fix(IAM Policy Management): Add operator support to subject_attribute…

…s in Authorziation Policy (#5076) * fix(IAM Policy Management): Add operator support to subject_attributes in Authorziation Policy Signed-off-by: Shaun Colley <shaun.colley@ibm.com> * fix(IAM Policy Management): re-formatted Signed-off-by: Shaun Colley <shaun.colley@ibm.com> * fix(IAM Policy Management): updated package and fixed test case Signed-off-by: Shaun Colley <shaun.colley@ibm.com> --------- Signed-off-by: Shaun Colley <shaun.colley@ibm.com> Co-authored-by: HARINI KANTAREDDY <hkantare@in.ibm.com>
IBM-Cloud · Jan 30, 2024 · abb4292 · abb4292
1 parent e332407
commit abb4292
Show file tree

Hide file tree

Showing 8 changed files with 354 additions and 103 deletions.
diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/IBM/ibm-hpcs-uko-sdk v0.0.20-beta
 	github.com/IBM/keyprotect-go-client v0.12.2
 	github.com/IBM/networking-go-sdk v0.44.0
-	github.com/IBM/platform-services-go-sdk v0.55.0
+	github.com/IBM/platform-services-go-sdk v0.56.3
 	github.com/IBM/project-go-sdk v0.2.0
 	github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5
 	github.com/IBM/scc-go-sdk/v5 v5.1.4

diff --git a/go.sum b/go.sum
@@ -160,6 +160,8 @@ github.com/IBM/networking-go-sdk v0.44.0 h1:6acyMd6hwxcjK3bJ2suiUBTjzg8mRFAvYD76
 github.com/IBM/networking-go-sdk v0.44.0/go.mod h1:XtqYRInR5NHmFUXhOL6RovpDdv6PnJfZ1lPFvssA8MA=
 github.com/IBM/platform-services-go-sdk v0.55.0 h1:W598xZanL61bwd8O2DQexr4qjIr+/tP0Y845zoms5yA=
 github.com/IBM/platform-services-go-sdk v0.55.0/go.mod h1:CWSprvsCsXWvujmBzbtoJSmbRZS9FVV3O594b0t/GiM=
+github.com/IBM/platform-services-go-sdk v0.56.3 h1:DQ1VMQSknhPsdT7d+AybKiZT82esczAkHCIBkwYubzQ=
+github.com/IBM/platform-services-go-sdk v0.56.3/go.mod h1:+U6Kg7o5u/Bh4ZkLxjymSgfdpVsaWAtsMtzhwclUry0=
 github.com/IBM/project-go-sdk v0.2.0 h1:DMv0HQfS3GQHkkagZ4E2vt1H1paN5Gh357K9izeaGj8=
 github.com/IBM/project-go-sdk v0.2.0/go.mod h1:lqe0M4cKvABI1iHR1b+KfasVcxQL6nl2VJ8eOyQs8Ig=
 github.com/IBM/push-notifications-go-sdk v0.0.0-20210310100607-5790b96c47f5 h1:NPUhkoOCRuv3OFWt19PmwjXGGTKlvmbuPg9fUrBUNe4=

diff --git a/ibm/flex/structures.go b/ibm/flex/structures.go
@@ -1639,7 +1639,11 @@ func FlattenV2PolicyResource(resource iampolicymanagementv1.V2PolicyResource) []
 	if len(customAttributes) > 0 {
 		out := make(map[string]string)
 		for _, a := range customAttributes {
-			out[*a.Key] = fmt.Sprint(a.Value)
+			if *a.Operator == "stringExists" && a.Value == true {
+				out[*a.Key] = fmt.Sprint("*")
+			} else if *a.Operator == "stringMatch" || *a.Operator == "stringEquals" {
+				out[*a.Key] = fmt.Sprint(a.Value)
+			}
 		}
 		l["attributes"] = out
 	}
@@ -3345,10 +3349,12 @@ func GetResourceAttribute(name string, r iampolicymanagementv1.PolicyResource) *
 
 func GetV2PolicyResourceAttribute(key string, r iampolicymanagementv1.V2PolicyResource) string {
 	for _, a := range r.Attributes {
-		if *a.Key == key &&
-			(*a.Operator == "stringMatch" ||
-				*a.Operator == "stringEquals") {
-			return a.Value.(string)
+		if *a.Key == key {
+			if *a.Operator == "stringExists" && a.Value == true {
+				return fmt.Sprint("*")
+			} else if *a.Operator == "stringMatch" || *a.Operator == "stringEquals" {
+				return a.Value.(string)
+			}
 		}
 	}
 	return *core.StringPtr("")
@@ -3363,15 +3369,15 @@ func GetSubjectAttribute(name string, s iampolicymanagementv1.PolicySubject) *st
 	return core.StringPtr("")
 }
 
-func GetV2PolicySubjectAttribute(key string, s iampolicymanagementv1.V2PolicySubject) *string {
+func GetV2PolicySubjectAttribute(key string, s iampolicymanagementv1.V2PolicySubject) interface{} {
 	for _, a := range s.Attributes {
 		if *a.Key == key &&
 			(*a.Operator == "stringMatch" ||
 				*a.Operator == "stringEquals") {
 			return a.Value
 		}
 	}
-	return core.StringPtr("")
+	return interface{}(core.StringPtr(""))
 }
 
 func SetResourceAttribute(name *string, value *string, r []iampolicymanagementv1.ResourceAttribute) []iampolicymanagementv1.ResourceAttribute {
@@ -3512,18 +3518,28 @@ func GetRoleNamesFromPolicyResponse(policy iampolicymanagementv1.V2PolicyTemplat
 	controlResponse := policy.Control.(*iampolicymanagementv1.ControlResponse)
 	policyRoles := MapRolesToPolicyRoles(controlResponse.Grant.Roles)
 	resourceAttributes := policy.Resource.Attributes
+	subjectAttributes := policy.Subject.Attributes
 
 	userDetails, err := meta.(conns.ClientSession).BluemixUserDetails()
 	if err != nil {
 		return []string{}, err
 	}
 
 	var (
-		serviceName    string
-		resourceType   string
-		serviceGroupID string
+		serviceName       string
+		sourceServiceName string
+		resourceType      string
+		serviceGroupID    string
 	)
 
+	for _, a := range subjectAttributes {
+		if *a.Key == "serviceName" &&
+			(*a.Operator == "stringMatch" ||
+				*a.Operator == "stringEquals") {
+			sourceServiceName = a.Value.(string)
+		}
+	}
+
 	for _, a := range resourceAttributes {
 		if *a.Key == "serviceName" &&
 			(*a.Operator == "stringMatch" ||
@@ -3550,6 +3566,11 @@ func GetRoleNamesFromPolicyResponse(policy iampolicymanagementv1.V2PolicyTemplat
 	if accountManagement, ok := d.GetOk("account_management"); ok {
 		isAccountManagementPolicy = accountManagement.(bool)
 	}
+
+	if serviceName == "" && resourceType == "resource-group" {
+		serviceName = "resource-controller"
+	}
+
 	if serviceName == "" && // no specific service specified
 		!isAccountManagementPolicy && // not all account management services
 		resourceType != "resource-group" && // not to a resource group
@@ -3565,6 +3586,14 @@ func GetRoleNamesFromPolicyResponse(policy iampolicymanagementv1.V2PolicyTemplat
 		listRoleOptions.ServiceGroupID = &serviceGroupID
 	}
 
+	if sourceServiceName != "" {
+		listRoleOptions.SourceServiceName = &sourceServiceName
+	}
+
+	if *policy.Type != "" {
+		listRoleOptions.PolicyType = policy.Type
+	}
+
 	roleList, _, err := iamPolicyManagementClient.ListRoles(listRoleOptions)
 
 	if err != nil {

diff --git a/ibm/service/iampolicy/data_source_ibm_iam_authorization_policies_test.go b/ibm/service/iampolicy/data_source_ibm_iam_authorization_policies_test.go
@@ -73,8 +73,8 @@ func testAccCheckIBMIAMAuthorizationPoliciesDataSourceMultiplePolicies() string
 		resource "ibm_iam_authorization_policy" "policy1" {
 			source_service_name  = "is"
 			source_resource_type = "load-balancer"
-			target_service_name  = "cloudcerts"
-			roles                = ["Reader"]
+			target_service_name  = "secrets-manager"
+			roles                = ["SecretsReader"]
 		}
 		`
 }
diff --git a/ibm/service/iampolicy/resource_ibm_iam_access_group_policy.go b/ibm/service/iampolicy/resource_ibm_iam_access_group_policy.go
@@ -481,9 +481,9 @@ func resourceIBMIAMAccessGroupPolicyRead(d *schema.ResourceData, meta interface{
 		return fmt.Errorf("[ERROR] Error retrieving access group policy: %s\n%s", err, res)
 	}
 
-	retrievedAttribute := flex.GetV2PolicySubjectAttribute("access_group_id", *accessGroupPolicy.Subject)
-	if accessGroupId != *retrievedAttribute {
-		return fmt.Errorf("[ERROR] Policy %s does not belong to access group %s, retrievedAttr: %s", accessGroupPolicyId, accessGroupId, *retrievedAttribute)
+	retrievedAttribute := flex.GetV2PolicySubjectAttribute("access_group_id", *accessGroupPolicy.Subject).(string)
+	if accessGroupId != retrievedAttribute {
+		return fmt.Errorf("[ERROR] Policy %s does not belong to access group %s, retrievedAttr: %s", accessGroupPolicyId, accessGroupId, retrievedAttribute)
 	}
 
 	d.Set("access_group_id", accessGroupId)
@@ -770,7 +770,7 @@ func resourceIBMIAMAccessGroupPolicyExists(d *schema.ResourceData, meta interfac
 		return false, nil
 	}
 
-	tempID := fmt.Sprintf("%s/%s", *flex.GetV2PolicySubjectAttribute("access_group_id", *accessGroupPolicy.Subject), *accessGroupPolicy.ID)
+	tempID := fmt.Sprintf("%s/%s", flex.GetV2PolicySubjectAttribute("access_group_id", *accessGroupPolicy.Subject), *accessGroupPolicy.ID)
 
 	return tempID == d.Id(), nil
 }