Implement support for TOTP on the root user

docs/index.md

@@ -3,12 +3,12 @@
 page_title: "proxmoxve Provider"
 subcategory: ""
 description: |-
-  The following environment variables can be set as a fallback for any omitted attributes in the provider declaration: PROXMOXVE_BASE_URL, PROXMOXVE_TOKEN_ID, PROXMOXVE_SECRET, PROXMOXVE_ROOT_PASSWORD, PROXMOXVE_TLS_INSECURE.NOTE: base_url attribute is always required. Additionally, most API endpoints require token_id and secret, whilst some require root_password. The latter will be documented in the resource.
+  The following environment variables can be set as a fallback for any omitted attributes in the provider declaration: PROXMOXVE_BASE_URL, PROXMOXVE_TOKEN_ID, PROXMOXVE_SECRET, PROXMOXVE_ROOT_PASSWORD, PROXMOXVE_TOTPSEED, PROXMOXVE_TLS_INSECURE.NOTE: base_url attribute is always required. Additionally, most API endpoints require token_id and secret. Other API endpoints require root_password, and if 2FA is enabled for the root user, totp_seed must also be informed.
 ---
 
 # proxmoxve Provider
 
-The following environment variables can be set as a fallback for any omitted attributes in the provider declaration: `PROXMOXVE_BASE_URL`, `PROXMOXVE_TOKEN_ID`, `PROXMOXVE_SECRET`, `PROXMOXVE_ROOT_PASSWORD`, `PROXMOXVE_TLS_INSECURE`.</p>**NOTE:** `base_url` attribute is always required. Additionally, most API endpoints require `token_id` and `secret`, whilst some require `root_password`. The latter will be documented in the resource.
+The following environment variables can be set as a fallback for any omitted attributes in the provider declaration: `PROXMOXVE_BASE_URL`, `PROXMOXVE_TOKEN_ID`, `PROXMOXVE_SECRET`, `PROXMOXVE_ROOT_PASSWORD`, `PROXMOXVE_TOTPSEED`, `PROXMOXVE_TLS_INSECURE`.</p>**NOTE:** `base_url` attribute is always required. Additionally, most API endpoints require `token_id` and `secret`. Other API endpoints require `root_password`, and if 2FA is enabled for the `root` user, `totp_seed` must also be informed.
 
 ## Example Usage
 
@@ -40,3 +40,4 @@ provider "proxmoxve" {
 - `secret` (String, Sensitive) API Token secret
 - `tls_insecure` (Boolean) Set to `true` to bypass TLS cert validation. Defaults to `false`
 - `token_id` (String) API token ID. e.g. `user@pam!token_name`
+- `totp_seed` (String, Sensitive) If the `root` user has 2FA enabled, please inform the seed used to generate the OTPs. At the moment no other methods of 2FA are supported.

go.mod

@@ -5,7 +5,7 @@ go 1.19
 // replace github.com/c10l/proxmoxve-client-go => ../proxmoxve-client-go
 
 require (
-	github.com/c10l/proxmoxve-client-go v0.0.0-20220823091240-1b1e8c48eb9f
+	github.com/c10l/proxmoxve-client-go v0.0.0-20221220211640-68e8b3ea8257
 	github.com/hashicorp/terraform-plugin-docs v0.13.0
 	github.com/hashicorp/terraform-plugin-framework v1.0.1
 	github.com/hashicorp/terraform-plugin-go v0.14.2
@@ -21,6 +21,7 @@ require (
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/bgentry/speakeasy v0.1.0 // indirect
+	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
@@ -55,6 +56,7 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/posener/complete v1.2.3 // indirect
+	github.com/pquerna/otp v1.4.0 // indirect
 	github.com/russross/blackfriday v1.6.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect

go.sum

@@ -28,8 +28,15 @@ github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgI
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
+github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/c10l/proxmoxve-client-go v0.0.0-20220823091240-1b1e8c48eb9f h1:erHj0IB7YZow8DAqOM28AuEBMgi9FoRS4AZOM3anEh4=
 github.com/c10l/proxmoxve-client-go v0.0.0-20220823091240-1b1e8c48eb9f/go.mod h1:LE0T0ivO2U3rXyLJPKZkxvxAU61PUSV+ALikK8o4LCs=
+github.com/c10l/proxmoxve-client-go v0.0.0-20221220133548-106fc7ca5a51 h1:TXUBnmIQARtcH4v7Tk5hDJecY540L3O51R0nJDaNAFo=
+github.com/c10l/proxmoxve-client-go v0.0.0-20221220133548-106fc7ca5a51/go.mod h1:LE0T0ivO2U3rXyLJPKZkxvxAU61PUSV+ALikK8o4LCs=
+github.com/c10l/proxmoxve-client-go v0.0.0-20221220211640-68e8b3ea8257 h1:Xzg/nysA6SkUlkJ1RKCThtDPz0oBMnO0Qn5oG8aBvAc=
+github.com/c10l/proxmoxve-client-go v0.0.0-20221220211640-68e8b3ea8257/go.mod h1:ZApKlMtmPbGYDlLr3kbFvH9SWFArJELF6iZ50OuQMrk=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -179,6 +186,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/posener/complete v1.2.3 h1:NP0eAhjcjImqslEwo/1hq7gpajME0fTLTezBKDqfXqo=
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
+github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
+github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
 github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=

internal/provider/provider.go

@@ -32,6 +32,7 @@ type ProxmoxVEProviderModel struct {
 	TokenID      types.String `tfsdk:"token_id"`
 	Secret       types.String `tfsdk:"secret"`
 	RootPassword types.String `tfsdk:"root_password"`
+	TOTPSeed     types.String `tfsdk:"totp_seed"`
 	TLSInsecure  types.Bool   `tfsdk:"tls_insecure"`
 }
 
@@ -43,8 +44,8 @@ func (p *ProxmoxVEProvider) Metadata(ctx context.Context, req provider.MetadataR
 // GetSchema
 func (p *ProxmoxVEProvider) Schema(ctx context.Context, req provider.SchemaRequest, resp *provider.SchemaResponse) {
 	resp.Schema = schema.Schema{
-		MarkdownDescription: "The following environment variables can be set as a fallback for any omitted attributes in the provider declaration: `PROXMOXVE_BASE_URL`, `PROXMOXVE_TOKEN_ID`, `PROXMOXVE_SECRET`, `PROXMOXVE_ROOT_PASSWORD`, `PROXMOXVE_TLS_INSECURE`.</p>" +
-			"**NOTE:** `base_url` attribute is always required. Additionally, most API endpoints require `token_id` and `secret`, whilst some require `root_password`. The latter will be documented in the resource.",
+		MarkdownDescription: "The following environment variables can be set as a fallback for any omitted attributes in the provider declaration: `PROXMOXVE_BASE_URL`, `PROXMOXVE_TOKEN_ID`, `PROXMOXVE_SECRET`, `PROXMOXVE_ROOT_PASSWORD`, `PROXMOXVE_TOTPSEED`, `PROXMOXVE_TLS_INSECURE`.</p>" +
+			"**NOTE:** `base_url` attribute is always required. Additionally, most API endpoints require `token_id` and `secret`. Other API endpoints require `root_password`, and if 2FA is enabled for the `root` user, `totp_seed` must also be informed.",
 		Attributes: map[string]schema.Attribute{
 			"base_url": schema.StringAttribute{
 				Optional:            true,
@@ -64,6 +65,11 @@ func (p *ProxmoxVEProvider) Schema(ctx context.Context, req provider.SchemaReque
 				Sensitive:           true,
 				MarkdownDescription: "Password of the `root` user. Some API endpoints can only be called via a ticket which must be acquired as the `root@pam` user (as opposed to an API token). e.g. the ACME endpoits",
 			},
+			"totp_seed": schema.StringAttribute{
+				Optional:            true,
+				Sensitive:           true,
+				MarkdownDescription: "If the `root` user has 2FA enabled, please inform the seed used to generate the OTPs. At the moment no other methods of 2FA are supported.",
+			},
 			"tls_insecure": schema.BoolAttribute{
 				Optional:            true,
 				MarkdownDescription: "Set to `true` to bypass TLS cert validation. Defaults to `false`",
@@ -118,13 +124,13 @@ func (p *ProxmoxVEProvider) Configure(ctx context.Context, req provider.Configur
 
 	clients := map[string]getClientFunc{
 		"token": getTokenClientFunc(baseURL, tlsInsecure, data.TokenID, data.Secret),
-		"root":  getRootClientFunc(baseURL, tlsInsecure, data.RootPassword),
+		"root":  getRootClientFunc(baseURL, tlsInsecure, data.RootPassword, data.TOTPSeed),
 	}
 	resp.DataSourceData = clients
 	resp.ResourceData = clients
 }
 
-func getRootClientFunc(baseURL string, insecure bool, rootPassword types.String) func() (*proxmox.Client, error) {
+func getRootClientFunc(baseURL string, insecure bool, rootPassword, totpSeed types.String) func() (*proxmox.Client, error) {
 	return func() (*proxmox.Client, error) {
 		pwd := rootPassword.ValueString()
 		if rootPassword.IsNull() {
@@ -134,7 +140,12 @@ func getRootClientFunc(baseURL string, insecure bool, rootPassword types.String)
 			}
 		}
 
-		rootClient, err := proxmox.NewTicketClient(baseURL, "root@pam", pwd, insecure)
+		totpSd := totpSeed.ValueString()
+		if totpSeed.IsNull() {
+			totpSd = os.Getenv("PROXMOXVE_TOTPSEED")
+		}
+
+		rootClient, err := proxmox.NewTicketClient(baseURL, "root@pam", pwd, totpSd, insecure)
 		if err != nil {
 			return nil, errors.New("unable to create ProxMox VE client with root@pam user and password:\n\n" + err.Error())
 		}