From 8fd5d6d792c9747b604d6bc96585a3e598c023fe Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Thu, 7 Nov 2024 09:41:58 +0000 Subject: [PATCH] [entraid] add manual flag to disable automatic entraID aplication setup This PR adds a flag that disables Entra ID application setup. This aims customers that prefer to manually configure the applications and permissions instead of relying on `tctl` to automatically perform that. Signed-off-by: Tiago Silva --- tool/tctl/common/plugin/entraid.go | 41 +++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/tool/tctl/common/plugin/entraid.go b/tool/tctl/common/plugin/entraid.go index 6b264cf790672..70cbe93734055 100644 --- a/tool/tctl/common/plugin/entraid.go +++ b/tool/tctl/common/plugin/entraid.go @@ -70,6 +70,17 @@ To rerun the script, type 'exit' to close and then restart the process. ` + bold("Step 2: Input Tenant ID and Client ID") + ` With the output of Step 1, please copy and paste the following information: +` + + manualConfigurationTemplate = ` + +` + bold("Step 1: Input Tenant ID and Client ID") + ` + +To finish the Entra ID integration, manually configure the Application in Azure Entra ID. + +Follow the instructions provided in the Teleport documentation: [https://goteleport.com/docs/admin-guides/teleport-policy/integrations/entra-id/]. + +After completing the Entra ID setup, copy and paste the following information: ` ) @@ -80,6 +91,7 @@ type entraArgs struct { useSystemCredentials bool accessGraph bool force bool + manualEntraIDSetup bool } func (p *PluginsCommand) initInstallEntra(parent *kingpin.CmdClause) { @@ -113,6 +125,12 @@ func (p *PluginsCommand) initInstallEntra(parent *kingpin.CmdClause) { Short('f'). Default("false"). BoolVar(&p.install.entraID.force) + + cmd. + Flag("manual-setup", "Manually set up the EntraID integration."). + Short('m'). + Default("false"). + BoolVar(&p.install.entraID.manualEntraIDSetup) } type entraSettings struct { @@ -123,7 +141,13 @@ type entraSettings struct { var errCancel = trace.BadParameter("operation canceled") -func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, error) { +func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string, manualEntraIDSetup bool) (entraSettings, error) { + if manualEntraIDSetup { + fmt.Fprint(os.Stdout, manualConfigurationTemplate) + settings, err := readAzureInputs(p.install.entraID.accessGraph) + return settings, trace.Wrap(err) + } + pwd, err := os.Getwd() if err != nil { return entraSettings{}, trace.Wrap(err, "failed to get working dir") @@ -163,14 +187,19 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, return entraSettings{}, errCancel } + fmt.Fprint(os.Stdout, step2Template) + + settings, err := readAzureInputs(p.install.entraID.accessGraph) + return settings, trace.Wrap(err) +} + +func readAzureInputs(acessGraph bool) (entraSettings, error) { validUUID := func(input string) bool { _, err := uuid.Parse(input) return err == nil } - - fmt.Fprint(os.Stdout, step2Template) - var settings entraSettings + var err error settings.tenantID, err = readData(os.Stdin, os.Stdout, "Enter the Tenant ID", validUUID, "Invalid Tenant ID") if err != nil { return settings, trace.Wrap(err, "failed to read Tenant ID") @@ -181,7 +210,7 @@ func (p *PluginsCommand) entraSetupGuide(proxyPublicAddr string) (entraSettings, return settings, trace.Wrap(err, "failed to read Client ID") } - if p.install.entraID.accessGraph { + if acessGraph { dataValidator := func(input string) bool { settings.accessGraphCache, err = readTAGCache(input) return err == nil @@ -218,7 +247,7 @@ func (p *PluginsCommand) InstallEntra(ctx context.Context, args installPluginArg return trace.Wrap(err) } - settings, err := p.entraSetupGuide(proxyPublicAddr) + settings, err := p.entraSetupGuide(proxyPublicAddr, inputs.entraID.manualEntraIDSetup) if err != nil { if errors.Is(err, errCancel) { return nil