Adds CRUD service for Identity Center resources #47609
CreateAccountAssignment(context.Context, IdentityCenterAccountAssignment) (IdentityCenterAccountAssignment, error) | ||
|
||
// GetAccountAssignment fetches a specific Account Assignment record. | ||
GetAccountAssignment(context.Context, IdentityCenterAccountAssignmentID) (IdentityCenterAccountAssignment, error) |
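Review bot: CreateAccountAssignment carries no doc comment in the shown lines while GetAccountAssignment does; unless it sits just above the cut, add one that states what happens when a record with that ID already exists (error or overwrite), since that is the property callers use to tell Create apart from an upsert at this CRUD boundary.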
nit: might be a personal preference, but for me it is a bit overkill to hide and wrap only 1 id string parameter with the separate type IdentityCenterAccountAssignmentID.
I can see that. The rationale for doing this is all in the Identity Center integration code, which you can't see yet.
Rationale is that there are so many different resource types in flight in the IC integration, so I wanted to make using the wrong ID in the wrong place a compile-time error rather than a debugging session. The CRUD service seemed a reasonable boundary to pack/unpack the IDs, so that everything downstream is checked by the compiler.
But yeah, in isolation, it's very much overkill.
|
||
// UpdateIdentityCenterAccount performs a conditional update on an Identity | ||
// Center Account record, returning the updated record on success. | ||
func (svc *IdentityCenterService) UpdateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { |
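Review bot: the doc comment says "conditional update" but never names the condition; state that the update is conditioned on the record's Metadata.Revision (the optimistic-locking field the Upsert comment below refers to) and which error is returned when the revision no longer matches, so callers know to reload and retry rather than reach for Upsert.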
func (svc *IdentityCenterService) UpdateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { | |
func (svc *IdentityCenterService) UpdateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (*services.IdentityCenterAccount, error) { |
// Identity Center Account record, returning the updated record on success. | ||
// Be careful when mixing UpsertIdentityCenterAccount() with resources | ||
// protected by optimistic locking | ||
func (svc *IdentityCenterService) UpsertIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { |
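Review bot: the first comment line ("Identity Center Account record, returning the updated record on success.") reads like a leftover of UpdateIdentityCenterAccount's comment and does not describe an upsert; and the "Be careful" warning should say what the hazard actually is: an upsert that does not compare Metadata.Revision silently overwrites a concurrent conditional update, so callers holding a revision should use UpdateIdentityCenterAccount instead.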
func (svc *IdentityCenterService) UpsertIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { | |
func (svc *IdentityCenterService) UpsertIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (*services.IdentityCenterAccount, error) { |
} | ||
|
||
// GetIdentityCenterAccount fetches a specific Identity Center Account | ||
func (svc *IdentityCenterService) GetIdentityCenterAccount(ctx context.Context, name services.IdentityCenterAccountID) (services.IdentityCenterAccount, error) { |
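Review bot: the doc comment does not say what a missing record yields; state that a not-found error is returned (and give the sentence its terminal period). The parameter is typed IdentityCenterAccountID but named `name`; calling it `id` would match both the type and the typed-ID rationale given earlier in this thread.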
func (svc *IdentityCenterService) GetIdentityCenterAccount(ctx context.Context, name services.IdentityCenterAccountID) (services.IdentityCenterAccount, error) { | |
func (svc *IdentityCenterService) GetIdentityCenterAccount(ctx context.Context, name services.IdentityCenterAccountID) (*services.IdentityCenterAccount, error) { |
} | ||
|
||
// CreateIdentityCenterAccount creates a new Identity Center Account record | ||
func (svc *IdentityCenterService) CreateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { |
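Review bot: document the behaviour when an account with the same name already exists; Create should return an already-exists error rather than overwrite, which is exactly what distinguishes it from UpsertIdentityCenterAccount above, and a test for that case would pin the contract down.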
func (svc *IdentityCenterService) CreateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (services.IdentityCenterAccount, error) { | |
func (svc *IdentityCenterService) CreateIdentityCenterAccount(ctx context.Context, acct services.IdentityCenterAccount) (*services.IdentityCenterAccount, error) { |
The services.IdentityCenterAccount is already just a pointer wrapped in a struct. I can see making the IdentityCenterService take/return pointers for the sake of consistency, but I didn't think the extra indirection was worth it.
lib/services/identitycenter.go (outdated)
// allow it to implement the interfaces required for use with the Unified | ||
// Resource listing. IdentityCenterAccount simply wraps a pointer to the |
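Review bot: as the IdentityCenterAccountAssignment comment does further down, end this comment with the sentence that copies of an IdentityCenterAccount point to the same record, so a reader knows a plain struct copy is not a snapshot and that CloneResource is the way to get one.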
Just to confirm: will the IdentityCenterAccount be handled in the unified resource view? I thought that in the UI the AWS IC account would be represented by a Teleport Application, not by an IdentityCenterAccount resource?
"Will the IdentityCenterAccount be handled in the unified resource view?"
Not in the proxy but in the auth unified resource service. E.g. from the PoC implementation we transform IdentityCenterAccount to App Server: https://github.com/gravitational/teleport/blob/sshah/idc-dev/lib/services/unified_resource.go#L925
LGTM after proto.Clone is used as @smallinsky suggested (if possible).
lib/services/identitycenter.go (outdated)
// IdentityCenterAccountAssignment wraps a raw identitycenterv1.AccountAssignment | ||
// record in a new type to allow it to implement the interfaces required for use | ||
// with the Unified Resource listing. IdentityCenterAccountAssignment simply | ||
// wraps a pointer to the underlying account record, and can be treated as a | ||
// reference-like type. | ||
// | ||
// Copies of an IdentityCenterAccountAssignment will point to the same record. | ||
type IdentityCenterAccountAssignment struct { | ||
*identitycenterv1.AccountAssignment | ||
} | ||
|
||
// CloneResource creates a deep copy of the underlying account resource | ||
func (a IdentityCenterAccountAssignment) CloneResource() IdentityCenterAccountAssignment { | ||
var expiry *timestamppb.Timestamp | ||
if a.Metadata.Expires != nil { | ||
expiry = &timestamppb.Timestamp{ | ||
Seconds: a.Metadata.Expires.Seconds, | ||
Nanos: a.Metadata.Expires.Nanos, | ||
} | ||
} | ||
|
||
return IdentityCenterAccountAssignment{ | ||
AccountAssignment: &identitycenterv1.AccountAssignment{ | ||
Kind: a.Kind, | ||
SubKind: a.SubKind, | ||
Version: a.Version, | ||
Metadata: &headerv1.Metadata{ | ||
Name: a.Metadata.Name, | ||
Namespace: a.Metadata.Namespace, | ||
Description: a.Metadata.Description, | ||
Labels: maps.Clone(a.Metadata.Labels), | ||
Expires: expiry, | ||
Revision: a.Metadata.Revision, | ||
}, | ||
Spec: &identitycenterv1.AccountAssignmentSpec{ | ||
Display: a.Spec.Display, | ||
AccountId: a.Spec.AccountId, | ||
AccountName: a.Spec.AccountName, | ||
PermissionSet: &identitycenterv1.PermissionSetInfo{ | ||
Arn: a.Spec.PermissionSet.Arn, | ||
Name: a.Spec.PermissionSet.Name, | ||
}, | ||
}, | ||
}, | ||
} | ||
} |
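Review bot: the hand-written deep copy in CloneResource will silently drop any field later added to AccountAssignment, AccountAssignmentSpec, PermissionSetInfo or headerv1.Metadata, which is the class of bug proto.Clone exists to prevent; if proto.Clone really cannot be used here, the nil handling at least needs to be consistent: Metadata.Expires is nil-checked, but a.Metadata, a.Spec and a.Spec.PermissionSet are dereferenced unconditionally, so a record with an unset PermissionSet panics inside Clone instead of cloning it as nil. Also note this method uses a value receiver while IdentityCenterAccount.CloneResource later in the diff uses a pointer receiver; the two should match so both wrappers present the same method set.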
Maybe then it makes sense to:
type IdentityCenterAccount identitycenterv1.Account
// CloneResource creates a deep copy of the underlying account resource
func (a *IdentityCenterAccount) CloneResource() *IdentityCenterAccount {
...
}
I got triggered by those services.IdentityCenterAccount{Account: acct} statements in the implementation.
I tried that originally - unfortunately it hides all of the other interfaces I need on the Account. I've added some commentary to explain the odd choice of embedding the pointer in a struct.
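The two design points argued in this thread, distinct ID types so that the wrong ID is a compile-time error (the typed-ID rationale above) and embedding the proto pointer instead of declaring `type X identitycenterv1.Account` (this reply), are shown together in the following added Go example; it is not code from the PR or from Teleport, and Account, AccountAlias, HasGetName and LookupAccount are stand-ins assumed here for the generated proto message and the service.

```go
package main

import "fmt"

// Stand-in for the generated identitycenterv1.Account message (assumed shape;
// the real message has more fields and the protobuf method set).
type Account struct {
	Name   string
	Labels map[string]string
}

func (a *Account) GetName() string { return a.Name }

// IdentityCenterAccount embeds the pointer, as the PR does: *Account's methods
// are promoted, and a plain copy of the wrapper aliases the same record.
type IdentityCenterAccount struct{ *Account }

// AccountAlias is the `type X identitycenterv1.Account` alternative from the
// thread: it keeps the fields but drops every method declared on *Account.
type AccountAlias Account

// HasGetName reports whether v still satisfies an interface of the kind the
// unified resource listing requires.
func HasGetName(v any) bool { _, ok := v.(interface{ GetName() string }); return ok }

// Distinct ID types (hypothetical string-backed versions of the PR's IDs):
// passing an IdentityCenterAccountAssignmentID to LookupAccount does not compile.
type IdentityCenterAccountID string
type IdentityCenterAccountAssignmentID string

func LookupAccount(id IdentityCenterAccountID) string { return "account:" + string(id) }

// CloneResource returns an independent record; a struct copy does not.
func (a IdentityCenterAccount) CloneResource() IdentityCenterAccount {
	labels := make(map[string]string, len(a.Labels))
	for k, v := range a.Labels {
		labels[k] = v
	}
	return IdentityCenterAccount{&Account{Name: a.Name, Labels: labels}}
}

func main() {
	orig := IdentityCenterAccount{&Account{Name: "prod", Labels: map[string]string{"env": "prod"}}}
	shallow := orig              // same *Account underneath
	deep := orig.CloneResource() // separate record
	shallow.Name = "renamed"
	fmt.Println(orig.GetName(), deep.GetName())                         // renamed prod
	fmt.Println(HasGetName(orig), HasGetName(&AccountAlias{Name: "x"})) // true false
}
```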
Looks good once existing suggestions by other reviewers are addressed.
This is just the pure CRUD read/write. Caching & watching support coming as necessary in subsequent PRs. Co-authored-by: Pawel Kopiczko <[email protected]> Co-authored-by: Sakshyam Shah <[email protected]>
1162cae to c547c76
} | ||
|
||
// CloneResource creates a deep copy of the underlying account resource | ||
func (a *IdentityCenterAccount) CloneResource() IdentityCenterAccount { |
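Review bot: CloneResource takes a pointer receiver here but returns a value, while the IdentityCenterAccountAssignment version uses a value receiver; for a one-pointer wrapper documented as reference-like, a value receiver is the cheaper and consistent choice, and it keeps CloneResource in the method set of the value type, so IdentityCenterAccount values (not only *IdentityCenterAccount) satisfy whatever interface the unified listing asserts.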
Just spotted that this one is a pointer receiver and the other one is a value receiver: func (a IdentityCenterAccountAssignment) CloneResource()
This is just the pure CRUD read/write. Caching & watching support coming as
necessary in subsequent PRs.