Feature/enable sso authentication on connect (#48)

* added struct variable & schema for "sso_auth" * added check for sso_auth in resourceUpdateServer * fix copy and paste error * add test case for new sso_auth option * fixed another copy paste error * refactor sso_auth tests into own test * remove duplicate test function * add sso_auth parameter to resource documentation * update docker-pritunl --------- Co-authored-by: Cyril Tan <[email protected]>
disc · Sep 14, 2023 · 27e1fe3 · 27e1fe3
1 parent 25298d6
commit 27e1fe3
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -9,7 +9,7 @@ test:
 		-p 80:80/tcp \
 		-p 443:443/tcp \
 		-p 27017:27017/tcp \
-		ghcr.io/jippi/docker-pritunl:1.30.3236.80
+		ghcr.io/jippi/docker-pritunl:1.32.3602.80
 
 	sleep 20
 
@@ -26,4 +26,4 @@ test:
 	PRITUNL_SECRET=tfacctest_secret \
 	go test -v -cover -count 1 ./internal/provider
 
-	@docker rm tf_pritunl_acc_test -f
+	@docker rm tf_pritunl_acc_test -f
diff --git a/docs/resources/server.md b/docs/resources/server.md
@@ -44,6 +44,7 @@ description: |-
 - **network_start** (String) Starting network address for the bridged VPN client IP addresses. Must be in the subnet of the server network.
 - **network_wg** (String) Network address for the private network that will be created for clients. This network cannot conflict with any existing local networks
 - **organization_ids** (List of String) The list of attached organizations to the server.
+- **sso_auth** (Boolean) Require client to authenticate with single sign-on provider on each connection using web browser. Requires client to have access to Pritunl web server port and running updated Pritunl Client. Single sign-on provider must already be configured for this feature to work properly.
 - **otp_auth** (Boolean) Enables two-step authentication using Google Authenticator. Verification code is entered as the user password when connecting
 - **ping_interval** (Number) Interval to ping client
 - **ping_timeout** (Number) Timeout for client ping. Must be greater then ping interval

diff --git a/internal/pritunl/client.go b/internal/pritunl/client.go
@@ -291,6 +291,10 @@ func (c client) CreateServer(serverData map[string]interface{}) (*Server, error)
 	isWgEnabled := serverStruct.NetworkWG != "" && serverStruct.PortWG > 0
 	serverStruct.WG = isWgEnabled
 
+	if v, ok := serverData["sso_auth"]; ok {
+		serverStruct.SsoAuth = v.(bool)
+	}
+
 	if v, ok := serverData["otp_auth"]; ok {
 		serverStruct.OtpAuth = v.(bool)
 	}

diff --git a/internal/pritunl/server.go b/internal/pritunl/server.go
@@ -50,6 +50,7 @@ type Server struct {
 	VxLan            bool     `json:"vxlan,omitempty"`
 	DnsMapping       bool     `json:"dns_mapping,omitempty"`
 	PreConnectMsg    string   `json:"pre_connect_msg,omitempty"`
+	SsoAuth          bool     `json:"sso_auth,omitempty"`
 	OtpAuth          bool     `json:"otp_auth,omitempty"`
 	MssFix           int      `json:"mss_fix,omitempty"`
 	LzoCompression   bool     `json:"lzo_compression,omitempty"`

diff --git a/internal/provider/resource_server.go b/internal/provider/resource_server.go
@@ -176,6 +176,12 @@ func resourceServer() *schema.Resource {
 				Optional:    true,
 				Description: "Enter list of DNS servers applied on the client",
 			},
+			"sso_auth": {
+				Type:        schema.TypeBool,
+				Required:    false,
+				Optional:    true,
+				Description: "Require client to authenticate with single sign-on provider on each connection using web browser. Requires client to have access to Pritunl web server port and running updated Pritunl Client. Single sign-on provider must already be configured for this feature to work properly",
+			},
 			"otp_auth": {
 				Type:        schema.TypeBool,
 				Required:    false,
@@ -503,6 +509,7 @@ func resourceReadServer(ctx context.Context, d *schema.ResourceData, meta interf
 	d.Set("dns_servers", server.DnsServers)
 	d.Set("network_wg", server.NetworkWG)
 	d.Set("port_wg", server.PortWG)
+	d.Set("sso_auth", server.SsoAuth)
 	d.Set("otp_auth", server.OtpAuth)
 	d.Set("ipv6", server.IPv6)
 	d.Set("dh_param_bits", server.DhParamBits)
@@ -623,6 +630,7 @@ func resourceCreateServer(ctx context.Context, d *schema.ResourceData, meta inte
 		"dns_servers":        d.Get("dns_servers"),
 		"network_wg":         d.Get("network_wg"),
 		"port_wg":            d.Get("port_wg"),
+		"sso_auth":           d.Get("sso_auth"),
 		"otp_auth":           d.Get("otp_auth"),
 		"ipv6":               d.Get("ipv6"),
 		"dh_param_bits":      d.Get("dh_param_bits"),
@@ -774,6 +782,10 @@ func resourceUpdateServer(ctx context.Context, d *schema.ResourceData, meta inte
 	isWgEnabled := server.NetworkWG != "" && server.PortWG > 0
 	server.WG = isWgEnabled
 
+	if d.HasChange("sso_auth") {
+		server.SsoAuth = d.Get("sso_auth").(bool)
+	}
+
 	if d.HasChange("otp_auth") {
 		server.OtpAuth = d.Get("otp_auth").(bool)
 	}

diff --git a/internal/provider/resource_server_test.go b/internal/provider/resource_server_test.go
@@ -53,6 +53,57 @@ func TestGetServer_basic(t *testing.T) {
 	})
 }
 
+func TestGetServer_with_sso_auth(t *testing.T) {
+	var serverId string
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { preCheck(t) },
+		ProviderFactories: providerFactories,
+		CheckDestroy:      testGetServerDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testGetServerWithActiveSsoAuth("tfacc-server1"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("pritunl_server.test", "name", "tfacc-server1"),
+					resource.TestCheckResourceAttr("pritunl_server.test", "sso_auth", "true"),
+
+					// extract serverId for future use
+					func(s *terraform.State) error {
+						serverId = s.RootModule().Resources["pritunl_server.test"].Primary.Attributes["id"]
+						return nil
+					},
+				),
+			},
+			importStep("pritunl_server.test"),
+			{
+				Config: testGetServerSimpleConfig("tfacc-server2"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("pritunl_server.test", "name", "tfacc-server2"),
+					resource.TestCheckResourceAttr("pritunl_server.test", "sso_auth", "false"),
+				),
+			},
+			importStep("pritunl_server.test"),
+			{
+				Config: testGetServerWithDeactiveSsoAuth("tfacc-server3"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("pritunl_server.test", "name", "tfacc-server3"),
+					resource.TestCheckResourceAttr("pritunl_server.test", "sso_auth", "false"),
+				),
+			},
+			importStep("pritunl_server.test"),
+			// test importing
+			{
+				ResourceName: "pritunl_server.test",
+				ImportStateIdFunc: func(*terraform.State) (string, error) {
+					return serverId, nil
+				},
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestGetServer_with_attached_organization(t *testing.T) {
 	var serverId string
 
@@ -428,6 +479,24 @@ resource "pritunl_server" "test" {
 `, name)
 }
 
+func testGetServerWithActiveSsoAuth(name string) string {
+	return fmt.Sprintf(`
+resource "pritunl_server" "test" {
+	name     = "%[1]s"
+	sso_auth = true
+}
+`, name)
+}
+
+func testGetServerWithDeactiveSsoAuth(name string) string {
+	return fmt.Sprintf(`
+resource "pritunl_server" "test" {
+	name     = "%[1]s"
+	sso_auth = false
+}
+`, name)
+}
+
 func testGetServerSimpleConfigWithAttachedOrganization(name, organizationName string) string {
 	return fmt.Sprintf(`
 resource "pritunl_organization" "test" {
@@ -468,7 +537,7 @@ func testGetServerSimpleConfigWithAttachedRoute(name, route string) string {
 	return fmt.Sprintf(`
 resource "pritunl_server" "test" {
 	name = "%[1]s"
-	
+
 	route {
 		network = "%[2]s"
 		comment = "tfacc-route"
@@ -482,7 +551,7 @@ func testGetServerSimpleConfigWithAFewAttachedRoutes(name, route1, route2, route
 	return fmt.Sprintf(`
 resource "pritunl_server" "test" {
 	name = "%[1]s"
-	
+
 	route {
 		network = "%[2]s"
 		comment = "tfacc-route"
@@ -497,7 +566,7 @@ resource "pritunl_server" "test" {
 		network = "%[4]s"
 		comment = "tfacc-route"
 		net_gateway = true
-  	}	
+  	}
 }
 `, name, route1, route2, route3)
 }