feat: GitHub app provider (#1928)

Co-authored-by: Kevin McDermott <kevin.mcdermott@suse.com>
Co-authored-by: Jonathan Crowther <jonathan.crowther@suse.com>
Co-authored-by: Matt Trachier <matt.trachier@suse.com>

Author: 4 people

rancher2/00_provider_test.go

@@ -9,9 +9,7 @@ import (
 )
 
 func TestProvider(t *testing.T) {
-	if err := Provider().(*schema.Provider).InternalValidate(); err != nil {
-		assert.FailNow(t, "err: %s", err)
-	}
+	assert.NoError(t, Provider().(*schema.Provider).InternalValidate())
 }
 
 func TestProvider_impl(t *testing.T) {

rancher2/config.go

@@ -1268,6 +1268,8 @@ func getAuthConfigObject(kind string) (interface{}, error) {
 		return &managementClient.LdapConfig{}, nil
 	case managementClient.GithubConfigType:
 		return &managementClient.GithubConfig{}, nil
+	case managementClient.GithubAppConfigType:
+		return &managementClient.GithubAppConfig{}, nil
 	case managementClient.KeyCloakConfigType:
 		return &managementClient.KeyCloakConfig{}, nil
 	case managementClient.GenericOIDCConfigType:

rancher2/provider.go

@@ -113,6 +113,7 @@ func Provider() terraform.ResourceProvider {
 			"rancher2_auth_config_azuread":                           resourceRancher2AuthConfigAzureAD(),
 			"rancher2_auth_config_freeipa":                           resourceRancher2AuthConfigFreeIpa(),
 			"rancher2_auth_config_github":                            resourceRancher2AuthConfigGithub(),
+			"rancher2_auth_config_githubapp":                         resourceRancher2AuthConfigGithubApp(),
 			"rancher2_auth_config_keycloak":                          resourceRancher2AuthConfigKeyCloak(),
 			"rancher2_auth_config_okta":                              resourceRancher2AuthConfigOKTA(),
 			"rancher2_auth_config_generic_oidc":                      resourceRancher2AuthConfigGenericOIDC(),
@@ -235,7 +236,7 @@ func providerValidateConfig(config *Config) (*Config, error) {
 	if config.Bootstrap {
 		// If bootstrap tokenkey accesskey nor secretkey can be provided
 		if config.TokenKey != providerDefaultEmptyString {
-			return &Config{}, fmt.Errorf("[ERROR] Bootsrap mode activated. Token_key or access_key and secret_key can not be provided")
+			return &Config{}, fmt.Errorf("[ERROR] Bootsrap mode activated. token_key or access_key and secret_key can not be provided")
 		}
 	} else {
 		// Else token or access key and secret key should be provided

rancher2/resource_rancher2_auth_config_github.go

@@ -22,7 +22,7 @@ func resourceRancher2AuthConfigGithub() *schema.Resource {
 func resourceRancher2AuthConfigGithubCreate(d *schema.ResourceData, meta interface{}) error {
 	client, err := meta.(*Config).ManagementClient()
 	if err != nil {
-		return err
+		return fmt.Errorf("[ERROR] Failed to get ManagementClient %s", err)
 	}
 
 	auth, err := client.AuthConfig.ByID(AuthConfigGithubName)
@@ -59,7 +59,7 @@ func resourceRancher2AuthConfigGithubRead(d *schema.ResourceData, meta interface
 	log.Printf("[INFO] Refreshing Auth Config %s", AuthConfigGithubName)
 	client, err := meta.(*Config).ManagementClient()
 	if err != nil {
-		return err
+		return fmt.Errorf("[ERROR] Failed to get ManagementClient %s", err)
 	}
 
 	auth, err := client.AuthConfig.ByID(AuthConfigGithubName)
@@ -96,7 +96,7 @@ func resourceRancher2AuthConfigGithubDelete(d *schema.ResourceData, meta interfa
 
 	client, err := meta.(*Config).ManagementClient()
 	if err != nil {
-		return err
+		return fmt.Errorf("[ERROR] Failed to get ManagementClient %s", err)
 	}
 
 	auth, err := client.AuthConfig.ByID(AuthConfigGithubName)
@@ -106,7 +106,7 @@ func resourceRancher2AuthConfigGithubDelete(d *schema.ResourceData, meta interfa
 			d.SetId("")
 			return nil
 		}
-		return err
+		return fmt.Errorf("[ERROR] Getting the %s AuthConfig: %w", AuthConfigGithubName, err)
 	}
 
 	if auth.Enabled == true {

rancher2/resource_rancher2_auth_config_githubapp.go

@@ -0,0 +1,120 @@
+package rancher2
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	managementClient "github.com/rancher/rancher/pkg/client/generated/management/v3"
+)
+
+func resourceRancher2AuthConfigGithubApp() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceRancher2AuthConfigGithubAppCreate,
+		Read:   resourceRancher2AuthConfigGithubAppRead,
+		Update: resourceRancher2AuthConfigGithubAppUpdate,
+		Delete: resourceRancher2AuthConfigGithubAppDelete,
+		Schema: authConfigGithubAppFields(),
+	}
+}
+
+func resourceRancher2AuthConfigGithubAppCreate(d *schema.ResourceData, meta interface{}) error {
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed to get ManagementClient %s", err)
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGithubAppName)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed to get Auth Config %s: %s", AuthConfigGithubAppName, err)
+	}
+
+	log.Printf("[INFO] Creating Auth Config %s %s", AuthConfigGithubAppName, auth.Name)
+
+	authGithubApp, err := expandAuthConfigGithubApp(d)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed expanding Auth Config %s: %s", AuthConfigGithubAppName, err)
+	}
+
+	// Checking if other auth config is enabled
+	if authGithubApp.Enabled {
+		err = meta.(*Config).CheckAuthConfigEnabled(AuthConfigGithubAppName)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Checking if an Auth Config other than %s is enabled: %s", AuthConfigGithubAppName, err)
+		}
+	}
+
+	// Updated auth config
+	newAuth := &managementClient.GithubAppConfig{}
+	err = meta.(*Config).UpdateAuthConfig(auth.Links["self"], authGithubApp, newAuth)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Updating Auth Config %s: %s", AuthConfigGithubAppName, err)
+	}
+
+	return resourceRancher2AuthConfigGithubAppRead(d, meta)
+}
+
+func resourceRancher2AuthConfigGithubAppRead(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Refreshing Auth Config %s", AuthConfigGithubAppName)
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed to get ManagementClient %s", err)
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGithubAppName)
+	if err != nil {
+		if IsNotFound(err) {
+			log.Printf("[INFO] Auth Config %s not found.", AuthConfigGithubAppName)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("[ERROR] Getting Auth Config %s By ID: %w", AuthConfigGithubAppName, err)
+	}
+
+	authGithubApp, err := meta.(*Config).GetAuthConfig(auth)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Getting Auth Config %s: %w", AuthConfigGithubAppName, err)
+	}
+
+	err = flattenAuthConfigGithubApp(d, authGithubApp.(*managementClient.GithubAppConfig))
+	if err != nil {
+		return fmt.Errorf("[ERROR] Flattening GitHub app: %w", err)
+	}
+
+	return nil
+}
+
+func resourceRancher2AuthConfigGithubAppUpdate(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Updating Auth Config %s", AuthConfigGithubAppName)
+
+	return resourceRancher2AuthConfigGithubAppCreate(d, meta)
+}
+
+func resourceRancher2AuthConfigGithubAppDelete(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Disabling Auth Config %s", AuthConfigGithubAppName)
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed to get ManagementClient %s", err)
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGithubAppName)
+	if err != nil {
+		if IsNotFound(err) {
+			log.Printf("[INFO] Auth Config %s not found.", AuthConfigGithubAppName)
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("[ERROR] Getting the %s AuthConfig: %w", AuthConfigGithubAppName, err)
+	}
+
+	if auth.Enabled == true {
+		err = client.Post(auth.Actions["disable"], nil, nil)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Disabling Auth Config %s: %s", AuthConfigGithubAppName, err)
+		}
+	}
+
+	d.SetId("")
+	return nil
+}

rancher2/schema_auth_config_githubapp.go

@@ -0,0 +1,110 @@
+package rancher2
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"maps"
+	"strconv"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+const AuthConfigGithubAppName = "githubapp"
+
+func authConfigGithubAppFields() map[string]*schema.Schema {
+	s := map[string]*schema.Schema{
+		"client_id": {
+			Type:      schema.TypeString,
+			Required:  true,
+			Sensitive: true,
+		},
+		"client_secret": {
+			Type:      schema.TypeString,
+			Required:  true,
+			Sensitive: true,
+		},
+		"hostname": {
+			Type:     schema.TypeString,
+			Optional: true,
+			Default:  "github.com",
+		},
+		"tls": {
+			Type:     schema.TypeBool,
+			Optional: true,
+			Default:  true,
+		},
+		"app_id": {
+			Type:         schema.TypeString,
+			Description:  "The GitHub App ID is provided on the GitHub apps page.",
+			Required:     true,
+			ValidateFunc: isValidIntegerString,
+		},
+		"private_key": {
+			Type:         schema.TypeString,
+			Required:     true,
+			Description:  "PEM format private key for signing requests.",
+			ValidateFunc: isPEMEncodedPrivateKey,
+		},
+		"installation_id": {
+			Type:         schema.TypeString,
+			Description:  "If the Installation ID is not provided, all installations for the App will be queried.",
+			Optional:     true,
+			ValidateFunc: isValidIntegerString,
+		},
+	}
+
+	maps.Copy(s, authConfigFields())
+
+	return s
+}
+
+func isValidIntegerString(i any, k string) (warnings []string, errors []error) {
+	v, ok := i.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected type of %q to be string", k))
+		return warnings, errors
+	}
+
+	if _, err := strconv.ParseInt(v, 10, 64); err != nil {
+		errors = append(errors, fmt.Errorf("expected %q to be a valid integer, got %v", k, v))
+	}
+
+	return warnings, errors
+}
+
+func isPEMEncodedPrivateKey(i any, k string) (warnings []string, errors []error) {
+	v, ok := i.(string)
+	if !ok {
+		errors = append(errors, fmt.Errorf("expected type of %q to be string", k))
+		return warnings, errors
+	}
+
+	var block *pem.Block
+	if block, _ = pem.Decode([]byte(v)); block == nil {
+		errors = append(errors, fmt.Errorf("expected %q to be PEM encoded", k))
+		return warnings, errors
+	}
+
+	var key any
+	parsedKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			errors = append(errors, fmt.Errorf("expected %q to be an RSA Private Key", k))
+			return warnings, errors
+		} else {
+			key = parsedKey
+		}
+	} else {
+		key = parsedKey
+	}
+
+	if _, ok := key.(*rsa.PrivateKey); !ok {
+		errors = append(errors, fmt.Errorf("expected %q to be an RSA Private Key", k))
+		return warnings, errors
+	}
+
+	return warnings, errors
+}