[v13] Expose GetSuggestedAccessLists in AccessListClient (#35836)

* Expose `GetSuggestedAccessLists` in `AccessListClient`

Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>

* Fix typo

* Remove `ctx` from `getUser`

---------

Co-authored-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com>

api/client/accesslist/accesslist.go

@@ -286,3 +286,24 @@ func (c *Client) DeleteAccessListReview(ctx context.Context, accessListName, rev
 func (c *Client) DeleteAllAccessListReviews(ctx context.Context, accessListName string) error {
 	return trace.NotImplemented("DeleteAllAccessListReviews is not supported in the gRPC client")
 }
+
+// GetSuggestedAccessLists returns a list of access lists that are suggested for a given request.
+func (c *Client) GetSuggestedAccessLists(ctx context.Context, accessRequestID string) ([]*accesslist.AccessList, error) {
+	resp, err := c.grpcClient.GetSuggestedAccessLists(ctx, &accesslistv1.GetSuggestedAccessListsRequest{
+		AccessRequestId: accessRequestID,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	accessLists := make([]*accesslist.AccessList, len(resp.AccessLists))
+	for i, accessList := range resp.AccessLists {
+		var err error
+		accessLists[i], err = conv.FromProto(accessList)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
+
+	return accessLists, nil
+}

api/proto/teleport/accesslist/v1/accesslist_service.proto

@@ -66,6 +66,9 @@ service AccessListService {
 
   // AccessRequestPromote promotes an access request to an access list.
   rpc AccessRequestPromote(AccessRequestPromoteRequest) returns (AccessRequestPromoteResponse);
+
+  // GetSuggestedAccessLists returns suggested access lists for an access request.
+  rpc GetSuggestedAccessLists(GetSuggestedAccessListsRequest) returns (GetSuggestedAccessListsResponse);
 }
 
 // GetAccessListsRequest is the request for getting all access lists.
@@ -212,7 +215,7 @@ message ListAccessListReviewsRequest {
   string next_token = 3;
 }
 
-// ListAccessListReviewsResponse is the response for getting paginated access list rviews for a particular access list.
+// ListAccessListReviewsResponse is the response for getting paginated access list reviews for a particular access list.
 message ListAccessListReviewsResponse {
   // reviews is the list of access list reviews.
   repeated Review reviews = 1;
@@ -260,3 +263,15 @@ message AccessRequestPromoteResponse {
   // AccessRequest is the updated access request.
   types.AccessRequestV3 access_request = 1;
 }
+
+// GetSuggestedAccessListsRequest is the request for suggested access lists for an access request.
+message GetSuggestedAccessListsRequest {
+  // access_request_id is the unique ID of the request.
+  string access_request_id = 1;
+}
+
+// GetSuggestedAccessListsResponse is the response for suggested access lists for an access request.
+message GetSuggestedAccessListsResponse {
+  // access_lists is the list of suggested lists.
+  repeated AccessList access_lists = 1;
+}

lib/modules/modules.go

@@ -36,6 +36,7 @@ import (
 	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/auth/native"
 	"github.com/gravitational/teleport/lib/automaticupgrades"
+	"github.com/gravitational/teleport/lib/tlsca"
 )
 
 // Features provides supported and unsupported features
@@ -148,6 +149,21 @@ type AccessResourcesGetter interface {
 	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
 }
 
+type AccessListSuggestionClient interface {
+	GetUser(userName string, withSecrets bool) (types.User, error)
+	RoleGetter
+
+	GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
+	GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
+}
+
+type RoleGetter interface {
+	GetRole(ctx context.Context, name string) (types.Role, error)
+}
+type AccessListGetter interface {
+	GetAccessList(ctx context.Context, name string) (*accesslist.AccessList, error)
+}
+
 // Modules defines interface that external libraries can implement customizing
 // default teleport behavior
 type Modules interface {
@@ -165,6 +181,8 @@ type Modules interface {
 	AttestHardwareKey(context.Context, interface{}, keys.PrivateKeyPolicy, *keys.AttestationStatement, crypto.PublicKey, time.Duration) (keys.PrivateKeyPolicy, error)
 	// GenerateAccessRequestPromotions generates a list of valid promotions for given access request.
 	GenerateAccessRequestPromotions(context.Context, AccessResourcesGetter, types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
+	// GetSuggestedAccessLists generates a list of valid promotions for given access request.
+	GetSuggestedAccessLists(ctx context.Context, identity *tlsca.Identity, clt AccessListSuggestionClient, accessListGetter AccessListGetter, requestID string) ([]*accesslist.AccessList, error)
 	// EnableRecoveryCodes enables the usage of recovery codes for resetting forgotten passwords
 	EnableRecoveryCodes()
 	// EnablePlugins enables the hosted plugins runtime
@@ -269,6 +287,12 @@ func (p *defaultModules) GenerateAccessRequestPromotions(_ context.Context, _ Ac
 	return types.NewAccessRequestAllowedPromotions(nil), nil
 }
 
+func (p *defaultModules) GetSuggestedAccessLists(ctx context.Context, identity *tlsca.Identity, clt AccessListSuggestionClient,
+	accessListGetter AccessListGetter, requestID string,
+) ([]*accesslist.AccessList, error) {
+	return nil, trace.NotImplemented("GetSuggestedAccessLists not implemented")
+}
+
 // EnableRecoveryCodes enables recovery codes. This is a noop since OSS teleport does not
 // support recovery codes
 func (p *defaultModules) EnableRecoveryCodes() {

lib/services/access_list.go

@@ -47,9 +47,16 @@ type AccessListsGetter interface {
 	GetAccessListsToReview(context.Context) ([]*accesslist.AccessList, error)
 }
 
+// AccessListsSuggestionsGetter defines an interface for reading access lists suggestions.
+type AccessListsSuggestionsGetter interface {
+	// GetSuggestedAccessLists returns a list of access lists that are suggested for a given request.
+	GetSuggestedAccessLists(ctx context.Context, accessRequestID string) ([]*accesslist.AccessList, error)
+}
+
 // AccessLists defines an interface for managing AccessLists.
 type AccessLists interface {
 	AccessListsGetter
+	AccessListsSuggestionsGetter
 	AccessListMembers
 	AccessListReviews
 

lib/services/local/access_list.go

@@ -179,6 +179,11 @@ func (a *AccessListService) DeleteAllAccessLists(ctx context.Context) error {
 	return trace.Wrap(a.service.DeleteAllResources(ctx))
 }
 
+// GetSuggestedAccessLists returns a list of access lists that are suggested for a given request. This is not implemented in the local service.
+func (a *AccessListService) GetSuggestedAccessLists(ctx context.Context, accessRequestID string) ([]*accesslist.AccessList, error) {
+	return nil, trace.NotImplemented("GetSuggestedAccessLists should not be called")
+}
+
 // ListAccessListMembers returns a paginated list of all access list members.
 func (a *AccessListService) ListAccessListMembers(ctx context.Context, accessList string, pageSize int, nextToken string) ([]*accesslist.AccessListMember, string, error) {
 	var members []*accesslist.AccessListMember

tool/teleport/testenv/test_server.go

@@ -33,6 +33,7 @@ import (
 	"github.com/gravitational/teleport/api/breaker"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/accesslist"
 	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib"
 	"github.com/gravitational/teleport/lib/backend"
@@ -43,6 +44,7 @@ import (
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/srv"
+	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/tool/teleport/common"
 )
@@ -326,6 +328,10 @@ func (p *cliModules) GenerateAccessRequestPromotions(_ context.Context, _ module
 	return &types.AccessRequestAllowedPromotions{}, nil
 }
 
+func (p *cliModules) GetSuggestedAccessLists(ctx context.Context, _ *tlsca.Identity, _ modules.AccessListSuggestionClient, _ modules.AccessListGetter, _ string) ([]*accesslist.AccessList, error) {
+	return []*accesslist.AccessList{}, nil
+}
+
 // BuildType returns build type.
 func (p *cliModules) BuildType() string {
 	return "CLI"

tool/tsh/tsh_test.go

@@ -52,6 +52,7 @@ import (
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/accesslist"
 	"github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/types/wrappers"
 	apiutils "github.com/gravitational/teleport/api/utils"
@@ -130,6 +131,10 @@ func (p *cliModules) GenerateAccessRequestPromotions(_ context.Context, _ module
 	return &types.AccessRequestAllowedPromotions{}, nil
 }
 
+func (p *cliModules) GetSuggestedAccessLists(ctx context.Context, _ *tlsca.Identity, _ modules.AccessListSuggestionClient, _ modules.AccessListGetter, _ string) ([]*accesslist.AccessList, error) {
+	return []*accesslist.AccessList{}, nil
+}
+
 // BuildType returns build type (OSS or Enterprise)
 func (p *cliModules) BuildType() string {
 	return "CLI"