feat(codegen): Add support for more hashing types and hide them within private state (#520)

Author: kklimonda-cl

assets/terraform/internal/provider/encrypted.go

@@ -0,0 +1,117 @@
+package provider
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+type HashingType string
+
+const (
+	HashingSoloType   HashingType = "solo"
+	HashingCustomType HashingType = "custom"
+)
+
+type EncryptedValue struct {
+	HashingType HashingType `json:"hashing_type"`
+	Encrypted   *string     `json:"encrypted,omitempty"`
+	Plaintext   *string     `json:"plaintext,omitempty"`
+}
+
+type EncryptedValuesManager struct {
+	preferServerState bool                       `json:"-"`
+	EncryptedValues   map[string]*EncryptedValue `json:"values"`
+}
+
+type EncryptedHashingTypeMismatchError struct {
+	key      string
+	expected HashingType
+	actual   HashingType
+}
+
+func (o EncryptedHashingTypeMismatchError) Error() string {
+	return fmt.Sprintf("unexpected hashing type for key '%s': %s != %s", o.key, o.expected, o.actual)
+}
+
+func NewEncryptedValuesManager(payload []byte, preferServerState bool) (*EncryptedValuesManager, error) {
+	manager := &EncryptedValuesManager{
+		preferServerState: preferServerState,
+	}
+
+	if payload != nil {
+		err := json.Unmarshal(payload, manager)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		manager.EncryptedValues = make(map[string]*EncryptedValue)
+	}
+
+	return manager, nil
+}
+
+func (o EncryptedValuesManager) PreferServerState() bool {
+	return o.preferServerState
+}
+
+func (o *EncryptedValuesManager) StorePlaintextValue(key string, hashing_type HashingType, value string) error {
+	values, found := o.EncryptedValues[key]
+	if !found {
+		values = &EncryptedValue{
+			Plaintext:   &value,
+			HashingType: hashing_type,
+		}
+		o.EncryptedValues[key] = values
+	} else if values.HashingType != hashing_type {
+		return EncryptedHashingTypeMismatchError{
+			key:      key,
+			expected: hashing_type,
+			actual:   values.HashingType,
+		}
+	} else {
+		values.Plaintext = &value
+	}
+
+	return nil
+}
+
+func (o *EncryptedValuesManager) StoreEncryptedValue(key string, hashing_type HashingType, value string) error {
+	values, found := o.EncryptedValues[key]
+	if !found {
+		values = &EncryptedValue{
+			Encrypted:   &value,
+			HashingType: hashing_type,
+		}
+		o.EncryptedValues[key] = values
+	} else if values.HashingType != hashing_type {
+		return EncryptedHashingTypeMismatchError{
+			key:      key,
+			expected: hashing_type,
+			actual:   values.HashingType,
+		}
+	} else {
+		values.Encrypted = &value
+	}
+
+	return nil
+}
+
+func (o EncryptedValuesManager) GetPlaintextValue(key string) (string, bool) {
+	if values, found := o.EncryptedValues[key]; !found {
+		return "", false
+	} else if values.Plaintext == nil {
+		return "", false
+	} else {
+		return *values.Plaintext, true
+	}
+}
+
+func (o EncryptedValuesManager) GetEncryptedValue(key string) (string, bool) {
+	if values, found := o.EncryptedValues[key]; !found {
+		return "", false
+	} else if values.Encrypted == nil {
+		return "", false
+	} else {
+		return *values.Encrypted, true
+	}
+}

assets/terraform/internal/provider/encrypted_test.go

@@ -0,0 +1,58 @@
+package provider
+
+import (
+	"encoding/json"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("EncryptedValuesManager", func() {
+	payload := []byte(`{"values":{"/attr-1":{"hashing_type":"solo","encrypted":"$enc$value","plaintext":"value"}}}`)
+	Context("when creating encrypted values manager from existing payload", func() {
+		It("should return correct values", func() {
+			ev, err := NewEncryptedValuesManager(payload, false)
+			Expect(err).ToNot(HaveOccurred())
+
+			value, found := ev.GetPlaintextValue("/attr-1")
+			Expect(found).To(BeTrue())
+			Expect(value).To(Equal("value"))
+
+			value, found = ev.GetEncryptedValue("/attr-1")
+			Expect(found).To(BeTrue())
+			Expect(value).To(Equal("$enc$value"))
+
+			marshalled, err := json.Marshal(ev)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(marshalled).To(Equal(payload))
+		})
+	})
+	Context("when creating encrypted values manager with no existing payload", func() {
+		var payload []byte
+		Context("and inserting plaintext and encrypted values for a given xpath", func() {
+			It("should return expected values back when requested", func() {
+				ev, err := NewEncryptedValuesManager(payload, false)
+				Expect(err).ToNot(HaveOccurred())
+
+				err = ev.StorePlaintextValue("/attr-1", HashingSoloType, "value")
+				Expect(err).ToNot(HaveOccurred())
+
+				err = ev.StoreEncryptedValue("/attr-1", HashingSoloType, "$enc$value")
+				Expect(err).ToNot(HaveOccurred())
+
+				value, found := ev.GetPlaintextValue("/attr-1")
+				Expect(found).To(BeTrue())
+				Expect(value).To(Equal("value"))
+
+				value, found = ev.GetEncryptedValue("/attr-1")
+				Expect(found).To(BeTrue())
+				Expect(value).To(Equal("$enc$value"))
+
+				expected := []byte(`{"values":{"/attr-1":{"hashing_type":"solo","encrypted":"$enc$value","plaintext":"value"}}}`)
+				marshalled, err := json.Marshal(ev)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(marshalled).To(Equal(expected))
+			})
+		})
+	})
+})

assets/terraform/internal/provider/provider_suite_test.go

@@ -0,0 +1,18 @@
+package provider_test
+
+import (
+	"log/slog"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestProvider(t *testing.T) {
+	handler := slog.NewTextHandler(GinkgoWriter, &slog.HandlerOptions{
+		Level: slog.LevelDebug,
+	})
+	slog.SetDefault(slog.New(handler))
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Provider Suite")
+}

assets/terraform/internal/provider/tools.go

@@ -57,3 +57,53 @@ func ProviderParamDescription(desc, defaultValue, envName, jsonName string) stri
 
 	return b.String()
 }
+
+type AncestorType string
+
+const (
+	AncestorObjectEntry AncestorType = "object-entry"
+	AncestorListEntry   AncestorType = "list-entry"
+)
+
+type Ancestor interface {
+	AncestorName() string
+	EntryName() *string
+}
+
+type XpathAncestorError struct {
+	name    string
+	message string
+}
+
+func (o XpathAncestorError) Error() string {
+	message := o.message
+	message += fmt.Sprintf(": %s", o.name)
+	return message
+}
+
+func CreateXpathForAttributeWithAncestors(ancestors []Ancestor, attribute string) (string, error) {
+	var xpath []string
+
+	createXpathElements := func(attr Ancestor) ([]string, error) {
+		elts := []string{"/" + attr.AncestorName()}
+		name := attr.EntryName()
+		if name != nil {
+			elts = append(elts, fmt.Sprintf("/entry[@name=\"%s\"]", *name))
+
+		}
+
+		return elts, nil
+	}
+
+	for _, elt := range ancestors {
+		xpathElts, err := createXpathElements(elt)
+		if err != nil {
+			return "", err
+		}
+
+		xpath = append(xpath, xpathElts...)
+	}
+
+	xpath = append(xpath, "/"+attribute)
+	return strings.Join(xpath, ""), nil
+}

assets/terraform/internal/provider/tools_test.go

@@ -0,0 +1,69 @@
+package provider_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/PaloAltoNetworks/terraform-provider-panos/internal/provider"
+)
+
+type AncestorMock struct {
+	name      string
+	entryName string
+}
+
+func (o AncestorMock) AncestorName() string {
+	return o.name
+}
+
+func (o AncestorMock) EntryName() *string {
+	if o.entryName == "" {
+		return nil
+	}
+	return &o.entryName
+}
+
+var _ = Describe("CreateXpathForParameterWithAncestors", func() {
+	Context("When no ancestors are provided", func() {
+		It("should generate a single element xpath", func() {
+			var ancestors []provider.Ancestor
+
+			xpath, err := provider.CreateXpathForAttributeWithAncestors(ancestors, "attr-1")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(xpath).To(Equal("/attr-1"))
+		})
+	})
+	Context("When single ancestor of nested type is provided", func() {
+		It("should generate a single element xpath", func() {
+			ancestors := []provider.Ancestor{
+				&AncestorMock{
+					name: "attr-1",
+				},
+			}
+
+			xpath, err := provider.CreateXpathForAttributeWithAncestors(ancestors, "attr-2")
+			Expect(err).ToNot(HaveOccurred())
+			Expect(xpath).To(Equal("/attr-1/attr-2"))
+		})
+	})
+	Context("When multiple ancestors are provided", func() {
+		Context("and one of ancestors is a list", func() {
+			It("should generate a single element xpath", func() {
+				ancestors := []provider.Ancestor{
+					&AncestorMock{
+						name: "attr-1",
+					},
+					&AncestorMock{
+						name:      "attr-2",
+						entryName: "element-1",
+					},
+				}
+
+				xpath, err := provider.CreateXpathForAttributeWithAncestors(ancestors, "attr-3")
+				Expect(err).ToNot(HaveOccurred())
+				Expect(xpath).To(Equal(`/attr-1/attr-2/entry[@name="element-1"]/attr-3`))
+			})
+		})
+
+	})
+})

assets/terraform/test/resource_ntp_settings_test.go

@@ -98,6 +98,25 @@ func TestAccNtpSettings(t *testing.T) {
 					),
 				},
 			},
+			{
+				Config: ntpSettingsConfig4,
+				ConfigVariables: map[string]config.Variable{
+					"location": location,
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"panos_ntp_settings.settings",
+						tfjsonpath.New("ntp_servers").
+							AtMapKey("secondary_ntp_server").
+							AtMapKey("authentication_type").
+							AtMapKey("symmetric_key").
+							AtMapKey("algorithm").
+							AtMapKey("md5").
+							AtMapKey("authentication_key"),
+						knownvalue.StringExact("83d043db4fdfe6882fb7f01a09d92b11"),
+					),
+				},
+			},
 		},
 	})
 }
@@ -178,3 +197,41 @@ resource "panos_ntp_settings" "settings" {
   }
 }
 `
+
+const ntpSettingsConfig4 = `
+variable "location" { type = map }
+
+resource "panos_ntp_settings" "settings" {
+  location = var.location
+
+  ntp_servers = {
+    primary_ntp_server = {
+      ntp_server_address = "172.16.0.1"
+      authentication_type = {
+        symmetric_key = {
+          key_id = 1
+          algorithm = {
+            sha1 = {
+              authentication_key = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+            }
+          }
+        }
+      }
+    }
+
+    secondary_ntp_server = {
+      ntp_server_address = "172.16.0.2"
+      authentication_type = {
+        symmetric_key = {
+          key_id = 1
+          algorithm = {
+            md5 = {
+              authentication_key = "83d043db4fdfe6882fb7f01a09d92b11"
+            }
+          }
+        }
+      }
+    }
+  }
+}
+`