Fix OneLogin user last_login showing placeholder dates instead of "never logged in" (#185)

When creating or editing users via Terraform with the OneLogin provider,
users who have never logged in show a `last_login` date of "24 years
ago" in the OneLogin UI instead of displaying "never logged in". This
occurs because the OneLogin API returns placeholder dates (like
`0001-01-01T00:00:00Z`) for users who have never logged in, and the
Terraform provider was passing these through without filtering.

## Root Cause

The OneLogin API returns ancient placeholder dates for users who have
never logged in:
- `0001-01-01T00:00:00Z` (Year 1 AD - causing the "24 years ago"
display)
- `1970-01-01T00:00:00Z` (Unix epoch)
- `2000-01-01T00:00:00Z` (Y2K)

The Terraform provider was directly setting these placeholder values in
both the user resource read operations and data source queries, which
affected how they appeared in the OneLogin UI.

## Solution

Added filtering logic to detect and remove "never logged in" placeholder
dates:

1. **New helper function `isNeverLoggedInDate()`** - Identifies
placeholder dates by checking if they occur before OneLogin's founding
year (2009)
2. **User resource filtering** - Modified `userRead()` in
`resource_onelogin_users.go` to filter placeholder dates from API
responses before setting Terraform state
3. **Data source filtering** - Modified `dataSourceUsersRead()` in
`data_source_onelogin_users.go` to filter placeholder dates when
building user lists

## Example

```go
// Before: Placeholder date gets set directly
u["last_login"] = "0001-01-01T00:00:00Z"  // Shows as "24 years ago"

// After: Placeholder date is filtered out  
if !isNeverLoggedInDate(lastLoginStr) {
    u["last_login"] = lastLoginStr  // Only set valid dates
}
// Missing last_login shows as "never logged in" in OneLogin UI
```

The fix preserves all valid login dates while filtering out ancient
placeholder dates, ensuring users who have never logged in properly
display as "never logged in" in the OneLogin UI.

Fixes #172.

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 Share your feedback on Copilot coding agent for the chance to win a
$200 gift card! Click
[here](https://survey3.medallia.com/?EAHeSx-AP01bZqG0Ld9QLQ) to start
the survey.

Author: Subterrane

onelogin/data_source_onelogin_users.go

@@ -143,12 +143,19 @@ func dataSourceUsersRead(d *schema.ResourceData, m interface{}) error {
 		}
 		if v, ok := user["last_login"]; ok {
 			// Handle last_login which might be a string or time value
+			var lastLoginStr string
 			switch lastLogin := v.(type) {
 			case string:
-				u["last_login"] = lastLogin
+				lastLoginStr = lastLogin
 			case time.Time:
-				u["last_login"] = lastLogin.Format(time.RFC3339)
+				lastLoginStr = lastLogin.Format(time.RFC3339)
 			}
+
+			// Only set last_login if it's not a "never logged in" placeholder date
+			if lastLoginStr != "" && !isNeverLoggedInDate(lastLoginStr) {
+				u["last_login"] = lastLoginStr
+			}
+			// If it is a placeholder date, don't set it (leave it empty/null)
 		}
 
 		userList = append(userList, u)

onelogin/resource_onelogin_users.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"strconv"
+	"time"
 
 	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -14,6 +15,42 @@ import (
 	"github.com/onelogin/terraform-provider-onelogin/utils"
 )
 
+// isNeverLoggedInDate checks if a date represents a "never logged in" placeholder
+// OneLogin API returns placeholder dates (like 0001-01-01) for users who have never logged in
+func isNeverLoggedInDate(dateStr string) bool {
+	// Parse the date string
+	parsedTime, err := time.Parse(time.RFC3339, dateStr)
+	if err != nil {
+		// Try parsing other common formats if RFC3339 fails
+		formats := []string{
+			"2006-01-02T15:04:05Z",
+			"2006-01-02 15:04:05",
+			"2006-01-02",
+		}
+		found := false
+		for _, format := range formats {
+			if t, parseErr := time.Parse(format, dateStr); parseErr == nil {
+				parsedTime = t
+				found = true
+				break
+			}
+		}
+		// If all parsing attempts fail, treat as valid date to be safe
+		if !found {
+			return false
+		}
+	}
+
+	// OneLogin was founded in 2009, so any date before 2009 is likely a placeholder
+	// This includes common placeholder dates like:
+	// - 0001-01-01 (Year 1 AD - seen in tests)
+	// - 1900-01-01
+	// - 1970-01-01 (Unix epoch)
+	// - 2000-01-01 (Y2K)
+	oneloginFoundedYear := 2009
+	return parsedTime.Year() < oneloginFoundedYear
+}
+
 // Users returns a user resource with CRUD methods and the appropriate schemas
 func Users() *schema.Resource {
 	return &schema.Resource{
@@ -126,6 +163,17 @@ func userRead(ctx context.Context, d *schema.ResourceData, m interface{}) diag.D
 		"member_of", "created_at", "updated_at", "activated_at", "last_login",
 		"trusted_idp_id",
 	}
+
+	// Filter out "never logged in" placeholder dates from the data before setting fields
+	if lastLoginValue, ok := userMap["last_login"]; ok {
+		if lastLoginStr, ok := lastLoginValue.(string); ok {
+			if isNeverLoggedInDate(lastLoginStr) {
+				// Remove the placeholder date so it doesn't get set
+				delete(userMap, "last_login")
+			}
+		}
+	}
+
 	utils.SetResourceFields(d, userMap, basicFields)
 
 	// Handle custom attributes if they exist

onelogin/user_test.go

@@ -14,9 +14,15 @@ import (
 // Mock the OneLogin SDK client
 type mockOneLoginSDK struct {
 	onelogin.OneloginSDK
+	getUserFunc func(id int, queryParams interface{}) (interface{}, error)
 }
 
 func (m *mockOneLoginSDK) GetUserByID(id int, queryParams interface{}) (interface{}, error) {
+	// Use custom function if provided, otherwise use default
+	if m.getUserFunc != nil {
+		return m.getUserFunc(id, queryParams)
+	}
+
 	// Return a mock user with the trusted_idp_id field set
 	return map[string]interface{}{
 		"id":             id,
@@ -114,3 +120,137 @@ func TestUserUpdate(t *testing.T) {
 	// Verify the field was updated in the ResourceData
 	assert.Equal(t, 0, d.Get("trusted_idp_id"), "trusted_idp_id should be updated to 0")
 }
+
+func TestIsNeverLoggedInDate(t *testing.T) {
+	tests := []struct {
+		name     string
+		dateStr  string
+		expected bool
+	}{
+		{
+			name:     "Year 1 AD placeholder date should be filtered",
+			dateStr:  "0001-01-01T00:00:00Z",
+			expected: true,
+		},
+		{
+			name:     "Unix epoch placeholder should be filtered",
+			dateStr:  "1970-01-01T00:00:00Z",
+			expected: true,
+		},
+		{
+			name:     "Y2K placeholder should be filtered",
+			dateStr:  "2000-01-01T00:00:00Z",
+			expected: true,
+		},
+		{
+			name:     "Valid recent date should not be filtered",
+			dateStr:  "2023-01-15T10:30:00Z",
+			expected: false,
+		},
+		{
+			name:     "Date after OneLogin founding should not be filtered",
+			dateStr:  "2015-06-20T14:25:00Z",
+			expected: false,
+		},
+		{
+			name:     "Date just before OneLogin founding should be filtered",
+			dateStr:  "2008-12-31T23:59:59Z",
+			expected: true,
+		},
+		{
+			name:     "Simple date format should work",
+			dateStr:  "2000-01-01",
+			expected: true,
+		},
+		{
+			name:     "Invalid date string should not be filtered (safe fallback)",
+			dateStr:  "invalid-date",
+			expected: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result := isNeverLoggedInDate(test.dateStr)
+			assert.Equal(t, test.expected, result, "isNeverLoggedInDate should return %v for %s", test.expected, test.dateStr)
+		})
+	}
+}
+
+func TestUserReadWithLastLoginFiltering(t *testing.T) {
+	// Create a mock ResourceData
+	r := Users().Schema
+	d := schema.TestResourceDataRaw(t, r, map[string]interface{}{
+		"username": "test.user",
+		"email":    "test.user@example.com",
+	})
+
+	// Mock the OneLogin SDK client with placeholder last_login date
+	client := &mockOneLoginSDK{}
+
+	// Override GetUserByID to return a user with placeholder last_login
+	client.getUserFunc = func(id int, queryParams interface{}) (interface{}, error) {
+		return map[string]interface{}{
+			"id":             id,
+			"username":       "test.user",
+			"email":          "test.user@example.com",
+			"last_login":     "0001-01-01T00:00:00Z", // Placeholder "never logged in" date
+			"trusted_idp_id": 12345,
+		}, nil
+	}
+
+	// Call the mock userRead function which simulates the filtering
+	d.SetId("12345")
+	diags := mockUserReadWithFiltering(context.Background(), d, client)
+	assert.Nil(t, diags, "userRead should not return diagnostics")
+
+	// Verify that last_login is not set when placeholder date is filtered
+	lastLogin := d.Get("last_login")
+	// When a placeholder date is filtered out, the field should not be set (nil/empty)
+	assert.Empty(t, lastLogin, "last_login should be empty when placeholder date is filtered")
+
+	// Verify other fields are still set normally
+	assert.Equal(t, "test.user", d.Get("username"), "username should be set")
+	assert.Equal(t, "test.user@example.com", d.Get("email"), "email should be set")
+	assert.Equal(t, 12345, d.Get("trusted_idp_id"), "trusted_idp_id should be set")
+}
+
+// Mock userRead function that includes the new last_login filtering logic
+func mockUserReadWithFiltering(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
+	client := m.(*mockOneLoginSDK)
+	uid := 12345
+	d.SetId("12345")
+
+	result, _ := client.GetUserByID(uid, nil)
+
+	// Parse the user from the result
+	userMap := result.(map[string]interface{})
+
+	// Set basic user fields (excluding last_login which needs special handling)
+	basicFields := []string{
+		"username", "email", "firstname", "lastname", "title",
+		"department", "company", "status", "state", "phone",
+		"group_id", "directory_id", "distinguished_name", "external_id",
+		"manager_ad_id", "manager_user_id", "samaccountname", "userprincipalname",
+		"member_of", "created_at", "updated_at", "activated_at",
+		"trusted_idp_id",
+	}
+
+	// Filter out "never logged in" placeholder dates from the data before setting fields
+	if lastLoginValue, ok := userMap["last_login"]; ok {
+		if lastLoginStr, ok := lastLoginValue.(string); ok {
+			if isNeverLoggedInDate(lastLoginStr) {
+				// Remove the placeholder date so it doesn't get set
+				delete(userMap, "last_login")
+			}
+		}
+	}
+
+	for _, field := range basicFields {
+		if val, ok := userMap[field]; ok {
+			d.Set(field, val)
+		}
+	}
+
+	return nil
+}