Make accesslist.GetAncestorsFor() public (#48873)

The Identity Center user & group provisioning system needs to re-provision Access Lists in response to changes in any of their enclosed member lists. This patch makes the existing `GetAncestorsFor()` function public so the IC SCIM provisioning system can walk the list of ancestors in any AccessList change and trigger a re-provision if necessary, without having to re-implement the ancestor search.
gravitational · Nov 14, 2024 · 3cf19a5 · 3cf19a5
1 parent f4bada7
commit 3cf19a5
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/lib/accesslists/hierarchy.go b/lib/accesslists/hierarchy.go
@@ -20,6 +20,7 @@ package accesslists
 
 import (
 	"context"
+	"maps"
 	"slices"
 
 	"github.com/gravitational/trace"
@@ -627,15 +628,14 @@ func UserMeetsRequirements(identity types.User, requires accesslist.Requires) bo
 	return true
 }
 
-func getAncestorsFor(ctx context.Context, accessList *accesslist.AccessList, kind RelationshipKind, g AccessListAndMembersGetter) ([]*accesslist.AccessList, error) {
+// GetAncestorsFor calculates and returns the set of Ancestor ACLs depending on
+// the supplied relationship criteria. Order of the ancestor list is undefined.
+func GetAncestorsFor(ctx context.Context, accessList *accesslist.AccessList, kind RelationshipKind, g AccessListAndMembersGetter) ([]*accesslist.AccessList, error) {
 	ancestorsMap := make(map[string]*accesslist.AccessList)
 	if err := collectAncestors(ctx, accessList, kind, g, make(map[string]struct{}), ancestorsMap); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	ancestors := make([]*accesslist.AccessList, 0, len(ancestorsMap))
-	for _, al := range ancestorsMap {
-		ancestors = append(ancestors, al)
-	}
+	ancestors := slices.Collect(maps.Values(ancestorsMap))
 	return ancestors, nil
 }
 
@@ -712,7 +712,7 @@ func GetInheritedGrants(ctx context.Context, accessList *accesslist.AccessList,
 	}
 
 	// Get ancestors via member relationship
-	ancestorLists, err := getAncestorsFor(ctx, accessList, RelationshipKindMember, g)
+	ancestorLists, err := GetAncestorsFor(ctx, accessList, RelationshipKindMember, g)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -722,7 +722,7 @@ func GetInheritedGrants(ctx context.Context, accessList *accesslist.AccessList,
 	}
 
 	// Get ancestors via owner relationship
-	ancestorOwnerLists, err := getAncestorsFor(ctx, accessList, RelationshipKindOwner, g)
+	ancestorOwnerLists, err := GetAncestorsFor(ctx, accessList, RelationshipKindOwner, g)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}