alekc / terraform-provider-auth0

Mozilla Public License 2.0

Client SAML misconfigures logout property #28

Closed mvanderlee closed 2 years ago

mvanderlee commented 2 years ago

Description

The client resource configures the SAML logout property as a list instead of an object. This causes Auth0 to ignore the configuration.

From Auth0's doc in the SAML addon popup:

logout (object): An object that controls SAML logout. It can contain two properties: callback (of type string), that contains the service provider (client application)'s Single Logout Service URL, where Auth0 will send logout requests and responses, and slo_enabled (boolean) that controls whether Auth0 should notify service providers of session termination. The default value is true (notify service providers).

Terraform Version

Terraform 1.0.4
+ provider.auth0 - 1.1.1

Affected Resource(s)

Terraform Configuration Files

addons {
  samlp {
    logout {
      callback    = "https://acme.com/"
      slo_enabled = true
    }
  }
}

Expected Behavior

Resulting Auth0 config:

"logout": {
  "callback": "https://acme.com/",
  "slo_enabled": true
}

Actual Behavior

Resulting Auth0 config:

"logout": [
  {
      "callback": "https://acme.com/",
      "slo_enabled": true
  }
]

Steps to Reproduce

  1. terraform apply

Debug Output

NA

Panic Output

NA

Important Factoids

NA

References

Community Note

alekc commented 2 years ago

Sigh, yet again Auth0 shows that they disregard their own APIs; they should really check for values instead of just blindly saving them as they are.

@mvanderlee I opened a PR with a fix; this is the rendered version:

{
  "tenant": "terraform-provider",
  "global": false,
  "is_token_endpoint_ip_header_trusted": true,
  "name": "Acceptance Test - okendc",
  "description": "Test Application Long Description",
  "is_first_party": true,
  "oidc_conformant": true,
  "callbacks": [
    "https://example.com/callback"
  ],
  "allowed_clients": [
    "https://allowed.example.com"
  ],
  "allowed_logout_urls": [
    "https://example.com"
  ],
  "addons": {
    "samlp": {
      "audience": "https://example.com/saml",
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
      "createUpnClaim": false,
      "destination": "http://foo",
      "digestAlgorithm": "sha1",
      "includeAttributeNameFormat": true,
      "lifetimeInSeconds": 180,
      "logout": {
        "callback": "http://example.com/callback",
        "slo_enabled": true
      },
      "mapIdentities": false,
      "mapUnknownClaimsAsIs": false,
      "mappings": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      },
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
      ],
      "passthroughClaimsWithNoMapping": false,
      "recipient": "http://foo",
      "signResponse": false,
      "signatureAlgorithm": "rsa-sha1",
      "signingCert": "fakecertificate",
      "typedAttributes": false
    }
  },
  "client_metadata": {
    "foo": "zoo"
  },
  "mobile": {
    "ios": {
      "app_bundle_identifier": "com.my.bundle.id",
      "team_id": "9JA89QQLNQ"
    }
  },
  "initiate_login_uri": "https://example.com/login",
  "refresh_token": {
    "expiration_type": "expiring",
    "leeway": 42,
    "token_lifetime": 424242,
    "infinite_token_lifetime": true,
    "infinite_idle_token_lifetime": false,
    "idle_token_lifetime": 3600,
    "rotation_type": "rotating"
  },
  "organization_usage": "deny",
  "organization_require_behavior": "no_prompt",
  "sso_disabled": false,
  "cross_origin_auth": false,
  "signing_keys": [
    {
      "cert": "-----BEGIN CERTIFICATE-----\r\nMIIDGTCCAgGgAwIBAgIJTv5+TI6JdOmiMA0GCSqGSIb3DQEBCwUAMCoxKDAmBgNV\r\nBAMTH3RlcnJhZm9ybS1wcm92aWRlci5ldS5hdXRoMC5jb20wHhcNMjExMDAxMTMz\r\nNjE1WhcNMzUwNjEwMTMzNjE1WjAqMSgwJgYDVQQDEx90ZXJyYWZvcm0tcHJvdmlk\r\nZXIuZXUuYXV0aDAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\nt/I5IvIjJxoKeso7wC7PKjZIRmcXWCsCTxazfIvtJA/11emG+5RPlY0OTnFvK/By\r\nDYwWc17k1phU6r0x8hMR9F9k9pPKzBOBn83Tm/WrhqTyGGhUfqWdSRfkJu2pxdhh\r\nsi6p+YXnHINPDi/Y2Yzf6kFZ6m03V8ET8xGZ9jGj39IorjGjwOhdrWRGoTQNvyt7\r\nyiAmm2bX3pETW6pDO04QbV/Z/OrLv7Pvf53h2eOqPBlLRr7UGgvvVMXEiG8yVENw\r\nd27T3KkoEDcqy0csW4yCfBOTzx11rlclO3VKeO3yU5D/jx9Nq3pmT3TFGAScCB7V\r\n1xv87wBAxXij8WEc54ir3QIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud\r\nDgQWBBRmV+xwzOVejJW7Gu/KOY3ZUS6WjDAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZI\r\nhvcNAQELBQADggEBAAA/NUdeg4QShwGUQz7/ntzuiZNpKaYib/sBqYjdHOCEk9V0\r\nOASUQwWnbOcXXcAg4E3Xb28j0DE54nlHa5eSE5ZZyG8lbmA4Qur5P9XMNQb8UKLR\r\nnx030AVy1U+GQeS3u7iCoPp1SKzWUBv5EbBIlxt/9MhI8P2T9fKuGpQ1uybMcIuR\r\nhCNtAG/fypd7FtFzaZlxkGy6or1hp0Y1bWWumH4yzPQPZg9kNOVtMJw+ImIGJuqF\r\nz5hvZ7fbWsr8jiBAK340K4Dd6xUDkvizPm0mafASx47cGDZPJbNCHOR+x7UTr9SZ\r\npTNp+GlPQaQBBxAGWPmatSOagKgqjAXxdBRYoXA=\r\n-----END CERTIFICATE-----",
      "pkcs7": "-----BEGIN PKCS7-----\r\nMIIDSAYJKoZIhvcNAQcCoIIDOTCCAzUCAQExADALBgkqhkiG9w0BBwGgggMdMIID\r\nGTCCAgGgAwIBAgIJTv5+TI6JdOmiMA0GCSqGSIb3DQEBCwUAMCoxKDAmBgNVBAMT\r\nH3RlcnJhZm9ybS1wcm92aWRlci5ldS5hdXRoMC5jb20wHhcNMjExMDAxMTMzNjE1\r\nWhcNMzUwNjEwMTMzNjE1WjAqMSgwJgYDVQQDEx90ZXJyYWZvcm0tcHJvdmlkZXIu\r\nZXUuYXV0aDAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt/I5\r\nIvIjJxoKeso7wC7PKjZIRmcXWCsCTxazfIvtJA/11emG+5RPlY0OTnFvK/ByDYwW\r\nc17k1phU6r0x8hMR9F9k9pPKzBOBn83Tm/WrhqTyGGhUfqWdSRfkJu2pxdhhsi6p\r\n+YXnHINPDi/Y2Yzf6kFZ6m03V8ET8xGZ9jGj39IorjGjwOhdrWRGoTQNvyt7yiAm\r\nm2bX3pETW6pDO04QbV/Z/OrLv7Pvf53h2eOqPBlLRr7UGgvvVMXEiG8yVENwd27T\r\n3KkoEDcqy0csW4yCfBOTzx11rlclO3VKeO3yU5D/jx9Nq3pmT3TFGAScCB7V1xv8\r\n7wBAxXij8WEc54ir3QIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW\r\nBBRmV+xwzOVejJW7Gu/KOY3ZUS6WjDAOBgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcN\r\nAQELBQADggEBAAA/NUdeg4QShwGUQz7/ntzuiZNpKaYib/sBqYjdHOCEk9V0OASU\r\nQwWnbOcXXcAg4E3Xb28j0DE54nlHa5eSE5ZZyG8lbmA4Qur5P9XMNQb8UKLRnx03\r\n0AVy1U+GQeS3u7iCoPp1SKzWUBv5EbBIlxt/9MhI8P2T9fKuGpQ1uybMcIuRhCNt\r\nAG/fypd7FtFzaZlxkGy6or1hp0Y1bWWumH4yzPQPZg9kNOVtMJw+ImIGJuqFz5hv\r\nZ7fbWsr8jiBAK340K4Dd6xUDkvizPm0mafASx47cGDZPJbNCHOR+x7UTr9SZpTNp\r\n+GlPQaQBBxAGWPmatSOagKgqjAXxdBRYoXAxAA==\r\n-----END PKCS7-----\r\n",
      "subject": "deprecated"
    }
  ],
  "allowed_origins": [
    "https://example.com"
  ],
  "client_id": "Fr4MS04tFIxi23n8PdZvRaX7gfBLhcKT",
  "callback_url_template": false,
  "client_secret": "Jcy3F9ubLimBRpyE7j9ONl-OK8aqEEkUbj0b87Sq1Bp20fxQose8qJu7iVdhA_pX",
  "jwt_configuration": {
    "scopes": {
      "foo": "bar"
    },
    "alg": "RS256",
    "lifetime_in_seconds": 300,
    "secret_encoded": true
  },
  "token_endpoint_auth_method": "client_secret_post",
  "app_type": "non_interactive",
  "grant_types": [
    "authorization_code",
    "http://auth0.com/oauth/grant-type/password-realm",
    "implicit",
    "password",
    "refresh_token"
  ],
  "web_origins": [
    "https://example.com"
  ],
  "custom_login_page_on": true
}

Are you able to build and test the version in the PR to ensure that it's working properly for you? I do not have any real-world samlp to test it against.

mvanderlee commented 2 years ago

@alekc The fix in the PR worked great. Thank you!

mvanderlee commented 2 years ago

I don't think this next issue needs special consideration, but wanted to log it in case someone else runs into it.

When running against an existing resource that has it misconfigured, the plugin crashes. The work-around is to manually fix the SAML settings in the Auth0 Management UI and run terraform again.

Error output:

│ Error: Plugin did not respond
│ 
│   with auth0_client.opensearch,
│   on main.tf line 60, in resource "auth0_client" "opensearch":
│   60: resource "auth0_client" "opensearch" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ReadResource call. The plugin logs may contain more
│ details.
╵
Releasing state lock. This may take a few moments...

Stack trace from the terraform-provider-auth0_v1.1.5 plugin:

panic: interface conversion: interface {} is []interface {}, not map[string]interface {}

goroutine 60 [running]:
github.com/alekc/terraform-provider-auth0/auth0.flattenAddons(0xc0001101b0, 0x0, 0x0, 0x0)
        /home/michiel/ugit/terraform-provider-auth0/auth0/resource_auth0_client.go:749 +0x14f6
github.com/alekc/terraform-provider-auth0/auth0.readClient(0x18b0ce0, 0xc0002ab440, 0xc0000fa500, 0x13f5e60, 0xc000300000, 0x0, 0x0, 0x0)
        /home/michiel/ugit/terraform-provider-auth0/auth0/resource_auth0_client.go:710 +0xd86
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc000608fc0, 0x18b0ce0, 0xc0002ab440, 0xc0000fa500, 0x13f5e60, 0xc000300000, 0x0, 0x0, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.1/helper/schema/resource.go:347 +0x350
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc000608fc0, 0x18b0c60, 0xc000762700, 0xc0003501c0, 0x13f5e60, 0xc000300000, 0x0, 0x0, 0x0, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.1/helper/schema/resource.go:624 +0x77d
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc0005cc5c0, 0x18b0c60, 0xc000762700, 0xc000762740, 0x0, 0x0, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.1/helper/schema/grpc_provider.go:575 +0xc9f
github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ReadResource(0xc00057ee00, 0x18b0c60, 0xc000762700, 0xc0002aa0c0, 0x0, 0x0, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/server/server.go:298 +0x181
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler(0x14c6800, 0xc00057ee00, 0x18b0d20, 0xc000308150, 0xc0002aa060, 0x0, 0x0, 0x0, 0x0, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:344 +0x3df
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00034ddc0, 0x18bb200, 0xc00031f500, 0xc00051e400, 0xc0006286f0, 0x20953f0, 0x0, 0x0, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:1194 +0x101d
google.golang.org/grpc.(*Server).handleStream(0xc00034ddc0, 0x18bb200, 0xc00031f500, 0xc00051e400, 0x0)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:1517 +0x98e
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000354190, 0xc00034ddc0, 0x18bb200, 0xc00031f500, 0xc00051e400)
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:859 +0xf4
created by google.golang.org/grpc.(*Server).serveStreams.func1
        /home/michiel/.asdf/installs/golang/1.14.1/packages/pkg/mod/google.golang.org/grpc@v1.32.0/server.go:857 +0x2b7

Error: The terraform-provider-auth0_v1.1.5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

ERRO[0017] 1 error occurred:
        * exit status 1

alekc commented 2 years ago

> The work-around is to manually fix the SAML settings and run terraform again

What do you mean? Manually changing the tf state, or removing and adding back the affected resource?

mvanderlee commented 2 years ago

Updated my comment:

The work-around is to manually fix the SAML settings in the Auth0 Management UI and run terraform again.

alekc commented 2 years ago

OK, I see. It's probably best to apply an autofix before merging this one then. I will update shortly.

alekc commented 2 years ago

Added an additional check. If there is an invalid (array) value, it would be ignored and rectified on the update. I am aiming to release 1.1.2 with the fix tomorrow.
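A defensive read path for the `logout` value, covering both the crash reported above (a bare `.(map[string]interface{})` assertion hitting the array Auth0 stored) and the "ignore and rectify on update" fix described in the last comment. This is an added example, not the provider's own flattenAddons code; the SAMLLogout type and flattenSAMLLogout helper are assumptions for this example, and the two JSON documents are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SAMLLogout mirrors the `logout` object Auth0 documents for the samlp addon.
type SAMLLogout struct {
	Callback   string
	SLOEnabled bool
}

// flattenSAMLLogout reads the raw `logout` value of a decoded samlp addon.
// A type switch replaces the bare .(map[string]interface{}) assertion, so a
// value Auth0 stored as an array is reported instead of panicking the plugin.
// Hypothetical helper for this example, not the provider's flattenAddons.
func flattenSAMLLogout(raw interface{}) (*SAMLLogout, error) {
	switch v := raw.(type) {
	case nil:
		return nil, nil // no logout block configured
	case map[string]interface{}:
		out := &SAMLLogout{}
		out.Callback, _ = v["callback"].(string)
		out.SLOEnabled, _ = v["slo_enabled"].(bool)
		return out, nil
	case []interface{}:
		// The list form is the misconfiguration from this issue: ignore it so
		// the next apply rewrites it as an object rather than crashing on read.
		return nil, fmt.Errorf("samlp.logout stored as array of %d, expected object", len(v))
	default:
		return nil, fmt.Errorf("samlp.logout has unexpected type %T", raw)
	}
}

func main() {
	// Constructed samples: the object form Auth0 expects, then the array form.
	for _, doc := range []string{
		`{"logout":{"callback":"https://acme.com/","slo_enabled":true}}`,
		`{"logout":[{"callback":"https://acme.com/","slo_enabled":true}]}`,
	} {
		var samlp map[string]interface{}
		if err := json.Unmarshal([]byte(doc), &samlp); err != nil {
			panic(err)
		}
		lo, err := flattenSAMLLogout(samlp["logout"])
		fmt.Printf("%+v err=%v\n", lo, err)
	}
}
```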