[v14] Show resources in Slack notification for access requests

api/accessrequest/access_request.go

@@ -0,0 +1,181 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package accessrequest
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/client"
+	"github.com/gravitational/teleport/api/client/proto"
+	"github.com/gravitational/teleport/api/types"
+)
+
+type ListResourcesRequestOption func(*proto.ListResourcesRequest)
+
+// GetResourcesByKind is an alternative to client.GetResourcesWithFilters
+// that searches with the resource kinds used in access requests instead of the
+// resource types expected by ListResources.
+//
+// The ResourceType field in the request should not be set by the caller, as
+// it will be overridden.
+func GetResourcesByKind(ctx context.Context, clt client.ListResourcesClient, req proto.ListResourcesRequest, kind string) ([]types.ResourceWithLabels, error) {
+	req.ResourceType = mapResourceKindToListResourcesType(kind)
+	results, err := client.GetResourcesWithFilters(ctx, clt, req)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resources := make([]types.ResourceWithLabels, 0, len(results))
+	for _, result := range results {
+		leafResource, err := mapListResourcesResultToLeafResource(result, kind)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		resources = append(resources, leafResource)
+	}
+	return resources, nil
+}
+
+// GetResourceDetails gets extra details for a list of resources in a given cluster.
+func GetResourceDetails(ctx context.Context, clusterName string, lister client.ListResourcesClient, ids []types.ResourceID) (map[string]types.ResourceDetails, error) {
+	var resourceIDs []types.ResourceID
+	for _, resourceID := range ids {
+		// We're interested in hostname or friendly name details. These apply to
+		// nodes, app servers, and user groups.
+		switch resourceID.Kind {
+		case types.KindNode, types.KindApp, types.KindUserGroup:
+			resourceIDs = append(resourceIDs, resourceID)
+		}
+	}
+
+	withExtraRoles := func(req *proto.ListResourcesRequest) {
+		req.UseSearchAsRoles = true
+		req.UsePreviewAsRoles = true
+	}
+
+	resources, err := GetResourcesByResourceIDs(ctx, lister, resourceIDs, withExtraRoles)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	result := make(map[string]types.ResourceDetails)
+	for _, resource := range resources {
+		friendlyName := types.FriendlyName(resource)
+
+		// No friendly name was found, so skip to the next resource.
+		if friendlyName == "" {
+			continue
+		}
+
+		id := types.ResourceID{
+			ClusterName: clusterName,
+			Kind:        resource.GetKind(),
+			Name:        resource.GetName(),
+		}
+		result[types.ResourceIDToString(id)] = types.ResourceDetails{
+			FriendlyName: friendlyName,
+		}
+	}
+
+	return result, nil
+}
+
+// GetResourceIDsByCluster will return resource IDs grouped by cluster.
+func GetResourceIDsByCluster(r types.AccessRequest) map[string][]types.ResourceID {
+	resourceIDsByCluster := make(map[string][]types.ResourceID)
+	for _, resourceID := range r.GetRequestedResourceIDs() {
+		resourceIDsByCluster[resourceID.ClusterName] = append(resourceIDsByCluster[resourceID.ClusterName], resourceID)
+	}
+	return resourceIDsByCluster
+}
+
+// GetResourcesByResourceID gets a list of resources by their resource IDs.
+func GetResourcesByResourceIDs(ctx context.Context, lister client.ListResourcesClient, resourceIDs []types.ResourceID, opts ...ListResourcesRequestOption) ([]types.ResourceWithLabels, error) {
+	resourceNamesByKind := make(map[string][]string)
+	for _, resourceID := range resourceIDs {
+		resourceNamesByKind[resourceID.Kind] = append(resourceNamesByKind[resourceID.Kind], resourceID.Name)
+	}
+	var resources []types.ResourceWithLabels
+	for kind, resourceNames := range resourceNamesByKind {
+		req := proto.ListResourcesRequest{
+			PredicateExpression: anyNameMatcher(resourceNames),
+			Limit:               int32(len(resourceNames)),
+		}
+		for _, opt := range opts {
+			opt(&req)
+		}
+		resp, err := GetResourcesByKind(ctx, lister, req, kind)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		resources = append(resources, resp...)
+	}
+	return resources, nil
+}
+
+// anyNameMatcher returns a PredicateExpression which matches any of a given list
+// of names. Given names will be escaped and quoted when building the expression.
+func anyNameMatcher(names []string) string {
+	matchers := make([]string, len(names))
+	for i := range names {
+		matchers[i] = fmt.Sprintf(`resource.metadata.name == %q`, names[i])
+	}
+	return strings.Join(matchers, " || ")
+}
+
+// mapResourceKindToListResourcesType returns the value to use for ResourceType in a
+// ListResourcesRequest based on the kind of resource you're searching for.
+// Necessary because some resource kinds don't support ListResources directly,
+// so you have to list the parent kind. Use MapListResourcesResultToLeafResource to map back
+// to the given kind.
+func mapResourceKindToListResourcesType(kind string) string {
+	switch kind {
+	case types.KindApp:
+		return types.KindAppServer
+	case types.KindDatabase:
+		return types.KindDatabaseServer
+	case types.KindKubernetesCluster:
+		return types.KindKubeServer
+	default:
+		return kind
+	}
+}
+
+// mapListResourcesResultToLeafResource is the inverse of
+// MapResourceKindToListResourcesType, after the ListResources call it maps the
+// result back to the kind we really want. `hint` should be the name of the
+// desired resource kind, used to disambiguate normal SSH nodes and kubernetes
+// services which are both returned as `types.Server`.
+func mapListResourcesResultToLeafResource(resource types.ResourceWithLabels, hint string) (types.ResourceWithLabels, error) {
+	switch r := resource.(type) {
+	case types.AppServer:
+		return r.GetApp(), nil
+	case types.KubeServer:
+		return r.GetCluster(), nil
+	case types.DatabaseServer:
+		return r.GetDatabase(), nil
+	case types.Server:
+		if hint == types.KindKubernetesCluster {
+			return nil, trace.BadParameter("expected kubernetes server, got server")
+		}
+	default:
+	}
+	return resource, nil
+}

api/accessrequest/access_request_test.go

@@ -0,0 +1,127 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package accessrequest
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/client/proto"
+	"github.com/gravitational/teleport/api/types"
+)
+
+func newNode(t *testing.T, name, hostname string) types.Server {
+	t.Helper()
+	node, err := types.NewServer(name, types.KindNode,
+		types.ServerSpecV2{
+			Hostname: hostname,
+		})
+	require.NoError(t, err)
+	return node
+}
+
+func newApp(t *testing.T, name, description, origin string) types.Application {
+	t.Helper()
+	app, err := types.NewAppV3(types.Metadata{
+		Name:        name,
+		Description: description,
+		Labels: map[string]string{
+			types.OriginLabel: origin,
+		},
+	},
+		types.AppSpecV3{
+			URI:        "https://some-addr.com",
+			PublicAddr: "https://some-addr.com",
+		})
+	require.NoError(t, err)
+	return app
+}
+
+func newUserGroup(t *testing.T, name, description, origin string) types.UserGroup {
+	t.Helper()
+	userGroup, err := types.NewUserGroup(types.Metadata{
+		Name:        name,
+		Description: description,
+		Labels: map[string]string{
+			types.OriginLabel: origin,
+		},
+	}, types.UserGroupSpecV1{})
+	require.NoError(t, err)
+	return userGroup
+}
+
+func newResourceID(clusterName, kind, name string) types.ResourceID {
+	return types.ResourceID{
+		ClusterName: clusterName,
+		Kind:        kind,
+		Name:        name,
+	}
+}
+
+type mockResourceLister struct {
+	resources []types.ResourceWithLabels
+}
+
+func (m *mockResourceLister) ListResources(ctx context.Context, _ proto.ListResourcesRequest) (*types.ListResourcesResponse, error) {
+	return &types.ListResourcesResponse{
+		Resources: m.resources,
+	}, nil
+}
+
+func TestGetResourceDetails(t *testing.T) {
+	clusterName := "cluster"
+
+	presence := &mockResourceLister{
+		resources: []types.ResourceWithLabels{
+			newNode(t, "node1", "hostname 1"),
+			newApp(t, "app1", "friendly app 1", types.OriginDynamic),
+			newApp(t, "app2", "friendly app 2", types.OriginDynamic),
+			newApp(t, "app3", "friendly app 3", types.OriginOkta),
+			newUserGroup(t, "group1", "friendly group 1", types.OriginOkta),
+		},
+	}
+	resourceIDs := []types.ResourceID{
+		newResourceID(clusterName, types.KindNode, "node1"),
+		newResourceID(clusterName, types.KindApp, "app1"),
+		newResourceID(clusterName, types.KindApp, "app2"),
+		newResourceID(clusterName, types.KindApp, "app3"),
+		newResourceID(clusterName, types.KindUserGroup, "group1"),
+	}
+
+	ctx := context.Background()
+
+	details, err := GetResourceDetails(ctx, clusterName, presence, resourceIDs)
+	require.NoError(t, err)
+
+	// Check the resource details to see if friendly names properly propagated.
+
+	// Node should be named for its hostname.
+	require.Equal(t, "hostname 1", details[types.ResourceIDToString(resourceIDs[0])].FriendlyName)
+
+	// app1 and app2 are expected to be empty because they're not Okta sourced resources.
+	require.Empty(t, details[types.ResourceIDToString(resourceIDs[1])].FriendlyName)
+
+	require.Empty(t, details[types.ResourceIDToString(resourceIDs[2])].FriendlyName)
+
+	// This Okta sourced app should have a friendly name.
+	require.Equal(t, "friendly app 3", details[types.ResourceIDToString(resourceIDs[3])].FriendlyName)
+
+	// This Okta sourced user group should have a friendly name.
+	require.Equal(t, "friendly group 1", details[types.ResourceIDToString(resourceIDs[4])].FriendlyName)
+}

api/types/resource.go

@@ -654,3 +654,18 @@ func ValidateResourceName(validationRegex *regexp.Regexp, name string) error {
 		name, validationRegex.String(),
 	)
 }
+
+// FriendlyName will return the friendly name for a resource if it has one. Otherwise, it
+// will return an empty string.
+func FriendlyName(resource ResourceWithLabels) string {
+	// Right now, only resources sourced from Okta and nodes have friendly names.
+	if resource.Origin() == OriginOkta {
+		return resource.GetMetadata().Description
+	}
+
+	if hn, ok := resource.(interface{ GetHostname() string }); ok {
+		return hn.GetHostname()
+	}
+
+	return ""
+}

api/types/resource_test.go

@@ -501,3 +501,59 @@ func TestValidLabelKey(t *testing.T) {
 		require.Equal(t, tc.valid, isValid)
 	}
 }
+
+func TestFriendlyName(t *testing.T) {
+	appNoFriendly, err := NewAppV3(Metadata{
+		Name: "no friendly",
+	}, AppSpecV3{
+		URI: "https://some-uri.com",
+	},
+	)
+	require.NoError(t, err)
+
+	appFriendly, err := NewAppV3(Metadata{
+		Name:        "no friendly",
+		Description: "friendly name",
+		Labels: map[string]string{
+			OriginLabel: OriginOkta,
+		},
+	}, AppSpecV3{
+		URI: "https://some-uri.com",
+	},
+	)
+	require.NoError(t, err)
+
+	node, err := NewServer("node", KindNode, ServerSpecV2{
+		Hostname: "friendly hostname",
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name     string
+		resource ResourceWithLabels
+		expected string
+	}{
+		{
+			name:     "no friendly name",
+			resource: appNoFriendly,
+			expected: "",
+		},
+		{
+			name:     "friendly app name",
+			resource: appFriendly,
+			expected: "friendly name",
+		},
+		{
+			name:     "friendly node name",
+			resource: node,
+			expected: "friendly hostname",
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			require.Equal(t, test.expected, FriendlyName(test.resource))
+		})
+	}
+}