auth0 · sergiught · Sep 19, 2023 · Sep 19, 2023 · Sep 19, 2023
diff --git a/docs/data-sources/signing_keys.md b/docs/data-sources/signing_keys.md
@@ -0,0 +1,48 @@
+---
+page_title: "Data Source: auth0_signing_keys"
+description: |-
+  Data source to retrieve signing keys used by the applications in your tenant. Learn more https://auth0.com/docs/get-started/tenant-settings/signing-keys.
+---
+
+# Data Source: auth0_signing_keys
+
+Data source to retrieve signing keys used by the applications in your tenant. [Learn more](https://auth0.com/docs/get-started/tenant-settings/signing-keys).
+
+## Example Usage
+
+```terraform
+data "auth0_signing_keys" "my_keys" {}
+
+# Example on how to get the current key from the data source.
+output "current_key" {
+  value = try(
+    element([for key in data.auth0_signing_keys.my_keys.signing_keys : key.kid if key.current], 0),
+    "No current key found"
+  )
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `signing_keys` (List of Object) All application signing keys. (see [below for nested schema](#nestedatt--signing_keys))
+
+<a id="nestedatt--signing_keys"></a>
+### Nested Schema for `signing_keys`
+
+Read-Only:
+
+- `cert` (String)
+- `current` (Boolean)
+- `fingerprint` (String)
+- `kid` (String)
+- `next` (Boolean)
+- `pkcs7` (String)
+- `previous` (Boolean)
+- `revoked` (Boolean)
+- `thumbprint` (String)
+
+
diff --git a/examples/data-sources/auth0_signing_keys/data-source.tf b/examples/data-sources/auth0_signing_keys/data-source.tf
@@ -0,0 +1,9 @@
+data "auth0_signing_keys" "my_keys" {}
+
+# Example on how to get the current key from the data source.
+output "current_key" {
+  value = try(
+    element([for key in data.auth0_signing_keys.my_keys.signing_keys : key.kid if key.current], 0),
+    "No current key found"
+  )
+}
diff --git a/internal/acctest/http_recorder.go b/internal/acctest/http_recorder.go
@@ -2,13 +2,15 @@ package acctest
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"os"
 	"path"
 	"runtime"
 	"strings"
 	"testing"
 
+	"github.com/auth0/go-auth0"
 	"github.com/auth0/go-auth0/management"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/dnaeon/go-vcr.v3/cassette"
@@ -61,6 +63,7 @@ func removeSensitiveDataFromRecordings(t *testing.T, recorderTransport *recorder
 			domain := os.Getenv("AUTH0_DOMAIN")
 			require.NotEmpty(t, domain, "removeSensitiveDataFromRecordings(): AUTH0_DOMAIN is empty")
 
+			redactSensitiveDataInSigningKeys(t, i, domain)
 			redactSensitiveDataInClient(t, i, domain)
 			redactDomain(i, domain)
 
@@ -140,3 +143,39 @@ func redactSensitiveDataInClient(t *testing.T, i *cassette.Interaction, domain s
 		i.Response.Body = string(clientBody)
 	}
 }
+
+func redactSensitiveDataInSigningKeys(t *testing.T, i *cassette.Interaction, domain string) {
+	read := i.Request.URL == "https://"+domain+"/api/v2/keys/signing" && i.Request.Method == http.MethodGet
+	if read {
+		currentSigningKey := &management.SigningKey{
+			KID:         auth0.String("111111111111111111111"),
+			Cert:        auth0.String("-----BEGIN CERTIFICATE-----\\r\\n[REDACTED]\\r\\n-----END CERTIFICATE-----"),
+			PKCS7:       auth0.String("-----BEGIN PKCS7-----\\r\\n[REDACTED]\\r\\n-----END PKCS7-----"),
+			Current:     auth0.Bool(true),
+			Next:        auth0.Bool(false),
+			Previous:    auth0.Bool(true),
+			Fingerprint: auth0.String("[REDACTED]"),
+			Thumbprint:  auth0.String("[REDACTED]"),
+			Revoked:     auth0.Bool(false),
+		}
+		previousSigningKey := &management.SigningKey{
+			KID:         auth0.String("222222222222222222222"),
+			Cert:        auth0.String("-----BEGIN CERTIFICATE-----\\r\\n[REDACTED]\\r\\n-----END CERTIFICATE-----"),
+			PKCS7:       auth0.String("-----BEGIN PKCS7-----\\r\\n[REDACTED]\\r\\n-----END PKCS7-----"),
+			Current:     auth0.Bool(false),
+			Next:        auth0.Bool(true),
+			Previous:    auth0.Bool(true),
+			Fingerprint: auth0.String("[REDACTED]"),
+			Thumbprint:  auth0.String("[REDACTED]"),
+			Revoked:     auth0.Bool(false),
+		}
+
+		currentSigningKeyBody, err := json.Marshal(currentSigningKey)
+		require.NoError(t, err)
+
+		previousSigningKeyBody, err := json.Marshal(previousSigningKey)
+		require.NoError(t, err)
+
+		i.Response.Body = fmt.Sprintf(`[%s,%s]`, currentSigningKeyBody, previousSigningKeyBody)
+	}
+}
diff --git a/internal/auth0/signingkey/data_source.go b/internal/auth0/signingkey/data_source.go
@@ -0,0 +1,88 @@
+package signingkey
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/auth0/terraform-provider-auth0/internal/config"
+)
+
+// NewDataSource will return a new auth0_signing_keys data source.
+func NewDataSource() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: readSigningKeys,
+		Description: "Data source to retrieve signing keys used by the applications in your tenant. [Learn more](https://auth0.com/docs/get-started/tenant-settings/signing-keys).",
+		Schema: map[string]*schema.Schema{
+			"signing_keys": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Description: "All application signing keys.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"kid": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The key ID of the signing key.",
+						},
+						"cert": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The public certificate of the signing key.",
+						},
+						"pkcs7": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The public certificate of the signing key in PKCS7 format.",
+						},
+						"current": {
+							Type:        schema.TypeBool,
+							Computed:    true,
+							Description: "True if the key is the the current key.",
+						},
+						"next": {
+							Type:        schema.TypeBool,
+							Computed:    true,
+							Description: "True if the key is the the next key.",
+						},
+						"previous": {
+							Type:        schema.TypeBool,
+							Computed:    true,
+							Description: "True if the key is the the previous key.",
+						},
+						"revoked": {
+							Type:        schema.TypeBool,
+							Computed:    true,
+							Description: "True if the key is revoked.",
+						},
+						"fingerprint": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The cert fingerprint.",
+						},
+						"thumbprint": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: "The cert thumbprint.",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func readSigningKeys(ctx context.Context, data *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	api := meta.(*config.Config).GetAPI()
+
+	signingKeys, err := api.SigningKey.List(ctx)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	data.SetId(id.UniqueId())
+
+	return diag.FromErr(data.Set("signing_keys", flattenSigningKeys(signingKeys)))
+}
diff --git a/internal/auth0/signingkey/data_source_test.go b/internal/auth0/signingkey/data_source_test.go
@@ -0,0 +1,44 @@
+package signingkey_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+
+	"github.com/auth0/terraform-provider-auth0/internal/acctest"
+)
+
+const testAccDataSourceSigningKeys = `
+data "auth0_signing_keys" "my_keys" { }
+`
+
+func TestAccDataSourceSigningKeys(t *testing.T) {
+	acctest.Test(t, resource.TestCase{
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSigningKeys,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.auth0_signing_keys.my_keys", "signing_keys.#", "2"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.kid"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.cert"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.pkcs7"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.current"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.next"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.previous"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.revoked"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.fingerprint"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.0.thumbprint"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.kid"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.cert"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.pkcs7"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.current"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.next"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.previous"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.revoked"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.fingerprint"),
+					resource.TestCheckResourceAttrSet("data.auth0_signing_keys.my_keys", "signing_keys.1.thumbprint"),
+				),
+			},
+		},
+	})
+}
diff --git a/internal/auth0/signingkey/flatten.go b/internal/auth0/signingkey/flatten.go
@@ -0,0 +1,23 @@
+package signingkey
+
+import (
+	"github.com/auth0/go-auth0/management"
+)
+
+func flattenSigningKeys(keys []*management.SigningKey) []interface{} {
+	var result []interface{}
+	for _, key := range keys {
+		result = append(result, map[string]interface{}{
+			"kid":         key.GetKID(),
+			"cert":        key.GetCert(),
+			"pkcs7":       key.GetPKCS7(),
+			"current":     key.GetCurrent(),
+			"next":        key.GetNext(),
+			"previous":    key.GetPrevious(),
+			"revoked":     key.GetRevoked(),
+			"fingerprint": key.GetFingerprint(),
+			"thumbprint":  key.GetThumbprint(),
+		})
+	}
+	return result
+}
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -21,6 +21,7 @@ import (
 	"github.com/auth0/terraform-provider-auth0/internal/auth0/resourceserver"
 	"github.com/auth0/terraform-provider-auth0/internal/auth0/role"
 	"github.com/auth0/terraform-provider-auth0/internal/auth0/rule"
+	"github.com/auth0/terraform-provider-auth0/internal/auth0/signingkey"
 	"github.com/auth0/terraform-provider-auth0/internal/auth0/tenant"
 	"github.com/auth0/terraform-provider-auth0/internal/auth0/user"
 	"github.com/auth0/terraform-provider-auth0/internal/config"
@@ -142,6 +143,7 @@ func New() *schema.Provider {
 			"auth0_pages":             page.NewDataSource(),
 			"auth0_resource_server":   resourceserver.NewDataSource(),
 			"auth0_role":              role.NewDataSource(),
+			"auth0_signing_keys":      signingkey.NewDataSource(),
 			"auth0_tenant":            tenant.NewDataSource(),
 			"auth0_user":              user.NewDataSource(),
 		},