Add support for login MFA resources (#1620)

hashicorp · Oct 4, 2022 · 810708c · 810708c
1 parent 94e7965
commit 810708c
Show file tree

Hide file tree

Showing 28 changed files with 1,964 additions and 69 deletions.
diff --git a/internal/consts/consts.go b/internal/consts/consts.go
@@ -9,6 +9,7 @@ const (
 	FieldMethod                   = "method"
 	FieldNamespace                = "namespace"
 	FieldNamespaceID              = "namespace_id"
+	FieldNamespacePath            = "namespace_path"
 	FieldBackend                  = "backend"
 	FieldPathFQ                   = "path_fq"
 	FieldData                     = "data"
@@ -45,8 +46,8 @@ const (
 	FieldCurve                    = "curve"
 	FieldKeyBits                  = "key_bits"
 	FieldForceRWSession           = "force_rw_session"
-	FieldAWSAccessKey             = "access_key"
-	FieldAWSSecretKey             = "secret_key"
+	FieldAccessKey                = "access_key"
+	FieldSecretKey                = "secret_key"
 	FieldEndpoint                 = "endpoint"
 	FieldKeyType                  = "key_type"
 	FieldKMSKey                   = "kms_key"
@@ -62,6 +63,7 @@ const (
 	FieldAllowReplaceKey          = "allow_replace_key"
 	FieldAllowStoreKey            = "allow_store_key"
 	FieldAnyMount                 = "any_mount"
+	FieldID                       = "id"
 	FieldUUID                     = "uuid"
 	FieldMountAccessor            = "mount_accessor"
 	FieldUsername                 = "username"
@@ -124,6 +126,46 @@ const (
 	FieldResourceGroupName        = "resource_group_name"
 	FieldVMName                   = "vm_name"
 	FieldVMSSName                 = "vmss_name"
+	FieldUsernameFormat           = "username_format"
+	FieldIntegrationKey           = "integration_key"
+	FieldAPIHostname              = "api_hostname"
+	FieldPushInfo                 = "push_info"
+	FieldUsePasscode              = "use_passcode"
+	FieldIssuer                   = "issuer"
+	FieldPeriod                   = "period"
+	FieldKeySize                  = "key_size"
+	FieldQRSize                   = "qr_size"
+	FieldAlgorithm                = "algorithm"
+	FieldDigits                   = "digits"
+	FieldSkew                     = "skew"
+	FieldMaxValidationAttempts    = "max_validation_attempts"
+	FieldOrgName                  = "org_name"
+	FieldAPIToken                 = "api_token"
+	FieldBaseURL                  = "base_url"
+	FieldPrimaryEmail             = "primary_email"
+	FieldSettingsFileBase64       = "settings_file_base64"
+	FieldUseSignature             = "use_signature"
+	FieldIdpURL                   = "idp_url"
+	FieldAdminURL                 = "admin_url"
+	FieldAuthenticatorURL         = "authenticator_url"
+	FieldOrgAlias                 = "org_alias"
+	FieldType                     = "type"
+	FieldMethodID                 = "method_id"
+	FieldMFAMethodIDs             = "mfa_method_ids"
+	FieldAuthMethodAccessors      = "auth_method_accessors"
+	FieldAuthMethodTypes          = "auth_method_types"
+	FieldIdentityGroupIDs         = "identity_group_ids"
+	FieldIdentityEntityIDs        = "identity_entity_ids"
+	/*
+		auth_method_accessors ([]string: []) - Array of auth mount accessor IDs. If present, only auth methods corresponding to the given accessors are checked during login.
+
+		auth_method_types ([]string: []) - Array of auth method types. If present, only auth methods corresponding to the given types are checked during login.
+
+		identity_group_ids ([]string: []) - Array of identity group IDs. If present, only entities belonging to one of the given groups are checked during login. Note that these IDs can be from the current namespace or a child namespace.
+
+		identity_entity_ids ([]string: []) - Array of identity entity IDs. If present, only entities with the given IDs are checked during login. Note that these IDs can be from the current namespace or a child namespace.
+
+	*/
 
 	/*
 		common environment variables

diff --git a/internal/identity/mfa/duo.go b/internal/identity/mfa/duo.go
@@ -0,0 +1,57 @@
+package mfa
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+)
+
+const (
+	MethodTypeDuo   = "duo"
+	ResourceNameDuo = resourceNamePrefix + MethodTypeDuo
+)
+
+var duoSchemaMap = map[string]*schema.Schema{
+	consts.FieldUsernameFormat: {
+		Type:        schema.TypeString,
+		Description: "A template string for mapping Identity names to MFA methods.",
+		Optional:    true,
+	},
+	consts.FieldSecretKey: {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "Secret key for Duo",
+		Sensitive:   true,
+	},
+	consts.FieldIntegrationKey: {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "Integration key for Duo",
+		Sensitive:   true,
+	},
+	consts.FieldAPIHostname: {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "API hostname for Duo",
+	},
+	consts.FieldPushInfo: {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Push information for Duo.",
+	},
+	consts.FieldUsePasscode: {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Default:     false,
+		Description: "Require passcode upon MFA validation.",
+	},
+}
+
+func GetDuoSchemaResource() (*schema.Resource, error) {
+	config, _ := NewContextFuncConfig(MethodTypeDuo, PathTypeMethodID, nil, nil, map[string]string{
+		// API is inconsistent between create/update and read.
+		"pushinfo": consts.FieldPushInfo,
+	})
+
+	return getMethodSchemaResource(duoSchemaMap, config), nil
+}
diff --git a/internal/identity/mfa/login_enforcement.go b/internal/identity/mfa/login_enforcement.go
@@ -0,0 +1,77 @@
+package mfa
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+)
+
+const (
+	MethodTypeLoginEnforcement   = "login-enforcement"
+	ResourceNameLoginEnforcement = resourceNamePrefix + "login_enforcement"
+)
+
+var loginEnforcementSchemaMap = map[string]*schema.Schema{
+	consts.FieldName: {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "Login enforcement name.",
+	},
+	consts.FieldMFAMethodIDs: {
+		Type: schema.TypeSet,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+		Required:    true,
+		Description: `Set of MFA method UUIDs.`,
+	},
+	consts.FieldAuthMethodAccessors: {
+		Type: schema.TypeSet,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+		Optional:    true,
+		Description: `Set of auth method accessor IDs.`,
+	},
+	consts.FieldAuthMethodTypes: {
+		Type: schema.TypeSet,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+		Optional:    true,
+		Description: `Set of auth method types.`,
+	},
+	consts.FieldIdentityGroupIDs: {
+		Type: schema.TypeSet,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+		Optional:    true,
+		Description: `Set of identity group IDs.`,
+	},
+	consts.FieldIdentityEntityIDs: {
+		Type: schema.TypeSet,
+		Elem: &schema.Schema{
+			Type: schema.TypeString,
+		},
+		Optional:    true,
+		Description: `Set of identity entity IDs.`,
+	},
+}
+
+func GetLoginEnforcementSchemaResource() (*schema.Resource, error) {
+	config, err := NewContextFuncConfig(MethodTypeLoginEnforcement, PathTypeName, nil, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	r := getSchemaResource(loginEnforcementSchemaMap, config, mustAddCommonSchema)
+	for k, v := range r.Schema {
+		switch k {
+		case consts.FieldUUID, consts.FieldName:
+			v.ForceNew = true
+		}
+	}
+
+	return r, nil
+}