check if user is in specified sub-accesslists

gravitational · Apr 4, 2024 · 7e449e3 · 7e449e3
1 parent 2d3156c
commit 7e449e3
Show file tree

Hide file tree

Showing 10 changed files with 660 additions and 193 deletions.
diff --git a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
diff --git a/api/proto/teleport/accesslist/v1/accesslist.proto b/api/proto/teleport/accesslist/v1/accesslist.proto
@@ -72,9 +72,22 @@ message AccessListSpec {
   // owner_grants describes the access granted by owners to this access list.
   AccessListGrants owner_grants = 11;
 
-  // sub_access_lists is a list of access list ids that user
+  // member_access_lists is a list of access lists that user
   // membership should be fetched from
-  repeated string sub_access_lists = 12;
+  repeated ParentAccessList member_access_lists = 12;
+
+  // owner_access_lists is a list of access lists that owner
+  // membership should be fetched from
+  repeated ParentAccessList owner_access_lists = 13;
+}
+
+// ParentAccessList contains information about access lists included
+// as parents in an access list
+message ParentAccessList {
+  // name is the id of the parent access list
+  string name = 1;
+  // title is the title of the parent access list
+  string title = 2;
 }
 
 // AccessListOwner is an owner of an access list.

diff --git a/api/types/accesslist/accesslist.go b/api/types/accesslist/accesslist.go
@@ -155,6 +155,14 @@ type Spec struct {
 
 	// OwnerGrants describes the access granted by ownership of this access list.
 	OwnerGrants Grants `json:"owner_grants" yaml:"owner_grants"`
+
+	// MemberAccessLists is a list of AccessList ids that user membership
+	// should be fetched from
+	MemberAccessLists []ParentAccessList `json:"member_access_lists" yaml:"access_lists"`
+
+	// OwnerAccessLists is a list of AccessLists that owner membership
+	// should be fetched from
+	OwnerAccessLists []ParentAccessList `json:"owner_access_lists" yaml:"access_lists"`
 }
 
 // Owner is an owner of an access list.
@@ -227,6 +235,11 @@ type Status struct {
 	MemberCount *uint32
 }
 
+type ParentAccessList struct {
+	Name  string `json:"name" yaml:"name"`
+	Title string `json:"title" yaml:"title"`
+}
+
 // NewAccessList will create a new access list.
 func NewAccessList(metadata header.Metadata, spec Spec) (*AccessList, error) {
 	accessList := &AccessList{
@@ -309,6 +322,15 @@ func (a *AccessList) CheckAndSetDefaults() error {
 	}
 	a.Spec.Owners = deduplicatedOwners
 
+	for _, memberACL := range append(a.Spec.MemberAccessLists, a.Spec.OwnerAccessLists...) {
+		if memberACL.Name == "" {
+			return trace.BadParameter("member access list name is missing")
+		}
+		if memberACL.Title == "" {
+			return trace.BadParameter("member access list title is missing")
+		}
+	}
+
 	return nil
 }
 

diff --git a/api/types/accesslist/convert/v1/accesslist.go b/api/types/accesslist/convert/v1/accesslist.go
@@ -92,13 +92,28 @@ func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accessl
 	if msg.Spec.Audit.NextAuditDate != nil {
 		nextAuditDate = msg.Spec.Audit.NextAuditDate.AsTime()
 	}
-
 	var memberCount *uint32
 	if msg.Status != nil && msg.Status.MemberCount != nil {
 		memberCount = new(uint32)
 		*memberCount = *msg.Status.MemberCount
 	}
 
+	var parentMemberAccessLists []accesslist.ParentAccessList
+	for _, al := range msg.Spec.MemberAccessLists {
+		parentMemberAccessLists = append(parentMemberAccessLists, accesslist.ParentAccessList{
+			Name:  al.Name,
+			Title: al.Title,
+		})
+	}
+
+	var parentOwnerAccessLists []accesslist.ParentAccessList
+	for _, al := range msg.Spec.OwnerAccessLists {
+		parentOwnerAccessLists = append(parentOwnerAccessLists, accesslist.ParentAccessList{
+			Name:  al.Name,
+			Title: al.Title,
+		})
+	}
+
 	accessList, err := accesslist.NewAccessList(headerv1.FromMetadataProto(msg.Header.Metadata), accesslist.Spec{
 		Title:       msg.Spec.Title,
 		Description: msg.Spec.Description,
@@ -120,7 +135,9 @@ func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accessl
 			Roles:  msg.Spec.Grants.Roles,
 			Traits: traitv1.FromProto(msg.Spec.Grants.Traits),
 		},
-		OwnerGrants: ownerGrants,
+		OwnerGrants:       ownerGrants,
+		OwnerAccessLists:  parentOwnerAccessLists,
+		MemberAccessLists: parentMemberAccessLists,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -177,6 +194,20 @@ func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 		memberCount = new(uint32)
 		*memberCount = *accessList.Status.MemberCount
 	}
+	var parentMemberAccessLists []*accesslistv1.ParentAccessList
+	for _, al := range accessList.Spec.MemberAccessLists {
+		parentMemberAccessLists = append(parentMemberAccessLists, &accesslistv1.ParentAccessList{
+			Name:  al.Name,
+			Title: al.Title,
+		})
+	}
+	var parentOwnerAccessLists []*accesslistv1.ParentAccessList
+	for _, al := range accessList.Spec.OwnerAccessLists {
+		parentOwnerAccessLists = append(parentOwnerAccessLists, &accesslistv1.ParentAccessList{
+			Name:  al.Name,
+			Title: al.Title,
+		})
+	}
 
 	return &accesslistv1.AccessList{
 		Header: headerv1.ToResourceHeaderProto(accessList.ResourceHeader),
@@ -206,7 +237,9 @@ func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 				Roles:  accessList.Spec.Grants.Roles,
 				Traits: traitv1.ToProto(accessList.Spec.Grants.Traits),
 			},
-			OwnerGrants: ownerGrants,
+			OwnerGrants:       ownerGrants,
+			MemberAccessLists: parentMemberAccessLists,
+			OwnerAccessLists:  parentOwnerAccessLists,
 		},
 		Status: &accesslistv1.AccessListStatus{
 			MemberCount: memberCount,

diff --git a/gen/proto/ts/teleport/accesslist/v1/accesslist_pb.ts b/gen/proto/ts/teleport/accesslist/v1/accesslist_pb.ts
diff --git a/lib/auth/userloginstate/generator.go b/lib/auth/userloginstate/generator.go
@@ -116,7 +116,7 @@ func NewGenerator(config GeneratorConfig) (*Generator, error) {
 		accessLists:   config.AccessLists,
 		access:        config.Access,
 		usageEvents:   config.UsageEvents,
-		memberChecker: services.NewAccessListMembershipChecker(config.Clock, config.AccessLists, config.Access),
+		memberChecker: services.NewAccessListMembershipChecker(config.Clock, config.AccessLists, config.AccessLists, config.Access),
 		clock:         config.Clock,
 	}, nil
 }

diff --git a/lib/modules/modules.go b/lib/modules/modules.go
@@ -253,6 +253,7 @@ func (f Features) IsTeam() bool {
 type AccessResourcesGetter interface {
 	ListAccessLists(context.Context, int, string) ([]*accesslist.AccessList, string, error)
 	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
+	GetAccessList(context.Context, string) (*accesslist.AccessList, error)
 
 	ListAccessListMembers(ctx context.Context, accessList string, pageSize int, pageToken string) (members []*accesslist.AccessListMember, nextToken string, err error)
 	GetAccessListMember(ctx context.Context, accessList string, memberName string) (*accesslist.AccessListMember, error)