NSOF-5930 user_settings: introduce user settings resource and data-source

Author: hod-alpert

docs/data-sources/user_settings.md

@@ -0,0 +1,51 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "pfptmeta_user_settings Data Source - terraform-provider-pfptmeta"
+subcategory: "Administration"
+description: |-
+  The pfptmeta_user_settings resource is a tool with which the administrator can configure specific user settings for particular groups.
+  For example, an organization’s security policy may require that a specific contractor’s group is prompted for re-authentication after x minutes, or that this group of users can only log in from a single device or x number of devices.
+  In addition, the administrator can choose the type of authentication factor that should be applied or if users can only log in using SSO.
+---
+
+# pfptmeta_user_settings (Data Source)
+
+The `pfptmeta_user_settings` resource is a tool with which the administrator can configure specific user settings for particular groups.
+For example, an organization’s security policy may require that a specific contractor’s group is prompted for re-authentication after x minutes, or that this group of users can only log in from a single device or x number of devices.
+In addition, the administrator can choose the type of authentication factor that should be applied or if users can only log in using SSO.
+
+## Example Usage
+
+```terraform
+data "pfptmeta_user_settings" "settings" {
+  id = "ds-123abc"
+}
+
+output "settings" {
+  value = data.pfptmeta_user_settings.settings
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **id** (String) The ID of this resource.
+
+### Read-Only
+
+- **allowed_factors** (List of String) When users are configured to authenticate locally with MFA, you can choose which second authentication factors will be visible to this user group. The allowed values are: `SMS`, `SOFTWARE_TOTP`, `VOICECALL`, `EMAIL`.
+This applies ONLY to local Proofpoint accounts, not to accounts that authenticate via external IdPs (SSO).
+- **apply_on_org** (Boolean) Indicates whether this user setting applies to the entire org. Note: this attribute overrides `apply_to_entities`.
+- **apply_to_entities** (List of String) Entities (users, groups or network elements) that the user settings will be applied to.
+- **description** (String)
+- **enabled** (Boolean)
+- **max_devices_per_user** (Number) Provides the administrator the flexibility to restrict how many devices the user can own or authenticate from.
+- **mfa_required** (Boolean) Forces the user for second factor authentication when logging in to Proofpoint NaaS. Enabling this enforces the user to authenticate also by a second factor, as specified by `allowed_factors` parameter.
+- **name** (String)
+- **password_expiration** (Number) Allows the administrator to set how often (in days) the end user should set a new login password.
+- **prohibited_os** (List of String) Allows the administrator to select operating systems which are prohibited from onboarding. ENUM: `Android`, `macOS`, `iOS`, `Linux`, `Windows`, `ChromeOS`
+- **proxy_pops** (String) Type of proxy_pops the user will use:
+	- **ALL_POPS** - connect to the nearest Point-of-Presence regardless to whether this PoP was upgraded for static IP use or not.	- **POPS_WITH_DEDICATED_IPS** - enable the use of PoPs with dedicated IP ranges provided by Proofpoint.
+- **sso_mandatory** (Boolean) Force the user into SSO authentication, via the configured IdP. If this option is enabled and the user attempts to login without SSO, the following message is displayed: *Login without SSO is not allowed by system administrator*.

docs/resources/user_settings.md

@@ -0,0 +1,73 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "pfptmeta_user_settings Resource - terraform-provider-pfptmeta"
+subcategory: "Administration"
+description: |-
+  The pfptmeta_user_settings resource is a tool with which the administrator can configure specific user settings for particular groups.
+  For example, an organization’s security policy may require that a specific contractor’s group is prompted for re-authentication after x minutes, or that this group of users can only log in from a single device or x number of devices.
+  In addition, the administrator can choose the type of authentication factor that should be applied or if users can only log in using SSO.
+---
+
+# pfptmeta_user_settings (Resource)
+
+The `pfptmeta_user_settings` resource is a tool with which the administrator can configure specific user settings for particular groups.
+For example, an organization’s security policy may require that a specific contractor’s group is prompted for re-authentication after x minutes, or that this group of users can only log in from a single device or x number of devices.
+In addition, the administrator can choose the type of authentication factor that should be applied or if users can only log in using SSO.
+
+## Example Usage
+
+```terraform
+resource "pfptmeta_user_settings" "swg_settings" {
+  name         = "SWG settings"
+  description  = "device settings description"
+  apply_on_org = true
+  proxy_pops   = "POPS_WITH_DEDICATED_IPS"
+}
+
+resource "pfptmeta_group" "ztna_group" {
+  name = "group"
+}
+
+resource "pfptmeta_user_settings" "ztna_settings" {
+  name                 = "ZTNA settings"
+  apply_to_entities    = [pfptmeta_group.ztna_group.id]
+  max_devices_per_user = 5
+  prohibited_os        = ["macOS", "iOS"]
+}
+
+resource "pfptmeta_user_settings" "login_settings" {
+  name                = "Login settings"
+  apply_on_org        = true
+  sso_mandatory       = true
+  mfa_required        = true
+  allowed_factors     = ["SMS"]
+  password_expiration = 30
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **name** (String)
+
+### Optional
+
+- **allowed_factors** (List of String) When users are configured to authenticate locally with MFA, you can choose which second authentication factors will be visible to this user group. The allowed values are: `SMS`, `SOFTWARE_TOTP`, `VOICECALL`, `EMAIL`.
+This applies ONLY to local Proofpoint accounts, not to accounts that authenticate via external IdPs (SSO).
+- **apply_on_org** (Boolean) Indicates whether this user setting applies to the entire org. Note: this attribute overrides `apply_to_entities`.
+- **apply_to_entities** (List of String) Entities (users, groups or network elements) that the user settings will be applied to.
+- **description** (String)
+- **enabled** (Boolean)
+- **max_devices_per_user** (Number) Provides the administrator the flexibility to restrict how many devices the user can own or authenticate from.
+- **mfa_required** (Boolean) Forces the user for second factor authentication when logging in to Proofpoint NaaS. Enabling this enforces the user to authenticate also by a second factor, as specified by `allowed_factors` parameter.
+- **password_expiration** (Number) Allows the administrator to set how often (in days) the end user should set a new login password.
+- **prohibited_os** (List of String) Allows the administrator to select operating systems which are prohibited from onboarding. ENUM: `Android`, `macOS`, `iOS`, `Linux`, `Windows`, `ChromeOS`
+- **proxy_pops** (String) Type of proxy_pops the user will use:
+	- **ALL_POPS** - connect to the nearest Point-of-Presence regardless to whether this PoP was upgraded for static IP use or not.	- **POPS_WITH_DEDICATED_IPS** - enable the use of PoPs with dedicated IP ranges provided by Proofpoint.
+- **sso_mandatory** (Boolean) Force the user into SSO authentication, via the configured IdP. If this option is enabled and the user attempts to login without SSO, the following message is displayed: *Login without SSO is not allowed by system administrator*.
+
+### Read-Only
+
+- **id** (String) The ID of this resource.

examples/data-sources/pfptmeta_user_settings/data-source.tf

@@ -0,0 +1,7 @@
+data "pfptmeta_user_settings" "settings" {
+  id = "ds-123abc"
+}
+
+output "settings" {
+  value = data.pfptmeta_user_settings.settings
+}

examples/resources/pfptmeta_user_settings/resource.tf

@@ -0,0 +1,26 @@
+resource "pfptmeta_user_settings" "swg_settings" {
+  name         = "SWG settings"
+  description  = "device settings description"
+  apply_on_org = true
+  proxy_pops   = "POPS_WITH_DEDICATED_IPS"
+}
+
+resource "pfptmeta_group" "ztna_group" {
+  name = "group"
+}
+
+resource "pfptmeta_user_settings" "ztna_settings" {
+  name                 = "ZTNA settings"
+  apply_to_entities    = [pfptmeta_group.ztna_group.id]
+  max_devices_per_user = 5
+  prohibited_os        = ["macOS", "iOS"]
+}
+
+resource "pfptmeta_user_settings" "login_settings" {
+  name                = "Login settings"
+  apply_on_org        = true
+  sso_mandatory       = true
+  mfa_required        = true
+  allowed_factors     = ["SMS"]
+  password_expiration = 30
+}

internal/client/user_settings.go

@@ -0,0 +1,132 @@
+package client
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"io/ioutil"
+	"net/http"
+)
+
+const userSettingsEndpoint = "v1/settings/user"
+
+type UserSettings struct {
+	ID                 string   `json:"id,omitempty"`
+	Name               string   `json:"name,omitempty"`
+	Description        string   `json:"description"`
+	Enabled            bool     `json:"enabled"`
+	ApplyOnOrg         bool     `json:"apply_on_org"`
+	ApplyToEntities    []string `json:"apply_to_entities"`
+	AllowedFactors     []string `json:"allowed_factors,omitempty"`
+	MaxDevicesPerUser  *int     `json:"max_devices_per_user,omitempty"`
+	MfaRequired        *bool    `json:"mfa_required,omitempty"`
+	PasswordExpiration *int     `json:"password_expiration,omitempty"`
+	ProhibitedOs       []string `json:"prohibited_os,omitempty"`
+	ProxyPops          *string  `json:"proxy_pops,omitempty"`
+	SsoMandatory       *bool    `json:"sso_mandatory,omitempty"`
+}
+
+func NewUserSettings(d *schema.ResourceData) *UserSettings {
+	res := &UserSettings{}
+	if d.HasChange("name") {
+		res.Name = d.Get("name").(string)
+	}
+	res.Description = d.Get("description").(string)
+	res.Enabled = d.Get("enabled").(bool)
+	res.ApplyOnOrg = d.Get("apply_on_org").(bool)
+	res.ApplyToEntities = ConfigToStringSlice("apply_to_entities", d)
+	_, exists := d.GetOk("allowed_factors")
+	if exists {
+		res.AllowedFactors = ConfigToStringSlice("allowed_factors", d)
+	}
+	mdpu, exists := d.GetOk("max_devices_per_user")
+	if exists {
+		maxDevicesPerUser := mdpu.(int)
+		res.MaxDevicesPerUser = &maxDevicesPerUser
+	}
+	mfar, exists := d.GetOk("mfa_required")
+	if exists {
+		mfaRequired := mfar.(bool)
+		res.MfaRequired = &mfaRequired
+	}
+	pw, exists := d.GetOk("password_expiration")
+	if exists {
+		passwordExpiration := pw.(int)
+		res.PasswordExpiration = &passwordExpiration
+	}
+	_, exists = d.GetOk("prohibited_os")
+	if exists {
+		res.ProhibitedOs = ConfigToStringSlice("prohibited_os", d)
+	}
+	pp, exists := d.GetOk("proxy_pops")
+	if exists {
+		proxyPops := pp.(string)
+		res.ProxyPops = &proxyPops
+	}
+	ssoM, exists := d.GetOk("sso_mandatory")
+	if exists {
+		ssoMandatory := ssoM.(bool)
+		res.MfaRequired = &ssoMandatory
+	}
+	return res
+}
+
+func parseUserSettings(resp *http.Response) (*UserSettings, error) {
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("could not read user settings response: %v", err)
+	}
+	ds := &UserSettings{}
+	err = json.Unmarshal(body, ds)
+	if err != nil {
+		return nil, fmt.Errorf("could not parse user settings response: %v", err)
+	}
+	return ds, nil
+}
+
+func CreateUserSettings(ctx context.Context, c *Client, ds *UserSettings) (*UserSettings, error) {
+	url := fmt.Sprintf("%s/%s", c.BaseURL, userSettingsEndpoint)
+	body, err := json.Marshal(ds)
+	if err != nil {
+		return nil, fmt.Errorf("could not convert user settings to json: %v", err)
+	}
+	resp, err := c.Post(ctx, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	return parseUserSettings(resp)
+}
+
+func UpdateUserSettings(ctx context.Context, c *Client, dsID string, ds *UserSettings) (*UserSettings, error) {
+	url := fmt.Sprintf("%s/%s/%s", c.BaseURL, userSettingsEndpoint, dsID)
+	body, err := json.Marshal(ds)
+	if err != nil {
+		return nil, fmt.Errorf("could not convert user settings to json: %v", err)
+	}
+	resp, err := c.Patch(ctx, url, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	return parseUserSettings(resp)
+}
+
+func GetUserSettings(ctx context.Context, c *Client, dsID string) (*UserSettings, error) {
+	url := fmt.Sprintf("%s/%s/%s", c.BaseURL, userSettingsEndpoint, dsID)
+	resp, err := c.Get(ctx, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	return parseUserSettings(resp)
+}
+
+func DeleteUserSettings(ctx context.Context, c *Client, dsID string) (*UserSettings, error) {
+	url := fmt.Sprintf("%s/%s/%s", c.BaseURL, userSettingsEndpoint, dsID)
+	resp, err := c.Delete(ctx, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	return parseUserSettings(resp)
+}