GH-587: Remove computed property from set_user_root_attributes (#602)

auth0 · May 25, 2023 · 26d2ecb · 26d2ecb
1 parent 5e9d15d
commit 26d2ecb
Show file tree

Hide file tree

Showing 6 changed files with 362 additions and 159 deletions.
diff --git a/docs/resources/connection.md b/docs/resources/connection.md
@@ -675,7 +675,7 @@ Optional:
 - `requires_username` (Boolean) Indicates whether the user is required to provide a username in addition to an email address.
 - `scopes` (Set of String) Permissions to grant to the connection. Within the Auth0 dashboard these appear under the "Attributes" and "Extended Attributes" sections. Some examples: `basic_profile`, `ext_profile`, `ext_nested_groups`, etc.
 - `scripts` (Map of String) A map of scripts used for an OAuth connection. Only accepts a `fetchUserProfile` script.
-- `set_user_root_attributes` (String) Determines whether the 'name', 'given_name', 'family_name', 'nickname', and 'picture' attributes can be independently updated when using an external IdP. Possible values are 'on_each_login' (default value, it configures the connection to automatically update the root attributes from the external IdP with each user login. When this setting is used, root attributes cannot be independently updated), 'on_first_login' (configures the connection to only set the root attributes on first login, allowing them to be independently updated thereafter).
+- `set_user_root_attributes` (String) Determines whether to sync user profile attributes (`name`, `given_name`, `family_name`, `nickname`, `picture`) at each login or only on the first login. Options include: `on_each_login`, `on_first_login`. Default value: `on_each_login`.
 - `should_trust_email_verified_connection` (String) Choose how Auth0 sets the email_verified field in the user profile.
 - `sign_in_endpoint` (String) SAML single login URL for the connection.
 - `sign_out_endpoint` (String) SAML single logout URL for the connection.

diff --git a/internal/auth0/connection/expand.go b/internal/auth0/connection/expand.go
@@ -584,11 +584,15 @@ func expandConnectionOptionsAzureAD(
 		EnableUsersAPI:      value.Bool(config.GetAttr("api_enable_users")),
 		LogoURL:             value.String(config.GetAttr("icon_url")),
 		IdentityAPI:         value.String(config.GetAttr("identity_api")),
-		SetUserAttributes:   value.String(config.GetAttr("set_user_root_attributes")),
 		NonPersistentAttrs:  value.Strings(config.GetAttr("non_persistent_attrs")),
 		TrustEmailVerified:  value.String(config.GetAttr("should_trust_email_verified_connection")),
 	}
 
+	options.SetUserAttributes = value.String(config.GetAttr("set_user_root_attributes"))
+	if options.GetSetUserAttributes() == "on_each_login" {
+		options.SetUserAttributes = nil // This needs to be omitted to have the toggle enabled in the UI.
+	}
+
 	expandConnectionOptionsScopes(d, options)
 
 	var err error

diff --git a/internal/auth0/connection/flatten.go b/internal/auth0/connection/flatten.go
@@ -507,11 +507,15 @@ func flattenConnectionOptionsAzureAD(options *management.ConnectionOptionsAzureA
 		"api_enable_users":                       options.GetEnableUsersAPI(),
 		"max_groups_to_retrieve":                 options.GetMaxGroupsToRetrieve(),
 		"scopes":                                 options.Scopes(),
-		"set_user_root_attributes":               options.GetSetUserAttributes(),
 		"non_persistent_attrs":                   options.GetNonPersistentAttrs(),
 		"should_trust_email_verified_connection": options.GetTrustEmailVerified(),
 	}
 
+	m["set_user_root_attributes"] = options.GetSetUserAttributes()
+	if options.GetSetUserAttributes() == "" {
+		m["set_user_root_attributes"] = "on_each_login"
+	}
+
 	upstreamParams, err := structure.FlattenJsonToString(options.UpstreamParams)
 	if err != nil {
 		return nil, diag.FromErr(err)

diff --git a/internal/auth0/connection/resource_test.go b/internal/auth0/connection/resource_test.go
@@ -236,6 +236,29 @@ func TestAccConnectionAzureAD(t *testing.T) {
 					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.upstream_params", "{\"screen_name\":{\"alias\":\"login_hint\"}}"),
 				),
 			},
+			{
+				Config: acctest.ParseTestName(testAccConnectionADConfigUpdateSetUserRootAttributes, t.Name()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "name", fmt.Sprintf("Acceptance-Test-Azure-AD-%s", t.Name())),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "strategy", "waad"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "show_as_button", "true"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.identity_api", "azure-active-directory-v1.0"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.client_id", "123456"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.client_secret", "123456"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.tenant_domain", "example.onmicrosoft.com"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.domain", "example.onmicrosoft.com"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.domain_aliases.#", "2"),
+					resource.TestCheckTypeSetElemAttr("auth0_connection.azure_ad", "options.0.domain_aliases.*", "example.com"),
+					resource.TestCheckTypeSetElemAttr("auth0_connection.azure_ad", "options.0.domain_aliases.*", "api.example.com"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.scopes.#", "3"),
+					resource.TestCheckTypeSetElemAttr("auth0_connection.azure_ad", "options.0.scopes.*", "basic_profile"),
+					resource.TestCheckTypeSetElemAttr("auth0_connection.azure_ad", "options.0.scopes.*", "ext_profile"),
+					resource.TestCheckTypeSetElemAttr("auth0_connection.azure_ad", "options.0.scopes.*", "ext_groups"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.set_user_root_attributes", "on_first_login"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.should_trust_email_verified_connection", "never_set_emails_as_verified"),
+					resource.TestCheckResourceAttr("auth0_connection.azure_ad", "options.0.upstream_params", "{\"screen_name\":{\"alias\":\"login_hint\"}}"),
+				),
+			},
 		},
 	})
 }
@@ -275,6 +298,41 @@ resource "auth0_connection" "azure_ad" {
 }
 `
 
+const testAccConnectionADConfigUpdateSetUserRootAttributes = `
+resource "auth0_connection" "azure_ad" {
+	name     = "Acceptance-Test-Azure-AD-{{.testName}}"
+	strategy = "waad"
+	show_as_button = true
+	options {
+		identity_api  = "azure-active-directory-v1.0"
+		client_id     = "123456"
+		client_secret = "123456"
+		tenant_domain = "example.onmicrosoft.com"
+		domain        = "example.onmicrosoft.com"
+		domain_aliases = [
+			"example.com",
+			"api.example.com"
+		]
+		use_wsfed            = false
+		waad_protocol        = "openid-connect"
+		waad_common_endpoint = false
+		api_enable_users     = true
+		scopes               = [
+			"basic_profile",
+			"ext_groups",
+			"ext_profile"
+		]
+		set_user_root_attributes = "on_first_login"
+		should_trust_email_verified_connection = "never_set_emails_as_verified"
+		upstream_params = jsonencode({
+			"screen_name": {
+				"alias": "login_hint"
+			}
+		})
+	}
+}
+`
+
 func TestAccConnectionADFS(t *testing.T) {
 	acctest.Test(t, resource.TestCase{
 		Steps: []resource.TestStep{

diff --git a/internal/auth0/connection/schema.go b/internal/auth0/connection/schema.go
@@ -503,19 +503,12 @@ var resourceSchema = map[string]*schema.Schema{
 				},
 
 				"set_user_root_attributes": {
-					Type:     schema.TypeString,
-					Optional: true,
-					Computed: true,
-					ValidateFunc: validation.StringInSlice([]string{
-						"on_each_login", "on_first_login",
-					}, false),
-					Description: "Determines whether the 'name', 'given_name', 'family_name', 'nickname', " +
-						"and 'picture' attributes can be independently updated when using an external IdP. " +
-						"Possible values are 'on_each_login' (default value, it configures the connection to " +
-						"automatically update the root attributes from the external IdP with each user login. " +
-						"When this setting is used, root attributes cannot be independently updated), " +
-						"'on_first_login' (configures the connection to only set the root attributes on " +
-						"first login, allowing them to be independently updated thereafter).",
+					Type:         schema.TypeString,
+					Optional:     true,
+					ValidateFunc: validation.StringInSlice([]string{"on_each_login", "on_first_login"}, false),
+					Description: "Determines whether to sync user profile attributes (`name`, `given_name`, " +
+						"`family_name`, `nickname`, `picture`) at each login or only on the first login. Options " +
+						"include: `on_each_login`, `on_first_login`. Default value: `on_each_login`.",
 				},
 				"non_persistent_attrs": {
 					Type:     schema.TypeSet,