Exposes Identity Center accounts as Apps in Unified Resource Cache

[tcsc]

For the purposes of the UI, Identity Center accounts and account
assignments are treated like special Apps. This patch exposes
Account Assignments to the UI via the Unified Resource Cache.

Includes:

• Generating an App resource from an Identity Center Account resource
• General plumbing from backend through to cache and UI

[r0mant]

I think this would benefit from a review from someone on the scale team as well who is familiar with unified resources cache. @rosstimothy Who would be best to take a look?

@tcsc Also, I think we're getting overly excited about generics and iterators and should dial back. It is my strong opinion that they hurt readability a lot and we should be using them very sparingly and only if there's a really good reason. I think it took me 3x more time to review this than it should have because of trying to comprehend what all these templated types do and why are they needed and I strongly suspect we do not need any of them.

[rosstimothy]

How is this RFD 153 style resource going to work with the ListUnifiedResources RPC which requires a legacy gogo proto style resource? I thought when we discussed this in the past we decided that these should just be applications?

[tcsc]

Accounts gets converted to an App on read

[rosstimothy]

Why can't they be inserted into the unified resource cache as an app? Wouldn't that reduce/eliminate 90% of the complexity introduced in this PR?

[tcsc]

Mainly so they are governed by the RBAC conditions for Identity Center resources, rather than app resources.

[rosstimothy]

What can't RBAC be performed against the identity center resource if it detects the appropriate subkind?

[rosstimothy]

I'd suggest splitting this up into more focused PRs. There is a lot of what feels like glued on functionality that isn't directly related to unified resource caching being included here.

[rosstimothy]

Move this out into it's own PR and leave this PR solely dedicated to unified resource caching

[rosstimothy]

Should we really panic here?

[tcsc]

I'm not sure what the correct alternative is for resources that don't implement CloneResource, short of reflect.DeepCopy.

[smallinsky]

An alternative approach would be to validate this during the LegacyToResource153() call when the adapter is created. This would allow you to return an error if the object does not fulfill the required interfaces for cloning.

We can create a new private adapter like toLegacyResourceWithLabels to avoid aligning already exiting code what uses LegacyToResource153

[tcsc]

This is why I had a separate implementation in the first place.

[rosstimothy]

This might work now, but I can imagine that it will be too limiting for a resource that wants to customize this behavior in the future.

[flyinghermit]

The value of apiconstants.AWSConsoleURL is https://console.aws.amazon.com, which sends user to the root AWS console that lets them pick account with permission set. Since we want to launch users directly to AWS console with specific account+permission set, we need URL value that contains Identity Center instance ID and account ID.

In the POC, I used StartUrl field to contain such value https://github.com/gravitational/teleport.e/blob/sshah/idc-dev/lib/aws/identitycenter/accounts.go#L156. But in our current version, we have the StartUrl field defined but we missed to enrich the field with instance ID and account ID on initial account import.

tldr; We need to update the newIdentityCenterAccount func to enrich StartUrl field and the use the value here.

[tcsc]

Updated the references here. Will update the account constructor in a later PR.

[flyinghermit]

Given your another PR #49580 and that we use account assignment resource list to let user select desired permission set for access request, why do we need to include PermissionSets field and its value?

[tcsc]

Label matching removed and replaces with custom role matchers.

[smallinsky]

Could you lave a comment explaining the custom behavior for the types.KindIdentityCenterAccount kind ?

[smallinsky]

In current state the StartUrl is never set in our backend code:

e git:(tcsc/idc-ui) rg 'StartUrl'
web/teleport/src/services/upgradeWindow/upgradeWindow.ts
16:      .get(cfg.getWindowUpgradeStartUrl(clusterId))
31:      .post(cfg.getWindowUpgradeStartUrl(clusterId), req)

web/teleport/src/config.ts
182:  getWindowUpgradeStartUrl(clusterId: string) {

lib/aws/identitycenter/equal/equal_test.go
145:			StartUrl:            "https://example.com/start",
164:			StartUrl:            "https://example.com/start",

lib/aws/identitycenter/equal/account.go
21:		s1.GetStartUrl() == s2.GetStartUrl() &&

[tcsc]

This is coming in a change discussed with @flyinghermit

[smallinsky]

Right now the RequiresRequest field is never set:

teleport/lib/web/ui/app.go

Line 188 in 4bdc809

AssignmentName: srcPS.AssignmentName,

[tcsc]

This will be used when we filter the resources based on access.

[smallinsky]

Could you add a go docs ?

[smallinsky]

The json:camel_cases seems to be inconsistent with current json style for that uses PascalCase

https://github.com/gravitational/teleport/pull/49301/files#diff-f635fca1ca174ba271760ef6e8dbe4aa703df1ba9acde1ae8828b86fb8992631R68

[smallinsky]

The naming conventions are quite vague - the asmt.PermissionSet is passed to matchExpression as accountExpression:
m.matchExpression(*(m.permissionSetARN), asmt.PermissionSet)

However, the naming of the second parameter in matchExpression suggests that it should represent an accountExpression:

func (m *IdentityCenterMatcher) matchExpression(target, accountExpression string) (bool, error) {

This inconsistency in parameter naming can be confusing and might lead to misunderstandings about the purpose of the method nad match logic.

[smallinsky]

The AWS Account assignment in the business domain is defined as an accountID and permissionSetARN pair. How is it possible that an Account Assignment is missing the permissionSetARN element?

This creates confusion for the reader and demonstrates tight coupling in the current implementation. The matcher logic tries to couple two distinct objects.

I recommend splitting the matcher into separate matchers for each object. This would also help avoid logic like m.permissionSetARN == nil, which is unclear without a broader understanding of the context.

For example, it is not immediately obvious why the permissionSetARN can be empty when matching IdentityCenterAccountAssignments in current code

for _, asmt := range role.GetIdentityCenterAccountAssignments(condition) {
    accountMatches, err := m.matchExpression(m.accountID, asmt.Account)

    if !accountMatches {
        continue
    }
    // Why permissionSetARN is nil during  GetIdentityCenterAccountAssignment match check ? 
    if m.permissionSetARN == nil {
        return true, nil
    }

    psMatches, err := m.matchExpression(*(m.permissionSetARN), asmt.PermissionSet)
}

By decoupling the logic into separate matchers, the design would become clearer and easier to maintain and reason about business domain. It would also reduce the need for special-case-if logic.

[smallinsky]

Suggested change

	})
	}
	})
	}

[smallinsky]

An alternative approach would be to validate this during the LegacyToResource153() call when the adapter is created. This would allow you to return an error if the object does not fulfill the required interfaces for cloning.

We can create a new private adapter like toLegacyResourceWithLabels to avoid aligning already exiting code what uses LegacyToResource153

[smallinsky]

I have left some comment/suggestion

Also and wonder about:
#49301 (comment)

it feels like it’s attempting to introduce multiple changes at once—such as RBAC > checks, backend updates, and adding new resources.

To make the review process more efficient and focused it might be helpful to break > these changes into separate smaller PRs his way each part can be reviewed and > discussed independently.

For example - the PR description mentions: Exposes Identity Center accounts as Apps > in Unified Resource Cache but it’s not immediately clear how or why RBAC alignment > backend changes ** adding new resources** are tied to this goal.

Splitting the changes could make the purpose of each adjustment clearer and help reviewers better understand the overall intent.

I think that this is worth to consider as it could significantly improve the review process and the overall quality of the PR.

[r0mant]

This makes much more sense than the previous iteration, lgtm once remaining feedback has been addressed.

[r0mant]

Technically Okta apps also have a different display name because their actual name is an internal Okta ID. What do we use for them?

[r0mant]

Nit: We literally never use a namespace other than "default", do we really need a separate identityCenterActionNamespace method?

I would consider just keeping identityCenterAction and hardcoding apidefaults.Namespace to keep things a little simpler.

[r0mant]

Can any of these be nil?

[r0mant]

This has been here before though and I think "allow" and "deny" code paths are slightly different so may be tricky to factor out. I think it's ok to keep as-is.

[tcsc]

Moved RBAC in to another PR

[public-teleport-github-review-bot]

@tcsc See the table below for backport results.

Branch	Result
branch/v17	Failed