feat: Update AccessList Proto with new fields, add utils

- Add Hierarchy utils for nested AccessList validation and handling
- Update AccessList Protos with new fields
- Update AccessList and AccessListMember types and converters with new
  fields

api/proto/teleport/accesslist/v1/accesslist.proto

@@ -71,6 +71,12 @@ message AccessListSpec {
 
   // owner_grants describes the access granted by owners to this Access List.
   AccessListGrants owner_grants = 11;
+
+  // owner_of describes Access Lists that this Access List is an explicit owner of.
+  repeated string owner_of = 12;
+
+  // member_of describes Access Lists that this Access List is an explicit member of.
+  repeated string member_of = 13;
 }
 
 // AccessListOwner is an owner of an Access List.
@@ -85,6 +91,10 @@ message AccessListOwner {
   // ineligible_status describes if this owner is eligible or not
   // and if not, describes how they're lacking eligibility.
   IneligibleStatus ineligible_status = 3;
+
+  // membership_kind describes the type of membership, either
+  // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
+  MembershipKind membership_kind = 4;
 }
 
 // AccessListAudit describes the audit configuration for an Access List.
@@ -197,6 +207,21 @@ message MemberSpec {
   // ineligible_status describes if this member is eligible or not
   // and if not, describes how they're lacking eligibility.
   IneligibleStatus ineligible_status = 7;
+
+  // membership_kind describes the type of membership, either
+  // `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
+  MembershipKind membership_kind = 9;
+}
+
+// MembershipKind represents the different kinds of list membership
+enum MembershipKind {
+  // MEMBERSHIP_KIND_UNSPECIFIED represents list members that are of
+  // unknown membership kind, defaulting to being treated as type USER
+  MEMBERSHIP_KIND_UNSPECIFIED = 0;
+  // MEMBERSHIP_KIND_USER represents list members that are normal users
+  MEMBERSHIP_KIND_USER = 1;
+  // MEMBERSHIP_KIND_LIST represents list members that are nested Access Lists
+  MEMBERSHIP_KIND_LIST = 2;
 }
 
 // IneligibleStatus describes how the user is ineligible.
@@ -268,6 +293,8 @@ message ReviewChanges {
 
 // AccessListStatus contains dynamic fields calculated during retrieval.
 message AccessListStatus {
-  // member_count is the number of members in the in the Access List.
+  // member_count is the number of members in the Access List.
   optional uint32 member_count = 1;
+  // member_list_count is the number of nested list members in the Access List.
+  optional uint32 member_list_count = 2;
 }

api/types/accesslist/accesslist.go

@@ -24,6 +24,7 @@ import (
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
 
+	accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/header"
 	"github.com/gravitational/teleport/api/types/header/convert/legacy"
@@ -75,6 +76,20 @@ func parseReviewFrequency(input string) ReviewFrequency {
 	return 0
 }
 
+// MaxAllowedDepth is the maximum allowed depth for nested access lists.
+const MaxAllowedDepth = 10
+
+var (
+	// MembershipKindUnspecified is the default membership kind (treated as 'user').
+	MembershipKindUnspecified = accesslistv1.MembershipKind_MEMBERSHIP_KIND_UNSPECIFIED.String()
+
+	// MembershipKindUser is the user membership kind.
+	MembershipKindUser = accesslistv1.MembershipKind_MEMBERSHIP_KIND_USER.String()
+
+	// MembershipKindList is the list membership kind.
+	MembershipKindList = accesslistv1.MembershipKind_MEMBERSHIP_KIND_LIST.String()
+)
+
 // ReviewDayOfMonth is the day of month the review should be repeated on.
 type ReviewDayOfMonth int
 
@@ -137,6 +152,12 @@ type Spec struct {
 	// Owners is a list of owners of the access list.
 	Owners []Owner `json:"owners" yaml:"owners"`
 
+	// OwnerOf is a list of Access List UUIDs where this access list is an explicit owner.
+	OwnerOf []string `json:"owner_of" yaml:"owner_of"`
+
+	// MemberOf is a list of Access List UUIDs where this access list is an explicit member.
+	MemberOf []string `json:"member_of" yaml:"member_of"`
+
 	// Audit describes the frequency that this access list must be audited.
 	Audit Audit `json:"audit" yaml:"audit"`
 
@@ -167,6 +188,10 @@ type Owner struct {
 
 	// IneligibleStatus describes the reason why this owner is not eligible.
 	IneligibleStatus string `json:"ineligible_status" yaml:"ineligible_status"`
+
+	// MembershipKind describes the kind of ownership,
+	// either "MEMBERSHIP_KIND_USER" or "MEMBERSHIP_KIND_LIST".
+	MembershipKind string `json:"membership_kind" yaml:"membership_kind"`
 }
 
 // Audit describes the audit configuration for an access list.
@@ -225,6 +250,8 @@ type Grants struct {
 type Status struct {
 	// MemberCount is the number of members in the access list.
 	MemberCount *uint32
+	// MemberListCount is the number of members in the access list that are lists themselves.
+	MemberListCount *uint32
 }
 
 // NewAccessList will create a new access list.
@@ -258,6 +285,14 @@ func (a *AccessList) CheckAndSetDefaults() error {
 		return trace.BadParameter("owners are missing")
 	}
 
+	if a.Spec.OwnerOf == nil {
+		a.Spec.OwnerOf = []string{}
+	}
+
+	if a.Spec.MemberOf == nil {
+		a.Spec.MemberOf = []string{}
+	}
+
 	if a.Spec.Audit.Recurrence.Frequency == 0 {
 		a.Spec.Audit.Recurrence.Frequency = SixMonths
 	}
@@ -286,10 +321,6 @@ func (a *AccessList) CheckAndSetDefaults() error {
 		a.Spec.Audit.Notifications.Start = twoWeeks
 	}
 
-	if len(a.Spec.Grants.Roles) == 0 && len(a.Spec.Grants.Traits) == 0 {
-		return trace.BadParameter("grants must specify at least one role or trait")
-	}
-
 	// Deduplicate owners. The backend will currently prevent this, but it's possible that access lists
 	// were created with duplicated owners before the backend checked for duplicate owners. In order to
 	// ensure that these access lists are backwards compatible, we'll deduplicate them here.
@@ -299,6 +330,9 @@ func (a *AccessList) CheckAndSetDefaults() error {
 		if owner.Name == "" {
 			return trace.BadParameter("owner name is missing")
 		}
+		if owner.MembershipKind == "" {
+			owner.MembershipKind = MembershipKindUser
+		}
 
 		if _, ok := ownerMap[owner.Name]; ok {
 			continue
@@ -317,7 +351,7 @@ func (a *AccessList) GetOwners() []Owner {
 	return a.Spec.Owners
 }
 
-// GetOwners returns the list of owners from the access list.
+// SetOwners sets the owners of the access list.
 func (a *AccessList) SetOwners(owners []Owner) {
 	a.Spec.Owners = owners
 }
@@ -337,6 +371,11 @@ func (a *AccessList) GetGrants() Grants {
 	return a.Spec.Grants
 }
 
+// GetOwnerGrants returns the owner grants from the access list.
+func (a *AccessList) GetOwnerGrants() Grants {
+	return a.Spec.OwnerGrants
+}
+
 // GetMetadata returns metadata. This is specifically for conforming to the Resource interface,
 // and should be removed when possible.
 func (a *AccessList) GetMetadata() types.Metadata {

api/types/accesslist/convert/v1/accesslist.go

@@ -68,13 +68,10 @@ func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accessl
 
 	owners := make([]accesslist.Owner, len(msg.Spec.Owners))
 	for i, owner := range msg.Spec.Owners {
-		owners[i] = accesslist.Owner{
-			Name:        owner.Name,
-			Description: owner.Description,
-			// Set it to empty as default.
-			// Must provide as options to set it with the provided value.
-			IneligibleStatus: "",
-		}
+		owners[i] = FromOwnerProto(owner)
+		// Set IneligibleStatus to empty as default.
+		// Must provide as options to set it with the provided value.
+		owners[i].IneligibleStatus = ""
 	}
 
 	var ownerGrants accesslist.Grants
@@ -94,15 +91,22 @@ func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accessl
 	}
 
 	var memberCount *uint32
+	var memberListCount *uint32
 	if msg.Status != nil && msg.Status.MemberCount != nil {
 		memberCount = new(uint32)
 		*memberCount = *msg.Status.MemberCount
 	}
+	if msg.Status != nil && msg.Status.MemberListCount != nil {
+		memberListCount = new(uint32)
+		*memberListCount = *msg.Status.MemberListCount
+	}
 
 	accessList, err := accesslist.NewAccessList(headerv1.FromMetadataProto(msg.Header.Metadata), accesslist.Spec{
 		Title:       msg.Spec.Title,
 		Description: msg.Spec.Description,
 		Owners:      owners,
+		OwnerOf:     msg.Spec.OwnerOf,
+		MemberOf:    msg.Spec.MemberOf,
 		Audit: accesslist.Audit{
 			NextAuditDate: nextAuditDate,
 			Recurrence:    recurrence,
@@ -126,7 +130,8 @@ func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accessl
 		return nil, trace.Wrap(err)
 	}
 	accessList.Status = accesslist.Status{
-		MemberCount: memberCount,
+		MemberCount:     memberCount,
+		MemberListCount: memberListCount,
 	}
 
 	for _, opt := range opts {
@@ -140,15 +145,7 @@ func FromProto(msg *accesslistv1.AccessList, opts ...AccessListOption) (*accessl
 func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 	owners := make([]*accesslistv1.AccessListOwner, len(accessList.Spec.Owners))
 	for i, owner := range accessList.Spec.Owners {
-		var ineligibleStatus accesslistv1.IneligibleStatus
-		if enumVal, ok := accesslistv1.IneligibleStatus_value[owner.IneligibleStatus]; ok {
-			ineligibleStatus = accesslistv1.IneligibleStatus(enumVal)
-		}
-		owners[i] = &accesslistv1.AccessListOwner{
-			Name:             owner.Name,
-			Description:      owner.Description,
-			IneligibleStatus: ineligibleStatus,
-		}
+		owners[i] = ToOwnerProto(owner)
 	}
 
 	var ownerGrants *accesslistv1.AccessListGrants
@@ -173,17 +170,24 @@ func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 	}
 
 	var memberCount *uint32
+	var memberListCount *uint32
 	if accessList.Status.MemberCount != nil {
 		memberCount = new(uint32)
 		*memberCount = *accessList.Status.MemberCount
 	}
+	if accessList.Status.MemberListCount != nil {
+		memberListCount = new(uint32)
+		*memberListCount = *accessList.Status.MemberListCount
+	}
 
 	return &accesslistv1.AccessList{
 		Header: headerv1.ToResourceHeaderProto(accessList.ResourceHeader),
 		Spec: &accesslistv1.AccessListSpec{
 			Title:       accessList.Spec.Title,
 			Description: accessList.Spec.Description,
 			Owners:      owners,
+			OwnerOf:     accessList.Spec.OwnerOf,
+			MemberOf:    accessList.Spec.MemberOf,
 			Audit: &accesslistv1.AccessListAudit{
 				NextAuditDate: nextAuditDate,
 				Recurrence: &accesslistv1.Recurrence{
@@ -209,11 +213,51 @@ func ToProto(accessList *accesslist.AccessList) *accesslistv1.AccessList {
 			OwnerGrants: ownerGrants,
 		},
 		Status: &accesslistv1.AccessListStatus{
-			MemberCount: memberCount,
+			MemberCount:     memberCount,
+			MemberListCount: memberListCount,
 		},
 	}
 }
 
+// ToOwnerProto converts an internal access list owner into a v1 access list owner object.
+func ToOwnerProto(owner accesslist.Owner) *accesslistv1.AccessListOwner {
+	var ineligibleStatus accesslistv1.IneligibleStatus
+	if owner.IneligibleStatus != "" {
+		if enumVal, ok := accesslistv1.IneligibleStatus_value[owner.IneligibleStatus]; ok {
+			ineligibleStatus = accesslistv1.IneligibleStatus(enumVal)
+		}
+	} else {
+		ineligibleStatus = accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED
+	}
+
+	var kind accesslistv1.MembershipKind
+	if enumVal, ok := accesslistv1.MembershipKind_value[owner.MembershipKind]; ok {
+		kind = accesslistv1.MembershipKind(enumVal)
+	}
+
+	return &accesslistv1.AccessListOwner{
+		Name:             owner.Name,
+		Description:      owner.Description,
+		IneligibleStatus: ineligibleStatus,
+		MembershipKind:   kind,
+	}
+}
+
+// FromOwnerProto converts a v1 access list owner into an internal access list owner object.
+func FromOwnerProto(protoOwner *accesslistv1.AccessListOwner) accesslist.Owner {
+	ineligibleStatus := ""
+	if protoOwner.IneligibleStatus != accesslistv1.IneligibleStatus_INELIGIBLE_STATUS_UNSPECIFIED {
+		ineligibleStatus = protoOwner.IneligibleStatus.String()
+	}
+
+	return accesslist.Owner{
+		Name:             protoOwner.Name,
+		Description:      protoOwner.Description,
+		IneligibleStatus: ineligibleStatus,
+		MembershipKind:   protoOwner.MembershipKind.String(),
+	}
+}
+
 // WithOwnersIneligibleStatusField sets the "ineligibleStatus" field to the provided proto value.
 func WithOwnersIneligibleStatusField(protoOwners []*accesslistv1.AccessListOwner) AccessListOption {
 	return func(a *accesslist.AccessList) {

api/types/accesslist/member.go

@@ -61,6 +61,10 @@ type AccessListMemberSpec struct {
 
 	// IneligibleStatus describes the reason why this member is not eligible.
 	IneligibleStatus string `json:"ineligible_status" yaml:"ineligible_status"`
+
+	// MembershipKind describes the kind of membership,
+	// either "MEMBERSHIP_KIND_USER" or "MEMBERSHIP_KIND_LIST".
+	MembershipKind string `json:"membership_kind" yaml:"membership_kind"`
 }
 
 // NewAccessListMember will create a new access listm member.
@@ -86,6 +90,10 @@ func (a *AccessListMember) CheckAndSetDefaults() error {
 		return trace.Wrap(err)
 	}
 
+	if a.Spec.MembershipKind == "" {
+		a.Spec.MembershipKind = MembershipKindUser
+	}
+
 	if a.Spec.AccessList == "" {
 		return trace.BadParameter("access list is missing")
 	}

docs/pages/reference/operator-resources/resources.teleport.dev_accesslists.mdx

@@ -29,8 +29,10 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |audit|[object](#specaudit)|audit describes the frequency that this Access List must be audited.|
 |description|string|description is an optional plaintext description of the Access List.|
 |grants|[object](#specgrants)|grants describes the access granted by membership to this Access List.|
+|member_of|[]string|member_of describes Access Lists that this Access List is an explicit member of.|
 |membership_requires|[object](#specmembership_requires)|membership_requires describes the requirements for a user to be a member of the Access List. For a membership to an Access List to be effective, the user must meet the requirements of Membership_requires and must be in the members list.|
 |owner_grants|[object](#specowner_grants)|owner_grants describes the access granted by owners to this Access List.|
+|owner_of|[]string|owner_of describes Access Lists that this Access List is an explicit owner of.|
 |owners|[][object](#specowners-items)|owners is a list of owners of the Access List.|
 |ownership_requires|[object](#specownership_requires)|ownership_requires describes the requirements for a user to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list.|
 |title|string|title is a plaintext short description of the Access List.|
@@ -83,6 +85,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |---|---|---|
 |description|string|description is the plaintext description of the owner and why they are an owner.|
 |ineligible_status|string or integer|ineligible_status describes if this owner is eligible or not and if not, describes how they're lacking eligibility. Can be either the string or the integer representation of each option.|
+|membership_kind|string or integer|membership_kind describes the type of membership, either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`. Can be either the string or the integer representation of each option.|
 |name|string|name is the username of the owner.|
 
 ### spec.ownership_requires

docs/pages/reference/terraform-provider/data-sources/access_list.mdx

@@ -57,8 +57,10 @@ Required:
 Optional:
 
 - `description` (String) description is an optional plaintext description of the Access List.
+- `member_of` (List of String) member_of describes Access Lists that this Access List is an explicit member of.
 - `membership_requires` (Attributes) membership_requires describes the requirements for a user to be a member of the Access List. For a membership to an Access List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. (see [below for nested schema](#nested-schema-for-specmembership_requires))
 - `owner_grants` (Attributes) owner_grants describes the access granted by owners to this Access List. (see [below for nested schema](#nested-schema-for-specowner_grants))
+- `owner_of` (List of String) owner_of describes Access Lists that this Access List is an explicit owner of.
 - `ownership_requires` (Attributes) ownership_requires describes the requirements for a user to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. (see [below for nested schema](#nested-schema-for-specownership_requires))
 - `title` (String) title is a plaintext short description of the Access List.
 
@@ -113,6 +115,7 @@ Optional:
 Optional:
 
 - `description` (String) description is the plaintext description of the owner and why they are an owner.
+- `membership_kind` (Number) membership_kind describes the type of membership, either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
 - `name` (String) name is the username of the owner.
 
 

docs/pages/reference/terraform-provider/resources/access_list.mdx

@@ -99,8 +99,10 @@ Required:
 Optional:
 
 - `description` (String) description is an optional plaintext description of the Access List.
+- `member_of` (List of String) member_of describes Access Lists that this Access List is an explicit member of.
 - `membership_requires` (Attributes) membership_requires describes the requirements for a user to be a member of the Access List. For a membership to an Access List to be effective, the user must meet the requirements of Membership_requires and must be in the members list. (see [below for nested schema](#nested-schema-for-specmembership_requires))
 - `owner_grants` (Attributes) owner_grants describes the access granted by owners to this Access List. (see [below for nested schema](#nested-schema-for-specowner_grants))
+- `owner_of` (List of String) owner_of describes Access Lists that this Access List is an explicit owner of.
 - `ownership_requires` (Attributes) ownership_requires describes the requirements for a user to be an owner of the Access List. For ownership of an Access List to be effective, the user must meet the requirements of ownership_requires and must be in the owners list. (see [below for nested schema](#nested-schema-for-specownership_requires))
 - `title` (String) title is a plaintext short description of the Access List.
 
@@ -155,6 +157,7 @@ Optional:
 Optional:
 
 - `description` (String) description is the plaintext description of the owner and why they are an owner.
+- `membership_kind` (Number) membership_kind describes the type of membership, either `MEMBERSHIP_KIND_USER` or `MEMBERSHIP_KIND_LIST`.
 - `name` (String) name is the username of the owner.