Merge branch 'branch/v17' into strideynet/v17/backport-49426
strideynet authored Jan 13, 2025
2 parents b6faadf + b570e4e commit ab62f70
Showing 38 changed files with 2,309 additions and 467 deletions.
490 changes: 396 additions & 94 deletions api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go

38 changes: 36 additions & 2 deletions api/proto/teleport/workloadidentity/v1/resource.proto
Expand Up @@ -38,12 +38,46 @@ message WorkloadIdentity {
WorkloadIdentitySpec spec = 5;
}

// The attribute casted to a string must be equal to the value.
message WorkloadIdentityConditionEq {
// The value to compare the attribute against.
string value = 1;
}

// The attribute casted to a string must not be equal to the value.
message WorkloadIdentityConditionNotEq {
// The value to compare the attribute against.
string value = 1;
}

// The attribute casted to a string must be in the list of values.
message WorkloadIdentityConditionIn {
// The list of values to compare the attribute against.
repeated string values = 1;
}

// The attribute casted to a string must not be in the list of values.
message WorkloadIdentityConditionNotIn {
// The list of values to compare the attribute against.
repeated string values = 1;
}

// The individual conditions that make up a rule.
message WorkloadIdentityCondition {
reserved 2;
reserved "equals";
// The name of the attribute to evaluate the condition against.
string attribute = 1;
// An exact string that the attribute must match.
string equals = 2;
oneof operator {
// The attribute casted to a string must be equal to the value.
WorkloadIdentityConditionEq eq = 3;
// The attribute casted to a string must not be equal to the value.
WorkloadIdentityConditionNotEq not_eq = 4;
// The attribute casted to a string must be in the list of values.
WorkloadIdentityConditionIn in = 5;
// The attribute casted to a string must not be in the list of values.
WorkloadIdentityConditionNotIn not_in = 6;
}
}

// An individual rule that is evaluated during the issuance of a WorkloadIdentity.
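Review bot: The new `oneof operator` on `WorkloadIdentityCondition` leaves two cases the comments do not pin down: a condition with no operator set, and an attribute that is absent on the workload. If an absent attribute is cast to the empty string, a `not_eq` or `not_in` condition would be satisfied by a missing attribute, which for an issuance rule is the fail-open direction; the evaluation code is outside this diff, so that is an inference to confirm. I would state the contract on the message, `// Exactly one operator must be set; a condition with no operator is rejected at validation.`, and say on the `not_eq`/`not_in` messages how an unset attribute is treated. The `reserved 2;` / `reserved "equals";` pair correctly retires the removed field so its number and name cannot be reused.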
39 changes: 39 additions & 0 deletions api/types/resource_153.go
Expand Up @@ -18,6 +18,8 @@ import (
"encoding/json"
"time"

"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/timestamppb"

headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
Expand Down Expand Up @@ -124,6 +126,10 @@ func (r *legacyToResource153Adapter) GetVersion() string {
// [Resource] type. Implements [ResourceWithLabels] and CloneResource (where the)
// wrapped resource supports cloning).
//
// Resources153 implemented by proto-generated structs should use ProtoResource153ToLegacy
// instead as it will ensure the protobuf message is properly marshaled to JSON
// with protojson.
//
// Note that CheckAndSetDefaults is a noop for the returned resource and
// SetSubKind is not implemented and panics on use.
func Resource153ToLegacy(r Resource153) Resource {
Expand Down Expand Up @@ -348,3 +354,36 @@ func (r *resource153ToUnifiedResourceAdapter) CloneResource() ResourceWithLabels
clone := r.inner.(ClonableResource153).CloneResource()
return Resource153ToUnifiedResource(clone)
}

// ProtoResource153 is a Resource153 implemented by a protobuf-generated struct.
type ProtoResource153 interface {
Resource153
proto.Message
}

type protoResource153ToLegacyAdapter struct {
inner ProtoResource153
resource153ToLegacyAdapter
}

// MarshalJSON adds support for marshaling the wrapped resource (instead of
// marshaling the adapter itself).
func (r *protoResource153ToLegacyAdapter) MarshalJSON() ([]byte, error) {
return protojson.MarshalOptions{
UseProtoNames: true,
}.Marshal(r.inner)
}

// ProtoResource153ToLegacy transforms an RFD 153 style resource implemented by
// a proto-generated struct into a legacy [Resource] type. Implements
// [ResourceWithLabels] and CloneResource (where the wrapped resource supports
// cloning).
//
// Note that CheckAndSetDefaults is a noop for the returned resource and
// SetSubKind is not implemented and panics on use.
func ProtoResource153ToLegacy(r ProtoResource153) Resource {
return &protoResource153ToLegacyAdapter{
r,
resource153ToLegacyAdapter{r},
}
}
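Review bot: `protoResource153ToLegacyAdapter` is introduced without a doc comment, and `ProtoResource153ToLegacy` builds it with an unkeyed literal that stores the same value twice, which reads like an accident; keying the outer literal makes it deliberate: `return &protoResource153ToLegacyAdapter{inner: r, resource153ToLegacyAdapter: resource153ToLegacyAdapter{r}}`. A comment such as `// protoResource153ToLegacyAdapter wraps a proto-generated Resource153 so that encoding/json emits the protojson form of the message rather than the adapter.` would state the purpose the MarshalJSON comment only implies. Note also that protojson output is documented as unstable (spacing may vary between runs), so anything that hashes or byte-compares the result of this MarshalJSON should not rely on it being deterministic; whether any caller does is not visible here. Callers that type-assert the returned Resource to `*resource153ToLegacyAdapter` would no longer match a proto-backed resource, which may be worth checking.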
Expand Up @@ -55,7 +55,38 @@ Optional:
Optional:

- `attribute` (String) The name of the attribute to evaluate the condition against.
- `equals` (String) An exact string that the attribute must match.
- `eq` (Attributes) The attribute casted to a string must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
- `in` (Attributes) The attribute casted to a string must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
- `not_eq` (Attributes) The attribute casted to a string must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
- `not_in` (Attributes) The attribute casted to a string must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))

### Nested Schema for `spec.rules.allow.conditions.eq`

Optional:

- `value` (String) The value to compare the attribute against.


### Nested Schema for `spec.rules.allow.conditions.in`

Optional:

- `values` (List of String) The list of values to compare the attribute against.


### Nested Schema for `spec.rules.allow.conditions.not_eq`

Optional:

- `value` (String) The value to compare the attribute against.


### Nested Schema for `spec.rules.allow.conditions.not_in`

Optional:

- `values` (List of String) The list of values to compare the attribute against.




Expand Up @@ -23,7 +23,9 @@ resource "teleport_workload_identity" "example" {
{
conditions = [{
attribute = "user.name"
equals = "noah"
eq = {
value = "my-user"
}
}]
}
]
Expand Down Expand Up @@ -80,7 +82,38 @@ Optional:
Optional:

- `attribute` (String) The name of the attribute to evaluate the condition against.
- `equals` (String) An exact string that the attribute must match.
- `eq` (Attributes) The attribute casted to a string must be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionseq))
- `in` (Attributes) The attribute casted to a string must be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsin))
- `not_eq` (Attributes) The attribute casted to a string must not be equal to the value. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_eq))
- `not_in` (Attributes) The attribute casted to a string must not be in the list of values. (see [below for nested schema](#nested-schema-for-specrulesallowconditionsnot_in))

### Nested Schema for `spec.rules.allow.conditions.eq`

Optional:

- `value` (String) The value to compare the attribute against.


### Nested Schema for `spec.rules.allow.conditions.in`

Optional:

- `values` (List of String) The list of values to compare the attribute against.


### Nested Schema for `spec.rules.allow.conditions.not_eq`

Optional:

- `value` (String) The value to compare the attribute against.


### Nested Schema for `spec.rules.allow.conditions.not_in`

Optional:

- `values` (List of String) The list of values to compare the attribute against.




Expand Up @@ -9,7 +9,9 @@ resource "teleport_workload_identity" "example" {
{
conditions = [{
attribute = "user.name"
equals = "noah"
eq = {
value = "my-user"
}
}]
}
]
Expand Up @@ -9,7 +9,9 @@ resource "teleport_workload_identity" "test" {
{
conditions = [{
attribute = "user.name"
equals = "foo"
eq = {
value = "foo"
}
}]
}
]
Expand Up @@ -9,7 +9,9 @@ resource "teleport_workload_identity" "test" {
{
conditions = [{
attribute = "user.name"
equals = "foo"
eq = {
value = "foo"
}
}]
}
]
12 changes: 8 additions & 4 deletions integrations/terraform/testlib/workload_identity_test.go
Expand Up @@ -55,7 +55,7 @@ func (s *TerraformSuiteOSS) TestWorkloadIdentity() {
resource.TestCheckResourceAttr(name, "kind", "workload_identity"),
resource.TestCheckResourceAttr(name, "spec.spiffe.id", "/test"),
resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.attribute", "user.name"),
resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.equals", "foo"),
resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.eq.value", "foo"),
),
},
{
Expand All @@ -68,7 +68,7 @@ func (s *TerraformSuiteOSS) TestWorkloadIdentity() {
resource.TestCheckResourceAttr(name, "kind", "workload_identity"),
resource.TestCheckResourceAttr(name, "spec.spiffe.id", "/test/updated"),
resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.attribute", "user.name"),
resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.equals", "foo"),
resource.TestCheckResourceAttr(name, "spec.rules.allow.0.conditions.0.eq.value", "foo"),
),
},
{
Expand Down Expand Up @@ -101,7 +101,11 @@ func (s *TerraformSuiteOSS) TestImportWorkloadIdentity() {
Conditions: []*workloadidentityv1pb.WorkloadIdentityCondition{
{
Attribute: "user.name",
Equals: "foo",
Operator: &workloadidentityv1pb.WorkloadIdentityCondition_Eq{
Eq: &workloadidentityv1pb.WorkloadIdentityConditionEq{
Value: "foo",
},
},
},
},
},
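Review bot: The import fixture exercises only the `Eq` arm of the new `Operator` oneof, so the provider's schema mapping for `not_eq`, `in` and `not_in` (the other three cases the proto change introduces) has no coverage in this file; the `eq.value` assertions in the earlier hunks likewise cover just that one arm. A second condition in this slice using the `NotIn` wrapper with a `Values` list, asserted on `spec.rules.allow.0.conditions.1.not_in.values.0`, would catch a wrong list mapping, which is the arm most likely to differ from the scalar one. TestImportWorkloadIdentity begins and ends outside this hunk.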
Expand Down Expand Up @@ -133,7 +137,7 @@ func (s *TerraformSuiteOSS) TestImportWorkloadIdentity() {
require.Equal(t, types.KindWorkloadIdentity, state[0].Attributes["kind"])
require.Equal(t, "/test", state[0].Attributes["spec.spiffe.id"])
require.Equal(t, "user.name", state[0].Attributes["spec.rules.allow.0.conditions.0.attribute"])
require.Equal(t, "foo", state[0].Attributes["spec.rules.allow.0.conditions.0.equals"])
require.Equal(t, "foo", state[0].Attributes["spec.rules.allow.0.conditions.0.eq.value"])

return nil
},

0 comments on commit ab62f70
