Add support for admin/ProxySSO-groups API endpoint

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 1.4.23
+* Support for admin/ProxySSO-groups API endpoint
+
 ## 1.4.22
 * Fix: Encode name parameter of URI for Admin SAML Groups.
 

client/admin_proxysso_groups.go

@@ -0,0 +1,71 @@
+package client
+
+import (
+	"github.com/splunk/terraform-provider-splunk/client/models"
+	"net/http"
+	"net/url"
+	"github.com/google/go-querystring/query"
+)
+
+func (client *Client) CreateAdminProxyssoGroups(name string, AdminProxyssoGroupsObject *models.AdminProxyssoGroupsObject) error {
+	values, err := query.Values(AdminProxyssoGroupsObject)
+	if err != nil {
+		return err
+	}
+
+	endpoint := client.BuildSplunkURL(nil, "servicesNS", "nobody", "system", "admin", "ProxySSO-groups", url.PathEscape(name))
+	resp, err := client.Post(endpoint, values)
+
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	return nil
+}
+
+func (client *Client) ReadAdminProxyssoGroups(name, owner, app string) (*http.Response, error) {
+	endpoint := client.BuildSplunkURL(nil, "servicesNS", "nobody", "system", "admin", "ProxySSO-groups", url.PathEscape(name))
+	resp, err := client.Get(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}
+
+func (client *Client) UpdateAdminProxyssoGroups(name string, AdminProxyssoGroupsObject *models.AdminProxyssoGroupsObject) error {
+	values, err := query.Values(&AdminProxyssoGroupsObject)
+	if err != nil {
+		return err
+	}
+	// Not required for updating user information
+	values.Del("name")
+	endpoint := client.BuildSplunkURL(nil, "servicesNS", "nobody", "system", "admin", "ProxySSO-groups", url.PathEscape(name))
+	resp, err := client.Post(endpoint, values)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	return nil
+}
+
+func (client *Client) DeleteAdminProxyssoGroups(name string) (*http.Response, error) {
+	endpoint := client.BuildSplunkURL(nil, "servicesNS", "nobody", "system", "admin", "ProxySSO-groups", url.PathEscape(name))
+	resp, err := client.Delete(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}
+
+// servicesNS/nobody/system/admin/ProxySSO-groups
+func (client *Client) ReadAllAdminProxyssoGroups() (*http.Response, error) {
+	endpoint := client.BuildSplunkURL(nil, "servicesNS", "nobody", "system", "admin", "ProxySSO-groups")
+	resp, err := client.Get(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	return resp, nil
+}

client/models/admin_proxysso_groups.go

@@ -0,0 +1,18 @@
+package models
+
+// Scripted Input Response Schema
+type AdminProxyssoGroupsResponse struct {
+	Entry    []AdminProxyssoGroupsEntry `json:"entry"`
+	Messages []ErrorMessage            `json:"messages"`
+}
+
+type AdminProxyssoGroupsEntry struct {
+	Name    string                   `json:"name"`
+	ACL     ACLObject                `json:"acl"`
+	Content AdminProxyssoGroupsObject `json:"content"`
+}
+
+type AdminProxyssoGroupsObject struct {
+	Roles []string `json:"roles,omitempty" url:"roles,omitempty"`
+	Name  string   `json:"name,omitempty" url:"name,omitempty"`
+}

docs/resources/admin_proxysso_groups.md

@@ -0,0 +1,30 @@
+# Resource: splunk_admin_proxysso_groups
+Manage external groups in an proxy-sso response to internal Splunk roles.
+
+## Example Usage
+```
+resource "splunk_admin_proxysso_groups" "proxy-group" {
+  name              = "mygroup"
+  roles             = ["admin", "power"]
+}
+```
+
+## Argument Reference
+For latest resource argument reference: https://docs.splunk.com/Documentation/Splunk/9.2.1/RESTREF/RESTaccess#admin/ProxySSO-groups
+
+This resource block supports the following arguments:
+* `name` - (Required) The name of the external group.
+* `roles` - (Required) List of internal roles assigned to the group.
+
+## Attribute Reference
+In addition to all arguments above, This resource block exports the following arguments:
+
+* `id` - The ID (group_name) of the resource
+
+## Import
+
+Proxy-SSO groups can be imported using the id, e.g.
+
+```
+terraform import splunk_admin_proxysso_groups.proxy-group mygroup
+```

splunk/provider.go

@@ -72,6 +72,7 @@ func providerSchema() map[string]*schema.Schema {
 func providerResources() map[string]*schema.Resource {
 	return map[string]*schema.Resource{
 		"splunk_admin_saml_groups":           adminSAMLGroups(),
+		"splunk_admin_proxysso_groups": 	  adminProxyssoGroups(),
 		"splunk_apps_local":                  appsLocal(),
 		"splunk_authentication_users":        authenticationUsers(),
 		"splunk_authorization_roles":         authorizationRoles(),

splunk/resource_splunk_admin_proxysso_groups.go

@@ -0,0 +1,168 @@
+package splunk
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/splunk/terraform-provider-splunk/client/models"
+	"net/http"
+	"regexp"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func adminProxyssoGroups() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"name": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: "Required. The Proxy SSO group name.",
+			},
+			"roles": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Computed: true,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Description: "Required. List of internal roles assigned to group.",
+			},
+		},
+		Read:   AdminProxyssoGroupsRead,
+		Create: AdminProxyssoGroupsCreate,
+		Delete: AdminProxyssoGroupsDelete,
+		Update: AdminProxyssoGroupsUpdate,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+	}
+}
+
+// Functions
+func AdminProxyssoGroupsCreate(d *schema.ResourceData, meta interface{}) error {
+	provider := meta.(*SplunkProvider)
+	name := d.Get("name").(string)
+	authenticationUserObj := getAdminProxyssoGroupsConfig(d)
+	err := (*provider.Client).CreateAdminProxyssoGroups(name, authenticationUserObj)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(name)
+	return AdminProxyssoGroupsRead(d, meta)
+}
+
+func AdminProxyssoGroupsRead(d *schema.ResourceData, meta interface{}) error {
+	provider := meta.(*SplunkProvider)
+	name := d.Id()
+	// We first get list of inputs to get owner and app name for the specific input
+	resp, err := (*provider.Client).ReadAllAdminProxyssoGroups()
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	entry, err := getAdminProxyssoGroupsByName(name, resp)
+	if err != nil {
+		return err
+	}
+
+	if entry == nil {
+		return fmt.Errorf("Unable to find resource: %v", name)
+	}
+
+	// Now we read the input configuration with proper owner and app
+	resp, err = (*provider.Client).ReadAdminProxyssoGroups(name, entry.ACL.Owner, entry.ACL.App)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	entry, err = getAdminProxyssoGroupsByName(name, resp)
+	if err != nil {
+		return err
+	}
+
+	// an empty entry (with no error) means the resource wasn't found
+	// mark it as such so it can be re-created
+	if entry == nil {
+		d.SetId("")
+		return nil
+	}
+
+	if err = d.Set("name", entry.Name); err != nil {
+		return err
+	}
+
+	if err = d.Set("roles", entry.Content.Roles); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func AdminProxyssoGroupsUpdate(d *schema.ResourceData, meta interface{}) error {
+	provider := meta.(*SplunkProvider)
+	authenticationUserObj := getAdminProxyssoGroupsConfig(d)
+	err := (*provider.Client).UpdateAdminProxyssoGroups(d.Id(), authenticationUserObj)
+	if err != nil {
+		return err
+	}
+
+	return AdminProxyssoGroupsRead(d, meta)
+}
+
+func AdminProxyssoGroupsDelete(d *schema.ResourceData, meta interface{}) error {
+	provider := meta.(*SplunkProvider)
+	resp, err := (*provider.Client).DeleteAdminProxyssoGroups(d.Id())
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case 200, 201:
+		return nil
+
+	default:
+		errorResponse := &models.AdminProxyssoGroupsResponse{}
+		_ = json.NewDecoder(resp.Body).Decode(errorResponse)
+		err := errors.New(errorResponse.Messages[0].Text)
+		return err
+	}
+}
+
+// Helpers
+func getAdminProxyssoGroupsConfig(d *schema.ResourceData) (authenticationUserObject *models.AdminProxyssoGroupsObject) {
+	authenticationUserObject = &models.AdminProxyssoGroupsObject{}
+	authenticationUserObject.Name = d.Get("name").(string)
+	if val, ok := d.GetOk("roles"); ok {
+		for _, v := range val.([]interface{}) {
+			authenticationUserObject.Roles = append(authenticationUserObject.Roles, v.(string))
+		}
+	}
+	return authenticationUserObject
+}
+
+func getAdminProxyssoGroupsByName(name string, httpResponse *http.Response) (AdminProxyssoGroupsEntry *models.AdminProxyssoGroupsEntry, err error) {
+	response := &models.AdminProxyssoGroupsResponse{}
+	switch httpResponse.StatusCode {
+	case 200, 201:
+		_ = json.NewDecoder(httpResponse.Body).Decode(&response)
+		re := regexp.MustCompile(`(.*)`)
+		for _, entry := range response.Entry {
+			if name == re.FindStringSubmatch(entry.Name)[1] {
+				return &entry, nil
+			}
+		}
+
+	default:
+		_ = json.NewDecoder(httpResponse.Body).Decode(response)
+		err := errors.New(response.Messages[0].Text)
+		return AdminProxyssoGroupsEntry, err
+	}
+
+	return AdminProxyssoGroupsEntry, nil
+}

splunk/resource_splunk_admin_proxysso_groups_test.go

@@ -0,0 +1,78 @@
+package splunk
+
+import (
+	"fmt"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+	"net/http"
+	"testing"
+)
+
+const AdminProxyssoGroupsInput = `
+resource "splunk_admin_proxysso_groups" "proxy_sso_group" {
+  name = "newrole"
+  roles = ["admin", "power"]
+}
+`
+
+const updateAdminProxyssoGroupsInput = `
+resource "splunk_admin_proxysso_groups" "proxy_sso_group" {
+  name = "newrole"
+  roles = ["admin", "power", "user"]
+}
+`
+
+func TestAccSplunkAdminProxyssoGroups(t *testing.T) {
+	resourceName := "splunk_admin_proxysso_groups.proxy_sso_group"
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+		},
+		Providers:    testAccProviders,
+		CheckDestroy: testAccSplunkAdminProxyssoGroupsInputDestroyResources,
+		Steps: []resource.TestStep{
+			{
+				Config: AdminProxyssoGroupsInput,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", "newrole"),
+					resource.TestCheckResourceAttr(resourceName, "roles.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "roles.0", "admin"),
+					resource.TestCheckResourceAttr(resourceName, "roles.1", "power"),
+				),
+			},
+			{
+				Config: updateAdminProxyssoGroupsInput,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", "newrole"),
+					resource.TestCheckResourceAttr(resourceName, "roles.#", "3"),
+					resource.TestCheckResourceAttr(resourceName, "roles.0", "admin"),
+					resource.TestCheckResourceAttr(resourceName, "roles.1", "power"),
+					resource.TestCheckResourceAttr(resourceName, "roles.2", "user"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccSplunkAdminProxyssoGroupsInputDestroyResources(s *terraform.State) error {
+	client, err := newTestClient()
+	if err != nil {
+		return err
+	}
+	for _, rs := range s.RootModule().Resources {
+		switch rs.Type {
+		case "splunk_authorization_roles":
+			endpoint := client.BuildSplunkURL(nil, "services", "admin", "ProxySSO-groups", rs.Primary.ID)
+			resp, err := client.Get(endpoint)
+			if resp.StatusCode != http.StatusNotFound {
+				return fmt.Errorf("error: %s: %s", rs.Primary.ID, err)
+			}
+		}
+	}
+	return nil
+}