From 9a0162db4550b96432e63533b7599d40c9731cc5 Mon Sep 17 00:00:00 2001 From: flyinghermit Date: Tue, 17 Dec 2024 14:52:29 -0500 Subject: [PATCH 1/2] check if plugin type is PluginTypeAWSIdentityCenter and PluginAWSICSettings is not nil for delete action --- lib/services/local/integrations.go | 7 +++++-- lib/services/local/saml_idp_service_provider.go | 10 +++++++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/lib/services/local/integrations.go b/lib/services/local/integrations.go index 3b9842ee79690..3b1248f69c54f 100644 --- a/lib/services/local/integrations.go +++ b/lib/services/local/integrations.go @@ -213,8 +213,11 @@ func integrationReferencedByAWSICPlugin(ctx context.Context, bk backend.Backend, continue } - if pluginV1.GetType() == types.PluginType(types.PluginTypeAWSIdentityCenter) { - switch pluginV1.Spec.GetAwsIc().IntegrationName { + if pluginV1.GetType() != types.PluginType(types.PluginTypeAWSIdentityCenter) { + continue + } + if awsIC := pluginV1.Spec.GetAwsIc(); awsIC != nil { + switch awsIC.IntegrationName { case name: return nil, trace.BadParameter("cannot delete AWS OIDC integration currently referenced by AWS Identity Center integration %q", pluginV1.GetName()) default: diff --git a/lib/services/local/saml_idp_service_provider.go b/lib/services/local/saml_idp_service_provider.go index da99ef05d8ad0..6b08cf084afd9 100644 --- a/lib/services/local/saml_idp_service_provider.go +++ b/lib/services/local/saml_idp_service_provider.go @@ -419,9 +419,13 @@ func spReferencedByAWSICPlugin(ctx context.Context, bk backend.Backend, serviceP if !ok { continue } - - if pluginV1.Spec.GetAwsIc().SamlIdpServiceProviderName == serviceProviderName { - return trace.BadParameter("cannot delete SAML service provider currently referenced by AWS Identity Center integration %q", pluginV1.GetName()) + if pluginV1.GetType() != types.PluginType(types.PluginTypeAWSIdentityCenter) { + continue + } + if awsIC := pluginV1.Spec.GetAwsIc(); awsIC != nil { + if awsIC.SamlIdpServiceProviderName == serviceProviderName { + return trace.BadParameter("cannot delete SAML service provider currently referenced by AWS Identity Center integration %q", pluginV1.GetName()) + } } } From e7a980a9a885052b683195dd61be4bdb29341f4a Mon Sep 17 00:00:00 2001 From: flyinghermit Date: Tue, 17 Dec 2024 17:29:25 -0500 Subject: [PATCH 2/2] update tests to account for existence of other plugins beside identity center plugin --- .../integration/integrationv1/service_test.go | 34 ++------ lib/fixtures/plugins.go | 85 +++++++++++++++++++ .../local/saml_idp_service_provider_test.go | 31 +------ 3 files changed, 95 insertions(+), 55 deletions(-) create mode 100644 lib/fixtures/plugins.go diff --git a/lib/auth/integration/integrationv1/service_test.go b/lib/auth/integration/integrationv1/service_test.go index 3316cf239d0e8..e8ae3268d1c45 100644 --- a/lib/auth/integration/integrationv1/service_test.go +++ b/lib/auth/integration/integrationv1/service_test.go @@ -34,6 +34,7 @@ import ( "github.com/gravitational/teleport/lib/authz" "github.com/gravitational/teleport/lib/backend/memory" "github.com/gravitational/teleport/lib/events" + "github.com/gravitational/teleport/lib/fixtures" "github.com/gravitational/teleport/lib/services" "github.com/gravitational/teleport/lib/services/local" "github.com/gravitational/teleport/lib/tlsca" @@ -291,15 +292,17 @@ func TestIntegrationCRUD(t *testing.T) { Setup: func(t *testing.T, igName string) { _, err := localClient.CreateIntegration(ctx, sampleIntegrationFn(t, igName)) require.NoError(t, err) - require.NoError(t, localClient.CreatePlugin(ctx, newPlugin(t, igName))) + // other existing plugin should not affect identity center plugin referenced integration. + require.NoError(t, localClient.CreatePlugin(ctx, fixtures.NewMattermostPlugin(t))) + require.NoError(t, localClient.CreatePlugin(ctx, fixtures.NewIdentityCenterPlugin(t, igName, igName))) }, Test: func(ctx context.Context, resourceSvc *Service, igName string) error { _, err := resourceSvc.DeleteIntegration(ctx, &integrationpb.DeleteIntegrationRequest{Name: igName}) return err }, Cleanup: func(t *testing.T, igName string) { - err := localClient.DeletePlugin(ctx, newPlugin(t, igName).GetName()) - require.NoError(t, err) + require.NoError(t, localClient.DeletePlugin(ctx, types.PluginTypeMattermost)) + require.NoError(t, localClient.DeletePlugin(ctx, types.PluginTypeAWSIdentityCenter)) }, ErrAssertion: trace.IsBadParameter, }, @@ -553,28 +556,3 @@ func newCertAuthority(t *testing.T, caType types.CertAuthType, domain string) ty return ca } - -func newPlugin(t *testing.T, integrationName string) *types.PluginV1 { - t.Helper() - return &types.PluginV1{ - Metadata: types.Metadata{ - Name: types.PluginTypeAWSIdentityCenter, - Labels: map[string]string{ - types.HostedPluginLabel: "true", - }, - }, - Spec: types.PluginSpecV1{ - Settings: &types.PluginSpecV1_AwsIc{ - AwsIc: &types.PluginAWSICSettings{ - IntegrationName: integrationName, - Region: "test-region", - Arn: "test-arn", - AccessListDefaultOwners: []string{"user1", "user2"}, - ProvisioningSpec: &types.AWSICProvisioningSpec{ - BaseUrl: "https://example.com", - }, - }, - }, - }, - } -} diff --git a/lib/fixtures/plugins.go b/lib/fixtures/plugins.go new file mode 100644 index 0000000000000..1d3a0f5b8f662 --- /dev/null +++ b/lib/fixtures/plugins.go @@ -0,0 +1,85 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package fixtures + +import ( + "testing" + + "github.com/gravitational/teleport/api/types" +) + +// NewIdentityCenterPlugin returns a new types.PluginV1 with PluginSpecV1_AwsIc settings. +func NewIdentityCenterPlugin(t *testing.T, serviceProviderName, integrationName string) *types.PluginV1 { + t.Helper() + return &types.PluginV1{ + Metadata: types.Metadata{ + Name: types.PluginTypeAWSIdentityCenter, + Labels: map[string]string{ + types.HostedPluginLabel: "true", + }, + }, + Spec: types.PluginSpecV1{ + Settings: &types.PluginSpecV1_AwsIc{ + AwsIc: &types.PluginAWSICSettings{ + IntegrationName: integrationName, + Region: "test-region", + Arn: "test-arn", + AccessListDefaultOwners: []string{"user1", "user2"}, + ProvisioningSpec: &types.AWSICProvisioningSpec{ + BaseUrl: "https://example.com", + }, + SamlIdpServiceProviderName: serviceProviderName, + }, + }, + }, + } +} + +// NewIdentityCenterPlugin returns a new types.PluginV1 with PluginSpecV1_Mattermost settings. +func NewMattermostPlugin(t *testing.T) *types.PluginV1 { + t.Helper() + return &types.PluginV1{ + SubKind: types.PluginSubkindAccess, + Metadata: types.Metadata{ + Labels: map[string]string{ + "teleport.dev/hosted-plugin": "true", + }, + Name: types.PluginTypeMattermost, + }, + Spec: types.PluginSpecV1{ + Settings: &types.PluginSpecV1_Mattermost{ + Mattermost: &types.PluginMattermostSettings{ + ServerUrl: "https://example.com", + Channel: "test_channel", + Team: "test_team", + ReportToEmail: "test@example.com", + }, + }, + }, + Credentials: &types.PluginCredentialsV1{ + Credentials: &types.PluginCredentialsV1_StaticCredentialsRef{ + StaticCredentialsRef: &types.PluginStaticCredentialsRef{ + Labels: map[string]string{ + "plugin": "mattermost", + }, + }, + }, + }, + } +} diff --git a/lib/services/local/saml_idp_service_provider_test.go b/lib/services/local/saml_idp_service_provider_test.go index aafdedba9a5da..b1161ec577d2b 100644 --- a/lib/services/local/saml_idp_service_provider_test.go +++ b/lib/services/local/saml_idp_service_provider_test.go @@ -36,6 +36,7 @@ import ( "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/backend/memory" + "github.com/gravitational/teleport/lib/fixtures" "github.com/gravitational/teleport/lib/services" ) @@ -613,37 +614,13 @@ func TestDeleteSAMLServiceProviderWhenReferencedByPlugin(t *testing.T) { require.NoError(t, samlService.CreateSAMLIdPServiceProvider(ctx, sp)) // service provider should not be deleted when referenced by the plugin. - require.NoError(t, pluginService.CreatePlugin(ctx, newPlugin(t, sp.GetName()))) + require.NoError(t, pluginService.CreatePlugin(ctx, fixtures.NewIdentityCenterPlugin(t, sp.GetName(), sp.GetName()))) err = samlService.DeleteSAMLIdPServiceProvider(ctx, sp.GetName()) require.ErrorContains(t, err, "referenced by AWS Identity Center integration") // service provider should be deleted once the referenced plugin itself is deleted. + // other existing plugin should not prevent SAML service provider from deletion. + require.NoError(t, pluginService.CreatePlugin(ctx, fixtures.NewMattermostPlugin(t))) require.NoError(t, pluginService.DeletePlugin(ctx, types.PluginTypeAWSIdentityCenter)) require.NoError(t, samlService.DeleteSAMLIdPServiceProvider(ctx, sp.GetName())) } - -func newPlugin(t *testing.T, serviceProviderName string) *types.PluginV1 { - t.Helper() - return &types.PluginV1{ - Metadata: types.Metadata{ - Name: types.PluginTypeAWSIdentityCenter, - Labels: map[string]string{ - types.HostedPluginLabel: "true", - }, - }, - Spec: types.PluginSpecV1{ - Settings: &types.PluginSpecV1_AwsIc{ - AwsIc: &types.PluginAWSICSettings{ - IntegrationName: "test-integration", - Region: "test-region", - Arn: "test-arn", - AccessListDefaultOwners: []string{"user1", "user2"}, - ProvisioningSpec: &types.AWSICProvisioningSpec{ - BaseUrl: "https://example.com", - }, - SamlIdpServiceProviderName: serviceProviderName, - }, - }, - }, - } -}