Fix potential inconsistent result errors when using certain OGNL expressions (#499)

* Initial basic fix for escaped OGNL

* Remove unneeded error return from ClientStruct method

* Add tests to cover escaped OGNL expressions

* Mark locations that need to have json Unmarshal removed

* Remove json unmarshal from attribute_sources client struct build

* Remove json Unmarshal from issuance_criteria Client Struct build

* Remove json Unmarshal from oauth_token_exchange_token_generator_mapping CRUD

* Remove unnecessary error return from common methods

* Generate client struct build logic for policy actions

* Changelog

Author: henryrecker-pingidentity

CHANGELOG.md

@@ -4,6 +4,7 @@
 * Fixed plan validation logic in various resources that did not correctly handle unknown values, such as values that depend on the output of another resource. ([#488](https://github.com/pingidentity/terraform-provider-pingfederate/pull/488))
 * Fixed missing `false` default for `pingfederate_incoming_proxy_settings.enable_client_cert_header_auth`. ([#494](https://github.com/pingidentity/terraform-provider-pingfederate/pull/494))
 * Fixed the `encrypted_value` fields of sensitive configuration fields not being correctly written to state. ([#497](https://github.com/pingidentity/terraform-provider-pingfederate/pull/497))
+* Fixed potential inconsistent result errors when using certain escaped OGNL expressions in resource configuration. ([#499](https://github.com/pingidentity/terraform-provider-pingfederate/pull/499))
 
 # v1.4.4 April 8, 2025
 ### Bug fixes

internal/acctest/config/authenticationpolicies/fragments/authentication_policies_fragment_test.go

@@ -224,7 +224,7 @@ resource "pingfederate_authentication_policies_fragment" "%[1]s" {
                   source = {
                     type = "EXPRESSION"
                   },
-                  value = "fullName"
+                  value = "'test1|test2|test3'.split(\"\\\\|\")[1]"
                 }
                 "photo" : {
                   source = {

internal/acctest/config/oauth/accesstokenmapping/oauth_access_token_mapping_resource_gen_test.go

@@ -3,15 +3,21 @@
 package attributecontractfulfillment
 
 import (
-	"encoding/json"
-
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	client "github.com/pingidentity/pingfederate-go-client/v1220/configurationapi"
-	internaljson "github.com/pingidentity/terraform-provider-pingfederate/internal/json"
 )
 
-func ClientStruct(attributeContractFulfillmentAttr types.Map) (map[string]client.AttributeFulfillmentValue, error) {
+func ClientStruct(attributeContractFulfillmentAttr types.Map) map[string]client.AttributeFulfillmentValue {
 	attributeContractFulfillment := map[string]client.AttributeFulfillmentValue{}
-	attributeContractFulfillmentErr := json.Unmarshal([]byte(internaljson.FromValue(attributeContractFulfillmentAttr, false)), &attributeContractFulfillment)
-	return attributeContractFulfillment, attributeContractFulfillmentErr
+	for key, fulfillment := range attributeContractFulfillmentAttr.Elements() {
+		fulfillmentValue := client.AttributeFulfillmentValue{}
+		fulfillmentAttrs := fulfillment.(types.Object).Attributes()
+		fulfillmentValue.Value = fulfillmentAttrs["value"].(types.String).ValueString()
+		fulfillmentValue.Source = client.SourceTypeIdKey{}
+		sourceAttrs := fulfillmentAttrs["source"].(types.Object).Attributes()
+		fulfillmentValue.Source.Type = sourceAttrs["type"].(types.String).ValueString()
+		fulfillmentValue.Source.Id = sourceAttrs["id"].(types.String).ValueStringPointer()
+		attributeContractFulfillment[key] = fulfillmentValue
+	}
+	return attributeContractFulfillment
 }

internal/acctest/config/sp/idpconnection/sp_idp_connection_resource_gen_inbound_provisioning_test.go

@@ -3,43 +3,132 @@
 package attributesources
 
 import (
-	"encoding/json"
-
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	client "github.com/pingidentity/pingfederate-go-client/v1220/configurationapi"
-	internaljson "github.com/pingidentity/terraform-provider-pingfederate/internal/json"
 	internaltypes "github.com/pingidentity/terraform-provider-pingfederate/internal/types"
 )
 
-func ClientStruct(attributeSourcesAttr basetypes.SetValue) ([]client.AttributeSourceAggregation, error) {
+func ClientStruct(attributeSourcesAttr basetypes.SetValue) []client.AttributeSourceAggregation {
 	attributeSourceAggregation := []client.AttributeSourceAggregation{}
 	for _, source := range attributeSourcesAttr.Elements() {
 		//Determine which attribute source type this is
 		sourceAttrs := source.(types.Object).Attributes()
 		attributeSourceInner := client.AttributeSourceAggregation{}
 		if internaltypes.IsDefined(sourceAttrs["custom_attribute_source"]) {
 			attributeSourceInner.CustomAttributeSource = &client.CustomAttributeSource{}
-			customAttributeSourceErr := json.Unmarshal([]byte(internaljson.FromValue(sourceAttrs["custom_attribute_source"], true)), attributeSourceInner.CustomAttributeSource)
-			if customAttributeSourceErr != nil {
-				return nil, customAttributeSourceErr
+			customAttributeSourceAttrs := sourceAttrs["custom_attribute_source"].(types.Object).Attributes()
+			if !customAttributeSourceAttrs["attribute_contract_fulfillment"].IsNull() && !customAttributeSourceAttrs["attribute_contract_fulfillment"].IsUnknown() {
+				attributeSourceInner.CustomAttributeSource.AttributeContractFulfillment = &map[string]client.AttributeFulfillmentValue{}
+				for key, attributeContractFulfillmentElement := range customAttributeSourceAttrs["attribute_contract_fulfillment"].(types.Map).Elements() {
+					attributeContractFulfillmentValue := client.AttributeFulfillmentValue{}
+					attributeContractFulfillmentAttrs := attributeContractFulfillmentElement.(types.Object).Attributes()
+					attributeContractFulfillmentSourceValue := client.SourceTypeIdKey{}
+					attributeContractFulfillmentSourceAttrs := attributeContractFulfillmentAttrs["source"].(types.Object).Attributes()
+					attributeContractFulfillmentSourceValue.Id = attributeContractFulfillmentSourceAttrs["id"].(types.String).ValueStringPointer()
+					attributeContractFulfillmentSourceValue.Type = attributeContractFulfillmentSourceAttrs["type"].(types.String).ValueString()
+					attributeContractFulfillmentValue.Source = attributeContractFulfillmentSourceValue
+					attributeContractFulfillmentValue.Value = attributeContractFulfillmentAttrs["value"].(types.String).ValueString()
+					(*attributeSourceInner.CustomAttributeSource.AttributeContractFulfillment)[key] = attributeContractFulfillmentValue
+				}
+			}
+			customAttributeSourceDataStoreRefValue := client.ResourceLink{}
+			customAttributeSourceDataStoreRefAttrs := customAttributeSourceAttrs["data_store_ref"].(types.Object).Attributes()
+			customAttributeSourceDataStoreRefValue.Id = customAttributeSourceDataStoreRefAttrs["id"].(types.String).ValueString()
+			attributeSourceInner.CustomAttributeSource.DataStoreRef = customAttributeSourceDataStoreRefValue
+			attributeSourceInner.CustomAttributeSource.Description = customAttributeSourceAttrs["description"].(types.String).ValueStringPointer()
+			if !customAttributeSourceAttrs["filter_fields"].IsNull() && !customAttributeSourceAttrs["filter_fields"].IsUnknown() {
+				attributeSourceInner.CustomAttributeSource.FilterFields = []client.FieldEntry{}
+				for _, filterFieldsElement := range customAttributeSourceAttrs["filter_fields"].(types.Set).Elements() {
+					filterFieldsValue := client.FieldEntry{}
+					filterFieldsAttrs := filterFieldsElement.(types.Object).Attributes()
+					filterFieldsValue.Name = filterFieldsAttrs["name"].(types.String).ValueString()
+					filterFieldsValue.Value = filterFieldsAttrs["value"].(types.String).ValueStringPointer()
+					attributeSourceInner.CustomAttributeSource.FilterFields = append(attributeSourceInner.CustomAttributeSource.FilterFields, filterFieldsValue)
+				}
 			}
+			attributeSourceInner.CustomAttributeSource.Id = customAttributeSourceAttrs["id"].(types.String).ValueStringPointer()
+			attributeSourceInner.CustomAttributeSource.Type = customAttributeSourceAttrs["type"].(types.String).ValueString()
 		}
 		if internaltypes.IsDefined(sourceAttrs["jdbc_attribute_source"]) {
 			attributeSourceInner.JdbcAttributeSource = &client.JdbcAttributeSource{}
-			jdbcAttributeSourceErr := json.Unmarshal([]byte(internaljson.FromValue(sourceAttrs["jdbc_attribute_source"], true)), attributeSourceInner.JdbcAttributeSource)
-			if jdbcAttributeSourceErr != nil {
-				return nil, jdbcAttributeSourceErr
+			jdbcAttributeSourceAttrs := sourceAttrs["jdbc_attribute_source"].(types.Object).Attributes()
+			if !jdbcAttributeSourceAttrs["attribute_contract_fulfillment"].IsNull() && !jdbcAttributeSourceAttrs["attribute_contract_fulfillment"].IsUnknown() {
+				attributeSourceInner.JdbcAttributeSource.AttributeContractFulfillment = &map[string]client.AttributeFulfillmentValue{}
+				for key, attributeContractFulfillmentElement := range jdbcAttributeSourceAttrs["attribute_contract_fulfillment"].(types.Map).Elements() {
+					attributeContractFulfillmentValue := client.AttributeFulfillmentValue{}
+					attributeContractFulfillmentAttrs := attributeContractFulfillmentElement.(types.Object).Attributes()
+					attributeContractFulfillmentSourceValue := client.SourceTypeIdKey{}
+					attributeContractFulfillmentSourceAttrs := attributeContractFulfillmentAttrs["source"].(types.Object).Attributes()
+					attributeContractFulfillmentSourceValue.Id = attributeContractFulfillmentSourceAttrs["id"].(types.String).ValueStringPointer()
+					attributeContractFulfillmentSourceValue.Type = attributeContractFulfillmentSourceAttrs["type"].(types.String).ValueString()
+					attributeContractFulfillmentValue.Source = attributeContractFulfillmentSourceValue
+					attributeContractFulfillmentValue.Value = attributeContractFulfillmentAttrs["value"].(types.String).ValueString()
+					(*attributeSourceInner.JdbcAttributeSource.AttributeContractFulfillment)[key] = attributeContractFulfillmentValue
+				}
+			}
+			if !jdbcAttributeSourceAttrs["column_names"].IsNull() && !jdbcAttributeSourceAttrs["column_names"].IsUnknown() {
+				attributeSourceInner.JdbcAttributeSource.ColumnNames = []string{}
+				for _, columnNamesElement := range jdbcAttributeSourceAttrs["column_names"].(types.List).Elements() {
+					attributeSourceInner.JdbcAttributeSource.ColumnNames = append(attributeSourceInner.JdbcAttributeSource.ColumnNames, columnNamesElement.(types.String).ValueString())
+				}
 			}
+			jdbcAttributeSourceDataStoreRefValue := client.ResourceLink{}
+			jdbcAttributeSourceDataStoreRefAttrs := jdbcAttributeSourceAttrs["data_store_ref"].(types.Object).Attributes()
+			jdbcAttributeSourceDataStoreRefValue.Id = jdbcAttributeSourceDataStoreRefAttrs["id"].(types.String).ValueString()
+			attributeSourceInner.JdbcAttributeSource.DataStoreRef = jdbcAttributeSourceDataStoreRefValue
+			attributeSourceInner.JdbcAttributeSource.Description = jdbcAttributeSourceAttrs["description"].(types.String).ValueStringPointer()
+			attributeSourceInner.JdbcAttributeSource.Filter = jdbcAttributeSourceAttrs["filter"].(types.String).ValueString()
+			attributeSourceInner.JdbcAttributeSource.Id = jdbcAttributeSourceAttrs["id"].(types.String).ValueStringPointer()
+			attributeSourceInner.JdbcAttributeSource.Schema = jdbcAttributeSourceAttrs["schema"].(types.String).ValueStringPointer()
+			attributeSourceInner.JdbcAttributeSource.Table = jdbcAttributeSourceAttrs["table"].(types.String).ValueString()
+			attributeSourceInner.JdbcAttributeSource.Type = jdbcAttributeSourceAttrs["type"].(types.String).ValueString()
 		}
 		if internaltypes.IsDefined(sourceAttrs["ldap_attribute_source"]) {
 			attributeSourceInner.LdapAttributeSource = &client.LdapAttributeSource{}
-			ldapAttributeSourceErr := json.Unmarshal([]byte(internaljson.FromValue(sourceAttrs["ldap_attribute_source"], true)), attributeSourceInner.LdapAttributeSource)
-			if ldapAttributeSourceErr != nil {
-				return nil, ldapAttributeSourceErr
+			ldapAttributeSourceAttrs := sourceAttrs["ldap_attribute_source"].(types.Object).Attributes()
+			if !ldapAttributeSourceAttrs["attribute_contract_fulfillment"].IsNull() && !ldapAttributeSourceAttrs["attribute_contract_fulfillment"].IsUnknown() {
+				attributeSourceInner.LdapAttributeSource.AttributeContractFulfillment = &map[string]client.AttributeFulfillmentValue{}
+				for key, attributeContractFulfillmentElement := range ldapAttributeSourceAttrs["attribute_contract_fulfillment"].(types.Map).Elements() {
+					attributeContractFulfillmentValue := client.AttributeFulfillmentValue{}
+					attributeContractFulfillmentAttrs := attributeContractFulfillmentElement.(types.Object).Attributes()
+					attributeContractFulfillmentSourceValue := client.SourceTypeIdKey{}
+					attributeContractFulfillmentSourceAttrs := attributeContractFulfillmentAttrs["source"].(types.Object).Attributes()
+					attributeContractFulfillmentSourceValue.Id = attributeContractFulfillmentSourceAttrs["id"].(types.String).ValueStringPointer()
+					attributeContractFulfillmentSourceValue.Type = attributeContractFulfillmentSourceAttrs["type"].(types.String).ValueString()
+					attributeContractFulfillmentValue.Source = attributeContractFulfillmentSourceValue
+					attributeContractFulfillmentValue.Value = attributeContractFulfillmentAttrs["value"].(types.String).ValueString()
+					(*attributeSourceInner.LdapAttributeSource.AttributeContractFulfillment)[key] = attributeContractFulfillmentValue
+				}
+			}
+			attributeSourceInner.LdapAttributeSource.BaseDn = ldapAttributeSourceAttrs["base_dn"].(types.String).ValueStringPointer()
+			if !ldapAttributeSourceAttrs["binary_attribute_settings"].IsNull() && !ldapAttributeSourceAttrs["binary_attribute_settings"].IsUnknown() {
+				attributeSourceInner.LdapAttributeSource.BinaryAttributeSettings = &map[string]client.BinaryLdapAttributeSettings{}
+				for key, binaryAttributeSettingsElement := range ldapAttributeSourceAttrs["binary_attribute_settings"].(types.Map).Elements() {
+					binaryAttributeSettingsValue := client.BinaryLdapAttributeSettings{}
+					binaryAttributeSettingsAttrs := binaryAttributeSettingsElement.(types.Object).Attributes()
+					binaryAttributeSettingsValue.BinaryEncoding = binaryAttributeSettingsAttrs["binary_encoding"].(types.String).ValueStringPointer()
+					(*attributeSourceInner.LdapAttributeSource.BinaryAttributeSettings)[key] = binaryAttributeSettingsValue
+				}
+			}
+			ldapAttributeSourceDataStoreRefValue := client.ResourceLink{}
+			ldapAttributeSourceDataStoreRefAttrs := ldapAttributeSourceAttrs["data_store_ref"].(types.Object).Attributes()
+			ldapAttributeSourceDataStoreRefValue.Id = ldapAttributeSourceDataStoreRefAttrs["id"].(types.String).ValueString()
+			attributeSourceInner.LdapAttributeSource.DataStoreRef = ldapAttributeSourceDataStoreRefValue
+			attributeSourceInner.LdapAttributeSource.Description = ldapAttributeSourceAttrs["description"].(types.String).ValueStringPointer()
+			attributeSourceInner.LdapAttributeSource.Id = ldapAttributeSourceAttrs["id"].(types.String).ValueStringPointer()
+			attributeSourceInner.LdapAttributeSource.MemberOfNestedGroup = ldapAttributeSourceAttrs["member_of_nested_group"].(types.Bool).ValueBoolPointer()
+			if !ldapAttributeSourceAttrs["search_attributes"].IsNull() && !ldapAttributeSourceAttrs["search_attributes"].IsUnknown() {
+				attributeSourceInner.LdapAttributeSource.SearchAttributes = []string{}
+				for _, searchAttributesElement := range ldapAttributeSourceAttrs["search_attributes"].(types.Set).Elements() {
+					attributeSourceInner.LdapAttributeSource.SearchAttributes = append(attributeSourceInner.LdapAttributeSource.SearchAttributes, searchAttributesElement.(types.String).ValueString())
+				}
 			}
+			attributeSourceInner.LdapAttributeSource.SearchFilter = ldapAttributeSourceAttrs["search_filter"].(types.String).ValueString()
+			attributeSourceInner.LdapAttributeSource.SearchScope = ldapAttributeSourceAttrs["search_scope"].(types.String).ValueString()
+			attributeSourceInner.LdapAttributeSource.Type = ldapAttributeSourceAttrs["type"].(types.String).ValueString()
 		}
 		attributeSourceAggregation = append(attributeSourceAggregation, attributeSourceInner)
 	}
-	return attributeSourceAggregation, nil
+	return attributeSourceAggregation
 }