SSO: Add org_mapping and org_attribute_path to sso_settings resource (#1683)

mgyongyosi · web-flow · commit 6743c635bfd5 · 2024-07-31T08:29:37.000-04:00
* First changes

* Add tests for validation

* Regenerate docs
diff --git a/docs/resources/sso_settings.md b/docs/resources/sso_settings.md
@@ -114,6 +114,8 @@ Optional:
 - `login_attribute_path` (String) JMESPath expression to use for user login lookup from the user ID token. Only applicable to Generic OAuth.
 - `name` (String) Helpful if you use more than one identity providers or SSO protocols.
 - `name_attribute_path` (String) JMESPath expression to use for user name lookup from the user ID token. This name will be used as the user’s display name. Only applicable to Generic OAuth.
+- `org_attribute_path` (String) JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.
+- `org_mapping` (String) List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.
 - `role_attribute_path` (String) JMESPath expression to use for Grafana role lookup.
 - `role_attribute_strict` (Boolean) If enabled, denies user login if the Grafana role cannot be extracted using Role attribute path.
 - `scopes` (String) List of comma- or space-separated OAuth2 scopes.
diff --git a/internal/resources/grafana/resource_sso_settings.go b/internal/resources/grafana/resource_sso_settings.go
@@ -204,6 +204,16 @@ var oauth2SettingsSchema = &schema.Resource{
 			Optional:    true,
 			Description: "Prevent synchronizing users’ organization roles from your IdP.",
 		},
+		"org_mapping": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: "List of comma- or space-separated Organization:OrgIdOrOrgName:Role mappings. Organization can be * meaning “All users”. Role is optional and can have the following values: None, Viewer, Editor or Admin.",
+		},
+		"org_attribute_path": {
+			Type:        schema.TypeString,
+			Optional:    true,
+			Description: `JMESPath expression to use for the organization mapping lookup from the user ID token. The extracted list will be used for the organization mapping (to match "Organization" in the "org_mapping"). Only applicable to Generic OAuth and Okta.`,
+		},
 		"define_allowed_groups": {
 			Type:        schema.TypeBool,
 			Optional:    true,
@@ -685,6 +695,7 @@ var validationsByProvider = map[string][]validateFunc{
 		ssoValidateNotEmpty("auth_url"),
 		ssoValidateNotEmpty("token_url"),
 		ssoValidateEmpty("api_url"),
+		ssoValidateEmpty("org_attribute_path"),
 		ssoValidateURL("auth_url"),
 		ssoValidateURL("token_url"),
 	},
@@ -695,6 +706,7 @@ var validationsByProvider = map[string][]validateFunc{
 		ssoValidateURL("auth_url"),
 		ssoValidateURL("token_url"),
 		ssoValidateURL("api_url"),
+		ssoValidateInterdependencyXOR("org_attribute_path", "org_mapping"),
 	},
 	"okta": {
 		ssoValidateNotEmpty("auth_url"),
@@ -703,21 +715,25 @@ var validationsByProvider = map[string][]validateFunc{
 		ssoValidateURL("auth_url"),
 		ssoValidateURL("token_url"),
 		ssoValidateURL("api_url"),
+		ssoValidateInterdependencyXOR("org_attribute_path", "org_mapping"),
 	},
 	"github": {
 		ssoValidateEmpty("auth_url"),
 		ssoValidateEmpty("token_url"),
 		ssoValidateEmpty("api_url"),
+		ssoValidateEmpty("org_attribute_path"),
 	},
 	"gitlab": {
 		ssoValidateEmpty("auth_url"),
 		ssoValidateEmpty("token_url"),
 		ssoValidateEmpty("api_url"),
+		ssoValidateEmpty("org_attribute_path"),
 	},
 	"google": {
 		ssoValidateEmpty("auth_url"),
 		ssoValidateEmpty("token_url"),
 		ssoValidateEmpty("api_url"),
+		ssoValidateEmpty("org_attribute_path"),
 	},
 	"saml": {
 		ssoValidateInterdependencyXOR("certificate", "private_key"),
diff --git a/internal/resources/grafana/resource_sso_settings_test.go b/internal/resources/grafana/resource_sso_settings_test.go
@@ -595,4 +595,36 @@ var testConfigsWithValidationErrors = []string{
 		token_url = "https://myidp.com/oauth/token"
 	}
 }`,
+	// org_attribute_path is not empty for AzureAD
+	`resource "grafana_sso_settings" "azure_sso_settings" {
+		provider_name = "azuread"
+		oauth2_settings {
+			client_id = "client_id"
+			auth_url  = "https://login.microsoftonline.com/12345/oauth2/v2.0/authorize"
+			token_url = "https://login.microsoftonline.com/12345/oauth2/v2.0/token"
+			org_attribute_path = "org"
+		}
+	}`,
+	// org_mapping is configured but org_attribute_path is missing for Okta
+	`resource "grafana_sso_settings" "okta_sso_settings" {
+  		provider_name = "okta"
+  		oauth2_settings {
+    		client_id = "client_id"
+    		auth_url  = "https://tenantid123.okta.com/oauth2/v1/auth"
+    		token_url = "https://tenantid123.okta.com/oauth2/v1/token"
+			api_url = "https://tenantid123.okta.com/oauth2/v1/userinfo"
+			org_mapping = "[\"Group A:1:Editor\",\"Group A:2:Admin\"]"
+  		}
+	}`,
+	// org_attribute_path is configured but org_mapping is missing for Generic OAuth
+	`resource "grafana_sso_settings" "generic_oauth_sso_settings" {
+		provider_name = "generic_oauth"
+		oauth2_settings {
+		  client_id = "client_id"
+		  auth_url  = "https://tenantid123.okta.com/oauth2/v1/auth"
+		  token_url = "https://tenantid123.okta.com/oauth2/v1/token"
+		  api_url = "https://tenantid123.okta.com/oauth2/v1/userinfo"
+		  org_attribute_path = "groups"
+		}
+  }`,
 }
