Merge pull request #986 from jfrog/GH-985-fix-scoped-token-action-error

Fix actions validation in scopes attribute
jfrog · Jun 3, 2024 · bebe3a3 · bebe3a3
2 parents 30b4e17 + ba6f640
commit bebe3a3
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## 10.8.3 (June 3, 2024)
 
+BUG FIXES:
+
+* resource/artifactory_scoped_token: Fix incorrect validation with actions values for `scopes` attribute. Issue: [#985](https://github.com/jfrog/terraform-provider-artifactory/issues/985) PR: [#986](https://github.com/jfrog/terraform-provider-artifactory/pull/986)
+
 IMPROVEMENTS:
 
 * Documentation: Move `metadata_retrieval_timeout_secs` attribute documentation from `artifactory_remote_maven_repository` to "Artifactory Remote Repository Common Arguments" documentation. Issue: [#983](https://github.com/jfrog/terraform-provider-artifactory/issues/983) PR: [#984](https://github.com/jfrog/terraform-provider-artifactory/pull/984)

diff --git a/pkg/artifactory/resource/security/resource_artifactory_scoped_token.go b/pkg/artifactory/resource/security/resource_artifactory_scoped_token.go
@@ -196,7 +196,7 @@ func (r *ScopedTokenResource) Schema(ctx context.Context, req resource.SchemaReq
 							),
 							stringvalidator.RegexMatches(regexp.MustCompile(`^applied-permissions\/groups:.+$`), "must be 'applied-permissions/groups:<group-name>[,<group-name>...]'"),
 							stringvalidator.RegexMatches(regexp.MustCompile(`^applied-permissions\/roles:.+:.+$`), "must be 'applied-permissions/roles:<project-key>:<role-name>[,<role-name>...]'"),
-							stringvalidator.RegexMatches(regexp.MustCompile(`^artifact:.+:([rwdamxs*]|([rwdamxs]+(,[rwdamxs]+)))$`), "must be '<resource-type>:<target>[/<sub-resource>]:<actions>'"),
+							stringvalidator.RegexMatches(regexp.MustCompile(`^artifact:(?:.+):(?:(?:[rwdamxs*]+)|(?:[rwdamxs]+)(?:,[rwdamxs]+)+)$`), "must be '<resource-type>:<target>[/<sub-resource>]:<actions>'"),
 						),
 					),
 				},

diff --git a/pkg/artifactory/resource/security/resource_artifactory_scoped_token_test.go b/pkg/artifactory/resource/security/resource_artifactory_scoped_token_test.go
@@ -624,6 +624,146 @@ func TestAccScopedToken_WithRoleScope(t *testing.T) {
 	})
 }
 
+func TestAccScopedToken_WithActionsScope(t *testing.T) {
+	_, fqrn, name := testutil.MkNames("test-access-token", "artifactory_scoped_token")
+	_, _, projectName := testutil.MkNames("test-project", "project")
+	_, _, projectUserName := testutil.MkNames("test-projecuser", "project_user")
+	_, _, username := testutil.MkNames("test-user", "artifactory_managed_user")
+
+	email := username + "@tempurl.org"
+
+	accessTokenConfig := util.ExecuteTemplate(
+		"TestAccScopedToken",
+		`resource "artifactory_managed_user" "{{ .username }}" {
+			name              = "{{ .username }}"
+		    email             = "{{ .email }}"
+			admin             = true
+			disable_ui_access = false
+			groups            = ["readers"]
+			password          = "Passw0rd!"
+		}
+
+		resource "project" "{{ .projectName }}" {
+			key = "{{ .projectName }}"
+			display_name = "{{ .projectName }}"
+			admin_privileges {
+				manage_members = true
+				manage_resources = true
+				index_resources = true
+			}
+		}
+
+		resource "project_user" "{{ .projectUserName }}" {
+			name = artifactory_managed_user.{{ .username }}.name
+			project_key = project.{{ .projectName }}.key
+			roles = ["Developer"]
+		}
+
+		resource "artifactory_scoped_token" "{{ .name }}" {
+			username = artifactory_managed_user.{{ .username }}.name
+			scopes   = [
+				"artifact:generic-local-1:r",
+				"artifact:generic-local-2:r,w,d,a,m",
+			]
+		}`,
+		map[string]interface{}{
+			"name":            name,
+			"username":        username,
+			"email":           email,
+			"projectName":     projectName,
+			"projectUserName": projectUserName,
+		},
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { acctest.PreCheck(t) },
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"project": {
+				Source: "jfrog/project",
+			},
+		},
+		ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: accessTokenConfig,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(fqrn, "username", username),
+					resource.TestCheckResourceAttr(fqrn, "scopes.#", "2"),
+					resource.TestCheckTypeSetElemAttr(fqrn, "scopes.*", "artifact:generic-local-1:r"),
+					resource.TestCheckTypeSetElemAttr(fqrn, "scopes.*", "artifact:generic-local-2:r,w,d,a,m"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccScopedToken_InvalidActionsScope(t *testing.T) {
+	_, _, name := testutil.MkNames("test-access-token", "artifactory_scoped_token")
+	_, _, projectName := testutil.MkNames("test-project", "project")
+	_, _, projectUserName := testutil.MkNames("test-projecuser", "project_user")
+	_, _, username := testutil.MkNames("test-user", "artifactory_managed_user")
+
+	email := username + "@tempurl.org"
+
+	accessTokenConfig := util.ExecuteTemplate(
+		"TestAccScopedToken",
+		`resource "artifactory_managed_user" "{{ .username }}" {
+			name              = "{{ .username }}"
+		    email             = "{{ .email }}"
+			admin             = true
+			disable_ui_access = false
+			groups            = ["readers"]
+			password          = "Passw0rd!"
+		}
+
+		resource "project" "{{ .projectName }}" {
+			key = "{{ .projectName }}"
+			display_name = "{{ .projectName }}"
+			admin_privileges {
+				manage_members = true
+				manage_resources = true
+				index_resources = true
+			}
+		}
+
+		resource "project_user" "{{ .projectUserName }}" {
+			name = artifactory_managed_user.{{ .username }}.name
+			project_key = project.{{ .projectName }}.key
+			roles = ["Developer"]
+		}
+
+		resource "artifactory_scoped_token" "{{ .name }}" {
+			username = artifactory_managed_user.{{ .username }}.name
+			scopes   = [
+				"artifact:generic-local-1:t",
+			]
+		}`,
+		map[string]interface{}{
+			"name":            name,
+			"username":        username,
+			"email":           email,
+			"projectName":     projectName,
+			"projectUserName": projectUserName,
+		},
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { acctest.PreCheck(t) },
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"project": {
+				Source: "jfrog/project",
+			},
+		},
+		ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      accessTokenConfig,
+				ExpectError: regexp.MustCompile(`.*'<resource-type>:<target>\[\/<sub-resource>\]:<actions>'.*`),
+			},
+		},
+	})
+}
+
 func TestAccScopedToken_WithInvalidScopes(t *testing.T) {
 	_, _, name := testutil.MkNames("test-scoped-token", "artifactory_scoped_token")