diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go index 3ce5c78a330ec..f18389c44819b 100644 --- a/lib/auth/grpcserver.go +++ b/lib/auth/grpcserver.go @@ -73,6 +73,7 @@ import ( usersv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/users/v1" usertaskv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1" vnetv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" userpreferencesv1pb "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1" "github.com/gravitational/teleport/api/internalutils/stream" "github.com/gravitational/teleport/api/metadata" @@ -93,6 +94,7 @@ import ( "github.com/gravitational/teleport/lib/auth/kubewaitingcontainer/kubewaitingcontainerv1" "github.com/gravitational/teleport/lib/auth/loginrule/loginrulev1" "github.com/gravitational/teleport/lib/auth/machineid/machineidv1" + "github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1" "github.com/gravitational/teleport/lib/auth/notifications/notificationsv1" "github.com/gravitational/teleport/lib/auth/presence/presencev1" "github.com/gravitational/teleport/lib/auth/trust/trustv1" @@ -5093,6 +5095,18 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) { } machineidv1pb.RegisterSPIFFEFederationServiceServer(server, spiffeFederationService) + workloadIdentityResourceService, err := workloadidentityv1.NewResourceService(&workloadidentityv1.ResourceServiceConfig{ + Authorizer: cfg.Authorizer, + Backend: cfg.AuthServer.Services.WorkloadIdentities, + Cache: cfg.AuthServer.Cache, + Emitter: cfg.Emitter, + Clock: cfg.AuthServer.GetClock(), + }) + if err != nil { + return nil, trace.Wrap(err, "creating workload identity resource service") + } + workloadidentityv1pb.RegisterWorkloadIdentityResourceServiceServer(server, workloadIdentityResourceService) + dbObjectImportRuleService, err := dbobjectimportrulev1.NewDatabaseObjectImportRuleService(dbobjectimportrulev1.DatabaseObjectImportRuleServiceConfig{ Authorizer: cfg.Authorizer, Backend: cfg.AuthServer.Services, diff --git a/lib/auth/machineid/workloadidentityv1/resource_service.go b/lib/auth/machineid/workloadidentityv1/resource_service.go new file mode 100644 index 0000000000000..6ca893e1b1fa9 --- /dev/null +++ b/lib/auth/machineid/workloadidentityv1/resource_service.go @@ -0,0 +1,362 @@ +// Teleport +// Copyright (C) 2024 Gravitational, Inc. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package workloadidentityv1 + +import ( + "context" + "log/slog" + + "github.com/gravitational/trace" + "github.com/jonboulle/clockwork" + "google.golang.org/protobuf/encoding/protojson" + "google.golang.org/protobuf/types/known/emptypb" + + "github.com/gravitational/teleport" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" + "github.com/gravitational/teleport/api/types" + apievents "github.com/gravitational/teleport/api/types/events" + "github.com/gravitational/teleport/lib/authz" + "github.com/gravitational/teleport/lib/events" +) + +type workloadIdentityReader interface { + GetWorkloadIdentity(ctx context.Context, name string) (*workloadidentityv1pb.WorkloadIdentity, error) + ListWorkloadIdentities(ctx context.Context, pageSize int, token string) ([]*workloadidentityv1pb.WorkloadIdentity, string, error) +} + +type workloadIdentityReadWriter interface { + workloadIdentityReader + + CreateWorkloadIdentity(ctx context.Context, identity *workloadidentityv1pb.WorkloadIdentity) (*workloadidentityv1pb.WorkloadIdentity, error) + UpdateWorkloadIdentity(ctx context.Context, identity *workloadidentityv1pb.WorkloadIdentity) (*workloadidentityv1pb.WorkloadIdentity, error) + DeleteWorkloadIdentity(ctx context.Context, name string) error + UpsertWorkloadIdentity(ctx context.Context, identity *workloadidentityv1pb.WorkloadIdentity) (*workloadidentityv1pb.WorkloadIdentity, error) +} + +// ResourceServiceConfig holds configuration options for the ResourceService. +type ResourceServiceConfig struct { + Authorizer authz.Authorizer + Backend workloadIdentityReadWriter + Cache workloadIdentityReader + Clock clockwork.Clock + Emitter apievents.Emitter + Logger *slog.Logger +} + +// ResourceService is the gRPC service for managing workload identity resources. +// It implements the workloadidentityv1pb.WorkloadIdentityResourceServiceServer +type ResourceService struct { + workloadidentityv1pb.UnimplementedWorkloadIdentityResourceServiceServer + + authorizer authz.Authorizer + backend workloadIdentityReadWriter + cache workloadIdentityReader + clock clockwork.Clock + emitter apievents.Emitter + logger *slog.Logger +} + +// NewResourceService returns a new instance of the ResourceService. +func NewResourceService(cfg *ResourceServiceConfig) (*ResourceService, error) { + switch { + case cfg.Backend == nil: + return nil, trace.BadParameter("backend service is required") + case cfg.Cache == nil: + return nil, trace.BadParameter("cache service is required") + case cfg.Authorizer == nil: + return nil, trace.BadParameter("authorizer is required") + case cfg.Emitter == nil: + return nil, trace.BadParameter("emitter is required") + } + + if cfg.Logger == nil { + cfg.Logger = slog.With(teleport.ComponentKey, "workload_identity_resource.service") + } + if cfg.Clock == nil { + cfg.Clock = clockwork.NewRealClock() + } + return &ResourceService{ + authorizer: cfg.Authorizer, + backend: cfg.Backend, + cache: cfg.Cache, + clock: cfg.Clock, + emitter: cfg.Emitter, + logger: cfg.Logger, + }, nil +} + +// GetWorkloadIdentity returns a WorkloadIdentity by name. +// Implements teleport.workloadidentity.v1.ResourceService/GetWorkloadIdentity +func (s *ResourceService) GetWorkloadIdentity( + ctx context.Context, req *workloadidentityv1pb.GetWorkloadIdentityRequest, +) (*workloadidentityv1pb.WorkloadIdentity, error) { + authCtx, err := s.authorizer.Authorize(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.CheckAccessToKind(types.KindWorkloadIdentity, types.VerbRead); err != nil { + return nil, trace.Wrap(err) + } + + if req.Name == "" { + return nil, trace.BadParameter("name: must be non-empty") + } + + resource, err := s.cache.GetWorkloadIdentity(ctx, req.Name) + if err != nil { + return nil, trace.Wrap(err) + } + + return resource, nil +} + +// ListWorkloadIdentities returns a list of WorkloadIdentity resources. It +// follows the Google API design guidelines for list pagination. +// Implements teleport.workloadidentity.v1.ResourceService/ListWorkloadIdentities +func (s *ResourceService) ListWorkloadIdentities( + ctx context.Context, req *workloadidentityv1pb.ListWorkloadIdentitiesRequest, +) (*workloadidentityv1pb.ListWorkloadIdentitiesResponse, error) { + authCtx, err := s.authorizer.Authorize(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.CheckAccessToKind(types.KindWorkloadIdentity, types.VerbRead, types.VerbList); err != nil { + return nil, trace.Wrap(err) + } + + resources, nextToken, err := s.cache.ListWorkloadIdentities( + ctx, + int(req.PageSize), + req.PageToken, + ) + if err != nil { + return nil, trace.Wrap(err) + } + + return &workloadidentityv1pb.ListWorkloadIdentitiesResponse{ + WorkloadIdentities: resources, + NextPageToken: nextToken, + }, nil +} + +// DeleteWorkloadIdentity deletes a WorkloadIdentity by name. +// Implements teleport.workloadidentity.v1.ResourceService/DeleteWorkloadIdentity +func (s *ResourceService) DeleteWorkloadIdentity( + ctx context.Context, req *workloadidentityv1pb.DeleteWorkloadIdentityRequest, +) (*emptypb.Empty, error) { + authCtx, err := s.authorizer.Authorize(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.CheckAccessToKind(types.KindWorkloadIdentity, types.VerbDelete); err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.AuthorizeAdminAction(); err != nil { + return nil, trace.Wrap(err) + } + + if req.Name == "" { + return nil, trace.BadParameter("name: must be non-empty") + } + + if err := s.backend.DeleteWorkloadIdentity(ctx, req.Name); err != nil { + return nil, trace.Wrap(err) + } + + if err := s.emitter.EmitAuditEvent(ctx, &apievents.WorkloadIdentityDelete{ + Metadata: apievents.Metadata{ + Code: events.WorkloadIdentityDeleteCode, + Type: events.WorkloadIdentityDeleteEvent, + }, + UserMetadata: authz.ClientUserMetadata(ctx), + ConnectionMetadata: authz.ConnectionMetadata(ctx), + ResourceMetadata: apievents.ResourceMetadata{ + Name: req.Name, + }, + }); err != nil { + s.logger.ErrorContext( + ctx, "Failed to emit audit event for deletion of WorkloadIdentity", + "error", err, + ) + } + + return &emptypb.Empty{}, nil +} + +// CreateWorkloadIdentity creates a new WorkloadIdentity. +// Implements teleport.workloadidentity.v1.ResourceService/CreateWorkloadIdentity +func (s *ResourceService) CreateWorkloadIdentity( + ctx context.Context, req *workloadidentityv1pb.CreateWorkloadIdentityRequest, +) (*workloadidentityv1pb.WorkloadIdentity, error) { + authCtx, err := s.authorizer.Authorize(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.CheckAccessToKind(types.KindWorkloadIdentity, types.VerbCreate); err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.AuthorizeAdminAction(); err != nil { + return nil, trace.Wrap(err) + } + + created, err := s.backend.CreateWorkloadIdentity(ctx, req.WorkloadIdentity) + if err != nil { + return nil, trace.Wrap(err) + } + + evt := &apievents.WorkloadIdentityCreate{ + Metadata: apievents.Metadata{ + Code: events.WorkloadIdentityCreateCode, + Type: events.WorkloadIdentityCreateEvent, + }, + UserMetadata: authz.ClientUserMetadata(ctx), + ConnectionMetadata: authz.ConnectionMetadata(ctx), + ResourceMetadata: apievents.ResourceMetadata{ + Name: req.WorkloadIdentity.Metadata.Name, + }, + } + evt.WorkloadIdentityData, err = resourceToStruct(created) + if err != nil { + s.logger.ErrorContext( + ctx, + "Failed to convert WorkloadIdentity to struct for audit log", + "error", err, + ) + } + if err := s.emitter.EmitAuditEvent(ctx, evt); err != nil { + s.logger.ErrorContext( + ctx, "Failed to emit audit event for creation of WorkloadIdentity", + "error", err, + ) + } + + return created, nil +} + +// UpdateWorkloadIdentity updates an existing WorkloadIdentity. +// Implements teleport.workloadidentity.v1.ResourceService/UpdateWorkloadIdentity +func (s *ResourceService) UpdateWorkloadIdentity( + ctx context.Context, req *workloadidentityv1pb.UpdateWorkloadIdentityRequest, +) (*workloadidentityv1pb.WorkloadIdentity, error) { + authCtx, err := s.authorizer.Authorize(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.CheckAccessToKind(types.KindWorkloadIdentity, types.VerbUpdate); err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.AuthorizeAdminAction(); err != nil { + return nil, trace.Wrap(err) + } + + created, err := s.backend.UpdateWorkloadIdentity(ctx, req.WorkloadIdentity) + if err != nil { + return nil, trace.Wrap(err) + } + + evt := &apievents.WorkloadIdentityUpdate{ + Metadata: apievents.Metadata{ + Code: events.WorkloadIdentityUpdateCode, + Type: events.WorkloadIdentityUpdateEvent, + }, + UserMetadata: authz.ClientUserMetadata(ctx), + ConnectionMetadata: authz.ConnectionMetadata(ctx), + ResourceMetadata: apievents.ResourceMetadata{ + Name: req.WorkloadIdentity.Metadata.Name, + }, + } + evt.WorkloadIdentityData, err = resourceToStruct(created) + if err != nil { + s.logger.ErrorContext( + ctx, + "Failed to convert WorkloadIdentity to struct for audit log", + "error", err, + ) + } + if err := s.emitter.EmitAuditEvent(ctx, evt); err != nil { + s.logger.ErrorContext( + ctx, "Failed to emit audit event for updating of WorkloadIdentity", + "error", err, + ) + } + + return created, nil +} + +// UpsertWorkloadIdentity updates or creates an existing WorkloadIdentity. +// Implements teleport.workloadidentity.v1.ResourceService/UpsertWorkloadIdentity +func (s *ResourceService) UpsertWorkloadIdentity( + ctx context.Context, req *workloadidentityv1pb.UpsertWorkloadIdentityRequest, +) (*workloadidentityv1pb.WorkloadIdentity, error) { + authCtx, err := s.authorizer.Authorize(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.CheckAccessToKind( + types.KindWorkloadIdentity, types.VerbCreate, types.VerbUpdate, + ); err != nil { + return nil, trace.Wrap(err) + } + if err := authCtx.AuthorizeAdminAction(); err != nil { + return nil, trace.Wrap(err) + } + + created, err := s.backend.UpsertWorkloadIdentity(ctx, req.WorkloadIdentity) + if err != nil { + return nil, trace.Wrap(err) + } + + evt := &apievents.WorkloadIdentityCreate{ + Metadata: apievents.Metadata{ + Code: events.WorkloadIdentityCreateCode, + Type: events.WorkloadIdentityCreateEvent, + }, + UserMetadata: authz.ClientUserMetadata(ctx), + ConnectionMetadata: authz.ConnectionMetadata(ctx), + ResourceMetadata: apievents.ResourceMetadata{ + Name: req.WorkloadIdentity.Metadata.Name, + }, + } + evt.WorkloadIdentityData, err = resourceToStruct(created) + if err != nil { + s.logger.ErrorContext( + ctx, + "Failed to convert WorkloadIdentity to struct for audit log", + "error", err, + ) + } + if err := s.emitter.EmitAuditEvent(ctx, evt); err != nil { + s.logger.ErrorContext( + ctx, "Failed to emit audit event for upsertion of WorkloadIdentity", + "error", err, + ) + } + + return created, nil +} + +func resourceToStruct(in *workloadidentityv1pb.WorkloadIdentity) (*apievents.Struct, error) { + data, err := protojson.MarshalOptions{UseProtoNames: true}.Marshal(in) + if err != nil { + return nil, trace.Wrap(err, "marshaling resource for audit log") + } + out := &apievents.Struct{} + if err := out.UnmarshalJSON(data); err != nil { + return nil, trace.Wrap(err, "unmarshaling resource for audit log") + } + return out, nil +} diff --git a/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go new file mode 100644 index 0000000000000..1c0601a34dd54 --- /dev/null +++ b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go @@ -0,0 +1,984 @@ +// Teleport +// Copyright (C) 2024 Gravitational, Inc. +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package workloadidentityv1_test + +import ( + "context" + "errors" + "fmt" + "net" + "os" + "slices" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/gravitational/trace" + "github.com/jonboulle/clockwork" + "github.com/stretchr/testify/require" + "google.golang.org/protobuf/proto" + "google.golang.org/protobuf/testing/protocmp" + + headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" + "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/api/types/events" + "github.com/gravitational/teleport/lib/auth" + "github.com/gravitational/teleport/lib/auth/authclient" + libevents "github.com/gravitational/teleport/lib/events" + "github.com/gravitational/teleport/lib/events/eventstest" + "github.com/gravitational/teleport/lib/modules" +) + +func TestMain(m *testing.M) { + modules.SetInsecureTestMode(true) + os.Exit(m.Run()) +} + +func newTestTLSServer(t testing.TB) (*auth.TestTLSServer, *eventstest.MockRecorderEmitter) { + as, err := auth.NewTestAuthServer(auth.TestAuthServerConfig{ + Dir: t.TempDir(), + Clock: clockwork.NewFakeClockAt(time.Now().Round(time.Second).UTC()), + }) + require.NoError(t, err) + + emitter := &eventstest.MockRecorderEmitter{} + srv, err := as.NewTestTLSServer(func(config *auth.TestTLSServerConfig) { + config.APIConfig.Emitter = emitter + }) + require.NoError(t, err) + + t.Cleanup(func() { + err := srv.Close() + if errors.Is(err, net.ErrClosed) { + return + } + require.NoError(t, err) + }) + + return srv, emitter +} + +func TestResourceService_CreateWorkloadIdentity(t *testing.T) { + t.Parallel() + srv, eventRecorder := newTestTLSServer(t) + ctx := context.Background() + + authorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "authorized", + []string{}, + []types.Rule{ + { + Resources: []string{types.KindWorkloadIdentity}, + Verbs: []string{types.VerbCreate}, + }, + }) + require.NoError(t, err) + authorizedClient, err := srv.NewClient(auth.TestUser(authorizedUser.GetName())) + require.NoError(t, err) + unauthorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "unauthorized", + []string{}, + []types.Rule{}, + ) + require.NoError(t, err) + unauthorizedClient, err := srv.NewClient(auth.TestUser(unauthorizedUser.GetName())) + require.NoError(t, err) + + // Create a pre-existing workload identity + preExisting, err := srv.Auth().CreateWorkloadIdentity( + ctx, + &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "preexisting", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }) + require.NoError(t, err) + + tests := []struct { + name string + client *authclient.Client + req *workloadidentityv1pb.CreateWorkloadIdentityRequest + requireError require.ErrorAssertionFunc + checkResultReturned bool + requireEvent *events.WorkloadIdentityCreate + }{ + { + name: "success", + client: authorizedClient, + req: &workloadidentityv1pb.CreateWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "new", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }, + }, + requireError: require.NoError, + checkResultReturned: true, + requireEvent: &events.WorkloadIdentityCreate{ + Metadata: events.Metadata{ + Code: libevents.WorkloadIdentityCreateCode, + Type: libevents.WorkloadIdentityCreateEvent, + }, + ResourceMetadata: events.ResourceMetadata{ + Name: "new", + }, + UserMetadata: events.UserMetadata{ + User: authorizedUser.GetName(), + UserKind: events.UserKind_USER_KIND_HUMAN, + }, + }, + }, + { + name: "pre-existing", + client: authorizedClient, + req: &workloadidentityv1pb.CreateWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: preExisting.GetMetadata().GetName(), + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsAlreadyExists(err)) + }, + }, + { + name: "validation fail", + client: authorizedClient, + req: &workloadidentityv1pb.CreateWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "new", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "", + }, + }, + }, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsBadParameter(err)) + require.ErrorContains(t, err, "spec.spiffe.id: is required") + }, + }, + { + name: "unauthorized", + client: unauthorizedClient, + req: &workloadidentityv1pb.CreateWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "unauthorized", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsAccessDenied(err)) + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + eventRecorder.Reset() + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + tt.client.GetConnection(), + ) + res, err := client.CreateWorkloadIdentity(ctx, tt.req) + tt.requireError(t, err) + + if tt.checkResultReturned { + require.NotEmpty(t, res.Metadata.Revision) + // Expect returned result to match request, but also have a + // revision + require.Empty( + t, + cmp.Diff( + res, + tt.req.WorkloadIdentity, + protocmp.Transform(), + protocmp.IgnoreFields(&headerv1.Metadata{}, "revision"), + ), + ) + // Expect the value fetched from the store to match returned + // item. + fetched, err := srv.Auth().GetWorkloadIdentity(ctx, res.Metadata.Name) + require.NoError(t, err) + require.Empty( + t, + cmp.Diff( + res, + fetched, + protocmp.Transform(), + ), + ) + } + if tt.requireEvent != nil { + evt, ok := eventRecorder.LastEvent().(*events.WorkloadIdentityCreate) + require.True(t, ok) + require.NotEmpty(t, evt.ConnectionMetadata.RemoteAddr) + require.Empty(t, cmp.Diff( + evt, + tt.requireEvent, + cmpopts.IgnoreFields(events.WorkloadIdentityCreate{}, "ConnectionMetadata", "WorkloadIdentityData"), + )) + } + }) + } +} + +func TestResourceService_DeleteWorkloadIdentity(t *testing.T) { + t.Parallel() + srv, eventRecorder := newTestTLSServer(t) + ctx := context.Background() + + authorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "authorized", + []string{}, + []types.Rule{ + { + Resources: []string{types.KindWorkloadIdentity}, + Verbs: []string{types.VerbDelete}, + }, + }) + require.NoError(t, err) + authorizedClient, err := srv.NewClient(auth.TestUser(authorizedUser.GetName())) + require.NoError(t, err) + unauthorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "unauthorized", + []string{}, + []types.Rule{}, + ) + require.NoError(t, err) + unauthorizedClient, err := srv.NewClient(auth.TestUser(unauthorizedUser.GetName())) + require.NoError(t, err) + + // Create a pre-existing workload identity + preExisting, err := srv.Auth().CreateWorkloadIdentity( + ctx, + &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "preexisting", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }) + require.NoError(t, err) + + tests := []struct { + name string + client *authclient.Client + req *workloadidentityv1pb.DeleteWorkloadIdentityRequest + requireError require.ErrorAssertionFunc + checkNonExisting bool + requireEvent *events.WorkloadIdentityDelete + }{ + { + name: "success", + client: authorizedClient, + req: &workloadidentityv1pb.DeleteWorkloadIdentityRequest{ + Name: preExisting.GetMetadata().GetName(), + }, + requireError: require.NoError, + checkNonExisting: true, + requireEvent: &events.WorkloadIdentityDelete{ + Metadata: events.Metadata{ + Code: libevents.WorkloadIdentityDeleteCode, + Type: libevents.WorkloadIdentityDeleteEvent, + }, + ResourceMetadata: events.ResourceMetadata{ + Name: preExisting.GetMetadata().GetName(), + }, + UserMetadata: events.UserMetadata{ + User: authorizedUser.GetName(), + UserKind: events.UserKind_USER_KIND_HUMAN, + }, + }, + }, + { + name: "non-existing", + client: authorizedClient, + req: &workloadidentityv1pb.DeleteWorkloadIdentityRequest{ + Name: "i-do-not-exist", + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsNotFound(err)) + }, + }, + { + name: "validation fail", + client: authorizedClient, + req: &workloadidentityv1pb.DeleteWorkloadIdentityRequest{ + Name: "", + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsBadParameter(err)) + require.ErrorContains(t, err, "name: must be non-empty") + }, + }, + { + name: "unauthorized", + client: unauthorizedClient, + req: &workloadidentityv1pb.DeleteWorkloadIdentityRequest{ + Name: "unauthorized", + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsAccessDenied(err)) + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + eventRecorder.Reset() + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + tt.client.GetConnection(), + ) + _, err := client.DeleteWorkloadIdentity(ctx, tt.req) + tt.requireError(t, err) + + if tt.checkNonExisting { + _, err := srv.Auth().GetWorkloadIdentity(ctx, tt.req.Name) + require.True(t, trace.IsNotFound(err)) + } + if tt.requireEvent != nil { + evt, ok := eventRecorder.LastEvent().(*events.WorkloadIdentityDelete) + require.True(t, ok) + require.NotEmpty(t, evt.ConnectionMetadata.RemoteAddr) + require.Empty(t, cmp.Diff( + tt.requireEvent, + evt, + cmpopts.IgnoreFields(events.WorkloadIdentityDelete{}, "ConnectionMetadata"), + )) + } + }) + } +} + +func TestResourceService_GetWorkloadIdentity(t *testing.T) { + t.Parallel() + srv, _ := newTestTLSServer(t) + ctx := context.Background() + + authorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "authorized", + []string{}, + []types.Rule{ + { + Resources: []string{types.KindWorkloadIdentity}, + Verbs: []string{types.VerbRead}, + }, + }) + require.NoError(t, err) + authorizedClient, err := srv.NewClient(auth.TestUser(authorizedUser.GetName())) + require.NoError(t, err) + unauthorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "unauthorized", + []string{}, + []types.Rule{}, + ) + require.NoError(t, err) + unauthorizedClient, err := srv.NewClient(auth.TestUser(unauthorizedUser.GetName())) + require.NoError(t, err) + + // Create a pre-existing workload identity + preExisting, err := srv.Auth().CreateWorkloadIdentity( + ctx, + &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "preexisting", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }) + require.NoError(t, err) + + tests := []struct { + name string + client *authclient.Client + req *workloadidentityv1pb.GetWorkloadIdentityRequest + wantRes *workloadidentityv1pb.WorkloadIdentity + requireError require.ErrorAssertionFunc + }{ + { + name: "success", + client: authorizedClient, + req: &workloadidentityv1pb.GetWorkloadIdentityRequest{ + Name: preExisting.GetMetadata().GetName(), + }, + wantRes: preExisting, + requireError: require.NoError, + }, + { + name: "non-existing", + client: authorizedClient, + req: &workloadidentityv1pb.GetWorkloadIdentityRequest{ + Name: "i-do-not-exist", + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsNotFound(err)) + }, + }, + { + name: "validation fail", + client: authorizedClient, + req: &workloadidentityv1pb.GetWorkloadIdentityRequest{ + Name: "", + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsBadParameter(err)) + require.ErrorContains(t, err, "name: must be non-empty") + }, + }, + { + name: "unauthorized", + client: unauthorizedClient, + req: &workloadidentityv1pb.GetWorkloadIdentityRequest{ + Name: "unauthorized", + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsAccessDenied(err)) + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + tt.client.GetConnection(), + ) + got, err := client.GetWorkloadIdentity(ctx, tt.req) + tt.requireError(t, err) + + if tt.wantRes != nil { + require.Empty( + t, + cmp.Diff( + tt.wantRes, + got, + protocmp.Transform(), + ), + ) + } + }) + } +} + +func TestResourceService_ListWorkloadIdentities(t *testing.T) { + t.Parallel() + srv, _ := newTestTLSServer(t) + ctx := context.Background() + + authorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "authorized", + []string{}, + []types.Rule{ + { + Resources: []string{types.KindWorkloadIdentity}, + Verbs: []string{types.VerbRead, types.VerbList}, + }, + }) + require.NoError(t, err) + authorizedClient, err := srv.NewClient(auth.TestUser(authorizedUser.GetName())) + require.NoError(t, err) + unauthorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "unauthorized", + []string{}, + []types.Rule{}, + ) + require.NoError(t, err) + unauthorizedClient, err := srv.NewClient(auth.TestUser(unauthorizedUser.GetName())) + require.NoError(t, err) + + // Create a pre-existing workload identities + // Two complete pages of ten, plus one incomplete page of nine + created := []*workloadidentityv1pb.WorkloadIdentity{} + for i := 0; i < 29; i++ { + r, err := srv.Auth().CreateWorkloadIdentity( + ctx, + &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: fmt.Sprintf("preexisting-%d", i), + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }) + require.NoError(t, err) + created = append(created, r) + } + + t.Run("unauthorized", func(t *testing.T) { + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + unauthorizedClient.GetConnection(), + ) + + _, err := client.ListWorkloadIdentities(ctx, &workloadidentityv1pb.ListWorkloadIdentitiesRequest{}) + require.True(t, trace.IsAccessDenied(err)) + }) + + t.Run("success - default page", func(t *testing.T) { + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + authorizedClient.GetConnection(), + ) + + // For the default page size, we expect to get all results in one page + res, err := client.ListWorkloadIdentities(ctx, &workloadidentityv1pb.ListWorkloadIdentitiesRequest{}) + require.NoError(t, err) + require.Len(t, res.WorkloadIdentities, 29) + require.Empty(t, res.NextPageToken) + for _, created := range created { + slices.ContainsFunc(res.WorkloadIdentities, func(resource *workloadidentityv1pb.WorkloadIdentity) bool { + return proto.Equal(created, resource) + }) + } + }) + + t.Run("success - page size 10", func(t *testing.T) { + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + authorizedClient.GetConnection(), + ) + + fetched := []*workloadidentityv1pb.WorkloadIdentity{} + token := "" + iterations := 0 + for { + iterations++ + res, err := client.ListWorkloadIdentities(ctx, &workloadidentityv1pb.ListWorkloadIdentitiesRequest{ + PageSize: 10, + PageToken: token, + }) + require.NoError(t, err) + fetched = append(fetched, res.WorkloadIdentities...) + if res.NextPageToken == "" { + break + } + token = res.NextPageToken + } + + require.Len(t, fetched, 29) + require.Equal(t, 3, iterations) + for _, created := range created { + slices.ContainsFunc(fetched, func(resource *workloadidentityv1pb.WorkloadIdentity) bool { + return proto.Equal(created, resource) + }) + } + }) +} + +func TestResourceService_UpdateWorkloadIdentity(t *testing.T) { + t.Parallel() + srv, eventRecorder := newTestTLSServer(t) + ctx := context.Background() + + authorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "authorized", + []string{}, + []types.Rule{ + { + Resources: []string{types.KindWorkloadIdentity}, + Verbs: []string{types.VerbUpdate}, + }, + }) + require.NoError(t, err) + authorizedClient, err := srv.NewClient(auth.TestUser(authorizedUser.GetName())) + require.NoError(t, err) + unauthorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "unauthorized", + []string{}, + []types.Rule{}, + ) + require.NoError(t, err) + unauthorizedClient, err := srv.NewClient(auth.TestUser(unauthorizedUser.GetName())) + require.NoError(t, err) + + // Create a pre-existing workload identity + preExisting, err := srv.Auth().CreateWorkloadIdentity( + ctx, + &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "preexisting", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }) + require.NoError(t, err) + preExisting2, err := srv.Auth().CreateWorkloadIdentity( + ctx, + &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "preexisting-2", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }) + require.NoError(t, err) + + tests := []struct { + name string + client *authclient.Client + req *workloadidentityv1pb.UpdateWorkloadIdentityRequest + requireError require.ErrorAssertionFunc + checkResultReturned bool + requireEvent *events.WorkloadIdentityUpdate + }{ + { + name: "success", + client: authorizedClient, + req: &workloadidentityv1pb.UpdateWorkloadIdentityRequest{ + WorkloadIdentity: preExisting, + }, + requireError: require.NoError, + checkResultReturned: true, + requireEvent: &events.WorkloadIdentityUpdate{ + Metadata: events.Metadata{ + Code: libevents.WorkloadIdentityUpdateCode, + Type: libevents.WorkloadIdentityUpdateEvent, + }, + ResourceMetadata: events.ResourceMetadata{ + Name: preExisting.GetMetadata().GetName(), + }, + UserMetadata: events.UserMetadata{ + User: authorizedUser.GetName(), + UserKind: events.UserKind_USER_KIND_HUMAN, + }, + }, + }, + { + name: "incorrect revision", + client: authorizedClient, + req: (func() *workloadidentityv1pb.UpdateWorkloadIdentityRequest { + preExisting2.Metadata.Revision = "incorrect" + return &workloadidentityv1pb.UpdateWorkloadIdentityRequest{ + WorkloadIdentity: preExisting2, + } + })(), + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsCompareFailed(err)) + }, + }, + { + name: "not existing", + client: authorizedClient, + req: &workloadidentityv1pb.UpdateWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "new", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/test", + }, + }, + }, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.Error(t, err) + }, + }, + { + name: "unauthorized", + client: unauthorizedClient, + req: &workloadidentityv1pb.UpdateWorkloadIdentityRequest{ + WorkloadIdentity: preExisting, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsAccessDenied(err)) + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + eventRecorder.Reset() + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + tt.client.GetConnection(), + ) + res, err := client.UpdateWorkloadIdentity(ctx, tt.req) + tt.requireError(t, err) + + if tt.checkResultReturned { + require.NotEmpty(t, res.Metadata.Revision) + require.NotEqual(t, tt.req.WorkloadIdentity.GetMetadata().GetRevision(), res.Metadata.Revision) + // Expect returned result to match request, but also have a + // revision + require.Empty( + t, + cmp.Diff( + res, + tt.req.WorkloadIdentity, + protocmp.Transform(), + protocmp.IgnoreFields(&headerv1.Metadata{}, "revision"), + ), + ) + // Expect the value fetched from the store to match returned + // item. + fetched, err := srv.Auth().GetWorkloadIdentity(ctx, res.Metadata.Name) + require.NoError(t, err) + require.Empty( + t, + cmp.Diff( + res, + fetched, + protocmp.Transform(), + ), + ) + } + if tt.requireEvent != nil { + evt, ok := eventRecorder.LastEvent().(*events.WorkloadIdentityUpdate) + require.True(t, ok) + require.NotEmpty(t, evt.ConnectionMetadata.RemoteAddr) + require.Empty(t, cmp.Diff( + evt, + tt.requireEvent, + cmpopts.IgnoreFields(events.WorkloadIdentityUpdate{}, "ConnectionMetadata", "WorkloadIdentityData"), + )) + } + }) + } +} + +func TestResourceService_UpsertWorkloadIdentity(t *testing.T) { + t.Parallel() + srv, eventRecorder := newTestTLSServer(t) + ctx := context.Background() + + authorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "authorized", + []string{}, + []types.Rule{ + { + Resources: []string{types.KindWorkloadIdentity}, + Verbs: []string{types.VerbCreate, types.VerbUpdate}, + }, + }) + require.NoError(t, err) + authorizedClient, err := srv.NewClient(auth.TestUser(authorizedUser.GetName())) + require.NoError(t, err) + unauthorizedUser, _, err := auth.CreateUserAndRole( + srv.Auth(), + "unauthorized", + []string{}, + []types.Rule{}, + ) + require.NoError(t, err) + unauthorizedClient, err := srv.NewClient(auth.TestUser(unauthorizedUser.GetName())) + require.NoError(t, err) + + tests := []struct { + name string + client *authclient.Client + req *workloadidentityv1pb.UpsertWorkloadIdentityRequest + requireError require.ErrorAssertionFunc + checkResultReturned bool + requireEvent *events.WorkloadIdentityCreate + }{ + { + name: "success", + client: authorizedClient, + req: &workloadidentityv1pb.UpsertWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "new", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }, + }, + requireError: require.NoError, + checkResultReturned: true, + requireEvent: &events.WorkloadIdentityCreate{ + Metadata: events.Metadata{ + Code: libevents.WorkloadIdentityCreateCode, + Type: libevents.WorkloadIdentityCreateEvent, + }, + ResourceMetadata: events.ResourceMetadata{ + Name: "new", + }, + UserMetadata: events.UserMetadata{ + User: authorizedUser.GetName(), + UserKind: events.UserKind_USER_KIND_HUMAN, + }, + }, + }, + { + name: "validation fail", + client: authorizedClient, + req: &workloadidentityv1pb.UpsertWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "new", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "", + }, + }, + }, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsBadParameter(err)) + require.ErrorContains(t, err, "spec.spiffe.id: is required") + }, + }, + { + name: "unauthorized", + client: unauthorizedClient, + req: &workloadidentityv1pb.UpsertWorkloadIdentityRequest{ + WorkloadIdentity: &workloadidentityv1pb.WorkloadIdentity{ + Kind: types.KindWorkloadIdentity, + Version: types.V1, + Metadata: &headerv1.Metadata{ + Name: "unauthorized", + }, + Spec: &workloadidentityv1pb.WorkloadIdentitySpec{ + Spiffe: &workloadidentityv1pb.WorkloadIdentitySPIFFE{ + Id: "/example", + }, + }, + }, + }, + requireError: func(t require.TestingT, err error, i ...interface{}) { + require.True(t, trace.IsAccessDenied(err)) + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + eventRecorder.Reset() + client := workloadidentityv1pb.NewWorkloadIdentityResourceServiceClient( + tt.client.GetConnection(), + ) + res, err := client.UpsertWorkloadIdentity(ctx, tt.req) + tt.requireError(t, err) + + if tt.checkResultReturned { + require.NotEmpty(t, res.Metadata.Revision) + // Expect returned result to match request, but also have a + // revision + require.Empty( + t, + cmp.Diff( + res, + tt.req.WorkloadIdentity, + protocmp.Transform(), + protocmp.IgnoreFields(&headerv1.Metadata{}, "revision"), + ), + ) + // Expect the value fetched from the store to match returned + // item. + fetched, err := srv.Auth().GetWorkloadIdentity(ctx, res.Metadata.Name) + require.NoError(t, err) + require.Empty( + t, + cmp.Diff( + res, + fetched, + protocmp.Transform(), + ), + ) + } + if tt.requireEvent != nil { + evt, ok := eventRecorder.LastEvent().(*events.WorkloadIdentityCreate) + require.True(t, ok) + require.NotEmpty(t, evt.ConnectionMetadata.RemoteAddr) + require.Empty(t, cmp.Diff( + evt, + tt.requireEvent, + cmpopts.IgnoreFields(events.WorkloadIdentityCreate{}, "ConnectionMetadata", "WorkloadIdentityData"), + )) + } + }) + } +} diff --git a/lib/services/local/spiffe_federations_test.go b/lib/services/local/spiffe_federations_test.go index edc9a1ac3c1f9..7ce3ffaa25529 100644 --- a/lib/services/local/spiffe_federations_test.go +++ b/lib/services/local/spiffe_federations_test.go @@ -246,7 +246,7 @@ func TestSPIFFEFederationService_DeleteSPIFFEFederation(t *testing.T) { require.True(t, trace.IsNotFound(err)) }) t.Run("not found", func(t *testing.T) { - _, err := service.GetSPIFFEFederation(ctx, "foo.example.com") + err := service.DeleteSPIFFEFederation(ctx, "foo.example.com") require.Error(t, err) require.True(t, trace.IsNotFound(err)) }) diff --git a/lib/services/presets.go b/lib/services/presets.go index 6af90e02110c4..d82ba05a4f4b2 100644 --- a/lib/services/presets.go +++ b/lib/services/presets.go @@ -184,6 +184,7 @@ func NewPresetEditorRole() types.Role { types.NewRule(types.KindUserTask, RW()), types.NewRule(types.KindIdentityCenter, RW()), types.NewRule(types.KindContact, RW()), + types.NewRule(types.KindWorkloadIdentity, RW()), }, }, }, @@ -614,6 +615,7 @@ func NewPresetTerraformProviderRole() types.Role { types.KindInstaller, types.KindAccessMonitoringRule, types.KindStaticHostUser, + types.KindWorkloadIdentity, }, Verbs: RW(), },