diff --git a/api/client/accesslist/accesslist.go b/api/client/accesslist/accesslist.go index 84eaccbe64c78..18d30203973fb 100644 --- a/api/client/accesslist/accesslist.go +++ b/api/client/accesslist/accesslist.go @@ -88,8 +88,8 @@ func (c *Client) GetAccessList(ctx context.Context, name string) (*accesslist.Ac return nil, trail.FromGRPC(err) } - accessList, err := conv.FromProto(resp) - return accessList, trail.FromGRPC(err) + accessList, err := conv.FromProto(resp, conv.WithOwnersIneligibleStatusField(resp.GetSpec().GetOwners())) + return accessList, trace.Wrap(err) } // UpsertAccessList creates or updates an access list resource. @@ -129,9 +129,9 @@ func (c *Client) ListAccessListMembers(ctx context.Context, accessList string, p } members = make([]*accesslist.AccessListMember, len(resp.Members)) - for i, accessList := range resp.Members { + for i, member := range resp.Members { var err error - members[i], err = conv.FromMemberProto(accessList) + members[i], err = conv.FromMemberProto(member, conv.WithMemberIneligibleStatusField(member)) if err != nil { return nil, "", trail.FromGRPC(err) } @@ -150,8 +150,8 @@ func (c *Client) GetAccessListMember(ctx context.Context, accessList string, mem return nil, trail.FromGRPC(err) } - member, err := conv.FromMemberProto(resp) - return member, trail.FromGRPC(err) + member, err := conv.FromMemberProto(resp, conv.WithMemberIneligibleStatusField(resp)) + return member, trace.Wrap(err) } // UpsertAccessListMember creates or updates an access list member resource. diff --git a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go index 2082fe5a00040..c9799feaab26c 100644 --- a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go +++ b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go 
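Review bot: The option passed to `conv.FromProto` pairs `resp.GetSpec().GetOwners()` with the converted owners by slice index, so GetAccessList now depends on FromProto keeping owners in the same order and count as the proto message; that holds for the visible conversion, but the coupling is invisible at this call site. A one-line comment above the call, e.g. `// The option is index-aligned with msg.Spec.Owners; FromProto must not filter or reorder owners.`, would keep the next refactor from breaking it. Switching the conversion failure from `trail.FromGRPC(err)` to `trace.Wrap(err)` is correct here, since the error is produced locally rather than by the RPC. GetAccessList begins outside the hunk.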
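Review bot: The `conv.FromMemberProto` failure inside the loop is still returned as `trail.FromGRPC(err)`, while the two sibling hunks in this file change the very same conversion error to `trace.Wrap(err)`; the error is produced by local proto conversion, not by the gRPC call, so `return nil, "", trace.Wrap(err)` would make the three call sites consistent. Renaming the loop variable from accessList to member is worth keeping on its own, because the old name shadowed the accessList parameter of the enclosing function. ListAccessListMembers begins and ends outside the hunk.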
@@ -38,6 +38,70 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// IneligibleStatus describes how the user is ineligible. +type IneligibleStatus int32 + +const ( + // INELIGIBLE_STATUS_UNSPECIFIED means eligiblity is unknown. + IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED IneligibleStatus = 0 + // INELIGIBLE_STATUS_ELIGIBLE means checks were done and user met all requirements. + IneligibleStatus_INELIGIBLE_STATUS_ELIGIBLE IneligibleStatus = 1 + // INELIGIBLE_STATUS_USER_NOT_EXIST means user was not found in backend. + IneligibleStatus_INELIGIBLE_STATUS_USER_NOT_EXIST IneligibleStatus = 2 + // INELIGIBLE_STATUS_MISSING_REQUIREMENTS means user is missing some requirements + // defined by AccessListRequires (fields can be either ownership_requires + // or membership_requires) + IneligibleStatus_INELIGIBLE_STATUS_MISSING_REQUIREMENTS IneligibleStatus = 3 + // INELIGIBLE_STATUS_EXPIRED means user is expired. + // Only applicable to members. + IneligibleStatus_INELIGIBLE_STATUS_EXPIRED IneligibleStatus = 4 +) + +// Enum value maps for IneligibleStatus. 
+var ( + IneligibleStatus_name = map[int32]string{ + 0: "INELIGIBLE_STATUS_UNSPECIFIED", + 1: "INELIGIBLE_STATUS_ELIGIBLE", + 2: "INELIGIBLE_STATUS_USER_NOT_EXIST", + 3: "INELIGIBLE_STATUS_MISSING_REQUIREMENTS", + 4: "INELIGIBLE_STATUS_EXPIRED", + } + IneligibleStatus_value = map[string]int32{ + "INELIGIBLE_STATUS_UNSPECIFIED": 0, + "INELIGIBLE_STATUS_ELIGIBLE": 1, + "INELIGIBLE_STATUS_USER_NOT_EXIST": 2, + "INELIGIBLE_STATUS_MISSING_REQUIREMENTS": 3, + "INELIGIBLE_STATUS_EXPIRED": 4, + } +) + +func (x IneligibleStatus) Enum() *IneligibleStatus { + p := new(IneligibleStatus) + *p = x + return p +} + +func (x IneligibleStatus) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (IneligibleStatus) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_accesslist_v1_accesslist_proto_enumTypes[0].Descriptor() +} + +func (IneligibleStatus) Type() protoreflect.EnumType { + return &file_teleport_accesslist_v1_accesslist_proto_enumTypes[0] +} + +func (x IneligibleStatus) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use IneligibleStatus.Descriptor instead. +func (IneligibleStatus) EnumDescriptor() ([]byte, []int) { + return file_teleport_accesslist_v1_accesslist_proto_rawDescGZIP(), []int{0} +} + // AccessList describes the basic building block of access grants, which are // similar to access requests but for longer lived permissions that need to be // regularly audited. 
@@ -215,6 +279,9 @@ type AccessListOwner struct { Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` // description is the plaintext description of the owner and why they are an owner. Description string `protobuf:"bytes,2,opt,name=description,proto3" json:"description,omitempty"` + // ineligible_status describes if this owner is eligible or not + // and if not, describes how they're lacking eligibility. + IneligibleStatus IneligibleStatus `protobuf:"varint,3,opt,name=ineligible_status,json=ineligibleStatus,proto3,enum=teleport.accesslist.v1.IneligibleStatus" json:"ineligible_status,omitempty"` } func (x *AccessListOwner) Reset() { @@ -263,6 +330,13 @@ func (x *AccessListOwner) GetDescription() string { return "" } +func (x *AccessListOwner) GetIneligibleStatus() IneligibleStatus { + if x != nil { + return x.IneligibleStatus + } + return IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED +} + // AccessListAudit describes the audit configuration for an access list. type AccessListAudit struct { state protoimpl.MessageState @@ -514,6 +588,9 @@ type MemberSpec struct { Reason string `protobuf:"bytes,5,opt,name=reason,proto3" json:"reason,omitempty"` // added_by is the user that added this user to the access list. AddedBy string `protobuf:"bytes,6,opt,name=added_by,json=addedBy,proto3" json:"added_by,omitempty"` + // ineligible_status describes if this member is eligible or not + // and if not, describes how they're lacking eligibility. + IneligibleStatus IneligibleStatus `protobuf:"varint,7,opt,name=ineligible_status,json=ineligibleStatus,proto3,enum=teleport.accesslist.v1.IneligibleStatus" json:"ineligible_status,omitempty"` } func (x *MemberSpec) Reset() { 
@@ -590,6 +667,13 @@ func (x *MemberSpec) GetAddedBy() string { return "" } +func (x *MemberSpec) GetIneligibleStatus() IneligibleStatus { + if x != nil { + return x.IneligibleStatus + } + return IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED +} + var File_teleport_accesslist_v1_accesslist_proto protoreflect.FileDescriptor var file_teleport_accesslist_v1_accesslist_proto_rawDesc = []byte{ 
@@ -643,60 +727,84 @@ var file_teleport_accesslist_v1_accesslist_proto_rawDesc = []byte{ 0x73, 0x74, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x52, 0x07, 0x6d, 0x65, - 0x6d, 0x62, 0x65, 0x72, 0x73, 0x22, 0x47, 0x0a, 0x0f, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, - 0x69, 0x73, 0x74, 0x4f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0b, - 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x8e, - 0x01, 0x0a, 0x0f, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x75, 0x64, - 0x69, 0x74, 0x12, 0x37, 0x0a, 0x09, 0x66, 0x72, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x09, 0x66, 0x72, 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x79, 0x12, 0x42, 0x0a, 0x0f, 0x6e, - 0x65, 0x78, 0x74, 0x5f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x5f, 0x64, 0x61, 0x74, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, - 0x52, 0x0d, 0x6e, 0x65, 0x78, 0x74, 0x41, 0x75, 0x64, 0x69, 0x74, 0x44, 0x61, 0x74, 0x65, 0x22, - 0x5c, 0x0a, 0x12, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x71, - 0x75, 0x69, 0x72, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x01, - 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x72, 0x6f, 
0x6c, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x06, 0x74, - 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, - 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, - 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x22, 0x5a, 0x0a, - 0x10, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x47, 0x72, 0x61, 0x6e, 0x74, - 0x73, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, - 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2e, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, - 0x74, 0x52, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x22, 0x7c, 0x0a, 0x06, 0x4d, 0x65, 0x6d, - 0x62, 0x65, 0x72, 0x12, 0x3a, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, - 0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, - 0x36, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, - 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, - 0x69, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x53, 0x70, 0x65, - 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, 0xde, 0x01, 0x0a, 0x0a, 0x4d, 0x65, 0x6d, 0x62, - 0x65, 0x72, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x5f, 0x6c, 0x69, 0x73, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 
0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x32, 0x0a, 0x06, 0x6a, - 0x6f, 0x69, 0x6e, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x06, 0x6a, 0x6f, 0x69, 0x6e, 0x65, 0x64, 0x12, - 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, - 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x19, 0x0a, - 0x08, 0x61, 0x64, 0x64, 0x65, 0x64, 0x5f, 0x62, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x07, 0x61, 0x64, 0x64, 0x65, 0x64, 0x42, 0x79, 0x42, 0x58, 0x5a, 0x56, 0x67, 0x69, 0x74, 0x68, - 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, - 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, - 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, - 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6d, 0x62, 0x65, 0x72, 0x73, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x4c, 0x69, 0x73, 0x74, 0x4f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, + 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 
0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, + 0x55, 0x0a, 0x11, 0x69, 0x6e, 0x65, 0x6c, 0x69, 0x67, 0x69, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, + 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x65, 0x6c, 0x69, 0x67, 0x69, 0x62, 0x6c, 0x65, 0x53, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x52, 0x10, 0x69, 0x6e, 0x65, 0x6c, 0x69, 0x67, 0x69, 0x62, 0x6c, 0x65, + 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x8e, 0x01, 0x0a, 0x0f, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x75, 0x64, 0x69, 0x74, 0x12, 0x37, 0x0a, 0x09, 0x66, 0x72, + 0x65, 0x71, 0x75, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x66, 0x72, 0x65, 0x71, 0x75, 0x65, + 0x6e, 0x63, 0x79, 0x12, 0x42, 0x0a, 0x0f, 0x6e, 0x65, 0x78, 0x74, 0x5f, 0x61, 0x75, 0x64, 0x69, + 0x74, 0x5f, 0x64, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x6e, 0x65, 0x78, 0x74, 0x41, 0x75, + 0x64, 0x69, 0x74, 0x44, 0x61, 0x74, 0x65, 0x22, 0x5c, 0x0a, 0x12, 0x41, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x4c, 0x69, 0x73, 0x74, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x73, 0x12, 0x14, 0x0a, + 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x72, 0x6f, + 0x6c, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x02, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, + 
0x72, 0x61, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, + 0x72, 0x61, 0x69, 0x74, 0x73, 0x22, 0x5a, 0x0a, 0x10, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, + 0x69, 0x73, 0x74, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, + 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x12, + 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x61, 0x69, 0x74, + 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, + 0x73, 0x22, 0x7c, 0x0a, 0x06, 0x4d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x3a, 0x0a, 0x06, 0x68, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, 0x76, 0x31, + 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, + 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x36, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x4d, + 0x65, 0x6d, 0x62, 0x65, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, + 0xb5, 0x02, 0x0a, 0x0a, 0x4d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, + 0x0a, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x69, 0x73, 0x74, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x12, + 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x12, 0x32, 0x0a, 0x06, 0x6a, 0x6f, 0x69, 0x6e, 0x65, 0x64, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, + 0x06, 0x6a, 0x6f, 0x69, 0x6e, 0x65, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, + 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x16, 0x0a, + 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, + 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x64, 0x64, 0x65, 0x64, 0x5f, 0x62, + 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x65, 0x64, 0x42, 0x79, + 0x12, 0x55, 0x0a, 0x11, 0x69, 0x6e, 0x65, 0x6c, 0x69, 0x67, 0x69, 0x62, 0x6c, 0x65, 0x5f, 0x73, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, + 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x65, 0x6c, 0x69, 0x67, 0x69, 0x62, 0x6c, 0x65, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x10, 0x69, 0x6e, 0x65, 0x6c, 0x69, 0x67, 0x69, 0x62, 0x6c, + 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2a, 0xc6, 0x01, 0x0a, 0x10, 0x49, 0x6e, 0x65, 0x6c, + 0x69, 0x67, 0x69, 0x62, 0x6c, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x21, 0x0a, 0x1d, + 0x49, 0x4e, 0x45, 0x4c, 0x49, 0x47, 0x49, 0x42, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, + 0x1e, 0x0a, 0x1a, 0x49, 0x4e, 0x45, 0x4c, 0x49, 0x47, 0x49, 0x42, 0x4c, 0x45, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x4c, 0x49, 0x47, 0x49, 0x42, 0x4c, 0x45, 0x10, 0x01, 0x12, + 0x24, 0x0a, 0x20, 0x49, 0x4e, 0x45, 0x4c, 0x49, 0x47, 0x49, 0x42, 0x4c, 
0x45, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x45, 0x58, + 0x49, 0x53, 0x54, 0x10, 0x02, 0x12, 0x2a, 0x0a, 0x26, 0x49, 0x4e, 0x45, 0x4c, 0x49, 0x47, 0x49, + 0x42, 0x4c, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, + 0x4e, 0x47, 0x5f, 0x52, 0x45, 0x51, 0x55, 0x49, 0x52, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x53, 0x10, + 0x03, 0x12, 0x1d, 0x0a, 0x19, 0x49, 0x4e, 0x45, 0x4c, 0x49, 0x47, 0x49, 0x42, 0x4c, 0x45, 0x5f, + 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x58, 0x50, 0x49, 0x52, 0x45, 0x44, 0x10, 0x04, + 0x42, 0x58, 0x5a, 0x56, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( 
@@ -711,42 +819,46 @@ func file_teleport_accesslist_v1_accesslist_proto_rawDescGZIP() []byte { return file_teleport_accesslist_v1_accesslist_proto_rawDescData } +var file_teleport_accesslist_v1_accesslist_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_teleport_accesslist_v1_accesslist_proto_msgTypes = make([]protoimpl.MessageInfo, 8) var file_teleport_accesslist_v1_accesslist_proto_goTypes = []interface{}{ - (*AccessList)(nil), // 0: teleport.accesslist.v1.AccessList - (*AccessListSpec)(nil), // 1: teleport.accesslist.v1.AccessListSpec - (*AccessListOwner)(nil), // 2: teleport.accesslist.v1.AccessListOwner - (*AccessListAudit)(nil), // 3: teleport.accesslist.v1.AccessListAudit - (*AccessListRequires)(nil), // 4: teleport.accesslist.v1.AccessListRequires - (*AccessListGrants)(nil), // 5: teleport.accesslist.v1.AccessListGrants - (*Member)(nil), // 6: teleport.accesslist.v1.Member - (*MemberSpec)(nil), // 7: teleport.accesslist.v1.MemberSpec - (*v1.ResourceHeader)(nil), // 8: teleport.header.v1.ResourceHeader - (*durationpb.Duration)(nil), // 9: google.protobuf.Duration - (*timestamppb.Timestamp)(nil), // 10: google.protobuf.Timestamp - (*v11.Trait)(nil), // 11: teleport.trait.v1.Trait + (IneligibleStatus)(0), // 0: teleport.accesslist.v1.IneligibleStatus + (*AccessList)(nil), // 1: teleport.accesslist.v1.AccessList + (*AccessListSpec)(nil), // 2: teleport.accesslist.v1.AccessListSpec + (*AccessListOwner)(nil), // 3: teleport.accesslist.v1.AccessListOwner + (*AccessListAudit)(nil), // 4: teleport.accesslist.v1.AccessListAudit + (*AccessListRequires)(nil), // 5: teleport.accesslist.v1.AccessListRequires + (*AccessListGrants)(nil), // 6: teleport.accesslist.v1.AccessListGrants + (*Member)(nil), // 7: teleport.accesslist.v1.Member + (*MemberSpec)(nil), // 8: teleport.accesslist.v1.MemberSpec + (*v1.ResourceHeader)(nil), // 9: teleport.header.v1.ResourceHeader + (*durationpb.Duration)(nil), // 10: google.protobuf.Duration + (*timestamppb.Timestamp)(nil), // 11: 
google.protobuf.Timestamp + (*v11.Trait)(nil), // 12: teleport.trait.v1.Trait } var file_teleport_accesslist_v1_accesslist_proto_depIdxs = []int32{ - 8, // 0: teleport.accesslist.v1.AccessList.header:type_name -> teleport.header.v1.ResourceHeader - 1, // 1: teleport.accesslist.v1.AccessList.spec:type_name -> teleport.accesslist.v1.AccessListSpec - 2, // 2: teleport.accesslist.v1.AccessListSpec.owners:type_name -> teleport.accesslist.v1.AccessListOwner - 3, // 3: teleport.accesslist.v1.AccessListSpec.audit:type_name -> teleport.accesslist.v1.AccessListAudit - 4, // 4: teleport.accesslist.v1.AccessListSpec.membership_requires:type_name -> teleport.accesslist.v1.AccessListRequires - 4, // 5: teleport.accesslist.v1.AccessListSpec.ownership_requires:type_name -> teleport.accesslist.v1.AccessListRequires - 5, // 6: teleport.accesslist.v1.AccessListSpec.grants:type_name -> teleport.accesslist.v1.AccessListGrants - 9, // 7: teleport.accesslist.v1.AccessListAudit.frequency:type_name -> google.protobuf.Duration - 10, // 8: teleport.accesslist.v1.AccessListAudit.next_audit_date:type_name -> google.protobuf.Timestamp - 11, // 9: teleport.accesslist.v1.AccessListRequires.traits:type_name -> teleport.trait.v1.Trait - 11, // 10: teleport.accesslist.v1.AccessListGrants.traits:type_name -> teleport.trait.v1.Trait - 8, // 11: teleport.accesslist.v1.Member.header:type_name -> teleport.header.v1.ResourceHeader - 7, // 12: teleport.accesslist.v1.Member.spec:type_name -> teleport.accesslist.v1.MemberSpec - 10, // 13: teleport.accesslist.v1.MemberSpec.joined:type_name -> google.protobuf.Timestamp - 10, // 14: teleport.accesslist.v1.MemberSpec.expires:type_name -> google.protobuf.Timestamp - 15, // [15:15] is the sub-list for method output_type - 15, // [15:15] is the sub-list for method input_type - 15, // [15:15] is the sub-list for extension type_name - 15, // [15:15] is the sub-list for extension extendee - 0, // [0:15] is the sub-list for field type_name + 9, // 0: 
teleport.accesslist.v1.AccessList.header:type_name -> teleport.header.v1.ResourceHeader + 2, // 1: teleport.accesslist.v1.AccessList.spec:type_name -> teleport.accesslist.v1.AccessListSpec + 3, // 2: teleport.accesslist.v1.AccessListSpec.owners:type_name -> teleport.accesslist.v1.AccessListOwner + 4, // 3: teleport.accesslist.v1.AccessListSpec.audit:type_name -> teleport.accesslist.v1.AccessListAudit + 5, // 4: teleport.accesslist.v1.AccessListSpec.membership_requires:type_name -> teleport.accesslist.v1.AccessListRequires + 5, // 5: teleport.accesslist.v1.AccessListSpec.ownership_requires:type_name -> teleport.accesslist.v1.AccessListRequires + 6, // 6: teleport.accesslist.v1.AccessListSpec.grants:type_name -> teleport.accesslist.v1.AccessListGrants + 0, // 7: teleport.accesslist.v1.AccessListOwner.ineligible_status:type_name -> teleport.accesslist.v1.IneligibleStatus + 10, // 8: teleport.accesslist.v1.AccessListAudit.frequency:type_name -> google.protobuf.Duration + 11, // 9: teleport.accesslist.v1.AccessListAudit.next_audit_date:type_name -> google.protobuf.Timestamp + 12, // 10: teleport.accesslist.v1.AccessListRequires.traits:type_name -> teleport.trait.v1.Trait + 12, // 11: teleport.accesslist.v1.AccessListGrants.traits:type_name -> teleport.trait.v1.Trait + 9, // 12: teleport.accesslist.v1.Member.header:type_name -> teleport.header.v1.ResourceHeader + 8, // 13: teleport.accesslist.v1.Member.spec:type_name -> teleport.accesslist.v1.MemberSpec + 11, // 14: teleport.accesslist.v1.MemberSpec.joined:type_name -> google.protobuf.Timestamp + 11, // 15: teleport.accesslist.v1.MemberSpec.expires:type_name -> google.protobuf.Timestamp + 0, // 16: teleport.accesslist.v1.MemberSpec.ineligible_status:type_name -> teleport.accesslist.v1.IneligibleStatus + 17, // [17:17] is the sub-list for method output_type + 17, // [17:17] is the sub-list for method input_type + 17, // [17:17] is the sub-list for extension type_name + 17, // [17:17] is the sub-list for extension extendee 
+ 0, // [0:17] is the sub-list for field type_name } func init() { file_teleport_accesslist_v1_accesslist_proto_init() } @@ -857,13 +969,14 @@ func file_teleport_accesslist_v1_accesslist_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_accesslist_v1_accesslist_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 8, NumExtensions: 0, NumServices: 0, }, GoTypes: file_teleport_accesslist_v1_accesslist_proto_goTypes, DependencyIndexes: file_teleport_accesslist_v1_accesslist_proto_depIdxs, + EnumInfos: file_teleport_accesslist_v1_accesslist_proto_enumTypes, MessageInfos: file_teleport_accesslist_v1_accesslist_proto_msgTypes, }.Build() File_teleport_accesslist_v1_accesslist_proto = out.File diff --git a/api/proto/teleport/accesslist/v1/accesslist.proto b/api/proto/teleport/accesslist/v1/accesslist.proto index 3eed4f4d848e9..6d54b88050166 100644 --- a/api/proto/teleport/accesslist/v1/accesslist.proto +++ b/api/proto/teleport/accesslist/v1/accesslist.proto @@ -72,6 +72,10 @@ message AccessListOwner { // description is the plaintext description of the owner and why they are an owner. string description = 2; + + // ineligible_status describes if this owner is eligible or not + // and if not, describes how they're lacking eligibility. + IneligibleStatus ineligible_status = 3; } // AccessListAudit describes the audit configuration for an access list. 
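Review bot: The new `ineligible_status` field sits on AccessListOwner, a message that the client both reads from GetAccessList and sends back through UpsertAccessList, yet its comment does not say who is allowed to set it; if the value is meant to be computed by the server on read (which is what the client-side option in this change suggests), the server must discard any client-supplied value on write, and nothing in this diff shows that. Documenting the contract in the proto would make the expectation explicit, e.g. `// ineligible_status is populated by the server when the access list is read; values sent by clients are not persisted.`, adjusted to whatever the server actually does. Without such a statement a caller could reasonably assume the field is round-tripped.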
@@ -130,4 +134,25 @@ message MemberSpec { // added_by is the user that added this user to the access list. string added_by = 6; + + // ineligible_status describes if this member is eligible or not + // and if not, describes how they're lacking eligibility. + IneligibleStatus ineligible_status = 7; +} + +// IneligibleStatus describes how the user is ineligible. +enum IneligibleStatus { + // INELIGIBLE_STATUS_UNSPECIFIED means eligiblity is unknown. + INELIGIBLE_STATUS_UNSPECIFIED = 0; + // INELIGIBLE_STATUS_ELIGIBLE means checks were done and user met all requirements. + INELIGIBLE_STATUS_ELIGIBLE = 1; + // INELIGIBLE_STATUS_USER_NOT_EXIST means user was not found in backend. + INELIGIBLE_STATUS_USER_NOT_EXIST = 2; + // INELIGIBLE_STATUS_MISSING_REQUIREMENTS means user is missing some requirements + // defined by AccessListRequires (fields can be either ownership_requires + // or membership_requires) + INELIGIBLE_STATUS_MISSING_REQUIREMENTS = 3; + // INELIGIBLE_STATUS_EXPIRED means user is expired. + // Only applicable to members. + INELIGIBLE_STATUS_EXPIRED = 4; } diff --git a/api/types/accesslist/accesslist.go b/api/types/accesslist/accesslist.go index b858963887272..262e905d441bf 100644 --- a/api/types/accesslist/accesslist.go +++ b/api/types/accesslist/accesslist.go @@ -75,6 +75,9 @@ type Owner struct { // Description is the plaintext description of the owner and why they are an owner. Description string `json:"description" yaml:"description"` + + // IneligibleStatus describes the reason why this owner is not eligible. + IneligibleStatus string `json:"ineligible_status" yaml:"ineligible_status"` } // Audit describes the audit configuration for an access list. 
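Review bot: The comment on the zero value misspells "eligibility" (`// INELIGIBLE_STATUS_UNSPECIFIED means eligiblity is unknown.`), and since the proto file is the source for the generated Go, fixing it here also fixes the copy in accesslist.pb.go. The value name `INELIGIBLE_STATUS_ELIGIBLE` reads as a contradiction (an ineligible status that means eligible); because this enum is new in this change (NumEnums goes from 0 to 1), renaming the enum to something like `EligibilityStatus` is cheap now and becomes a wire-compatible but source-breaking change once released. The `INELIGIBLE_STATUS_EXPIRED` comment says it only applies to members, which is useful, but it would help to say what an owner carrying it should be treated as, if that case is possible.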
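Review bot: The new `IneligibleStatus string` field on Owner carries `json:"ineligible_status" yaml:"ineligible_status"` tags without `omitempty`, so every serialized Owner now includes the field even when it is the empty default, and anything that parses Owner from YAML or JSON will accept a value for it; the doc comment should state that the value is informational and derived by the server, so that a hand-edited resource presumably cannot grant or deny eligibility through it. Suggested comment: `// IneligibleStatus describes why this owner is not eligible. It is computed by the server and any value supplied on write is not authoritative.`, adjusted to match the actual write-path handling, which this diff does not show. Storing the enum as its string name rather than the proto enum type also means a typo in a YAML file will silently become INELIGIBLE_STATUS_UNSPECIFIED in ToProto.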
@@ -178,6 +181,11 @@ func (a *AccessList) GetOwners() []Owner { return a.Spec.Owners } +// GetOwners returns the list of owners from the access list. +func (a *AccessList) SetOwners(owners []Owner) { + a.Spec.Owners = owners +} + // GetAuditFrequency returns the audit frequency from the access list. func (a *AccessList) GetAuditFrequency() time.Duration { return a.Spec.Audit.Frequency diff --git a/api/types/accesslist/convert/v1/accesslist.go b/api/types/accesslist/convert/v1/accesslist.go index e4894315057e6..e652d5a4632c3 100644 --- a/api/types/accesslist/convert/v1/accesslist.go +++ b/api/types/accesslist/convert/v1/accesslist.go @@ -27,8 +27,10 @@ import ( traitv1 "github.com/gravitational/teleport/api/types/trait/convert/v1" ) +type AccessListOption func(*accesslist.AccessList) + // FromProto converts a v1 access list into an internal access list object. -func FromProto(msg *accesslistv1.AccessList) (*accesslist.AccessList, error) { +func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accesslist.AccessList, error) { if msg == nil { return nil, trace.BadParameter("access list message is nil") } @@ -54,6 +56,9 @@ func FromProto(msg *accesslistv1.AccessList) (*accesslist.AccessList, error) { owners[i] = accesslist.Owner{ Name: owner.Name, Description: owner.Description, + // Set it to empty as default. + // Must provide as options to set it with the provided value. + IneligibleStatus: "", } } 
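Review bot: The doc comment on the new setter is copied from the getter above it: `// GetOwners returns the list of owners from the access list.` sits on `func (a *AccessList) SetOwners(owners []Owner)`, which misleads anyone reading the API docs. Replace it with `// SetOwners replaces the list of owners on the access list.`. Since the caller's slice is stored directly, it may also be worth noting that the access list keeps a reference to the slice rather than a copy.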
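Review bot: The exported type `AccessListOption` is introduced without a doc comment, which both violates the file's own convention (FromProto and ToProto are documented) and leaves callers guessing when the option runs; from the FromProto change the options run after the access list has been built and validated, so they can mutate it without any further check. A comment such as `// AccessListOption mutates an access list after it has been converted from its proto form; options run after validation, so they must not put the access list into an invalid state.` would capture that. The remainder of FromProto continues outside the hunk.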
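Review bot: Assigning `IneligibleStatus: ""` in the owners conversion is a no-op, because the empty string is already the zero value of the field, and the two-line comment explaining it is longer than the line it explains. Dropping the assignment and keeping a single remark such as `// IneligibleStatus is only populated through WithOwnersIneligibleStatusField.` says the same thing with less noise. The enclosing FromProto begins and ends outside the hunk.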
@@ -78,17 +83,29 @@ func FromProto(msg *accesslistv1.AccessList) (*accesslist.AccessList, error) {
 Traits: traitv1.FromProto(msg.Spec.Grants.Traits),
 },
 })
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ for _, opt := range opts {
+ opt(accessList)
+ }
 
- return accessList, trace.Wrap(err)
+ return accessList, nil
 }
 
 // ToProto converts an internal access list into a v1 access list object.
 func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 owners := make([]*accesslistv1.AccessListOwner, len(accessList.Spec.Owners))
 for i, owner := range accessList.Spec.Owners {
+ var ineligibleStatus accesslistv1.IneligibleStatus
+ if enumVal, ok := accesslistv1.IneligibleStatus_value[owner.IneligibleStatus]; ok {
+ ineligibleStatus = accesslistv1.IneligibleStatus(enumVal)
+ }
 owners[i] = &accesslistv1.AccessListOwner{
- Name: owner.Name,
- Description: owner.Description,
+ Name: owner.Name,
+ Description: owner.Description,
+ IneligibleStatus: ineligibleStatus,
 }
 }
 
@@ -117,3 +134,20 @@ func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 },
 }
 }
+
+// WithOwnersIneligibleStatusField sets the "ineligibleStatus" field to the provided proto value.
+func WithOwnersIneligibleStatusField(protoOwners []*accesslistv1.AccessListOwner) AccessListOption {
+ return func(a *accesslist.AccessList) {
+ updatedOwners := make([]accesslist.Owner, len(a.GetOwners()))
+ for i, owner := range a.GetOwners() {
+ protoIneligibleStatus := protoOwners[i].GetIneligibleStatus()
+ ineligibleStatus := ""
+ if protoIneligibleStatus != accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED {
+ ineligibleStatus = protoIneligibleStatus.String()
+ }
+ owner.IneligibleStatus = ineligibleStatus
+ updatedOwners[i] = owner
+ }
+ a.SetOwners(updatedOwners)
+ }
+}
diff --git a/api/types/accesslist/convert/v1/accesslist_test.go b/api/types/accesslist/convert/v1/accesslist_test.go
index c853455758370..6c3a9d2263587 100644
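Review bot: The `accesslistv1.IneligibleStatus_value[owner.IneligibleStatus]` lookup in ToProto silently maps any string that is not an exact enum name, including the empty default, to INELIGIBLE_STATUS_UNSPECIFIED. Because this string field can arrive from client-supplied JSON/YAML, coercing unknown values to UNSPECIFIED is a sensible fail-closed choice, but it deserves a comment so a later reader does not treat it as a bug: `// Unknown or empty status strings deliberately map to INELIGIBLE_STATUS_UNSPECIFIED.` ToMemberProto in member.go does the same lookup and would take the same comment. Note also that FromProto without the option always yields an empty status, so ToProto(FromProto(x)) is not a round trip for this field; the existing TestRoundtrip presumably passes only because its fixture leaves the status unset.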
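Review bot: `protoOwners[i].GetIneligibleStatus()` indexes the proto slice by the position of the internal owner, so the option panics with an index out of range whenever `protoOwners` is shorter than `a.GetOwners()`. That cannot happen for the caller in the client, which passes `resp.GetSpec().GetOwners()` from the same message, but the option is exported from an API package and nothing enforces the pairing. A guard at the top of the closure such as `if len(protoOwners) != len(a.GetOwners()) { return }` leaves every status empty (unknown) instead of crashing; nil entries in the slice are already safe because the generated getter tolerates a nil receiver.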
--- a/api/types/accesslist/convert/v1/accesslist_test.go
+++ b/api/types/accesslist/convert/v1/accesslist_test.go
@@ -23,10 +23,58 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/stretchr/testify/require"
 
+ accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 "github.com/gravitational/teleport/api/types/accesslist"
 "github.com/gravitational/teleport/api/types/header"
 )
 
+func TestWithOwnersIneligibleStatusField(t *testing.T) {
+ proto := []*accesslistv1.AccessListOwner{
+ {
+ Name: "expired",
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_EXPIRED,
+ },
+ {
+ Name: "missing",
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_MISSING_REQUIREMENTS,
+ },
+ {
+ Name: "dne",
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_USER_NOT_EXIST,
+ },
+ }
+
+ owners := []accesslist.Owner{
+ {Name: "expired"},
+ {Name: "missing"},
+ {Name: "dne"},
+ }
+ al := &accesslist.AccessList{
+ Spec: accesslist.Spec{
+ Owners: owners,
+ },
+ }
+ require.Empty(t, cmp.Diff(al.Spec.Owners, owners))
+
+ fn := WithOwnersIneligibleStatusField(proto)
+ fn(al)
+
+ require.Empty(t, cmp.Diff(al.Spec.Owners, []accesslist.Owner{
+ {
+ Name: "expired",
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_EXPIRED.String(),
+ },
+ {
+ Name: "missing",
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_MISSING_REQUIREMENTS.String(),
+ },
+ {
+ Name: "dne",
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_USER_NOT_EXIST.String(),
+ },
+ }))
+}
+
 func TestRoundtrip(t *testing.T) {
 accessList := newAccessList(t, "access-list")
diff --git a/api/types/accesslist/convert/v1/member.go b/api/types/accesslist/convert/v1/member.go
index 7c13c6296c88d..b4dd495ea79c3 100644
--- a/api/types/accesslist/convert/v1/member.go
+++ b/api/types/accesslist/convert/v1/member.go
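Review bot: `TestWithOwnersIneligibleStatusField` only exercises non-zero statuses, so the one branch inside the option, INELIGIBLE_STATUS_UNSPECIFIED mapping to an empty string, is untested. Adding an owner with `IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED` to `proto` and expecting `{Name: "unspecified"}` in the result would cover it; a case where `proto` is shorter than the owners slice would also pin down how a length mismatch is meant to behave, since the option indexes `protoOwners[i]` directly.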
@@ -25,8 +25,10 @@ import (
 headerv1 "github.com/gravitational/teleport/api/types/header/convert/v1"
 )
 
+type MemberOption func(*accesslist.AccessListMember)
+
 // FromMemberProto converts a v1 access list member into an internal access list member object.
-func FromMemberProto(msg *accesslistv1.Member) (*accesslist.AccessListMember, error) {
+func FromMemberProto(msg *accesslistv1.Member, opts ...MemberOption) (*accesslist.AccessListMember, error) {
 if msg == nil {
 return nil, trace.BadParameter("access list message is nil")
 }
@@ -42,9 +44,19 @@ func FromMemberProto(msg *accesslistv1.Member) (*accesslist.AccessListMember, er
 Expires: msg.Spec.Expires.AsTime(),
 Reason: msg.Spec.Reason,
 AddedBy: msg.Spec.AddedBy,
+ // Set it to empty as default.
+ // Must provide as options to set it with the provided value.
+ IneligibleStatus: "",
 })
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
 
- return member, trace.Wrap(err)
+ for _, opt := range opts {
+ opt(member)
+ }
+
+ return member, nil
 }
 
 // FromMembersProto converts a list of v1 access list members into a list of internal access list members.
@@ -62,15 +74,21 @@ func FromMembersProto(msgs []*accesslistv1.Member) ([]*accesslist.AccessListMemb
 // ToMemberProto converts an internal access list member into a v1 access list member object.
 func ToMemberProto(member *accesslist.AccessListMember) *accesslistv1.Member {
+ var ineligibleStatus accesslistv1.IneligibleStatus
+ if enumVal, ok := accesslistv1.IneligibleStatus_value[member.Spec.IneligibleStatus]; ok {
+ ineligibleStatus = accesslistv1.IneligibleStatus(enumVal)
+ }
+
 return &accesslistv1.Member{
 Header: headerv1.ToResourceHeaderProto(member.ResourceHeader),
 Spec: &accesslistv1.MemberSpec{
- AccessList: member.Spec.AccessList,
- Name: member.Spec.Name,
- Joined: timestamppb.New(member.Spec.Joined),
- Expires: timestamppb.New(member.Spec.Expires),
- Reason: member.Spec.Reason,
- AddedBy: member.Spec.AddedBy,
+ AccessList: member.Spec.AccessList,
+ Name: member.Spec.Name,
+ Joined: timestamppb.New(member.Spec.Joined),
+ Expires: timestamppb.New(member.Spec.Expires),
+ Reason: member.Spec.Reason,
+ AddedBy: member.Spec.AddedBy,
+ IneligibleStatus: ineligibleStatus,
 },
 }
 }
@@ -83,3 +101,15 @@ func ToMembersProto(members []*accesslist.AccessListMember) []*accesslistv1.Memb
 }
 return out
 }
+
+// WithMemberIneligibleStatusField sets the "ineligibleStatus" field to the provided proto value.
+func WithMemberIneligibleStatusField(protoMember *accesslistv1.Member) MemberOption {
+ return func(m *accesslist.AccessListMember) {
+ protoIneligibleStatus := protoMember.GetSpec().GetIneligibleStatus()
+ ineligibleStatus := ""
+ if protoIneligibleStatus != accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED {
+ ineligibleStatus = protoIneligibleStatus.String()
+ }
+ m.Spec.IneligibleStatus = ineligibleStatus
+ }
+}
diff --git a/api/types/accesslist/convert/v1/member_test.go b/api/types/accesslist/convert/v1/member_test.go
index 4be01d962b313..f621a61e9f1f7 100644
--- a/api/types/accesslist/convert/v1/member_test.go
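Review bot: The enum-to-string mapping inside `WithMemberIneligibleStatusField` duplicates the block inside `WithOwnersIneligibleStatusField` in accesslist.go, and the reverse lookup is likewise repeated in ToMemberProto and ToProto. A small unexported helper keeps the "UNSPECIFIED means empty" rule in one place so the two options cannot drift, and the member option then collapses to a single assignment; the owners option would call the same helper on each element.
```go
// ineligibleStatusString renders s for the internal string field;
// INELIGIBLE_STATUS_UNSPECIFIED is represented as the empty string.
func ineligibleStatusString(s accesslistv1.IneligibleStatus) string {
	if s == accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED {
		return ""
	}
	return s.String()
}

// WithMemberIneligibleStatusField sets the "ineligibleStatus" field to the provided proto value.
func WithMemberIneligibleStatusField(protoMember *accesslistv1.Member) MemberOption {
	return func(m *accesslist.AccessListMember) {
		m.Spec.IneligibleStatus = ineligibleStatusString(protoMember.GetSpec().GetIneligibleStatus())
	}
}
```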
+++ b/api/types/accesslist/convert/v1/member_test.go
@@ -23,6 +23,7 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/stretchr/testify/require"
 
+ accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 "github.com/gravitational/teleport/api/types/accesslist"
 "github.com/gravitational/teleport/api/types/header"
 )
@@ -36,6 +37,24 @@ func TestMemberRoundtrip(t *testing.T) {
 require.Empty(t, cmp.Diff(member, converted))
 }
 
+func TestWithMemberIneligibleStatusField(t *testing.T) {
+ proto := &accesslistv1.Member{
+ Spec: &accesslistv1.MemberSpec{
+ IneligibleStatus: accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_EXPIRED,
+ },
+ }
+
+ alMember := &accesslist.AccessListMember{
+ Spec: accesslist.AccessListMemberSpec{},
+ }
+ require.Empty(t, alMember.Spec.IneligibleStatus)
+
+ fn := WithMemberIneligibleStatusField(proto)
+ fn(alMember)
+
+ require.Equal(t, accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_EXPIRED.Enum().String(), alMember.Spec.IneligibleStatus)
+}
+
 // Make sure that we don't panic if any of the message fields are missing.
 func TestMemberFromProtoNils(t *testing.T) {
 // Spec is nil
diff --git a/api/types/accesslist/member.go b/api/types/accesslist/member.go
index 5cd7de673bd0a..824676304c519 100644
--- a/api/types/accesslist/member.go
+++ b/api/types/accesslist/member.go
@@ -54,6 +54,9 @@ type AccessListMemberSpec struct {
 // added_by is the user that added this user to the access list.
 AddedBy string `json:"added_by" yaml:"added_by"`
+
+ // IneligibleStatus describes the reason why this member is not eligible.
+ IneligibleStatus string `json:"ineligible_status" yaml:"ineligible_status"`
 }
 
 // NewAccessListMember will create a new access listm member.
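Review bot: `accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_EXPIRED.Enum().String()` takes a pointer via `Enum()` only to call `String()` through it; `accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_EXPIRED.String()` is equivalent and matches the form used in the owners test. As in that test, the UNSPECIFIED-to-empty branch of the option is not covered here; applying a second option built from a `Member` whose spec leaves `IneligibleStatus` at its zero value and asserting `require.Empty(t, alMember.Spec.IneligibleStatus)` afterwards would also confirm that an option can clear a previously set status.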