Skip to content

Commit

Permalink
[v17] fix: check if plugin type is identity center before SAML app an…
Browse files Browse the repository at this point in the history
…d OIDC integration deletion (#50360)

* check if plugin type is PluginTypeAWSIdentityCenter and PluginAWSICSettings is not nil for delete action

* update tests to account for existence of other plugins beside identity center plugin
  • Loading branch information
flyinghermit authored Dec 17, 2024
1 parent 750c57a commit b894dd3
Show file tree
Hide file tree
Showing 5 changed files with 107 additions and 60 deletions.
34 changes: 6 additions & 28 deletions lib/auth/integration/integrationv1/service_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ import (
"github.com/gravitational/teleport/lib/authz"
"github.com/gravitational/teleport/lib/backend/memory"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/fixtures"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/services/local"
"github.com/gravitational/teleport/lib/tlsca"
Expand Down Expand Up @@ -291,15 +292,17 @@ func TestIntegrationCRUD(t *testing.T) {
Setup: func(t *testing.T, igName string) {
_, err := localClient.CreateIntegration(ctx, sampleIntegrationFn(t, igName))
require.NoError(t, err)
require.NoError(t, localClient.CreatePlugin(ctx, newPlugin(t, igName)))
// other existing plugin should not affect identity center plugin referenced integration.
require.NoError(t, localClient.CreatePlugin(ctx, fixtures.NewMattermostPlugin(t)))
require.NoError(t, localClient.CreatePlugin(ctx, fixtures.NewIdentityCenterPlugin(t, igName, igName)))
},
Test: func(ctx context.Context, resourceSvc *Service, igName string) error {
_, err := resourceSvc.DeleteIntegration(ctx, &integrationpb.DeleteIntegrationRequest{Name: igName})
return err
},
Cleanup: func(t *testing.T, igName string) {
err := localClient.DeletePlugin(ctx, newPlugin(t, igName).GetName())
require.NoError(t, err)
require.NoError(t, localClient.DeletePlugin(ctx, types.PluginTypeMattermost))
require.NoError(t, localClient.DeletePlugin(ctx, types.PluginTypeAWSIdentityCenter))
},
ErrAssertion: trace.IsBadParameter,
},
Expand Down Expand Up @@ -553,28 +556,3 @@ func newCertAuthority(t *testing.T, caType types.CertAuthType, domain string) ty

return ca
}

func newPlugin(t *testing.T, integrationName string) *types.PluginV1 {
t.Helper()
return &types.PluginV1{
Metadata: types.Metadata{
Name: types.PluginTypeAWSIdentityCenter,
Labels: map[string]string{
types.HostedPluginLabel: "true",
},
},
Spec: types.PluginSpecV1{
Settings: &types.PluginSpecV1_AwsIc{
AwsIc: &types.PluginAWSICSettings{
IntegrationName: integrationName,
Region: "test-region",
Arn: "test-arn",
AccessListDefaultOwners: []string{"user1", "user2"},
ProvisioningSpec: &types.AWSICProvisioningSpec{
BaseUrl: "https://example.com",
},
},
},
},
}
}
85 changes: 85 additions & 0 deletions lib/fixtures/plugins.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
/*
* Teleport
* Copyright (C) 2024 Gravitational, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package fixtures

import (
"testing"

"github.com/gravitational/teleport/api/types"
)

// NewIdentityCenterPlugin returns a new types.PluginV1 with PluginSpecV1_AwsIc settings.
func NewIdentityCenterPlugin(t *testing.T, serviceProviderName, integrationName string) *types.PluginV1 {
t.Helper()
return &types.PluginV1{
Metadata: types.Metadata{
Name: types.PluginTypeAWSIdentityCenter,
Labels: map[string]string{
types.HostedPluginLabel: "true",
},
},
Spec: types.PluginSpecV1{
Settings: &types.PluginSpecV1_AwsIc{
AwsIc: &types.PluginAWSICSettings{
IntegrationName: integrationName,
Region: "test-region",
Arn: "test-arn",
AccessListDefaultOwners: []string{"user1", "user2"},
ProvisioningSpec: &types.AWSICProvisioningSpec{
BaseUrl: "https://example.com",
},
SamlIdpServiceProviderName: serviceProviderName,
},
},
},
}
}

// NewIdentityCenterPlugin returns a new types.PluginV1 with PluginSpecV1_Mattermost settings.
func NewMattermostPlugin(t *testing.T) *types.PluginV1 {
t.Helper()
return &types.PluginV1{
SubKind: types.PluginSubkindAccess,
Metadata: types.Metadata{
Labels: map[string]string{
"teleport.dev/hosted-plugin": "true",
},
Name: types.PluginTypeMattermost,
},
Spec: types.PluginSpecV1{
Settings: &types.PluginSpecV1_Mattermost{
Mattermost: &types.PluginMattermostSettings{
ServerUrl: "https://example.com",
Channel: "test_channel",
Team: "test_team",
ReportToEmail: "test@example.com",
},
},
},
Credentials: &types.PluginCredentialsV1{
Credentials: &types.PluginCredentialsV1_StaticCredentialsRef{
StaticCredentialsRef: &types.PluginStaticCredentialsRef{
Labels: map[string]string{
"plugin": "mattermost",
},
},
},
},
}
}
7 changes: 5 additions & 2 deletions lib/services/local/integrations.go
Original file line number Diff line number Diff line change
Expand Up @@ -213,8 +213,11 @@ func integrationReferencedByAWSICPlugin(ctx context.Context, bk backend.Backend,
continue
}

if pluginV1.GetType() == types.PluginType(types.PluginTypeAWSIdentityCenter) {
switch pluginV1.Spec.GetAwsIc().IntegrationName {
if pluginV1.GetType() != types.PluginType(types.PluginTypeAWSIdentityCenter) {
continue
}
if awsIC := pluginV1.Spec.GetAwsIc(); awsIC != nil {
switch awsIC.IntegrationName {
case name:
return nil, trace.BadParameter("cannot delete AWS OIDC integration currently referenced by AWS Identity Center integration %q", pluginV1.GetName())
default:
Expand Down
10 changes: 7 additions & 3 deletions lib/services/local/saml_idp_service_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -419,9 +419,13 @@ func spReferencedByAWSICPlugin(ctx context.Context, bk backend.Backend, serviceP
if !ok {
continue
}

if pluginV1.Spec.GetAwsIc().SamlIdpServiceProviderName == serviceProviderName {
return trace.BadParameter("cannot delete SAML service provider currently referenced by AWS Identity Center integration %q", pluginV1.GetName())
if pluginV1.GetType() != types.PluginType(types.PluginTypeAWSIdentityCenter) {
continue
}
if awsIC := pluginV1.Spec.GetAwsIc(); awsIC != nil {
if awsIC.SamlIdpServiceProviderName == serviceProviderName {
return trace.BadParameter("cannot delete SAML service provider currently referenced by AWS Identity Center integration %q", pluginV1.GetName())
}
}
}

Expand Down
31 changes: 4 additions & 27 deletions lib/services/local/saml_idp_service_provider_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ import (

"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/backend/memory"
"github.com/gravitational/teleport/lib/fixtures"
"github.com/gravitational/teleport/lib/services"
)

Expand Down Expand Up @@ -613,37 +614,13 @@ func TestDeleteSAMLServiceProviderWhenReferencedByPlugin(t *testing.T) {
require.NoError(t, samlService.CreateSAMLIdPServiceProvider(ctx, sp))

// service provider should not be deleted when referenced by the plugin.
require.NoError(t, pluginService.CreatePlugin(ctx, newPlugin(t, sp.GetName())))
require.NoError(t, pluginService.CreatePlugin(ctx, fixtures.NewIdentityCenterPlugin(t, sp.GetName(), sp.GetName())))
err = samlService.DeleteSAMLIdPServiceProvider(ctx, sp.GetName())
require.ErrorContains(t, err, "referenced by AWS Identity Center integration")

// service provider should be deleted once the referenced plugin itself is deleted.
// other existing plugin should not prevent SAML service provider from deletion.
require.NoError(t, pluginService.CreatePlugin(ctx, fixtures.NewMattermostPlugin(t)))
require.NoError(t, pluginService.DeletePlugin(ctx, types.PluginTypeAWSIdentityCenter))
require.NoError(t, samlService.DeleteSAMLIdPServiceProvider(ctx, sp.GetName()))
}

func newPlugin(t *testing.T, serviceProviderName string) *types.PluginV1 {
t.Helper()
return &types.PluginV1{
Metadata: types.Metadata{
Name: types.PluginTypeAWSIdentityCenter,
Labels: map[string]string{
types.HostedPluginLabel: "true",
},
},
Spec: types.PluginSpecV1{
Settings: &types.PluginSpecV1_AwsIc{
AwsIc: &types.PluginAWSICSettings{
IntegrationName: "test-integration",
Region: "test-region",
Arn: "test-arn",
AccessListDefaultOwners: []string{"user1", "user2"},
ProvisioningSpec: &types.AWSICProvisioningSpec{
BaseUrl: "https://example.com",
},
SamlIdpServiceProviderName: serviceProviderName,
},
},
},
}
}

0 comments on commit b894dd3

Please sign in to comment.