Add login hooks.

[mdwn]

Login hooks have been added to support performing arbitrary operations on user login. This is done to support generating of an Okta assignment on user login for the Okta service feature.

Please refer to https://github.com/gravitational/teleport.e/blob/master/rfd/0003e-application-access-okta-integration.md#teleport-to-okta-user-reconciliation for more information.

Note: This diverges slightly from the RFD as it only happens on login as opposed to happening regularly.

There will need to be a follow on PR to handle SAML/OIDC logins.

[rosstimothy]

Do we need to add CallLoginHooks for SAML/OIDC connectors too? This seems like something that will be very easy to forget to add if any new login processing is added.

[mdwn]

Do we need to add CallLoginHooks for SAML/OIDC connectors too? This seems like something that will be very easy to forget to add if any new login processing is added.

It does, but that's a PR for e. I'll post it now just so it's associated. Edit: Just to respond to very easy to forget, that's true. I don't know that there's much of a way around this, though -- the same goes for LoginRules.

[codingllama]

Apologies for the delay!

[r0mant]

How are you going to actually use these login hooks? Presumably, you'll need to reconcile user's Okta assignments based on the access requests. The login hook is right now just a function with context and a user - is this enough information in the hook to determine whether you need to create assignments or not? And how would it create them?

TBH I think it would make sense to pair this change with the actual functionality you're introducing it for. Then we can better decide whether this interface works or needs more tweaks.

Also, do the hooks get called for logins via CLI as well?

[mdwn]

How are you going to actually use these login hooks? Presumably, you'll need to reconcile user's Okta assignments based on the access requests. The login hook is right only just a function with context and a user - is this enough information in the hook to determine whether you need to create assignments or not?

TBH I think it would make sense to pair this change with the actual functionality you're introducing it for. Then we can better decide whether this interface works or needs more tweaks.

Also, do the hooks get called for logins via CLI as well?

They should get called via the CLI. Basically enterprise will do a

register.LoginHook(oktaUserAssignmentCreator)

And the creator will take a:

	accessInfo := services.AccessInfoFromUser(user)
	checker, err := services.NewAccessChecker(accessInfo, clusterName.GetClusterName(), s)
	if err != nil {
		return nil, trace.Wrap(err)
	}

Then we'll use that checker against the groups and apps, which should give us enough of what we need.

[mdwn]

https://github.com/gravitational/teleport.e/pull/1198 Here's the associated e PR. Let me know what you think.

[codingllama]

LGTM, assuming Roman is happy with the replies.