EZSCALE/terraform-provider-virtfusion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
ef8fbd530bcfe3197db0bcecda2db19be9e8b8e0
terraform-provider-virtfusion/internal/provider/resource_user_server_auth_token.go
Andrew ef8fbd530b
Some checks failed
Endpoint Sync Check / check-drift (push) Successful in 50s
Details
CI / build (push) Failing after 1m26s
Details
Fix path injection, sensitive attribute exposure, and error body truncation 
Security fixes from audit:

- Escape user-supplied strings (ext_relation_id, interface_name) with
  url.PathEscape before interpolating into API URL paths, preventing
  path traversal via crafted values like "../admin" or "foo/bar"
- Mark auth token URL attributes as Sensitive in both
  virtfusion_user_auth_token and virtfusion_user_server_auth_token
  resources, since the URL embeds the signed token
- Truncate raw API error response bodies to 500 bytes in error messages
  to prevent leaking sensitive data from verbose Laravel error responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 02:07:34 -04:00

197 lines
7.0 KiB
Go
Raw Blame History

// Copyright (c) EZSCALE.
// SPDX-License-Identifier: MPL-2.0
package provider
import (
"context"
"encoding/json"
"fmt"
"net/url"
"time"
"terraform-provider-virtfusion/internal/client"
"github.com/hashicorp/terraform-plugin-framework/path"
"github.com/hashicorp/terraform-plugin-framework/resource"
"github.com/hashicorp/terraform-plugin-framework/resource/schema"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/mapplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
"github.com/hashicorp/terraform-plugin-framework/types"
)
// Ensure provider-defined types fully satisfy framework interfaces.
var (
_ resource.Resource = &UserServerAuthTokenResource{}
_ resource.ResourceWithConfigure = &UserServerAuthTokenResource{}
)
// NewUserServerAuthTokenResource creates a new user server auth token resource.
func NewUserServerAuthTokenResource() resource.Resource {
return &UserServerAuthTokenResource{}
}
// UserServerAuthTokenResource defines the resource implementation.
type UserServerAuthTokenResource struct {
client *client.Client
}
// UserServerAuthTokenResourceModel describes the resource data model.
type UserServerAuthTokenResourceModel struct {
ID types.String `tfsdk:"id"`
ExtRelationID types.String `tfsdk:"ext_relation_id"`
ServerID types.Int64 `tfsdk:"server_id"`
Token types.String `tfsdk:"token"`
URL types.String `tfsdk:"url"`
Triggers types.Map `tfsdk:"triggers"`
}
func (r *UserServerAuthTokenResource) Metadata(_ context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
resp.TypeName = req.ProviderTypeName + "_user_server_auth_token"
}
func (r *UserServerAuthTokenResource) Schema(_ context.Context, _ resource.SchemaRequest, resp *resource.SchemaResponse) {
resp.Schema = schema.Schema{
MarkdownDescription: "Generates a server-scoped authentication token for a VirtFusion user. This is a trigger-style resource — the token is generated on create and can be re-generated by changing the `triggers` attribute.",
Attributes: map[string]schema.Attribute{
"id": schema.StringAttribute{
MarkdownDescription: "The identifier for this server auth token generation.",
Computed: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.UseStateForUnknown(),
},
},
"ext_relation_id": schema.StringAttribute{
MarkdownDescription: "The external relation ID of the user to generate the server auth token for.",
Required: true,
},
"server_id": schema.Int64Attribute{
MarkdownDescription: "The ID of the server to scope the auth token to.",
Required: true,
},
"token": schema.StringAttribute{
MarkdownDescription: "The generated server authentication token.",
Computed: true,
Sensitive: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.UseStateForUnknown(),
},
},
"url": schema.StringAttribute{
MarkdownDescription: "The authentication URL for the generated server token.",
Computed: true,
Sensitive: true,
PlanModifiers: []planmodifier.String{
stringplanmodifier.UseStateForUnknown(),
},
},
"triggers": schema.MapAttribute{
MarkdownDescription: "A map of arbitrary strings that, when changed, will cause the server auth token to be re-generated. Works like `triggers` in `terraform_data`.",
ElementType: types.StringType,
Optional: true,
PlanModifiers: []planmodifier.Map{
mapplanmodifier.RequiresReplace(),
},
},
},
}
}
func (r *UserServerAuthTokenResource) Configure(_ context.Context, req resource.ConfigureRequest, resp *resource.ConfigureResponse) {
if req.ProviderData == nil {
return
}
c, ok := req.ProviderData.(*client.Client)
if !ok {
resp.Diagnostics.AddError(
"Unexpected Resource Configure Type",
fmt.Sprintf("Expected *client.Client, got: %T. Please report this issue to the provider developers.", req.ProviderData),
)
return
}
r.client = c
}
func (r *UserServerAuthTokenResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
var data UserServerAuthTokenResourceModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
if resp.Diagnostics.HasError() {
return
}
apiPath := fmt.Sprintf("/users/%s/serverAuthenticationTokens/%d", url.PathEscape(data.ExtRelationID.ValueString()), data.ServerID.ValueInt64())
rawResp, err := r.client.Post(ctx, apiPath, nil)
if err != nil {
resp.Diagnostics.AddError(
"Error Generating User Server Auth Token",
fmt.Sprintf("Could not generate server auth token for user %q on server %d: %s", data.ExtRelationID.ValueString(), data.ServerID.ValueInt64(), err),
)
return
}
// Parse the response for the token and URL.
if rawResp != nil {
var tokenResp client.AuthTokenResponse
if jsonErr := json.Unmarshal(rawResp, &tokenResp); jsonErr == nil {
data.Token = types.StringValue(tokenResp.Data.Token)
data.URL = types.StringValue(tokenResp.Data.URL)
} else {
data.Token = types.StringValue("")
data.URL = types.StringValue("")
}
} else {
data.Token = types.StringValue("")
data.URL = types.StringValue("")
}
data.ID = types.StringValue(fmt.Sprintf("%s-%d-%d", data.ExtRelationID.ValueString(), data.ServerID.ValueInt64(), time.Now().UnixNano()))
resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
}
func (r *UserServerAuthTokenResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
var data UserServerAuthTokenResourceModel
resp.Diagnostics.Append(req.State.Get(ctx, &data)...)
if resp.Diagnostics.HasError() {
return
}
// Return stored state as-is for trigger-style resources.
resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
}
func (r *UserServerAuthTokenResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
var data UserServerAuthTokenResourceModel
resp.Diagnostics.Append(req.Plan.Get(ctx, &data)...)
if resp.Diagnostics.HasError() {
return
}
resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
}
func (r *UserServerAuthTokenResource) Delete(_ context.Context, _ resource.DeleteRequest, _ *resource.DeleteResponse) {
// No-op: server auth tokens cannot be revoked via this resource. Removing from state only.
}
// ValidateConfig validates the resource configuration.
func (r *UserServerAuthTokenResource) ValidateConfig(ctx context.Context, req resource.ValidateConfigRequest, resp *resource.ValidateConfigResponse) {
var data UserServerAuthTokenResourceModel
resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
if resp.Diagnostics.HasError() {
return
}
// Validate server_id is positive.
if !data.ServerID.IsNull() && !data.ServerID.IsUnknown() && data.ServerID.ValueInt64() <= 0 {
resp.Diagnostics.AddAttributeError(
path.Root("server_id"),
"Invalid Server ID",
"server_id must be a positive integer.",
)
}
}
Reference in New Issue View Git Blame Copy Permalink