[v13] Add the Access List review backend.

api/client/accesslist/accesslist.go

@@ -218,3 +218,51 @@ func (c *Client) AccessRequestPromote(ctx context.Context, req *accesslistv1.Acc
 	}
 	return resp, nil
 }
+
+// ListAccessListReviews will list access list reviews for a particular access list.
+func (c *Client) ListAccessListReviews(ctx context.Context, accessList string, pageSize int, pageToken string) (reviews []*accesslist.Review, nextToken string, err error) {
+	resp, err := c.grpcClient.ListAccessListReviews(ctx, &accesslistv1.ListAccessListReviewsRequest{
+		PageSize:  int32(pageSize),
+		NextToken: nextToken,
+	})
+	if err != nil {
+		return nil, "", trace.Wrap(err)
+	}
+
+	reviews = make([]*accesslist.Review, len(resp.Reviews))
+	for i, review := range resp.Reviews {
+		var err error
+		reviews[i], err = conv.FromReviewProto(review)
+		if err != nil {
+			return nil, "", trace.Wrap(err)
+		}
+	}
+
+	return reviews, resp.GetNextToken(), nil
+}
+
+// CreateAccessListReview will create a new review for an access list.
+func (c *Client) CreateAccessListReview(ctx context.Context, review *accesslist.Review) (*accesslist.Review, error) {
+	resp, err := c.grpcClient.CreateAccessListReview(ctx, &accesslistv1.CreateAccessListReviewRequest{
+		Review: conv.ToReviewProto(review),
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	review.SetName(resp.ReviewName)
+	return review, nil
+}
+
+// DeleteAccessListReview will delete an access list review from the backend.
+func (c *Client) DeleteAccessListReview(ctx context.Context, accessListName, reviewName string) error {
+	_, err := c.grpcClient.DeleteAccessListReview(ctx, &accesslistv1.DeleteAccessListReviewRequest{
+		AccessListName: accessListName,
+		ReviewName:     reviewName,
+	})
+	return trace.Wrap(err)
+}
+
+// DeleteAllAccessListReviews will delete all access list reviews from an access list.
+func (c *Client) DeleteAllAccessListReviews(ctx context.Context, accessListName string) error {
+	return trace.NotImplemented("DeleteAllAccessListReviews is not supported in the gRPC client")
+}

api/proto/teleport/accesslist/v1/accesslist_service.proto

@@ -228,8 +228,11 @@ message CreateAccessListReviewResponse {
 
 // DeleteAccessListReviewRequest is the request for deleting an access list review.
 message DeleteAccessListReviewRequest {
-  // review_name is the name of the access list to delete.
+  // review_name is the name of the review to delete.
   string review_name = 1;
+
+  // access_list_name is the name of the access list to delete the review from.
+  string access_list_name = 2;
 }
 
 // AccessRequestPromoteRequest is the request for promoting an access request to an access list.

lib/services/access_list.go

@@ -48,6 +48,7 @@ type AccessListsGetter interface {
 type AccessLists interface {
 	AccessListsGetter
 	AccessListMembers
+	AccessListReviews
 
 	// UpsertAccessList creates or updates an access list resource.
 	UpsertAccessList(context.Context, *accesslist.AccessList) (*accesslist.AccessList, error)
@@ -289,3 +290,62 @@ func SelectNextReviewDate(accessList *accesslist.AccessList) time.Time {
 
 	return nextDate
 }
+
+// AccessListReviews defines an interface for managing Access List reviews.
+type AccessListReviews interface {
+	// ListAccessListReviews will list access list reviews for a particular access list.
+	ListAccessListReviews(ctx context.Context, accessList string, pageSize int, pageToken string) (reviews []*accesslist.Review, nextToken string, err error)
+
+	// CreateAccessListReview will create a new review for an access list.
+	CreateAccessListReview(ctx context.Context, review *accesslist.Review) (updatedReview *accesslist.Review, err error)
+
+	// DeleteAccessListReview will delete an access list review from the backend.
+	DeleteAccessListReview(ctx context.Context, accessListName, reviewName string) error
+
+	// DeleteAllAccessListReviews will delete all access list reviews from an access list.
+	DeleteAllAccessListReviews(ctx context.Context, accessListName string) error
+}
+
+// MarshalAccessListReview marshals the access list review resource to JSON.
+func MarshalAccessListReview(review *accesslist.Review, opts ...MarshalOption) ([]byte, error) {
+	if err := review.CheckAndSetDefaults(); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	cfg, err := CollectOptions(opts)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	if !cfg.PreserveResourceID {
+		copy := *review
+		copy.SetResourceID(0)
+		review = &copy
+	}
+	return utils.FastMarshal(review)
+}
+
+// UnmarshalAccessListReview unmarshals the access list review resource from JSON.
+func UnmarshalAccessListReview(data []byte, opts ...MarshalOption) (*accesslist.Review, error) {
+	if len(data) == 0 {
+		return nil, trace.BadParameter("missing access list review data")
+	}
+	cfg, err := CollectOptions(opts)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	var review accesslist.Review
+	if err := utils.FastUnmarshal(data, &review); err != nil {
+		return nil, trace.BadParameter(err.Error())
+	}
+	if err := review.CheckAndSetDefaults(); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if cfg.ID != 0 {
+		review.SetResourceID(cfg.ID)
+	}
+	if !cfg.Expires.IsZero() {
+		review.SetExpiry(cfg.Expires)
+	}
+	return &review, nil
+}

lib/services/access_list_test.go

@@ -27,6 +27,7 @@ import (
 
 	"github.com/gravitational/teleport/api/types/accesslist"
 	"github.com/gravitational/teleport/api/types/header"
+	"github.com/gravitational/teleport/api/types/trait"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -468,6 +469,107 @@ func TestSelectNextReviewDate(t *testing.T) {
 	}
 }
 
+// TestAccessListReviewUnmarshal verifies an access list review resource can be unmarshaled.
+func TestAccessListReviewUnmarshal(t *testing.T) {
+	expected, err := accesslist.NewReview(
+		header.Metadata{
+			Name: "test-access-list-review",
+		},
+		accesslist.ReviewSpec{
+			AccessList: "access-list",
+			Reviewers: []string{
+				"user1",
+				"user2",
+			},
+			ReviewDate: time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC),
+			Notes:      "Some notes",
+			Changes: accesslist.ReviewChanges{
+				MembershipRequirementsChanged: &accesslist.Requires{
+					Roles: []string{
+						"role1",
+						"role2",
+					},
+					Traits: trait.Traits{
+						"trait1": []string{
+							"value1",
+							"value2",
+						},
+						"trait2": []string{
+							"value1",
+							"value2",
+						},
+					},
+				},
+				RemovedMembers: []string{
+					"member1",
+					"member2",
+				},
+				ReviewFrequencyChanged:  accesslist.ThreeMonths,
+				ReviewDayOfMonthChanged: accesslist.FifteenthDayOfMonth,
+			},
+		},
+	)
+	require.NoError(t, err)
+	data, err := utils.ToJSON([]byte(accessListReviewYAML))
+	require.NoError(t, err)
+	actual, err := UnmarshalAccessListReview(data)
+	require.NoError(t, err)
+	require.Equal(t, expected, actual)
+}
+
+// TestAccessListReviewMarshal verifies a marshaled access list review resource can be unmarshaled back.
+func TestAccessListReviewMarshal(t *testing.T) {
+	expected, err := accesslist.NewAccessList(
+		header.Metadata{
+			Name: "test-access-list-review",
+		},
+		accesslist.Spec{
+			Title:       "title",
+			Description: "test access list",
+			Owners: []accesslist.Owner{
+				{
+					Name:        "test-user1",
+					Description: "test user 1",
+				},
+				{
+					Name:        "test-user2",
+					Description: "test user 2",
+				},
+			},
+			Audit: accesslist.Audit{
+				NextAuditDate: time.Date(2023, 02, 02, 0, 0, 0, 0, time.UTC),
+			},
+			MembershipRequires: accesslist.Requires{
+				Roles: []string{"mrole1", "mrole2"},
+				Traits: map[string][]string{
+					"mtrait1": {"mvalue1", "mvalue2"},
+					"mtrait2": {"mvalue3", "mvalue4"},
+				},
+			},
+			OwnershipRequires: accesslist.Requires{
+				Roles: []string{"orole1", "orole2"},
+				Traits: map[string][]string{
+					"otrait1": {"ovalue1", "ovalue2"},
+					"otrait2": {"ovalue3", "ovalue4"},
+				},
+			},
+			Grants: accesslist.Grants{
+				Roles: []string{"grole1", "grole2"},
+				Traits: map[string][]string{
+					"gtrait1": {"gvalue1", "gvalue2"},
+					"gtrait2": {"gvalue3", "gvalue4"},
+				},
+			},
+		},
+	)
+	require.NoError(t, err)
+	data, err := MarshalAccessList(expected)
+	require.NoError(t, err)
+	actual, err := UnmarshalAccessList(data)
+	require.NoError(t, err)
+	require.Equal(t, expected, actual)
+}
+
 func newAccessList(t *testing.T) *accesslist.AccessList {
 	t.Helper()
 
@@ -490,6 +592,10 @@ func newAccessList(t *testing.T) *accesslist.AccessList {
 			},
 			Audit: accesslist.Audit{
 				NextAuditDate: time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC),
+				Recurrence: accesslist.Recurrence{
+					Frequency:  accesslist.ThreeMonths,
+					DayOfMonth: accesslist.FifteenthDayOfMonth,
+				},
 			},
 			MembershipRequires: accesslist.Requires{
 				Roles: []string{"mrole1", "mrole2"},
@@ -624,3 +730,34 @@ spec:
   reason: "because"
   added_by: "test-user1"
 `
+
+var accessListReviewYAML = `---
+kind: access_list_review
+version: v1
+metadata:
+  name: test-access-list-review
+spec:
+  access_list: access-list
+  reviewers:
+  - user1
+  - user2
+  review_date: 2023-01-01T00:00:00Z
+  notes: "Some notes"
+  changes:
+    membership_requirements_changed:
+      roles:
+      - role1
+      - role2
+      traits:
+        trait1:
+        - value1
+        - value2
+        trait2:
+        - value1
+        - value2
+    removed_members:
+    - member1
+    - member2
+    review_frequency_changed: 3 months
+    review_day_of_month_changed: "15"
+`