gravitational · rosstimothy · May 5, 2025 · May 2, 2025
diff --git a/api/types/integration.go b/api/types/integration.go
@@ -86,6 +86,8 @@ type Integration interface {
 	GetCredentials() PluginCredentials
 	// WithoutCredentials returns a copy without credentials.
 	WithoutCredentials() Integration
+	// Clone returns a copy of the integration.
+	Clone() Integration
 }
 
 var _ ResourceWithLabels = (*IntegrationV1)(nil)
@@ -605,6 +607,11 @@ func (ig *IntegrationV1) GetCredentials() PluginCredentials {
 	return ig.Spec.Credentials
 }
 
+// Clone returns a copy of the integration.
+func (ig *IntegrationV1) Clone() Integration {
+	return utils.CloneProtoMsg(ig)
+}
+
 // WithoutCredentials returns a copy without credentials.
 func (ig *IntegrationV1) WithoutCredentials() Integration {
 	if ig == nil || ig.GetCredentials() == nil {

diff --git a/api/types/plugin_static_credentials.go b/api/types/plugin_static_credentials.go
@@ -16,7 +16,11 @@ limitations under the License.
 
 package types
 
-import "github.com/gravitational/trace"
+import (
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/utils"
+)
 
 // PluginStaticCredentials are static credentials for plugins.
 type PluginStaticCredentials interface {
@@ -40,6 +44,8 @@ type PluginStaticCredentials interface {
 
 	// GetSSHCertAuthorities will return the attached SSH CA keys.
 	GetSSHCertAuthorities() []*SSHKeyPair
+	// Clone returns a copy of the credentials.
+	Clone() PluginStaticCredentials
 }
 
 // NewPluginStaticCredentials creates a new PluginStaticCredentialsV1 resource.
@@ -58,6 +64,11 @@ func NewPluginStaticCredentials(metadata Metadata, spec PluginStaticCredentialsS
 	return p, nil
 }
 
+// Clone returns a copy of the credentials.
+func (p *PluginStaticCredentialsV1) Clone() PluginStaticCredentials {
+	return utils.CloneProtoMsg(p)
+}
+
 // CheckAndSetDefaults checks validity of all parameters and sets defaults.
 func (p *PluginStaticCredentialsV1) CheckAndSetDefaults() error {
 	p.setStaticFields()

diff --git a/lib/cache/access_monitoring_rule.go b/lib/cache/access_monitoring_rule.go
@@ -0,0 +1,132 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package cache
+
+import (
+	"context"
+
+	"github.com/gravitational/trace"
+
+	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils"
+	"github.com/gravitational/teleport/lib/services"
+)
+
+type accessMonitoringRuleIndex string
+
+const accessMonitoringRuleNameIndex accessMonitoringRuleIndex = "name"
+
+func newAccessMonitoringRuleCollection(upstream services.AccessMonitoringRules, w types.WatchKind) (*collection[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex], error) {
+	if upstream == nil {
+		return nil, trace.BadParameter("missing parameter Integrations")
+	}
+
+	return &collection[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex]{
+		store: newStore(map[accessMonitoringRuleIndex]func(*accessmonitoringrulesv1.AccessMonitoringRule) string{
+			accessMonitoringRuleNameIndex: func(r *accessmonitoringrulesv1.AccessMonitoringRule) string {
+				return r.GetMetadata().Name
+			},
+		}),
+		fetcher: func(ctx context.Context, loadSecrets bool) ([]*accessmonitoringrulesv1.AccessMonitoringRule, error) {
+			var resources []*accessmonitoringrulesv1.AccessMonitoringRule
+			var nextToken string
+			for {
+				var page []*accessmonitoringrulesv1.AccessMonitoringRule
+				var err error
+				page, nextToken, err = upstream.ListAccessMonitoringRules(ctx, 0 /* page size */, nextToken)
+				if err != nil {
+					return nil, trace.Wrap(err)
+				}
+				resources = append(resources, page...)
+
+				if nextToken == "" {
+					break
+				}
+			}
+			return resources, nil
+		},
+		headerTransform: func(hdr *types.ResourceHeader) *accessmonitoringrulesv1.AccessMonitoringRule {
+			return &accessmonitoringrulesv1.AccessMonitoringRule{
+				Kind:    hdr.Kind,
+				Version: hdr.Version,
+				Metadata: &headerv1.Metadata{
+					Name: hdr.Metadata.Name,
+				},
+			}
+		},
+		watch: w,
+	}, nil
+}
+
+// ListAccessMonitoringRules returns a paginated list of access monitoring rules.
+func (c *Cache) ListAccessMonitoringRules(ctx context.Context, pageSize int, pageToken string) ([]*accessmonitoringrulesv1.AccessMonitoringRule, string, error) {
+	ctx, span := c.Tracer.Start(ctx, "cache/ListAccessMonitoringRules")
+	defer span.End()
+
+	lister := genericLister[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex]{
+		cache:        c,
+		collection:   c.collections.accessMonitoringRules,
+		index:        accessMonitoringRuleNameIndex,
+		upstreamList: c.Config.AccessMonitoringRules.ListAccessMonitoringRules,
+		nextToken: func(t *accessmonitoringrulesv1.AccessMonitoringRule) string {
+			return t.GetMetadata().Name
+		},
+		clone: utils.CloneProtoMsg[*accessmonitoringrulesv1.AccessMonitoringRule],
+	}
+	out, next, err := lister.list(ctx, pageSize, pageToken)
+	return out, next, trace.Wrap(err)
+}
+
+// ListAccessMonitoringRulesWithFilter returns a paginated list of access monitoring rules.
+func (c *Cache) ListAccessMonitoringRulesWithFilter(ctx context.Context, req *accessmonitoringrulesv1.ListAccessMonitoringRulesWithFilterRequest) ([]*accessmonitoringrulesv1.AccessMonitoringRule, string, error) {
+	ctx, span := c.Tracer.Start(ctx, "cache/ListAccessMonitoringRules")
+	defer span.End()
+
+	lister := genericLister[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex]{
+		cache:        c,
+		collection:   c.collections.accessMonitoringRules,
+		index:        accessMonitoringRuleNameIndex,
+		upstreamList: c.Config.AccessMonitoringRules.ListAccessMonitoringRules,
+		nextToken: func(t *accessmonitoringrulesv1.AccessMonitoringRule) string {
+			return t.GetMetadata().Name
+		},
+		clone: utils.CloneProtoMsg[*accessmonitoringrulesv1.AccessMonitoringRule],
+		filter: func(rule *accessmonitoringrulesv1.AccessMonitoringRule) bool {
+			return services.MatchAccessMonitoringRule(rule, req.GetSubjects(), req.GetNotificationName(), req.GetAutomaticReviewName())
+		},
+	}
+	out, next, err := lister.list(ctx, int(req.GetPageSize()), req.GetPageToken())
+	return out, next, trace.Wrap(err)
+}
+
+// GetAccessMonitoringRule returns the specified AccessMonitoringRule resources.
+func (c *Cache) GetAccessMonitoringRule(ctx context.Context, name string) (*accessmonitoringrulesv1.AccessMonitoringRule, error) {
+	ctx, span := c.Tracer.Start(ctx, "cache/GetAccessMonitoringRule")
+	defer span.End()
+
+	getter := genericGetter[*accessmonitoringrulesv1.AccessMonitoringRule, accessMonitoringRuleIndex]{
+		cache:       c,
+		collection:  c.collections.accessMonitoringRules,
+		index:       accessMonitoringRuleNameIndex,
+		upstreamGet: c.Config.AccessMonitoringRules.GetAccessMonitoringRule,
+		clone:       utils.CloneProtoMsg[*accessmonitoringrulesv1.AccessMonitoringRule],
+	}
+	out, err := getter.get(ctx, name)
+	return out, trace.Wrap(err)
+}