cidr" "current" {
 metadata {
- name = "my-test"
+ name = "my-test"
 namespace = "default"
 }
 }
diff --git a/examples/data-sources/bluechip_cidrs/data-source.tf b/examples/data-sources/bluechip_cidrs/data-source.tf
index 02fb383..83275fb 100644
--- a/examples/data-sources/bluechip_cidrs/data-source.tf
+++ b/examples/data-sources/bluechip_cidrs/data-source.tf
@@ -2,7 +2,7 @@ resource "bluechip_cidr" "c1" {
 metadata {
 name = "cidr1"
 namespace = "default"
- labels = {
+ labels = {
 "foo" = "bar"
 }
 annotations = {
@@ -19,11 +19,11 @@ resource "bluechip_cidr" "c2" {
 metadata {
 name = "cidr2"
 namespace = "default"
- labels = {
+ labels = {
 "foo" = "bar"
 }
 annotations = {
- "office" = "true"
+ "office" = "true"
 "bluechip.example.com/location" = "tokyo"
 }
 }
diff --git a/examples/data-sources/bluechip_cluster/data-source.tf b/examples/data-sources/bluechip_cluster/data-source.tf
index aa58d44..d19a842 100644
--- a/examples/data-sources/bluechip_cluster/data-source.tf
+++ b/examples/data-sources/bluechip_cluster/data-source.tf
@@ -1,6 +1,6 @@
 data "bluechip_cluster" "current" {
 metadata {
- name = "test"
+ name = "test"
 namespace = "default"
 }
 }
diff --git a/examples/data-sources/bluechip_image/data-source.tf b/examples/data-sources/bluechip_image/data-source.tf
index c9cde84..db893d6 100644
--- a/examples/data-sources/bluechip_image/data-source.tf
+++ b/examples/data-sources/bluechip_image/data-source.tf
@@ -1,6 +1,6 @@
 data "bluechip_image" "current" {
 metadata {
- name = "my-test"
+ name = "my-test"
 namespace = "default"
 }
 }
diff --git a/examples/data-sources/bluechip_images/data-source.tf b/examples/data-sources/bluechip_images/data-source.tf
index a249a3b..e7a1ad1 100644
--- a/examples/data-sources/bluechip_images/data-source.tf
+++ b/examples/data-sources/bluechip_images/data-source.tf
@@ -1,8 +1,8 @@
 data "bluechip_images" "current" {
 filter {
 operator = "equals"
- field = "spec.commitHash"
- value = "6874ece755439b5b3473b5b910fb4938751d6689"
+ field = "spec.commitHash"
+ value = "6874ece755439b5b3473b5b910fb4938751d6689"
 }
 namespace = "pubg"
 }
diff --git a/examples/data-sources/bluechip_rolebinding/data-source.tf b/examples/data-sources/bluechip_rolebinding/data-source.tf
index 0f0b27b..77de467 100644
--- a/examples/data-sources/bluechip_rolebinding/data-source.tf
+++ b/examples/data-sources/bluechip_rolebinding/data-source.tf
@@ -1,6 +1,6 @@
 data "bluechip_rolebinding" "current" {
 metadata {
- name = "my-test"
+ name = "my-test"
 namespace = "default"
 }
 }
diff --git a/examples/data-sources/bluechip_rolebindings/data-source.tf b/examples/data-sources/bluechip_rolebindings/data-source.tf
index ed03147..d48cd2b 100644
--- a/examples/data-sources/bluechip_rolebindings/data-source.tf
+++ b/examples/data-sources/bluechip_rolebindings/data-source.tf
@@ -2,7 +2,7 @@ data "bluechip_rolebindings" "current" {
 filter {
 operator = "equals"
 key = "metadata.name"
- value = ""
+ value = ""
 }
 namespace = "pubg"
 }
diff --git a/examples/resources/bluechip_account/resource.tf b/examples/resources/bluechip_account/resource.tf
index e74eb7e..179f5aa 100644
--- a/examples/resources/bluechip_account/resource.tf
+++ b/examples/resources/bluechip_account/resource.tf
@@ -1,14 +1,14 @@
 resource "bluechip_account" "current" {
 metadata {
- name = "test2"
+ name = "test2"
 namespace = "default"
 }
 spec {
- account_id = "12398213"
+ account_id = "12398213"
 display_name = "test"
- description = "test"
- alias = "test"
- vendor = "AWS"
- regions = ["test"]
+ description = "test"
+ alias = "test"
+ vendor = "AWS"
+ regions = ["test"]
 }
 }
diff --git a/examples/resources/bluechip_cidr/resource.tf b/examples/resources/bluechip_cidr/resource.tf
index 6f92ece..73cfd7f 100644
--- a/examples/resources/bluechip_cidr/resource.tf
+++ b/examples/resources/bluechip_cidr/resource.tf
@@ -1,6 +1,6 @@
 resource "bluechip_cidr" "current" {
 metadata {
- name = "my-test"
+ name = "my-test"
 namespace = "default"
 }
 spec {
diff --git a/examples/resources/bluechip_cluster/resource.tf b/examples/resources/bluechip_cluster/resource.tf
index 5639414..eebd1ca 100644
--- a/examples/resources/bluechip_cluster/resource.tf
+++ b/examples/resources/bluechip_cluster/resource.tf
@@ -1,28 +1,28 @@
 resource "bluechip_cluster" "current" {
 metadata {
- name = "test"
+ name = "test"
 namespace = "default"
 }
 spec {
- project = "pubg"
- environment = "dev"
+ project = "pubg"
+ environment = "dev"
 organization_unit = "devops"
- platform = "pc"
+ platform = "pc"
 pubg {
 infra = "common"
- site = "devops"
+ site = "devops"
 }
 vendor {
- name = "AWS"
+ name = "AWS"
 account_id = "12398213"
- engine = "EKS"
- region = "ap-northeast-2"
+ engine = "EKS"
+ region = "ap-northeast-2"
 }
 kubernetes {
- endpoint = "https://api.devops.dev.pubg.com"
- ca_cert = "-----BEGIN CERTIFI"
+ endpoint = "https://api.devops.dev.pubg.com"
+ ca_cert = "-----BEGIN CERTIFI"
 sa_issuer = "https://login.microsoftonline.com/1a27bdbf-e6cc-4e33-85d2-e1c81bad930a/v2.0"
- version = "1.28"
+ version = "1.28"
 }
 }
 }
diff --git a/examples/resources/bluechip_image/resource.tf b/examples/resources/bluechip_image/resource.tf
index e1e2e7b..e54dcba 100644
--- a/examples/resources/bluechip_image/resource.tf
+++ b/examples/resources/bluechip_image/resource.tf
@@ -1,14 +1,14 @@
 resource "bluechip_image" "current" {
 metadata {
- name = "my-test"
+ name = "my-test"
 namespace = "default"
 }
 spec {
- app = "my-test"
- timestamp = 1398329823
+ app = "my-test"
+ timestamp = 1398329823
 commit_hash = "1234567890"
- repository = "test"
- tag = "test"
- branch = "test"
+ repository = "test"
+ tag = "test"
+ branch = "test"
 }
 }
diff --git a/examples/resources/bluechip_oidcauth/resource.tf b/examples/resources/bluechip_oidcauth/resource.tf
index 326542c..ef1e10f 100644
--- a/examples/resources/bluechip_oidcauth/resource.tf
+++ b/examples/resources/bluechip_oidcauth/resource.tf
@@ -3,12 +3,32 @@ resource "bluechip_oidcauth" "current" {
 name = "my-test"
 }
 spec {
- username_claim= "sub"
- username_prefix= "string"
- issuer = "https://accounts.google.com/"
- client_id = "string"
+ username_claim = "sub"
+ username_prefix = "string"
+ issuer = "https://accounts.google.com/"
+ client_id = "string"
 required_claims = ["string"]
- groups_claim = "string"
- groups_prefix = "string"
+ groups_claim = "string"
+ groups_prefix = "string"
+ attribute_mapping {
+ from = "namespace_path"
+ from_path_resolver = "bare"
+ to = "namespace_path"
+ }
+ attribute_mapping {
+ from = "project_path"
+ from_path_resolver = "bare"
+ to = "project_path"
+ }
+ attribute_mapping {
+ from = "pipeline_source"
+ from_path_resolver = "bare"
+ to = "pipeline_source"
+ }
+ attribute_mapping {
+ from = "ref_path"
+ from_path_resolver = "bare"
+ to = "ref_path"
+ }
 }
 }
diff --git a/examples/resources/bluechip_rolebinding/resource.tf b/examples/resources/bluechip_rolebinding/resource.tf
index 7b6bd3f..35682a3 100644
--- a/examples/resources/bluechip_rolebinding/resource.tf
+++ b/examples/resources/bluechip_rolebinding/resource.tf
@@ -1,6 +1,6 @@
 resource "bluechip_rolebinding" "current" {
 metadata {
- name = "my-test"
+ name = "my-test"
 namespace = "default"
 }
 spec {
diff --git a/examples/resources/bluechip_user/resource.tf b/examples/resources/bluechip_user/resource.tf
index 1eb9579..a8b13f1 100644
--- a/examples/resources/bluechip_user/resource.tf
+++ b/examples/resources/bluechip_user/resource.tf
@@ -4,6 +4,6 @@ resource "bluechip_user" "current" {
 }
 spec {
 password = "tetete"
- groups = ["asdf"]
+ groups = ["asdf"]
 }
 }
diff --git a/examples/resources/bluechip_vendor/resource.tf b/examples/resources/bluechip_vendor/resource.tf
index ab3dd8c..815d305 100644
--- a/examples/resources/bluechip_vendor/resource.tf
+++ b/examples/resources/bluechip_vendor/resource.tf
@@ -4,8 +4,8 @@ resource "bluechip_vendor" "current" {
 }
 spec {
 display_name = "asdf"
- code_name = "AWS"
- short_name = "aws"
- regions = ["asdf"]
+ code_name = "AWS"
+ short_name = "aws"
+ regions = ["asdf"]
 }
 }
diff --git a/internal/services/oidcauths/resource_test.go b/internal/services/oidcauths/resource_test.go
index 2f0545a..954a959 100644
--- a/internal/services/oidcauths/resource_test.go
+++ b/internal/services/oidcauths/resource_test.go
@@ -40,6 +40,26 @@ resource "bluechip_oidcauth" "current" {
 required_claims = ["string"]
 groups_claim = "string"
 groups_prefix = "string"
+ attribute_mapping {
+ from = "namespace_path"
+ from_path_resolver = "bare"
+ to = "namespace_path"
+ }
+ attribute_mapping {
+ from = "project_path"
+ from_path_resolver = "bare"
+ to = "project_path"
+ }
+ attribute_mapping {
+ from = "pipeline_source"
+ from_path_resolver = "bare"
+ to = "pipeline_source"
+ }
+ attribute_mapping {
+ from = "ref_path"
+ from_path_resolver = "bare"
+ to = "ref_path"
+ }
 }
 }
 `
diff --git a/internal/services/oidcauths/type.go b/internal/services/oidcauths/type.go
index d2f9fe2..9038ace 100644
--- a/internal/services/oidcauths/type.go
+++ b/internal/services/oidcauths/type.go
@@ -65,6 +65,11 @@ func (t SpecType) Schema() *schema.Schema {
 Required: !t.Computed,
 Computed: t.Computed,
 },
+ "from_path_resolver": {
+ Type: schema.TypeString,
+ Optional: !t.Computed,
+ Computed: t.Computed,
+ },
 "to": {
 Type: schema.TypeString,
 Required: !t.Computed,
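Review bot: Every added attribute_mapping block in the test config sets `from_path_resolver = "bare"`, so the optional case — a mapping that omits `from_path_resolver` — is never exercised, although that is exactly the branch the new Expand and Flatten code treats specially. Adding one block without `from_path_resolver` would cover it. Whether the surrounding test asserts the state value of `spec.0.attribute_mapping.*.from_path_resolver` (for example with `resource.TestCheckResourceAttr`) is not visible in this hunk, and the raw-string config continues outside it.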
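Review bot: `from_path_resolver` is accepted as any free-form string: the new schema entry has no `ValidateFunc` and no `Description`, so a typo such as "bar" for "bare" passes plan and is only rejected, if at all, by the server. Because this field decides how the `from` claim is resolved before it is mapped onto attributes such as `namespace_path` that other parts of the system presumably authorize on, a silently-wrong value changes which claim is trusted, which is worth catching client-side. If the SDK's helper/validation package is available in this module, add `ValidateFunc: validation.StringInSlice([]string{"bare" /* …other server-accepted resolver names… */}, false)` (only "bare" is visible on this page) plus a `Description` stating that the field is optional and omitted from the request when empty. Schema's body starts and ends outside the hunk.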
@@ -98,12 +103,15 @@ func (t SpecType) Expand(ctx context.Context, d *schema.ResourceData, out *bluec
 out.GroupsPrefix = fwtype.String(attr["groups_prefix"].(string))
 }
 if attr["attribute_mapping"] != nil {
- rawAttributeMappings := fwflex.ExpandMapList(attr["attribute_mapping"].([]any))
- for _, rawAttributeMapping := range rawAttributeMappings {
- out.AttributeMapping = append(out.AttributeMapping, bluechip_models.AttributeMapping{
+ for _, rawAttributeMapping := range fwflex.ExpandMapList(attr["attribute_mapping"].([]any)) {
+ mapping := bluechip_models.AttributeMapping{
 From: rawAttributeMapping["from"].(string),
 To: rawAttributeMapping["to"].(string),
- })
+ }
+ if rawAttributeMapping["from_path_resolver"] != nil {
+ mapping.FromPathResolver = rawAttributeMapping["from_path_resolver"].(string)
+ }
+ out.AttributeMapping = append(out.AttributeMapping, mapping)
 }
 }
 return nil
@@ -111,15 +119,24 @@ func (t SpecType) Expand(ctx context.Context, d *schema.ResourceData, out *bluec
 
 func (t SpecType) Flatten(in bluechip_models.OidcAuthSpec) map[string]any {
 attr := map[string]any{
- "username_claim": in.UsernameClaim,
- "username_prefix": in.UsernamePrefix,
- "issuer": in.Issuer,
- "client_id": in.ClientId,
- "required_claims": in.RequiredClaims,
- "groups_claim": in.GroupsClaim,
- "groups_prefix": in.GroupsPrefix,
- "attribute_mapping": in.AttributeMapping,
+ "username_claim": in.UsernameClaim,
+ "username_prefix": in.UsernamePrefix,
+ "issuer": in.Issuer,
+ "client_id": in.ClientId,
+ "required_claims": in.RequiredClaims,
+ "groups_claim": in.GroupsClaim,
+ "groups_prefix": in.GroupsPrefix,
+ }
+ if len(in.AttributeMapping) > 0 {
+ var attributeMapping []map[string]any
+ for _, mapping := range in.AttributeMapping {
+ attributeMapping = append(attributeMapping, map[string]any{
+ "from": mapping.From,
+ "from_path_resolver": mapping.FromPathResolver,
+ "to": mapping.To,
+ })
+ }
+ attr["attribute_mapping"] = attributeMapping
 }
-
 return attr
 }
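Review bot: The new nil check on `rawAttributeMapping["from_path_resolver"]` is still followed by an unchecked `.(string)` assertion, and `from`/`to` are asserted with no check at all, so anything other than a string in that map would panic the provider rather than surface as an error. The schema declares all three as TypeString, so this is a style point today, but the two-value form keeps that guarantee local and subsumes the nil test: `if v, ok := rawAttributeMapping["from_path_resolver"].(string); ok { mapping.FromPathResolver = v }`. Expand's signature and the first part of its body lie outside the hunk.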
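Review bot: Flatten now writes `attr["attribute_mapping"]` only when the API returns at least one mapping, so when all mappings have been removed the key is absent from the returned map; whether the caller's `d.Set` then clears the previously stored list or leaves stale mappings in state depends on code outside this hunk and should be confirmed. Building the slice unconditionally avoids the question and sizes it once: replace the `len` guard and the `var` with `attributeMapping := make([]map[string]any, 0, len(in.AttributeMapping))`, keep the loop, and assign `attr["attribute_mapping"] = attributeMapping` after it. The second hunk opens on the blank line before Flatten's signature and closes on its final brace, so the function is complete here.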
diff --git a/internal/services/users/type.go b/internal/services/users/type.go
index f2f83fd..2164e4a 100644
--- a/internal/services/users/type.go
+++ b/internal/services/users/type.go
@@ -52,7 +52,7 @@ func (t SpecType) Expand(ctx context.Context, d *schema.ResourceData, out *bluec
 
 func (t SpecType) Flatten(in bluechip_models.UserSpec) map[string]any {
 attr := map[string]any{
- "password": in.Password,
+ //"password": in.Password,
 "groups": in.Groups,
 "attributes": in.Attributes,
 }
diff --git a/pkg/bluechip_client/bluechip_models/resources.go b/pkg/bluechip_client/bluechip_models/resources.go
index f95e9f4..18761d7 100644
--- a/pkg/bluechip_client/bluechip_models/resources.go
+++ b/pkg/bluechip_client/bluechip_models/resources.go
@@ -177,8 +177,9 @@ type OidcAuthSpec struct {
 }
 
 type AttributeMapping struct {
- From string `json:"from"`
- To string `json:"to"`
+ From string `json:"from"`
+ FromPathResolver string `json:"fromPathResolver,omitempty"`
+ To string `json:"to"`
 }
 
 var _ ClusterApiResource[ClusterRoleBindingSpec] = &ClusterRoleBinding{}
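Review bot: Dropping `"password"` from the flattened map stops the server-returned value from reaching state, but the nested `spec` object is now set with no password entry, which in plugin SDK v2 normally stores the zero value and makes every plan report a change from the configured password to an empty string; confirm this against the schema and the caller of Flatten, neither of which is visible here. If the password is meant to be write-only, the usual pattern is to carry the practitioner's configured value forward (from prior state or `d.Get`) instead of omitting it, and to mark the attribute `Sensitive: true` so plan output redacts it. Also delete the line rather than leaving it commented out, and record the intent in a comment, e.g. `// password is write-only: the server value is never echoed into state`. Flatten's body continues past the end of the hunk.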
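Review bot: The new exported field `FromPathResolver` has no doc comment, and neither does `AttributeMapping`, so a reader of the client package cannot tell what values the field takes or what an empty value means on the wire. Add above the field `// FromPathResolver names the resolver applied to From before the mapping; when empty it is omitted from the request (omitempty) — what the server then defaults to is to be confirmed.` and a one-line comment on the struct describing it as one claim-to-attribute mapping of an OIDC auth spec. The struct is complete within the hunk.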