Entra ID integration: add plugin boilerplate and OIDC adjustments

api/proto/teleport/legacy/types/types.proto

@@ -5781,10 +5781,12 @@ message PluginSpecV1 {
     PluginServiceNowSettings serviceNow = 10;
     // Settings for the Gitlab plugin.
     PluginGitlabSettings gitlab = 12;
+    // Settings for the Entra ID plugin
+    PluginEntraIDSettings entra_id = 13;
   }
 
   // generation contains a unique ID that should:
-  // - Be created by the backed on plugin creation.
+  // - Be created by the backend on plugin creation.
   // - Be updated by the backend if the plugin is updated in any way.
   //
   // For older plugins, it's possible for this to be empty.
@@ -5966,6 +5968,22 @@ message PluginDiscordSettings {
   map<string, DiscordChannels> role_to_recipients = 1;
 }
 
+// PluginEntraIDSettings defines settings for the Entra ID sync plugin
+message PluginEntraIDSettings {
+  option (gogoproto.equal) = true;
+
+  // SyncSettings controls the user and access list sync settings for EntraID.
+  PluginEntraIDSyncSettings sync_settings = 1;
+}
+
+// Defines settings for syncing users and access lists from Entra ID.
+message PluginEntraIDSyncSettings {
+  option (gogoproto.equal) = true;
+
+  // DefaultOwners are the default owners for all imported access lists.
+  repeated string default_owners = 1;
+}
+
 message PluginBootstrapCredentialsV1 {
   oneof credentials {
     PluginOAuth2AuthorizationCodeCredentials oauth2_authorization_code = 1;
@@ -6422,6 +6440,8 @@ message IntegrationSpecV1 {
   oneof SubKindSpec {
     // AWSOIDC contains the specific fields to handle the AWS OIDC Integration subkind
     AWSOIDCIntegrationSpecV1 AWSOIDC = 1 [(gogoproto.jsontag) = "aws_oidc,omitempty"];
+    // AzureOIDC contains the specific fields to handle the Azure OIDC Integration subkind
+    AzureOIDCIntegrationSpecV1 AzureOIDC = 2 [(gogoproto.jsontag) = "azure_oidc,omitempty"];
   }
 }
 
@@ -6440,6 +6460,17 @@ message AWSOIDCIntegrationSpecV1 {
   string IssuerS3URI = 2 [(gogoproto.jsontag) = "issuer_s3_uri,omitempty"];
 }
 
+// AzureOIDCIntegrationSpecV1 contains the spec properties for the Azure OIDC SubKind Integration.
+message AzureOIDCIntegrationSpecV1 {
+  // TenantID specifies the ID of Entra Tenant (Directory)
+  // that this plugin integrates with.
+  string TenantID = 1 [(gogoproto.jsontag) = "tenant_id,omitempty"];
+
+  // ClientID specifies the ID of Azure enterprise application (client)
+  // that corresponds to this plugin.
+  string ClientID = 2 [(gogoproto.jsontag) = "client_id,omitempty"];
+}
+
 // HeadlessAuthentication holds data for an ongoing headless authentication attempt.
 message HeadlessAuthentication {
   // Header is the resource header.

api/types/integration.go

@@ -29,6 +29,9 @@ import (
 const (
 	// IntegrationSubKindAWSOIDC is an integration with AWS that uses OpenID Connect as an Identity Provider.
 	IntegrationSubKindAWSOIDC = "aws-oidc"
+
+	// IntegrationSubKindAzureOIDC is an integration with Azure that uses OpenID Connect as an Identity Provider.
+	IntegrationSubKindAzureOIDC = "azure-oidc"
 )
 
 // Integration specifies is a connection configuration between Teleport and a 3rd party system.
@@ -47,6 +50,9 @@ type Integration interface {
 	// SetAWSOIDCIssuerS3URI sets the IssuerS3URI of the AWS OIDC Spec.
 	// Eg, s3://my-bucket/my-prefix
 	SetAWSOIDCIssuerS3URI(string)
+
+	// GetAzureOIDCIntegrationSpec returns the `azure-oidc` spec fields.
+	GetAzureOIDCIntegrationSpec() *AzureOIDCIntegrationSpecV1
 }
 
 var _ ResourceWithLabels = (*IntegrationV1)(nil)
@@ -72,6 +78,27 @@ func NewIntegrationAWSOIDC(md Metadata, spec *AWSOIDCIntegrationSpecV1) (*Integr
 	return ig, nil
 }
 
+// NewIntegrationAzureOIDC returns a new `azure-oidc` subkind Integration
+func NewIntegrationAzureOIDC(md Metadata, spec *AzureOIDCIntegrationSpecV1) (*IntegrationV1, error) {
+	ig := &IntegrationV1{
+		ResourceHeader: ResourceHeader{
+			Metadata: md,
+			Kind:     KindIntegration,
+			Version:  V1,
+			SubKind:  IntegrationSubKindAzureOIDC,
+		},
+		Spec: IntegrationSpecV1{
+			SubKindSpec: &IntegrationSpecV1_AzureOIDC{
+				AzureOIDC: spec,
+			},
+		},
+	}
+	if err := ig.CheckAndSetDefaults(); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return ig, nil
+}
+
 // String returns the integration string representation.
 func (ig *IntegrationV1) String() string {
 	return fmt.Sprintf("IntegrationV1(Name=%v, SubKind=%s, Labels=%v)",
@@ -128,14 +155,19 @@ func (s *IntegrationSpecV1) CheckAndSetDefaults() error {
 		if err != nil {
 			return trace.Wrap(err)
 		}
+	case *IntegrationSpecV1_AzureOIDC:
+		err := integrationSubKind.CheckAndSetDefaults()
+		if err != nil {
+			return trace.Wrap(err)
+		}
 	default:
 		return trace.BadParameter("unknown integration subkind: %T", integrationSubKind)
 	}
 
 	return nil
 }
 
-// CheckAndSetDefaults validates an agent mesh integration.
+// CheckAndSetDefaults validates the configuration for AWS OIDC integration subkind.
 func (s *IntegrationSpecV1_AWSOIDC) CheckAndSetDefaults() error {
 	if s == nil || s.AWSOIDC == nil {
 		return trace.BadParameter("aws_oidc is required for %q subkind", IntegrationSubKindAWSOIDC)
@@ -160,6 +192,21 @@ func (s *IntegrationSpecV1_AWSOIDC) CheckAndSetDefaults() error {
 	return nil
 }
 
+// CheckAndSetDefaults validates the configuration for Azure OIDC integration subkind.
+func (s *IntegrationSpecV1_AzureOIDC) CheckAndSetDefaults() error {
+	if s == nil || s.AzureOIDC == nil {
+		return trace.BadParameter("azure_oidc is required for %q subkind", IntegrationSubKindAzureOIDC)
+	}
+	if s.AzureOIDC.TenantID == "" {
+		return trace.BadParameter("tenant_id must be set")
+	}
+	if s.AzureOIDC.ClientID == "" {
+		return trace.BadParameter("client_id must be set")
+	}
+
+	return nil
+}
+
 // GetAWSOIDCIntegrationSpec returns the specific spec fields for `aws-oidc` subkind integrations.
 func (ig *IntegrationV1) GetAWSOIDCIntegrationSpec() *AWSOIDCIntegrationSpecV1 {
 	return ig.Spec.GetAWSOIDC()
@@ -198,6 +245,11 @@ func (ig *IntegrationV1) SetAWSOIDCIssuerS3URI(issuerS3URI string) {
 	}
 }
 
+// GetAzureOIDCIntegrationSpec returns the specific spec fields for `azure-oidc` subkind integrations.
+func (ig *IntegrationV1) GetAzureOIDCIntegrationSpec() *AzureOIDCIntegrationSpecV1 {
+	return ig.Spec.GetAzureOIDC()
+}
+
 // Integrations is a list of Integration resources.
 type Integrations []Integration
 
@@ -247,7 +299,8 @@ func (ig *IntegrationV1) UnmarshalJSON(data []byte) error {
 	d := struct {
 		ResourceHeader `json:""`
 		Spec           struct {
-			AWSOIDC json.RawMessage `json:"aws_oidc"`
+			AWSOIDC   json.RawMessage `json:"aws_oidc"`
+			AzureOIDC json.RawMessage `json:"azure_oidc"`
 		} `json:"spec"`
 	}{}
 
@@ -270,6 +323,17 @@ func (ig *IntegrationV1) UnmarshalJSON(data []byte) error {
 
 		integration.Spec.SubKindSpec = subkindSpec
 
+	case IntegrationSubKindAzureOIDC:
+		subkindSpec := &IntegrationSpecV1_AzureOIDC{
+			AzureOIDC: &AzureOIDCIntegrationSpecV1{},
+		}
+
+		if err := json.Unmarshal(d.Spec.AzureOIDC, subkindSpec.AzureOIDC); err != nil {
+			return trace.Wrap(err)
+		}
+
+		integration.Spec.SubKindSpec = subkindSpec
+
 	default:
 		return trace.BadParameter("invalid subkind %q", integration.ResourceHeader.SubKind)
 	}
@@ -290,7 +354,8 @@ func (ig *IntegrationV1) MarshalJSON() ([]byte, error) {
 	d := struct {
 		ResourceHeader `json:""`
 		Spec           struct {
-			AWSOIDC AWSOIDCIntegrationSpecV1 `json:"aws_oidc"`
+			AWSOIDC   AWSOIDCIntegrationSpecV1   `json:"aws_oidc"`
+			AzureOIDC AzureOIDCIntegrationSpecV1 `json:"azure_oidc"`
 		} `json:"spec"`
 	}{}
 
@@ -303,6 +368,12 @@ func (ig *IntegrationV1) MarshalJSON() ([]byte, error) {
 		}
 
 		d.Spec.AWSOIDC = *ig.GetAWSOIDCIntegrationSpec()
+	case IntegrationSubKindAzureOIDC:
+		if ig.GetAzureOIDCIntegrationSpec() == nil {
+			return nil, trace.BadParameter("missing subkind data for %q subkind", ig.SubKind)
+		}
+
+		d.Spec.AzureOIDC = *ig.GetAzureOIDCIntegrationSpec()
 	default:
 		return nil, trace.BadParameter("invalid subkind %q", ig.SubKind)
 	}

api/types/integration_test.go

@@ -28,7 +28,7 @@ import (
 )
 
 func TestIntegrationJSONMarshalCycle(t *testing.T) {
-	ig, err := NewIntegrationAWSOIDC(
+	aws, err := NewIntegrationAWSOIDC(
 		Metadata{Name: "some-integration"},
 		&AWSOIDCIntegrationSpecV1{
 			RoleARN:     "arn:aws:iam::123456789012:role/DevTeams",
@@ -37,14 +37,29 @@ func TestIntegrationJSONMarshalCycle(t *testing.T) {
 	)
 	require.NoError(t, err)
 
-	bs, err := json.Marshal(ig)
+	azure, err := NewIntegrationAzureOIDC(
+		Metadata{Name: "some-integration"},
+		&AzureOIDCIntegrationSpecV1{
+			TenantID: "foo-bar",
+			ClientID: "baz-quux",
+		},
+	)
 	require.NoError(t, err)
 
-	var ig2 IntegrationV1
-	err = json.Unmarshal(bs, &ig2)
-	require.NoError(t, err)
+	allIntegrations := []*IntegrationV1{aws, azure}
 
-	require.Equal(t, &ig2, ig)
+	for _, ig := range allIntegrations {
+		t.Run(ig.SubKind, func(t *testing.T) {
+			bs, err := json.Marshal(ig)
+			require.NoError(t, err)
+
+			var ig2 IntegrationV1
+			err = json.Unmarshal(bs, &ig2)
+			require.NoError(t, err)
+
+			require.Equal(t, &ig2, ig)
+		})
+	}
 }
 
 func TestIntegrationCheckAndSetDefaults(t *testing.T) {
@@ -59,7 +74,7 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 		expectedErrorIs     func(error) bool
 	}{
 		{
-			name: "valid",
+			name: "aws-oidc: valid",
 			integration: func(name string) (*IntegrationV1, error) {
 				return NewIntegrationAWSOIDC(
 					Metadata{
@@ -104,9 +119,7 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 					nil,
 				)
 			},
-			expectedErrorIs: func(err error) bool {
-				return trace.IsBadParameter(err)
-			},
+			expectedErrorIs: trace.IsBadParameter,
 		},
 		{
 			name: "aws-oidc: error when issuer is not a valid url",
@@ -121,9 +134,7 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 					},
 				)
 			},
-			expectedErrorIs: func(err error) bool {
-				return trace.IsBadParameter(err)
-			},
+			expectedErrorIs: trace.IsBadParameter,
 		},
 		{
 			name: "aws-oidc: issuer is not an s3 url",
@@ -138,9 +149,7 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 					},
 				)
 			},
-			expectedErrorIs: func(err error) bool {
-				return trace.IsBadParameter(err)
-			},
+			expectedErrorIs: trace.IsBadParameter,
 		},
 		{
 			name: "aws-oidc: error when no role is provided",
@@ -152,9 +161,71 @@ func TestIntegrationCheckAndSetDefaults(t *testing.T) {
 					&AWSOIDCIntegrationSpecV1{},
 				)
 			},
-			expectedErrorIs: func(err error) bool {
-				return trace.IsBadParameter(err)
+			expectedErrorIs: trace.IsBadParameter,
+		},
+		{
+			name: "azure-oidc: valid",
+			integration: func(name string) (*IntegrationV1, error) {
+				return NewIntegrationAzureOIDC(
+					Metadata{
+						Name: name,
+					},
+					&AzureOIDCIntegrationSpecV1{
+						ClientID: "baz-quux",
+						TenantID: "foo-bar",
+					},
+				)
+			},
+			expectedIntegration: func(name string) *IntegrationV1 {
+				return &IntegrationV1{
+					ResourceHeader: ResourceHeader{
+						Kind:    KindIntegration,
+						SubKind: IntegrationSubKindAzureOIDC,
+						Version: V1,
+						Metadata: Metadata{
+							Name:      name,
+							Namespace: defaults.Namespace,
+						},
+					},
+					Spec: IntegrationSpecV1{
+						SubKindSpec: &IntegrationSpecV1_AzureOIDC{
+							AzureOIDC: &AzureOIDCIntegrationSpecV1{
+								ClientID: "baz-quux",
+								TenantID: "foo-bar",
+							},
+						},
+					},
+				}
+			},
+			expectedErrorIs: noErrorFunc,
+		},
+		{
+			name: "azure-oidc: error when no tenant id is provided",
+			integration: func(name string) (*IntegrationV1, error) {
+				return NewIntegrationAzureOIDC(
+					Metadata{
+						Name: name,
+					},
+					&AzureOIDCIntegrationSpecV1{
+						ClientID: "baz-quux",
+					},
+				)
+			},
+			expectedErrorIs: trace.IsBadParameter,
+		},
+		{
+			name: "azure-oidc: error when no client id is provided",
+			integration: func(name string) (*IntegrationV1, error) {
+				return NewIntegrationAzureOIDC(
+					Metadata{
+						Name: name,
+					},
+					&AzureOIDCIntegrationSpecV1{
+						TenantID: "foo-bar",
+					},
+				)
 			},
+			expectedErrorIs: trace.IsBadParameter,
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {