From 355eddacf332f60fd3dbd8d150e31dbeb9445a9c Mon Sep 17 00:00:00 2001
From: Bala Ganaparthi <bala.ganaparthi@okta.com>
Date: Tue, 12 Apr 2022 21:17:18 -0500
Subject: [PATCH 1/5] Fix : Issue#1060 remove old_password requirement when
 setting user's credential object

---
 okta/resource_okta_user.go | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/okta/resource_okta_user.go b/okta/resource_okta_user.go
index ee09f19d5..f887c7bde 100644
--- a/okta/resource_okta_user.go
+++ b/okta/resource_okta_user.go
@@ -599,8 +599,8 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 
 	if passwordChange {
 		oldPassword, newPassword := d.GetChange("password")
-		old, ok := d.GetOk("old_password")
-		if ok {
+		old, oldPasswordExist := d.GetOk("old_password")
+		if oldPasswordExist {
 			oldPassword = old
 		}
 		op := &okta.PasswordCredential{
@@ -609,13 +609,29 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 		np := &okta.PasswordCredential{
 			Value: newPassword.(string),
 		}
-		npr := &okta.ChangePasswordRequest{
-			OldPassword: op,
-			NewPassword: np,
+		if oldPasswordExist {
+			npr := &okta.ChangePasswordRequest{
+				OldPassword: op,
+				NewPassword: np,
+			}
+			_, _, err := client.User.ChangePassword(ctx, d.Id(), *npr, nil)
+			if err != nil {
+				return diag.Errorf("failed to update user's password: %v", err)
+			}
 		}
-		_, _, err := client.User.ChangePassword(ctx, d.Id(), *npr, nil)
-		if err != nil {
-			return diag.Errorf("failed to update user's password: %v", err)
+		if !oldPasswordExist {
+			password, _ := newPassword.(string)
+			user := okta.User{
+				Credentials: &okta.UserCredentials{
+					Password: &okta.PasswordCredential{
+						Value: password,
+					},
+				},
+			}
+			_, _, err := client.User.UpdateUser(ctx, d.Id(), user, nil)
+			if err != nil {
+				return diag.Errorf("failed to set user's password: %v", err)
+			}
 		}
 	}
 

From beae111adcb2540e4fe6e89618dec6dc498385fc Mon Sep 17 00:00:00 2001
From: Bala Ganaparthi <bala.ganaparthi@okta.com>
Date: Tue, 12 Apr 2022 21:39:17 -0500
Subject: [PATCH 2/5] Fix : Issue#1060 remove old_password requirement when
 setting user's credential object

---
 okta/resource_okta_user.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/okta/resource_okta_user.go b/okta/resource_okta_user.go
index f887c7bde..4fa71a913 100644
--- a/okta/resource_okta_user.go
+++ b/okta/resource_okta_user.go
@@ -603,13 +603,14 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 		if oldPasswordExist {
 			oldPassword = old
 		}
-		op := &okta.PasswordCredential{
-			Value: oldPassword.(string),
-		}
-		np := &okta.PasswordCredential{
-			Value: newPassword.(string),
-		}
 		if oldPasswordExist {
+			fmt.Println("OLD/NEW pwd exist")
+			op := &okta.PasswordCredential{
+				Value: oldPassword.(string),
+			}
+			np := &okta.PasswordCredential{
+				Value: newPassword.(string),
+			}
 			npr := &okta.ChangePasswordRequest{
 				OldPassword: op,
 				NewPassword: np,
@@ -620,6 +621,7 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 			}
 		}
 		if !oldPasswordExist {
+			fmt.Println("Only NEW pwd exist")
 			password, _ := newPassword.(string)
 			user := okta.User{
 				Credentials: &okta.UserCredentials{

From 04be282303351e78f93f82e310585169fea1624b Mon Sep 17 00:00:00 2001
From: Bala Ganaparthi <bala.ganaparthi@okta.com>
Date: Tue, 12 Apr 2022 21:40:10 -0500
Subject: [PATCH 3/5] Fix : Issue#1060 remove old_password requirement when
 setting user's credential object

---
 okta/resource_okta_user.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/okta/resource_okta_user.go b/okta/resource_okta_user.go
index 4fa71a913..bb0742ab0 100644
--- a/okta/resource_okta_user.go
+++ b/okta/resource_okta_user.go
@@ -604,7 +604,6 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 			oldPassword = old
 		}
 		if oldPasswordExist {
-			fmt.Println("OLD/NEW pwd exist")
 			op := &okta.PasswordCredential{
 				Value: oldPassword.(string),
 			}
@@ -621,7 +620,6 @@ func resourceUserUpdate(ctx context.Context, d *schema.ResourceData, m interface
 			}
 		}
 		if !oldPasswordExist {
-			fmt.Println("Only NEW pwd exist")
 			password, _ := newPassword.(string)
 			user := okta.User{
 				Credentials: &okta.UserCredentials{

From 2cfd5f99c9adaca7ed1906a53d6120f59b47d6e0 Mon Sep 17 00:00:00 2001
From: Bala Ganaparthi <bala.ganaparthi@okta.com>
Date: Wed, 13 Apr 2022 11:14:19 -0500
Subject: [PATCH 4/5] Fix : Issue#1061 Added testcase and sample tf to handle
 old_password

---
 okta/resource_okta_user_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/okta/resource_okta_user_test.go b/okta/resource_okta_user_test.go
index 75b7d2c9f..a4976c1df 100644
--- a/okta/resource_okta_user_test.go
+++ b/okta/resource_okta_user_test.go
@@ -241,6 +241,7 @@ func TestAccOktaUser_updateCredentials(t *testing.T) {
 	mgr := newFixtureManager(user)
 	config := mgr.GetFixtures("basic_with_credentials.tf", ri, t)
 	minimalConfigWithCredentials := mgr.GetFixtures("basic_with_credentials_updated.tf", ri, t)
+	minimalConfigWithCredentialsOldPassword := mgr.GetFixtures("basic_with_credentials_updated_old_password.tf", ri, t)
 	resourceName := fmt.Sprintf("%s.test", user)
 	email := fmt.Sprintf("testAcc-%d@example.com", ri)
 
@@ -271,6 +272,18 @@ func TestAccOktaUser_updateCredentials(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "recovery_answer", "Asterisk"),
 				),
 			},
+			{
+				Config: minimalConfigWithCredentialsOldPassword,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "first_name", "TestAcc"),
+					resource.TestCheckResourceAttr(resourceName, "last_name", "Smith"),
+					resource.TestCheckResourceAttr(resourceName, "login", email),
+					resource.TestCheckResourceAttr(resourceName, "email", email),
+					resource.TestCheckResourceAttr(resourceName, "password", "Super#Secret@007"),
+					resource.TestCheckResourceAttr(resourceName, "old_password", "SuperSecret007"),
+					resource.TestCheckResourceAttr(resourceName, "recovery_answer", "0010"),
+				),
+			},
 		},
 	})
 }

From bb672379f3364605e9e16348c0c8c74690bbb84b Mon Sep 17 00:00:00 2001
From: Bala Ganaparthi <bala.ganaparthi@okta.com>
Date: Wed, 13 Apr 2022 11:18:28 -0500
Subject: [PATCH 5/5] Fix : Issue#1061 Added testcase and sample tf to handle
 old_password

---
 .../basic_with_credentials_updated_old_password.tf     | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 examples/okta_user/basic_with_credentials_updated_old_password.tf

diff --git a/examples/okta_user/basic_with_credentials_updated_old_password.tf b/examples/okta_user/basic_with_credentials_updated_old_password.tf
new file mode 100644
index 000000000..902b0b241
--- /dev/null
+++ b/examples/okta_user/basic_with_credentials_updated_old_password.tf
@@ -0,0 +1,10 @@
+resource "okta_user" "test" {
+  first_name        = "TestAcc"
+  last_name         = "Smith"
+  login             = "testAcc-replace_with_uuid@example.com"
+  email             = "testAcc-replace_with_uuid@example.com"
+  password          = "Super#Secret@007"
+  old_password      = "SuperSecret007"
+  recovery_question = "0011 & 1010"
+  recovery_answer   = "0010"
+}