handle signed metadata_url urls

docker-compose.yml

@@ -12,9 +12,9 @@ services:
     depends_on:
       - ldap
     environment:
-      - OPERATIONAL_MODE=CLUSTERED_CONSOLE
-      - CLUSTER_BIND_ADDRESS=LINK_LOCAL
-      - CLUSTER_NAME=COMPOSE_PF_CLUSTER
+      - OPERATIONAL_MODE=STANDALONE
+#      - CLUSTER_BIND_ADDRESS=LINK_LOCAL
+#      - CLUSTER_NAME=COMPOSE_PF_CLUSTER
       - DNS_QUERY_LOCATION=pingfederate-admin
       - DNS_RECORD_TYPE=A
       - PF_LOG_LEVEL=DEBUG

docs/resources/metadata_url.md

@@ -30,15 +30,31 @@ resource "pingfederate_metadata_url" "test" {
 
 ### Optional
 
-- `cert_view` (Attributes) The Signature Verification Certificate details. This property is read-only and is always ignored on a POST or PUT. (see [below for nested schema](#nestedatt--cert_view))
 - `id` (String) The persistent, unique ID for the Metadata Url. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified.
 - `validate_signature` (Boolean) Perform Metadata Signature Validation. The default value is TRUE.
 - `x509file` (Attributes) Data of the Signature Verification Certificate for the Metadata URL. (see [below for nested schema](#nestedatt--x509file))
 
+### Read-Only
+
+- `cert_view` (Attributes) The Signature Verification Certificate details. This property is read-only and is always ignored on a POST or PUT. (see [below for nested schema](#nestedatt--cert_view))
+
+<a id="nestedatt--x509file"></a>
+### Nested Schema for `x509file`
+
+Required:
+
+- `file_data` (String) The certificate data in PEM format. New line characters should be omitted or encoded in this value.
+
+Optional:
+
+- `crypto_provider` (String) Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
+- `id` (String) The persistent, unique ID for the certificate. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified.
+
+
 <a id="nestedatt--cert_view"></a>
 ### Nested Schema for `cert_view`
 
-Optional:
+Read-Only:
 
 - `crypto_provider` (String) Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
 - `expires` (String) The end date up until which the item is valid, in ISO 8601 format (UTC).
@@ -56,19 +72,6 @@ Optional:
 - `valid_from` (String) The start date from which the item is valid, in ISO 8601 format (UTC).
 - `version` (Number) The X.509 version to which the item conforms.
 
-
-<a id="nestedatt--x509file"></a>
-### Nested Schema for `x509file`
-
-Required:
-
-- `file_data` (String) The certificate data in PEM format. New line characters should be omitted or encoded in this value.
-
-Optional:
-
-- `crypto_provider` (String) Cryptographic Provider. This is only applicable if Hybrid HSM mode is true.
-- `id` (String) The persistent, unique ID for the certificate. It can be any combination of [a-z0-9._-]. This property is system-assigned if not specified.
-
 ## Import
 
 Import is supported using the following syntax:

docs/resources/sp_idp_connection.md

@@ -397,7 +397,6 @@ Optional:
 Required:
 
 - `idp_identity_mapping` (String) Defines the process in which users authenticated by the IdP are associated with user accounts local to the SP.
-- `oauth_authentication_policy_contract_ref` (Block List, Min: 1, Max: 1) The Authentication policy contract to map into for OAuth. The policy contract can subsequently be mapped into the OAuth persistent grant. (see [below for nested schema](#nestedblock--idp_browser_sso--oauth_authentication_policy_contract_ref))
 - `protocol` (String) The browser-based SSO protocol to use.
 
 Optional:
@@ -413,25 +412,14 @@ Optional:
 - `enabled_profiles` (List of String) The profiles that are enabled for browser-based SSO. SAML 2.0 supports all profiles whereas SAML 1.x IdP connections support both IdP and SP (non-standard) initiated SSO. This is required for SAMLx.x Connections.
 - `incoming_bindings` (List of String) The SAML bindings that are enabled for browser-based SSO. This is required for SAML 2.0 connections when the enabled profiles contain the SP-initiated SSO profile or either SLO profile. For SAML 1.x based connections, it is not used for SP Connections and it is optional for IdP Connections.
 - `message_customizations` (Block List) The message customizations for browser-based SSO. Depending on server settings, connection type, and protocol this may or may not be supported. (see [below for nested schema](#nestedblock--idp_browser_sso--message_customizations))
+- `oauth_authentication_policy_contract_ref` (Block List, Max: 1) The Authentication policy contract to map into for OAuth. The policy contract can subsequently be mapped into the OAuth persistent grant. (see [below for nested schema](#nestedblock--idp_browser_sso--oauth_authentication_policy_contract_ref))
 - `oidc_provider_settings` (Block List) The OpenID Provider configuration settings. Required for an OIDC connection. (see [below for nested schema](#nestedblock--idp_browser_sso--oidc_provider_settings))
 - `sign_authn_requests` (Boolean) Determines whether SAML authentication requests should be signed.
 - `slo_service_endpoints` (Block List) A list of possible endpoints to send SLO requests and responses. (see [below for nested schema](#nestedblock--idp_browser_sso--slo_service_endpoints))
 - `sso_o_auth_mapping` (Block List) Direct mapping from the IdP connection to the OAuth persistent grant. (see [below for nested schema](#nestedblock--idp_browser_sso--sso_o_auth_mapping))
 - `sso_service_endpoints` (Block List) The IdP SSO endpoints that define where to send your authentication requests. Only required for SP initiated SSO. This is required for SAML x.x and WS-FED Connections. (see [below for nested schema](#nestedblock--idp_browser_sso--sso_service_endpoints))
 - `url_whitelist_entries` (Block List) For WS-Federation connections, a whitelist of additional allowed domains and paths used to validate wreply for SLO, if enabled. (see [below for nested schema](#nestedblock--idp_browser_sso--url_whitelist_entries))
 
-<a id="nestedblock--idp_browser_sso--oauth_authentication_policy_contract_ref"></a>
-### Nested Schema for `idp_browser_sso.oauth_authentication_policy_contract_ref`
-
-Required:
-
-- `id` (String) The ID of the resource.
-
-Read-Only:
-
-- `location` (String) A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null.
-
-
 <a id="nestedblock--idp_browser_sso--adapter_mappings"></a>
 ### Nested Schema for `idp_browser_sso.adapter_mappings`
 
@@ -1229,6 +1217,18 @@ Optional:
 - `message_expression` (String)
 
 
+<a id="nestedblock--idp_browser_sso--oauth_authentication_policy_contract_ref"></a>
+### Nested Schema for `idp_browser_sso.oauth_authentication_policy_contract_ref`
+
+Required:
+
+- `id` (String) The ID of the resource.
+
+Read-Only:
+
+- `location` (String) A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null.
+
+
 <a id="nestedblock--idp_browser_sso--oidc_provider_settings"></a>
 ### Nested Schema for `idp_browser_sso.oidc_provider_settings`
 

internal/framework/attribute_types.go

@@ -0,0 +1,24 @@
+package framework
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/attr"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+var certViewAttrTypes = map[string]attr.Type{
+	"crypto_provider":           types.StringType,
+	"expires":                   types.StringType,
+	"id":                        types.StringType,
+	"issuer_dn":                 types.StringType,
+	"key_algorithm":             types.StringType,
+	"key_size":                  types.NumberType,
+	"serial_number":             types.StringType,
+	"sha1fingerprint":           types.StringType,
+	"sha256fingerprint":         types.StringType,
+	"signature_algorithm":       types.StringType,
+	"status":                    types.StringType,
+	"subject_alternative_names": types.ListType{ElemType: types.StringType},
+	"subject_dn":                types.StringType,
+	"valid_from":                types.StringType,
+	"version":                   types.NumberType,
+}

internal/framework/expander.go

@@ -3,6 +3,8 @@ package framework
 import (
 	"context"
 
+	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
+
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	pf "github.com/iwarapter/pingfederate-sdk-go/pingfederate/models"
 )
@@ -336,8 +338,8 @@ func expandGlobalAuthenticationSessionPolicy(in GlobalAuthenticationSessionPolic
 
 func expandMetadataUrl(in MetadataUrlData) *pf.MetadataUrl {
 	var result pf.MetadataUrl
-	if in.CertView != nil {
-		result.CertView = expandCertView(*in.CertView)
+	if !in.CertView.IsUnknown() && !in.CertView.IsNull() {
+		in.CertView.As(context.Background(), &result.CertView, basetypes.ObjectAsOptions{})
 	}
 	if !in.Id.IsUnknown() && !in.Id.IsNull() {
 		result.Id = String(in.Id.ValueString())
@@ -433,59 +435,6 @@ func expandBinaryLdapAttributeSettings(in BinaryLdapAttributeSettingsData) *pf.B
 	return &result
 }
 
-func expandCertView(in CertViewData) *pf.CertView {
-	var result pf.CertView
-	if !in.CryptoProvider.IsUnknown() && !in.CryptoProvider.IsNull() {
-		result.CryptoProvider = String(in.CryptoProvider.ValueString())
-	}
-	if !in.Expires.IsUnknown() && !in.Expires.IsNull() {
-		result.Expires = String(in.Expires.ValueString())
-	}
-	if !in.Id.IsUnknown() && !in.Id.IsNull() {
-		result.Id = String(in.Id.ValueString())
-	}
-	if !in.IssuerDN.IsUnknown() && !in.IssuerDN.IsNull() {
-		result.IssuerDN = String(in.IssuerDN.ValueString())
-	}
-	if !in.KeyAlgorithm.IsUnknown() && !in.KeyAlgorithm.IsNull() {
-		result.KeyAlgorithm = String(in.KeyAlgorithm.ValueString())
-	}
-	if !in.KeySize.IsUnknown() && !in.KeySize.IsNull() {
-		i64, _ := in.KeySize.ValueBigFloat().Int64()
-		result.KeySize = Int(int(i64))
-	}
-	if !in.SerialNumber.IsUnknown() && !in.SerialNumber.IsNull() {
-		result.SerialNumber = String(in.SerialNumber.ValueString())
-	}
-	if !in.Sha1Fingerprint.IsUnknown() && !in.Sha1Fingerprint.IsNull() {
-		result.Sha1Fingerprint = String(in.Sha1Fingerprint.ValueString())
-	}
-	if !in.Sha256Fingerprint.IsUnknown() && !in.Sha256Fingerprint.IsNull() {
-		result.Sha256Fingerprint = String(in.Sha256Fingerprint.ValueString())
-	}
-	if !in.SignatureAlgorithm.IsUnknown() && !in.SignatureAlgorithm.IsNull() {
-		result.SignatureAlgorithm = String(in.SignatureAlgorithm.ValueString())
-	}
-	if !in.Status.IsUnknown() && !in.Status.IsNull() {
-		result.Status = String(in.Status.ValueString())
-	}
-	if !in.SubjectAlternativeNames.IsUnknown() && !in.SubjectAlternativeNames.IsNull() {
-		result.SubjectAlternativeNames = expandStringList(in.SubjectAlternativeNames)
-	}
-	if !in.SubjectDN.IsUnknown() && !in.SubjectDN.IsNull() {
-		result.SubjectDN = String(in.SubjectDN.ValueString())
-	}
-	if !in.ValidFrom.IsUnknown() && !in.ValidFrom.IsNull() {
-		result.ValidFrom = String(in.ValidFrom.ValueString())
-	}
-	if !in.Version.IsUnknown() && !in.Version.IsNull() {
-		i64, _ := in.Version.ValueBigFloat().Int64()
-		result.Version = Int(int(i64))
-	}
-
-	return &result
-}
-
 func expandClientAuth(in ClientAuthData) *pf.ClientAuth {
 	var result pf.ClientAuth
 	if !in.ClientCertIssuerDn.IsUnknown() && !in.ClientCertIssuerDn.IsNull() {

internal/framework/flattener.go

@@ -1,6 +1,7 @@
 package framework
 
 import (
+	"context"
 	"math/big"
 
 	"github.com/hashicorp/terraform-plugin-framework/attr"
@@ -653,7 +654,10 @@ func flattenGlobalAuthenticationSessionPolicy(in *pf.GlobalAuthenticationSession
 func flattenMetadataUrl(in *pf.MetadataUrl) *MetadataUrlData {
 	result := MetadataUrlData{}
 	if in.CertView != nil {
-		result.CertView = flattenCertView(in.CertView)
+		flat := flattenCertView(in.CertView)
+		result.CertView, _ = types.ObjectValueFrom(context.Background(), certViewAttrTypes, *flat)
+	} else {
+		result.CertView = types.ObjectNull(certViewAttrTypes)
 	}
 	if in.Id != nil {
 		result.Id = types.StringValue(*in.Id)