From 5efe41b6c323b5e856af0ce86e84c81068d0b82e Mon Sep 17 00:00:00 2001
From: Trent Clarke
Date: Fri, 29 Nov 2024 11:17:12 +1100
Subject: [PATCH] Adds Roles for IC resource access requests

---
 constants.go            |  15 ++++++
 lib/auth/init.go        |   3 ++
 lib/services/presets.go | 106 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)

diff --git a/constants.go b/constants.go
index 0f07d97b89bd5..47e7dd4462002 100644
--- a/constants.go
+++ b/constants.go
@@ -698,6 +698,21 @@ const (
 	// access to Okta resources. This will be used by the Okta requester role to
 	// search for Okta resources.
 	SystemOktaAccessRoleName = "okta-access"
+
+	// SystemIdentityCenterRequesterRoleName specifies the name of a system role
+	// that allows a user to request access to AWS Identity Center resources via
+	// Access Requests.
+	SystemIdentityCenterRequesterRoleName = "aws-ic-requester"
+
+	// SystemIdentityCenterReviewerRoleName specifies the name of a system role
+	// that grants a user the ability tp review Access Requests access for AWS
+	// Identity Center resources .
+	SystemIdentityCenterReviewerRoleName = "aws-ic-reviewer"
+
+	// SystemIdentityCenterRequesterRoleName specifies the name of a system role
+	// that grants a user access to AWS Identity Center resources via
+	// Access Requests.
+	SystemIdentityCenterAccessRoleName = "aws-ic-access"
 )
 
 var PresetRoles = []string{PresetEditorRoleName, PresetAccessRoleName, PresetAuditorRoleName}
diff --git a/lib/auth/init.go b/lib/auth/init.go
index 10987111ba6e1..43cd0b2ea6554 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -1033,6 +1033,9 @@ func GetPresetRoles() []types.Role {
 		services.NewSystemOktaAccessRole(),
 		services.NewSystemOktaRequesterRole(),
 		services.NewPresetTerraformProviderRole(),
+		services.NewSystemIdentityCenterAccessRole(),
+		services.NewSystemIdentityCenterRequesterRole(),
+		services.NewSystemIdentityCenterReviewerRole(),
 	}
 
 	// Certain `New$FooRole()` functions will return a nil role if the
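Review bot: The doc comment on `SystemIdentityCenterAccessRoleName` names the wrong identifier — it is a copy of the requester comment and starts with `SystemIdentityCenterRequesterRoleName`, so godoc attaches a misleading description to the access role; change its first line to `// SystemIdentityCenterAccessRoleName specifies the name of a system role`. The reviewer comment two entries above has `tp` for `to` and a stray space before the period in `resources .`. The three new names are system roles rather than presets, so leaving them out of `PresetRoles` below matches how the Okta system roles are handled.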
diff --git a/lib/services/presets.go b/lib/services/presets.go
index 6af90e02110c4..3073e1a16f8b5 100644
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@@ -28,6 +28,7 @@ import (
 	"github.com/gravitational/teleport/api/constants"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/common"
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/modules"
 )
@@ -562,6 +563,111 @@ func NewSystemOktaRequesterRole() types.Role {
 	return role
 }
 
+// NewSystemIdentityCenterAccessRole creates a role that allows access to AWS
+// IdentityCenter resources via Access Requests
+func NewSystemIdentityCenterAccessRole() types.Role {
+	if modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil
+	}
+
+	return &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.SystemIdentityCenterAccessRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Access AWS IdentityCenter resources",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.SystemResource,
+				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				AccountAssignmentLabels: types.Labels{
+					types.OriginLabel: []string{common.OriginAWSIdentityCenter},
+				},
+				Rules: []types.Rule{
+					types.NewRule(types.KindIdentityCenter, RO()),
+				},
+			},
+		},
+	}
+}
+
+// NewSystemIdentityCenterRequesterRole creates a role that allows a user to
+// request access to AWS IdentityCenter resources via Access Requests
+func NewSystemIdentityCenterRequesterRole() types.Role {
+	if modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil
+	}
+
+	return &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.SystemIdentityCenterRequesterRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Request AWS IdentityCenter resources",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.SystemResource,
+				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				Request: &types.AccessRequestConditions{
+					Roles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+					SearchAsRoles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+				},
+			},
+		},
+	}
+}
+
+// NewSystemIdentityCenterReviewerRole creates a role that allows a user to
+// review Access Requests for AWS IdentityCenter resources via Access Requests
+func NewSystemIdentityCenterReviewerRole() types.Role {
+	if modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil
+	}
+
+	return &types.RoleV6{
+		Kind:    types.KindRole,
+		Version: types.V7,
+		Metadata: types.Metadata{
+			Name:        teleport.SystemIdentityCenterReviewerRoleName,
+			Namespace:   apidefaults.Namespace,
+			Description: "Request AWS IdentityCenter resources",
+			Labels: map[string]string{
+				types.TeleportInternalResourceType: types.SystemResource,
+				types.OriginLabel:                  common.OriginAWSIdentityCenter,
+			},
+		},
+		Spec: types.RoleSpecV6{
+			Allow: types.RoleConditions{
+				Request: &types.AccessRequestConditions{
+					SearchAsRoles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+				},
+				ReviewRequests: &types.AccessReviewConditions{
+					Roles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+					PreviewAsRoles: []string{
+						teleport.SystemIdentityCenterAccessRoleName,
+					},
+				},
+			},
+		},
+	}
+}
+
 // NewPresetTerraformProviderRole returns a new pre-defined role for the Teleport Terraform provider.
 // This role can edit any Terraform-supported resource.
 func NewPresetTerraformProviderRole() types.Role {
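Review bot: `NewSystemIdentityCenterReviewerRole` sets `Description: "Request AWS IdentityCenter resources"`, the same string the requester role uses, so the reviewer role is mislabelled wherever role descriptions are displayed; change it to `Description: "Review Access Requests for AWS IdentityCenter resources",`. The reviewer role also grants `Request.SearchAsRoles` for the access role in addition to `ReviewRequests.PreviewAsRoles`; if I have Teleport's semantics right, search_as_roles lets its holder make resource-based access requests for whatever it can search, so as written a reviewer is also an implicit requester for IC resources — if review-only is the intent, `PreviewAsRoles` already covers previewing the requested resources, and if the search grant is needed for the review UI a short comment on that field saying so would spare the next reader the same question. All three constructors return nil outside enterprise builds, which the comment at the end of the `GetPresetRoles` hunk indicates the caller already tolerates.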