Adds CRUD service for Identity Center resources #47609
Conversation
tcsc
added
the
no-changelog
| CreateAccountAssignment(context.Context, IdentityCenterAccountAssignment) (IdentityCenterAccountAssignment, error) | ||
|
|
||
| // GetAccountAssignment fetches a specific Account Assignment record. | ||
| GetAccountAssignment(context.Context, IdentityCenterAccountAssignmentID) (IdentityCenterAccountAssignment, error) |
There was a problem hiding this comment.
nit: might be a personal preference but for me It it a bit overkill to hide and wrap only 1 id string parameter with the separate type IdentityCenterAccountAssignmentID.
There was a problem hiding this comment.
I can see that. The rationale for doing this is all in the Identity Center integration code, which you can't see yet.
Rationale is that there are so many different resource types in flight in the IC integration, so I wanted to make using the wrong ID in the wrong place a compile-time error rather than a debugging session. The CRUD service seemed a reasonable boundary to pack/unpack the IDs, so that everything downstream is checked by the compiler.
But yeah, in isolation, it's very much overkill.
|
|
||
| // UpdateIdentityCenterAccount performs a conditional update on an Identity | ||
| // Center Account record, returning the updated record on success. | ||
| func (svc *IdentityCenterService) UpdateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { |
There was a problem hiding this comment.
| func (svc *IdentityCenterService) UpdateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { | |
| func (svc *IdentityCenterService) UpdateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (*services.IdentityCenterAccount, error) { |
| // Identity Center Account record, returning the updated record on success. | ||
| // Be careful when mixing UpsertIdentityCenterAccount() with resources | ||
| // protected by optimistic locking | ||
| func (svc *IdentityCenterService) UpsertIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { |
There was a problem hiding this comment.
| func (svc *IdentityCenterService) UpsertIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { | |
| func (svc *IdentityCenterService) UpsertIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (*services.IdentityCenterAccount, error) { |
| } | ||
|
|
||
| // GetIdentityCenterAccount fetches a specific Identity Center Account | ||
| func (svc *IdentityCenterService) GetIdentityCenterAccount(ctx context.Context, name services.IdentityCenterAccountID) (services.IdentityCenterAccount, error) { |
There was a problem hiding this comment.
| func (svc *IdentityCenterService) GetIdentityCenterAccount(ctx context.Context, name services.IdentityCenterAccountID) (services.IdentityCenterAccount, error) { | |
| func (svc *IdentityCenterService) GetIdentityCenterAccount(ctx context.Context, name services.IdentityCenterAccountID) (*services.IdentityCenterAccount, error) { |
| } | ||
|
|
||
| // CreateIdentityCenterAccount creates a new Identity Center Account record | ||
| func (svc *IdentityCenterService) CreateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { |
There was a problem hiding this comment.
| func (svc *IdentityCenterService) CreateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { | |
| func (svc *IdentityCenterService) CreateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (*services.IdentityCenterAccount, error) { |
There was a problem hiding this comment.
The services.IdentityCenterAccount is already just a pointer wrapped in a struct.
I can see making the IdentityCenterService take/return pointers for the sake of consistency, but I didn't think the extra indirection was worth it.
lib/services/identitycenter.go
Outdated
| // allow it to implement the interfaces required for use with the Unified | ||
| // Resource listing. IdentityCenterAccount simply wraps a pointer to the |
There was a problem hiding this comment.
Just to confirm. Does the IdentityCenterAccount will be handled in united resource view ?
I thought that in UI the AWS IC account will be represented by Teleport Application not by IdentityCenterAccount resource ?
There was a problem hiding this comment.
Does the IdentityCenterAccount will be handled in united resource view ?
Not in the proxy but in the auth united resource service. E.g. from the poc implementation we transform IdentityCenterAccount to App Server https://github.com/gravitational/teleport/blob/sshah/idc-dev/lib/services/unified_resource.go#L925
There was a problem hiding this comment.
LGTM after proto.Clone is used as @smallinsky suggested (if possible)
lib/services/identitycenter.go
Outdated
| // IdentityCenterAccountAssignment wraps a raw identitycenterv1.AccountAssignment | ||
| // record in a new type to allow it to implement the interfaces required for use | ||
| // with the Unified Resource listing. IdentityCenterAccountAssignment simply | ||
| // wraps a pointer to the underlying account record, and can be treated as a | ||
| // reference-like type. | ||
| // | ||
| // Copies of an IdentityCenterAccountAssignment will point to the same record. | ||
| type IdentityCenterAccountAssignment struct { | ||
| *identitycenterv1.AccountAssignment | ||
| } | ||
|
|
||
| // CloneResource creates a deep copy of the underlying account resource | ||
| func (a IdentityCenterAccountAssignment) CloneResource() IdentityCenterAccountAssignment { | ||
| var expiry *timestamppb.Timestamp | ||
| if a.Metadata.Expires != nil { | ||
| expiry = ×tamppb.Timestamp{ | ||
| Seconds: a.Metadata.Expires.Seconds, | ||
| Nanos: a.Metadata.Expires.Nanos, | ||
| } | ||
| } | ||
|
|
||
| return IdentityCenterAccountAssignment{ | ||
| AccountAssignment: &identitycenterv1.AccountAssignment{ | ||
| Kind: a.Kind, | ||
| SubKind: a.SubKind, | ||
| Version: a.Version, | ||
| Metadata: &headerv1.Metadata{ | ||
| Name: a.Metadata.Name, | ||
| Namespace: a.Metadata.Namespace, | ||
| Description: a.Metadata.Description, | ||
| Labels: maps.Clone(a.Metadata.Labels), | ||
| Expires: expiry, | ||
| Revision: a.Metadata.Revision, | ||
| }, | ||
| Spec: &identitycenterv1.AccountAssignmentSpec{ | ||
| Display: a.Spec.Display, | ||
| AccountId: a.Spec.AccountId, | ||
| AccountName: a.Spec.AccountName, | ||
| PermissionSet: &identitycenterv1.PermissionSetInfo{ | ||
| Arn: a.Spec.PermissionSet.Arn, | ||
| Name: a.Spec.PermissionSet.Name, | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| } |
There was a problem hiding this comment.
Maybe then it makes sense to:
type IdentityCenterAccount identitycenterv1.Account
// CloneResource creates a deep copy of the underlying account resource
func (a *IdentityCenterAccount) CloneResource() *IdentityCenterAccount {
...
}I got triggered by those services.IdentityCenterAccount{Account: acct} statements in the implementation
There was a problem hiding this comment.
I tried that originally - unfortunately it hides all of the other interfaces I need on the Account. I've added some commentary to explain the odd choice of embedding the pointer in a struct.
lib/services/identitycenter.go
Outdated
| // allow it to implement the interfaces required for use with the Unified | ||
| // Resource listing. IdentityCenterAccount simply wraps a pointer to the |
There was a problem hiding this comment.
Does the IdentityCenterAccount will be handled in united resource view ?
Not in the proxy but in the auth united resource service. E.g. from the poc implementation we transform IdentityCenterAccount to App Server https://github.com/gravitational/teleport/blob/sshah/idc-dev/lib/services/unified_resource.go#L925
This is just the pure CRUD read/write. Caching & watching support coming as necessary in subsequent PRs. Co-authored-by: Pawel Kopiczko <[email protected]> Co-authored-by: Sakshyam Shah <[email protected]>
tcsc
force-pushed
the
tcsc/identitycenter-crud
branch
from
1162cae
to
c547c76
Compare
public-teleport-github-review-bot
bot
removed the request for review
from kimlisa
| } | ||
|
|
||
| // CloneResource creates a deep copy of the underlying account resource | ||
| func (a *IdentityCenterAccount) CloneResource() IdentityCenterAccount { |
There was a problem hiding this comment.
Just spotted this one is a pointer receiver and the other one is a value receiver func (a IdentityCenterAccountAssignment) CloneResource()
This is just the pure CRUD read/write. Caching & watching support coming as
necessary in subsequent PRs.