[v14] Allow configuration of Okta access list importing.

api/proto/teleport/legacy/types/types.proto

@@ -5618,11 +5618,33 @@ message PluginOktaSettings {
   // OrgUrl is the Okta organization URL to use for API communication.
   string org_url = 1;
 
-  // EnableUserSync controls the user sync in the Okta integration service.
+  // EnableUserSync controls the user sync in the Okta integration service. Deprecated.
+  // TODO(mdwn): Remove once e changes have been made.
   bool enable_user_sync = 2;
 
-  // SSOConnectorID is the ID of the Teleport SSO connector associated with this plugin
+  // SSOConnectorID (deprecated)
+  // TODO(mdwn): Remove once e changes have been made.
   string sso_connector_id = 3;
+
+  // Sync settings controls the user and access list sync settings for Okta.
+  PluginOktaSyncSettings sync_settings = 4;
+}
+
+// Defines settings for syncing users and access lists from Okta.
+message PluginOktaSyncSettings {
+  option (gogoproto.equal) = true;
+
+  // SyncUsers controls the user sync in the Okta integration service.
+  bool sync_users = 1;
+
+  // SSOConnectorID is the name of the Teleport SSO connector created and used by the Okta plugin
+  string sso_connector_id = 2;
+
+  // SyncAccessLists controls the access list sync in the Okta integration service.
+  bool sync_access_lists = 3;
+
+  // DefaultOwners are the default owners for all imported access lists.
+  repeated string default_owners = 4;
 }
 
 // Defines a set of discord channel IDs

api/types/plugin.go

@@ -442,10 +442,23 @@ func (s *PluginOktaSettings) CheckAndSetDefaults() error {
 		return trace.BadParameter("org_url must be set")
 	}
 
-	if s.EnableUserSync && s.SsoConnectorId == "" {
+	// If sync settings is not set, default to an empty config.
+	if s.SyncSettings == nil {
+		s.SyncSettings = &PluginOktaSyncSettings{}
+
+		// TODO(mdwn): Remove once modifications have been made in enterprise.
+		s.SyncSettings.SyncUsers = s.EnableUserSync
+		s.SyncSettings.SsoConnectorId = s.SsoConnectorId
+	}
+
+	if s.SyncSettings.SyncUsers && s.SsoConnectorId == "" {
 		return trace.BadParameter("sso_connector_id must be set when user sync enabled")
 	}
 
+	if s.SyncSettings.SyncAccessLists && len(s.SyncSettings.DefaultOwners) == 0 {
+		return trace.BadParameter("default owners must be set when access list import is enabled")
+	}
+
 	return nil
 }
 

api/types/plugin_test.go

@@ -217,6 +217,18 @@ func TestPluginOktaValidation(t *testing.T) {
 		},
 	}
 
+	validSettingsWithSyncSettings := &PluginSpecV1_Okta{
+		Okta: &PluginOktaSettings{
+			OrgUrl:         "https://test.okta.com",
+			EnableUserSync: true,
+			SsoConnectorId: "some-sso-connector-id",
+			SyncSettings: &PluginOktaSyncSettings{
+				SyncAccessLists: true,
+				DefaultOwners:   []string{"owner1"},
+			},
+		},
+	}
+
 	validCreds := &PluginCredentialsV1{
 		Credentials: &PluginCredentialsV1_StaticCredentialsRef{
 			&PluginStaticCredentialsRef{
@@ -242,6 +254,23 @@ func TestPluginOktaValidation(t *testing.T) {
 			assertValue: func(t *testing.T, settings *PluginOktaSettings) {
 				require.Equal(t, "https://test.okta.com", settings.OrgUrl)
 				require.True(t, settings.EnableUserSync)
+				require.Equal(t, "some-sso-connector-id", settings.SsoConnectorId)
+				require.True(t, settings.SyncSettings.SyncUsers)
+				require.Equal(t, "some-sso-connector-id", settings.SyncSettings.SsoConnectorId)
+				require.False(t, settings.SyncSettings.SyncAccessLists)
+			},
+		},
+		{
+			name:      "valid values are preserved, import populated",
+			settings:  validSettingsWithSyncSettings,
+			creds:     validCreds,
+			assertErr: require.NoError,
+			assertValue: func(t *testing.T, settings *PluginOktaSettings) {
+				require.Equal(t, "https://test.okta.com", settings.OrgUrl)
+				require.True(t, settings.EnableUserSync)
+				require.False(t, settings.SyncSettings.SyncUsers) // Mismatch because there are sync settings.
+				require.True(t, settings.SyncSettings.SyncAccessLists)
+				require.ElementsMatch(t, []string{"owner1"}, settings.SyncSettings.DefaultOwners)
 			},
 		},
 		{
@@ -332,7 +361,23 @@ func TestPluginOktaValidation(t *testing.T) {
 			assertValue: func(t *testing.T, settings *PluginOktaSettings) {
 				require.False(t, settings.EnableUserSync)
 				require.Empty(t, settings.SsoConnectorId)
+				require.False(t, settings.SyncSettings.SyncUsers)
+				require.Empty(t, settings.SyncSettings.SsoConnectorId)
+			},
+		}, {
+			name: "import enabled without default owners",
+			settings: &PluginSpecV1_Okta{
+				Okta: &PluginOktaSettings{
+					OrgUrl:         "https://test.okta.com",
+					EnableUserSync: true,
+					SsoConnectorId: "some-sso-connector-id",
+					SyncSettings: &PluginOktaSyncSettings{
+						SyncAccessLists: true,
+					},
+				},
 			},
+			creds:     validCreds,
+			assertErr: requireBadParameterWith("default owners must be set when access list import is enabled"),
 		},
 	}