DXCDT-492: Add support for OIDCLogoutPrompt toggle on tenant resource (…

…#754)
auth0 · Jul 28, 2023 · 48b575c · 48b575c
1 parent 610bd70
commit 48b575c
Show file tree

Hide file tree

Showing 8 changed files with 135 additions and 55 deletions.
diff --git a/docs/data-sources/tenant.md b/docs/data-sources/tenant.md
@@ -34,6 +34,7 @@ data "auth0_tenant" "my_tenant" {}
 - `sandbox_version` (String) Selected sandbox version for the extensibility environment, which allows you to use custom scripts to extend parts of Auth0's functionality.
 - `session_cookie` (List of Object) Alters behavior of tenant's session cookie. Contains a single `mode` property. (see [below for nested schema](#nestedatt--session_cookie))
 - `session_lifetime` (Number) Number of hours during which a session will stay valid.
+- `sessions` (List of Object) Sessions related settings for the tenant. (see [below for nested schema](#nestedatt--sessions))
 - `support_email` (String) Support email address for authenticating users.
 - `support_url` (String) Support URL for authenticating users.
 
@@ -74,3 +75,11 @@ Read-Only:
 - `mode` (String)
 
 
+<a id="nestedatt--sessions"></a>
+### Nested Schema for `sessions`
+
+Read-Only:
+
+- `oidc_logout_prompt_enabled` (Boolean)
+
+
diff --git a/docs/resources/tenant.md b/docs/resources/tenant.md
@@ -24,9 +24,6 @@ resource "auth0_tenant" "my_tenant" {
   sandbox_version         = "12"
   enabled_locales         = ["en"]
   default_redirection_uri = "https://example.com/login"
-  session_cookie {
-    mode = "non-persistent"
-  }
 
   flags {
     disable_clickjack_protection_headers   = true
@@ -36,6 +33,14 @@ resource "auth0_tenant" "my_tenant" {
     disable_management_api_sms_obfuscation = false
     disable_fields_map_fix                 = false
   }
+
+  session_cookie {
+    mode = "non-persistent"
+  }
+
+  sessions {
+    oidc_logout_prompt_enabled = false
+  }
 }
 ```
 
@@ -56,6 +61,7 @@ resource "auth0_tenant" "my_tenant" {
 - `sandbox_version` (String) Selected sandbox version for the extensibility environment, which allows you to use custom scripts to extend parts of Auth0's functionality.
 - `session_cookie` (Block List, Max: 1) Alters behavior of tenant's session cookie. Contains a single `mode` property. (see [below for nested schema](#nestedblock--session_cookie))
 - `session_lifetime` (Number) Number of hours during which a session will stay valid.
+- `sessions` (Block List, Max: 1) Sessions related settings for the tenant. (see [below for nested schema](#nestedblock--sessions))
 - `support_email` (String) Support email address for authenticating users.
 - `support_url` (String) Support URL for authenticating users.
 
@@ -99,6 +105,14 @@ Optional:
 
 - `mode` (String) Behavior of tenant session cookie. Accepts either "persistent" or "non-persistent".
 
+
+<a id="nestedblock--sessions"></a>
+### Nested Schema for `sessions`
+
+Required:
+
+- `oidc_logout_prompt_enabled` (Boolean) When active, users will be presented with a consent prompt to confirm the logout request if the request is not trustworthy. Turn off the consent prompt to bypass user confirmation.
+
 ## Import
 
 Import is supported using the following syntax:

diff --git a/examples/resources/auth0_tenant/resource.tf b/examples/resources/auth0_tenant/resource.tf
@@ -8,9 +8,6 @@ resource "auth0_tenant" "my_tenant" {
   sandbox_version         = "12"
   enabled_locales         = ["en"]
   default_redirection_uri = "https://example.com/login"
-  session_cookie {
-    mode = "non-persistent"
-  }
 
   flags {
     disable_clickjack_protection_headers   = true
@@ -20,4 +17,12 @@ resource "auth0_tenant" "my_tenant" {
     disable_management_api_sms_obfuscation = false
     disable_fields_map_fix                 = false
   }
+
+  session_cookie {
+    mode = "non-persistent"
+  }
+
+  sessions {
+    oidc_logout_prompt_enabled = false
+  }
 }
diff --git a/internal/auth0/tenant/expand.go b/internal/auth0/tenant/expand.go
@@ -28,6 +28,7 @@ func expandTenant(d *schema.ResourceData) *management.Tenant {
 		EnabledLocales:        value.Strings(config.GetAttr("enabled_locales")),
 		Flags:                 expandTenantFlags(config.GetAttr("flags")),
 		SessionCookie:         expandTenantSessionCookie(config.GetAttr("session_cookie")),
+		Sessions:              expandTenantSessions(config.GetAttr("sessions")),
 	}
 
 	if d.IsNewResource() || d.HasChange("idle_session_lifetime") {
@@ -86,3 +87,18 @@ func expandTenantSessionCookie(config cty.Value) *management.TenantSessionCookie
 
 	return &sessionCookie
 }
+
+func expandTenantSessions(config cty.Value) *management.TenantSessions {
+	var sessions management.TenantSessions
+
+	config.ForEachElement(func(_ cty.Value, cfg cty.Value) (stop bool) {
+		sessions.OIDCLogoutPromptEnabled = value.Bool(cfg.GetAttr("oidc_logout_prompt_enabled"))
+		return stop
+	})
+
+	if sessions == (management.TenantSessions{}) {
+		return nil
+	}
+
+	return &sessions
+}
diff --git a/internal/auth0/tenant/flatten.go b/internal/auth0/tenant/flatten.go
@@ -22,6 +22,7 @@ func flattenTenant(data *schema.ResourceData, tenant *management.Tenant) error {
 		data.Set("enabled_locales", tenant.GetEnabledLocales()),
 		data.Set("flags", flattenTenantFlags(tenant.GetFlags())),
 		data.Set("session_cookie", flattenTenantSessionCookie(tenant.GetSessionCookie())),
+		data.Set("sessions", flattenTenantSessions(tenant.GetSessions())),
 	)
 
 	return result.ErrorOrNil()
@@ -65,3 +66,10 @@ func flattenTenantSessionCookie(sessionCookie *management.TenantSessionCookie) [
 
 	return []interface{}{m}
 }
+
+func flattenTenantSessions(sessions *management.TenantSessions) []interface{} {
+	m := make(map[string]interface{})
+	m["oidc_logout_prompt_enabled"] = sessions.GetOIDCLogoutPromptEnabled()
+
+	return []interface{}{m}
+}
diff --git a/internal/auth0/tenant/resource.go b/internal/auth0/tenant/resource.go
@@ -271,6 +271,24 @@ func NewResource() *schema.Resource {
 					},
 				},
 			},
+			"sessions": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Computed:    true,
+				MaxItems:    1,
+				Description: "Sessions related settings for the tenant.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"oidc_logout_prompt_enabled": {
+							Type:     schema.TypeBool,
+							Required: true,
+							Description: "When active, users will be presented with a consent prompt to confirm the " +
+								"logout request if the request is not trustworthy. Turn off the consent prompt to " +
+								"bypass user confirmation.",
+						},
+					},
+				},
+			},
 		},
 	}
 }

diff --git a/internal/auth0/tenant/resource_test.go b/internal/auth0/tenant/resource_test.go
@@ -43,6 +43,7 @@ func TestAccTenant(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "flags.0.mfa_show_factor_list_on_enrollment", "false"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "default_redirection_uri", "https://example.com/login"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_cookie.0.mode", "non-persistent"),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "sessions.0.oidc_logout_prompt_enabled", "false"),
 				),
 			},
 			{
@@ -58,6 +59,7 @@ func TestAccTenant(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "allowed_logout_urls.#", "0"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "session_cookie.0.mode", "persistent"),
 					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "default_redirection_uri", ""),
+					resource.TestCheckResourceAttr("auth0_tenant.my_tenant", "sessions.0.oidc_logout_prompt_enabled", "true"),
 				),
 			},
 			{
@@ -105,6 +107,10 @@ resource "auth0_tenant" "my_tenant" {
 	session_cookie {
 		mode = "non-persistent"
 	}
+
+	sessions {
+		oidc_logout_prompt_enabled = false
+	}
 }
 `
 
@@ -135,6 +141,10 @@ resource "auth0_tenant" "my_tenant" {
 	session_cookie {
 		mode = "persistent"
 	}
+
+	sessions {
+		oidc_logout_prompt_enabled = true
+	}
 }
 `