[v17] Adds KindIdentityCenter umbrella resource kind (#48809)

* Adds `KindIdentityCenter` umbrella resource kind The Identity Center integration manages several resource types, and specifying individal condition statements for each kind is both unwieldy and unnecessary - anyone that can manipulate one of these resources should be able to manilpate them all in the same way. In order to simplify things, this patch introduces an umbrella `KindIdentityCenter` that will represent _any_ `KindIdentityCenter*` resource in Role conditions and RBAC checks. * Update constants.go * Update Implicit role to use Umbrella kind Updates the default implicit rules to refrence the new `KindIdentityCenter` resource kind. Also updates comments on the covered `KindIdentityCenter*` kinds with a reminder to user `KindIdentityCenter` in RBAC checks. * Update constants.go
gravitational · Nov 12, 2024 · bcfef29 · bcfef29
1 parent 14ec8e6
commit bcfef29
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 14 deletions.
diff --git a/api/types/constants.go b/api/types/constants.go
@@ -573,6 +573,12 @@ const (
 	// KindStaticHostUser is a host user to be created on matching SSH nodes.
 	KindStaticHostUser = "static_host_user"
 
+	// KindIdentityCenter is an umbrella kind, representing all KindIdentityCenter*
+	// resource kinds in RBAC checks. This is to simplify Role condition statements
+	// so that they don't have to individually specify all of the Identity Center
+	// resource kinds.
+	KindIdentityCenter = "aws_identity_center"
+
 	// KindIdentityCenterAccount describes an Identity-Center managed AWS Account
 	KindIdentityCenterAccount = "aws_ic_account"
 

diff --git a/lib/services/presets.go b/lib/services/presets.go
@@ -182,7 +182,7 @@ func NewPresetEditorRole() types.Role {
 					types.NewRule(types.KindNotification, RW()),
 					types.NewRule(types.KindStaticHostUser, RW()),
 					types.NewRule(types.KindUserTask, RW()),
-					types.NewRule(types.KindIdentityCenterAccount, RW()),
+					types.NewRule(types.KindIdentityCenter, RW()),
 				},
 			},
 		},

diff --git a/lib/services/role.go b/lib/services/role.go
@@ -79,7 +79,7 @@ var DefaultImplicitRules = []types.Rule{
 	types.NewRule(types.KindVnetConfig, RO()),
 	types.NewRule(types.KindSPIFFEFederation, RO()),
 	types.NewRule(types.KindSAMLIdPServiceProvider, RO()),
-	types.NewRule(types.KindIdentityCenterAccount, RO()),
+	types.NewRule(types.KindIdentityCenter, RO()),
 }
 
 // DefaultCertAuthorityRules provides access the minimal set of resources

diff --git a/lib/services/role_test.go b/lib/services/role_test.go
@@ -2505,25 +2505,25 @@ func TestDefaultImplicitRules(t *testing.T) {
 		checks []check
 	}{
 		{
-			name: "KindIdentityCenterAccount with NewPresetAccessRole",
+			name: "KindIdentityCenter with NewPresetAccessRole",
 			role: NewPresetAccessRole(),
 			checks: []check{
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
+				{rule: types.KindIdentityCenter, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
+				{rule: types.KindIdentityCenter, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
+				{rule: types.KindIdentityCenter, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
+				{rule: types.KindIdentityCenter, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
+				{rule: types.KindIdentityCenter, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
 			},
 		},
 		{
-			name: "KindIdentityCenterAccount with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount",
+			name: "KindIdentityCenter with a custom role that does not explicitly target read and list verbs for KindIdentityCenterAccount",
 			role: newRole(func(r *types.RoleV6) {}),
 			checks: []check{
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
-				{rule: types.KindIdentityCenterAccount, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
+				{rule: types.KindIdentityCenter, verb: types.VerbRead, namespace: apidefaults.Namespace, hasAccess: true},
+				{rule: types.KindIdentityCenter, verb: types.VerbList, namespace: apidefaults.Namespace, hasAccess: true},
+				{rule: types.KindIdentityCenter, verb: types.VerbCreate, namespace: apidefaults.Namespace, hasAccess: false},
+				{rule: types.KindIdentityCenter, verb: types.VerbUpdate, namespace: apidefaults.Namespace, hasAccess: false},
+				{rule: types.KindIdentityCenter, verb: types.VerbDelete, namespace: apidefaults.Namespace, hasAccess: false},
 			},
 		},
 		{