[v11] [Connect] Add server hostnames in access request responses (#19549

)
gravitational · Dec 22, 2022 · a812cb2 · a812cb2
1 parent b4d399c
commit a812cb2
Show file tree

Hide file tree

Showing 10 changed files with 849 additions and 43 deletions.
diff --git a/api/types/resource.go b/api/types/resource.go
@@ -56,6 +56,11 @@ type Resource interface {
 	CheckAndSetDefaults() error
 }
 
+// ResourceDetails includes details about the resource
+type ResourceDetails struct {
+	Hostname string
+}
+
 // ResourceWithSecrets includes additional properties which must
 // be provided by resources which *may* contain secrets.
 type ResourceWithSecrets interface {

diff --git a/e b/e
diff --git a/lib/services/access_request.go b/lib/services/access_request.go
@@ -530,7 +530,6 @@ ProcessReviews:
 
 		// If we hit any denial thresholds, short-circuit immediately
 		for i, t := range thresholds {
-
 			if counts[i].denial >= t.Deny && t.Deny != 0 {
 				denied = true
 				break ProcessReviews
@@ -850,7 +849,6 @@ func NewReviewPermissionChecker(ctx context.Context, getter RequestValidatorGett
 }
 
 func (c *ReviewPermissionChecker) push(role types.Role) error {
-
 	allow, deny := role.GetAccessReviewConditions(types.Allow), role.GetAccessReviewConditions(types.Deny)
 
 	var err error
@@ -1590,6 +1588,57 @@ func roleAllowsResource(
 
 type ListResourcesRequestOption func(*proto.ListResourcesRequest)
 
+func GetResourceDetails(ctx context.Context, clusterName string, lister ResourceLister, ids []types.ResourceID) (map[string]types.ResourceDetails, error) {
+	var nodeIDs []types.ResourceID
+	for _, resourceID := range ids {
+		if resourceID.Kind != types.KindNode {
+			// The only detail we want, for now, is the server hostname, so we
+			// can skip all other resource kinds as a minor optimization.
+			continue
+		}
+		nodeIDs = append(nodeIDs, resourceID)
+	}
+
+	withExtraRoles := func(req *proto.ListResourcesRequest) {
+		req.UseSearchAsRoles = true
+		req.UsePreviewAsRoles = true
+	}
+
+	resources, err := GetResourcesByResourceIDs(ctx, lister, nodeIDs, withExtraRoles)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	result := make(map[string]types.ResourceDetails)
+	for _, resource := range resources {
+		hn, ok := resource.(interface{ GetHostname() string })
+		if !ok {
+			continue
+		}
+		id := types.ResourceID{
+			ClusterName: clusterName,
+			Kind:        resource.GetKind(),
+			Name:        resource.GetName(),
+		}
+		result[types.ResourceIDToString(id)] = types.ResourceDetails{
+			Hostname: hn.GetHostname(),
+		}
+	}
+
+	return result, nil
+}
+
+func GetNodeResourceIDsByCluster(r types.AccessRequest) map[string][]types.ResourceID {
+	resourceIDsByCluster := make(map[string][]types.ResourceID)
+	for _, resourceID := range r.GetRequestedResourceIDs() {
+		if resourceID.Kind != types.KindNode {
+			continue
+		}
+		resourceIDsByCluster[resourceID.ClusterName] = append(resourceIDsByCluster[resourceID.ClusterName], resourceID)
+	}
+	return resourceIDsByCluster
+}
+
 func GetResourcesByResourceIDs(ctx context.Context, lister ResourceLister, resourceIDs []types.ResourceID, opts ...ListResourcesRequestOption) ([]types.ResourceWithLabels, error) {
 	resourceNamesByKind := make(map[string][]string)
 	for _, resourceID := range resourceIDs {

diff --git a/lib/teleterm/api/proto/v1/access_request.proto b/lib/teleterm/api/proto/v1/access_request.proto
@@ -36,8 +36,10 @@ message AccessRequest {
   repeated string suggested_reviewers = 10;
   // thresholds specifies minimum amount of approvers or deniers. Defaults to 'default'
   repeated string threshold_names = 11;
+  // TODO(avatus) remove the resource_ids field once the changes to rely on resources instead is merged
   // a list of resourceIDs requested in the AccessRequest
   repeated ResourceID resource_ids = 12;
+  repeated Resource resources = 13;
 }
 
 message AccessRequestReview {
@@ -57,3 +59,12 @@ message ResourceID {
   string name = 2;
   string cluster_name = 3;
 }
+
+message ResourceDetails {
+  string hostname = 1;
+}
+
+message Resource {
+  ResourceID id = 1;
+  ResourceDetails details = 2;
+}
diff --git a/lib/teleterm/api/protogen/golang/v1/access_request.pb.go b/lib/teleterm/api/protogen/golang/v1/access_request.pb.go