Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bugfix: UPN single quote escaping #643

Merged
merged 3 commits into from
Nov 11, 2021

Conversation

daramir
Copy link
Contributor

@daramir daramir commented Oct 22, 2021

This PR addresses #639.

We need to escape User Principal Names before querying Microsoft Graph.

I'm unable to run acceptance tests at the moment, but I have included a test.

Copy link
Contributor

@manicminer manicminer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @daramir, thanks for the PR!

Overall this looks good, I have one suggestion for approaching the test configuration. If you can consider this, and the tests pass, then this should be good to merge. Thanks!

internal/services/users/user_data_source_test.go Outdated Show resolved Hide resolved
@daramir daramir force-pushed the bugfix/upn-single-quote-escaping branch 2 times, most recently from 21c7edb to 0e492a6 Compare November 4, 2021 01:53
@github-actions github-actions bot added size/XS and removed size/S labels Nov 4, 2021
@daramir daramir requested a review from manicminer November 4, 2021 01:55
Copy link
Contributor

@manicminer manicminer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daramir Thanks for the updates! This is almost good to go, there are a couple of test fixes to make but unfortunately I don't have permission to push to your branch. I've made one suggestion below, and there are a couple of other changes:

diff --git a/internal/services/users/user_resource_test.go b/internal/services/users/user_resource_test.go
index b96e9ab4..e28395a8 100644
--- a/internal/services/users/user_resource_test.go
+++ b/internal/services/users/user_resource_test.go
@@ -149,7 +149,7 @@ data "azuread_domains" "test" {
 }

 resource "azuread_user" "test" {
-  user_principal_name = "acctestUser.%[1]d@${data.azuread_domains.test.domains.0.domain_name}"
+  user_principal_name = "acctestUser'%[1]d@${data.azuread_domains.test.domains.0.domain_name}"
   display_name        = "acctestUser-%[1]d"
   password            = "%[2]s"
 }
@@ -171,7 +171,7 @@ resource "azuread_user" "manager" {
 }

 resource "azuread_user" "test" {
-  user_principal_name = "acct'estUser.%[1]d@${data.azuread_domains.test.domains.0.domain_name}"
+  user_principal_name = "acctestUser'%[1]d@${data.azuread_domains.test.domains.0.domain_name}"
   mail                = "acctestUser.%[1][email protected]"
   mail_nickname       = "acctestUser-%[1]d-MailNickname"
   other_mails         = ["acctestUser.%[1][email protected]", "acctestUser.%[1][email protected]"]
@@ -223,7 +223,7 @@ data "azuread_domains" "test" {
 }

 resource "azuread_user" "testA" {
-  user_principal_name = "acctestUser.%[1]d.A@${data.azuread_domains.test.domains.0.domain_name}"
+  user_principal_name = "acctestUser'%[1]d.A@${data.azuread_domains.test.domains.0.domain_name}"
   display_name        = "acctestUser-%[1]d-A"
   password            = "%[2]s"
 }

These are because some of our tests use several configs to update resources in place.

If you can update the tests as per the above, this will be good to merge. Thanks!

internal/services/users/user_resource_test.go Outdated Show resolved Hide resolved
@daramir daramir force-pushed the bugfix/upn-single-quote-escaping branch from 0e492a6 to 7ce432e Compare November 8, 2021 01:23
@daramir daramir requested a review from manicminer November 8, 2021 01:24
Copy link
Contributor

@manicminer manicminer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @daramir, this LGTM!

One thing I forgot to mention is why I suggested moving the apostrophe around - we try to prefix the primary text field of test resources with the string acctest (case doesn't matter) as this makes it easier to clean up after failed tests.

Copy link
Contributor

@manicminer manicminer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daramir Sorry, it looks like we also need to ensure single quotes are escape for mailNicknames too. I'm still unable to push to your fork, not sure why as GH only returns "access denied". Could you add this too?

diff --git a/internal/services/users/user_data_source.go b/internal/services/users/user_data_source.go
index 3e2ed884..58bab1c7 100644
--- a/internal/services/users/user_data_source.go
+++ b/internal/services/users/user_data_source.go
@@ -347,7 +347,7 @@ func userDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interf
                user = *u
        } else if mailNickname, ok := d.Get("mail_nickname").(string); ok && mailNickname != "" {
                query := odata.Query{
-                       Filter: fmt.Sprintf("mailNickname eq '%s'", mailNickname),
+                       Filter: fmt.Sprintf("mailNickname eq '%s'", utils.EscapeSingleQuote(mailNickname)),
                }
                users, _, err := client.List(ctx, query)
                if err != nil {
diff --git a/internal/services/users/users_data_source.go b/internal/services/users/users_data_source.go
index fee72eff..087e8f47 100644
--- a/internal/services/users/users_data_source.go
+++ b/internal/services/users/users_data_source.go
@@ -223,7 +223,7 @@ func usersDataSourceRead(ctx context.Context, d *schema.ResourceData, meta inter
                        expectedCount = len(mailNicknames)
                        for _, v := range mailNicknames {
                                query := odata.Query{
-                                       Filter: fmt.Sprintf("mailNickname eq '%s'", v),
+                                       Filter: fmt.Sprintf("mailNickname eq '%s'", utils.EscapeSingleQuote(v.(string))),
                                }
                                result, _, err := client.List(ctx, query)
                                if err != nil {

Thanks!

in "complete()" UserResource test scenario
it is used by TestAccUserDataSource_byUserPrincipalName
@daramir daramir force-pushed the bugfix/upn-single-quote-escaping branch from 7ce432e to dd251a3 Compare November 9, 2021 03:22
@daramir
Copy link
Contributor Author

daramir commented Nov 9, 2021

@daramir Sorry, it looks like we also need to ensure single quotes are escape for mailNicknames too. I'm still unable to push to your fork, not sure why as GH only returns "access denied". Could you add this too?
(...)
Thanks!

Hi @manicminer , the above has been included. Please have a look!

Copy link
Contributor

@manicminer manicminer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @daramir, this LGTM and tests are passing 🚀

Screenshot 2021-11-11 at 18 33 57

@manicminer manicminer merged commit 6b9421f into hashicorp:main Nov 11, 2021
manicminer added a commit that referenced this pull request Nov 11, 2021
@daramir daramir deleted the bugfix/upn-single-quote-escaping branch November 11, 2021 23:39
@github-actions
Copy link

This functionality has been released in v2.9.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 19, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants