From 254035561331c4ecb1f53d5770a5bfadb69d06c3 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 17 Dec 2024 16:06:54 -0600 Subject: [PATCH 01/34] Protobuf and configuration for Access Graph Azure Discovery --- api/types/types.pb.go | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/api/types/types.pb.go b/api/types/types.pb.go index a49edaacc6d5b..baccdfd1835f1 100644 --- a/api/types/types.pb.go +++ b/api/types/types.pb.go @@ -50870,6 +50870,47 @@ func (m *AccessGraphAzureSync) MarshalTo(dAtA []byte) (int, error) { return m.MarshalToSizedBuffer(dAtA[:size]) } +func (m *AccessGraphAzureSync) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Integration) > 0 { + i -= len(m.Integration) + copy(dAtA[i:], m.Integration) + i = encodeVarintTypes(dAtA, i, uint64(len(m.Integration))) + i-- + dAtA[i] = 0x1a + } + if len(m.SubscriptionID) > 0 { + i -= len(m.SubscriptionID) + copy(dAtA[i:], m.SubscriptionID) + i = encodeVarintTypes(dAtA, i, uint64(len(m.SubscriptionID))) + i-- + dAtA[i] = 0x12 + } + return len(dAtA) - i, nil +} + +func (m *AccessGraphAzureSync) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *AccessGraphAzureSync) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + func (m *AccessGraphAzureSync) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i From 64a4c182dfa58492df7e6dd94a3a9ab2123d76a6 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 17 Dec 2024 16:49:05 -0600 Subject: [PATCH 02/34] Adding the Azure sync module functions along with new cloud client functionality --- go.mod | 1 + lib/cloud/azure/roleassignments.go | 57 +++++ lib/cloud/azure/roledefinitions.go | 57 +++++ lib/cloud/clients.go | 28 +- .../fetchers/azure-sync/msggraphclient.go | 240 ++++++++++++++++++ .../fetchers/azure-sync/principals.go | 82 ++++++ .../fetchers/azure-sync/reconcile.go | 165 ++++++++++++ .../fetchers/azure-sync/reconcile_test.go | 191 ++++++++++++++ .../fetchers/azure-sync/roleassignments.go | 63 +++++ .../fetchers/azure-sync/roledefinitions.go | 77 ++++++ .../fetchers/azure-sync/virtualmachines.go | 56 ++++ 11 files changed, 1016 insertions(+), 1 deletion(-) create mode 100644 lib/cloud/azure/roleassignments.go create mode 100644 lib/cloud/azure/roledefinitions.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/msggraphclient.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/principals.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/reconcile.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/reconcile_test.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/roleassignments.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/roledefinitions.go create mode 100644 lib/srv/discovery/fetchers/azure-sync/virtualmachines.go diff --git a/go.mod b/go.mod index 3c35132910093..168e6f92a6c0c 100644 --- a/go.mod +++ b/go.mod @@ -16,6 +16,7 @@ require ( connectrpc.com/connect v1.18.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.3.0 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0 diff --git a/lib/cloud/azure/roleassignments.go b/lib/cloud/azure/roleassignments.go new file mode 100644 index 0000000000000..114bceef88b96 --- /dev/null +++ b/lib/cloud/azure/roleassignments.go @@ -0,0 +1,57 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + "github.com/gravitational/trace" +) + +// RoleAssignmentsClient wraps the Azure API to provide a high level subset of functionality +type RoleAssignmentsClient struct { + cli *armauthorization.RoleAssignmentsClient +} + +// NewRoleAssignmentsClient creates a new client for a given subscription and credentials +func NewRoleAssignmentsClient(subscription string, cred azcore.TokenCredential, options *arm.ClientOptions) (*RoleAssignmentsClient, error) { + clientFactory, err := armauthorization.NewClientFactory(subscription, cred, options) + if err != nil { + return nil, trace.Wrap(err) + } + roleDefCli := clientFactory.NewRoleAssignmentsClient() + return &RoleAssignmentsClient{cli: roleDefCli}, nil +} + +// ListRoleAssignments returns role assignments for a given scope +func (c *RoleAssignmentsClient) ListRoleAssignments(ctx context.Context, scope string) ([]*armauthorization.RoleAssignment, error) { + pager := c.cli.NewListForScopePager(scope, nil) + var roleDefs []*armauthorization.RoleAssignment + for pager.More() { + page, err := pager.NextPage(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + roleDefs = append(roleDefs, page.Value...) + } + return roleDefs, nil +} diff --git a/lib/cloud/azure/roledefinitions.go b/lib/cloud/azure/roledefinitions.go new file mode 100644 index 0000000000000..cdc46196aa530 --- /dev/null +++ b/lib/cloud/azure/roledefinitions.go @@ -0,0 +1,57 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure + +import ( + "context" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + "github.com/gravitational/trace" +) + +// RoleDefinitionsClient wraps the Azure API to provide a high level subset of functionality +type RoleDefinitionsClient struct { + cli *armauthorization.RoleDefinitionsClient +} + +// NewRoleDefinitionsClient creates a new client for a given subscription and credentials +func NewRoleDefinitionsClient(subscription string, cred azcore.TokenCredential, options *arm.ClientOptions) (*RoleDefinitionsClient, error) { + clientFactory, err := armauthorization.NewClientFactory(subscription, cred, options) + if err != nil { + return nil, trace.Wrap(err) + } + roleDefCli := clientFactory.NewRoleDefinitionsClient() + return &RoleDefinitionsClient{cli: roleDefCli}, nil +} + +// ListRoleDefinitions returns role definitions for a given scope +func (c *RoleDefinitionsClient) ListRoleDefinitions(ctx context.Context, scope string) ([]*armauthorization.RoleDefinition, error) { + pager := c.cli.NewListPager(scope, nil) + var roleDefs []*armauthorization.RoleDefinition + for pager.More() { + page, err := pager.NextPage(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + roleDefs = append(roleDefs, page.Value...) + } + return roleDefs, nil +} diff --git a/lib/cloud/clients.go b/lib/cloud/clients.go index 99c2deb4001f0..ee4c228ddbb31 100644 --- a/lib/cloud/clients.go +++ b/lib/cloud/clients.go @@ -352,6 +352,10 @@ type azureClients struct { azurePostgresFlexServersClients azure.ClientMap[azure.PostgresFlexServersClient] // azureRunCommandClients contains the cached Azure Run Command clients. azureRunCommandClients azure.ClientMap[azure.RunCommandClient] + // azureRoleDefinitionsClients contains the cached Azure Role Definitions clients. + azureRoleDefinitionsClients azure.ClientMap[azure.RoleDefinitionsClient] + // azureRoleAssignmentsClients contains the cached Azure Role Assignments clients. + azureRoleAssignmentsClients azure.ClientMap[azure.RoleAssignmentsClient] } // credentialsSource defines where the credentials must come from. @@ -743,6 +747,16 @@ func (c *cloudClients) GetAzureRunCommandClient(subscription string) (azure.RunC return c.azureRunCommandClients.Get(subscription, c.GetAzureCredential) } +// GetAzureRoleDefinitionsClient returns an Azure Role Definitions client +func (c *cloudClients) GetAzureRoleDefinitionsClient(subscription string) (azure.RoleDefinitionsClient, error) { + return c.azureRoleDefinitionsClients.Get(subscription, c.GetAzureCredential) +} + +// GetAzureRoleAssignmentsClient returns an Azure Role Assignments client +func (c *cloudClients) GetAzureRoleAssignmentsClient(subscription string) (azure.RoleAssignmentsClient, error) { + return c.azureRoleAssignmentsClients.Get(subscription, c.GetAzureCredential) +} + // Close closes all initialized clients. func (c *cloudClients) Close() (err error) { c.mtx.Lock() @@ -1050,6 +1064,8 @@ type TestCloudClients struct { AzureMySQLFlex azure.MySQLFlexServersClient AzurePostgresFlex azure.PostgresFlexServersClient AzureRunCommand azure.RunCommandClient + AzureRoleDefinitions azure.RoleDefinitionsClient + AzureRoleAssignments azure.RoleAssignmentsClient } // GetAWSSession returns AWS session for the specified region, optionally @@ -1294,11 +1310,21 @@ func (c *TestCloudClients) GetAzurePostgresFlexServersClient(subscription string return c.AzurePostgresFlex, nil } -// GetAzureRunCommand returns an Azure Run Command client for the given subscription. +// GetAzureRunCommandClient returns an Azure Run Command client for the given subscription. func (c *TestCloudClients) GetAzureRunCommandClient(subscription string) (azure.RunCommandClient, error) { return c.AzureRunCommand, nil } +// GetAzureRoleDefinitionsClient returns an Azure Role Definitions client for the given subscription. +func (c *TestCloudClients) GetAzureRoleDefinitionsClient(subscription string) (azure.RoleDefinitionsClient, error) { + return c.AzureRoleDefinitions, nil +} + +// GetAzureRoleAssignmentsClient returns an Azure Role Assignments client for the given subscription. +func (c *TestCloudClients) GetAzureRoleAssignmentsClient(subscription string) (azure.RoleAssignmentsClient, error) { + return c.AzureRoleAssignments, nil +} + // Close closes all initialized clients. func (c *TestCloudClients) Close() error { return nil diff --git a/lib/srv/discovery/fetchers/azure-sync/msggraphclient.go b/lib/srv/discovery/fetchers/azure-sync/msggraphclient.go new file mode 100644 index 0000000000000..75d2960d7fa55 --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/msggraphclient.go @@ -0,0 +1,240 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure_sync + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" + "strings" + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" +) + +// GraphClient represents generic MS API client +type GraphClient struct { + token azcore.AccessToken +} + +const ( + usersSuffix = "users" + groupsSuffix = "groups" + servicePrincipalsSuffix = "servicePrincipals" + graphBaseURL = "https://graph.microsoft.com/v1.0" + httpTimeout = time.Second * 30 +) + +// graphError represents MS Graph error +type graphError struct { + E struct { + Code string `json:"code"` + Message string `json:"message"` + } `json:"error"` +} + +// genericGraphResponse represents the utility struct for parsing MS Graph API response +type genericGraphResponse struct { + Context string `json:"@odata.context"` + Count int `json:"@odata.count"` + NextLink string `json:"@odata.nextLink"` + Value json.RawMessage `json:"value"` +} + +// User represents user resource +type User struct { + ID string `json:"id"` + Name string `json:"displayName"` + MemberOf []Membership `json:"memberOf"` +} + +type Membership struct { + Type string `json:"@odata.type"` + ID string `json:"id"` +} + +// request represents generic request structure +type request struct { + // Method HTTP method + Method string + // URL which overrides URL construction + URL *string + // Path to a resource + Path string + // Expand $expand value + Expand []string + // Filter $filter value + Filter string + // Body request body + Body string + // Response represents template structure for a response + Response interface{} + // Err represents template structure for an error + Err error + // SuccessCode http code representing success + SuccessCode int +} + +// GetURL builds the request URL +func (r *request) GetURL() (string, error) { + if r.URL != nil { + return *r.URL, nil + } + u, err := url.Parse(graphBaseURL) + if err != nil { + return "", err + } + + data := url.Values{} + if len(r.Expand) > 0 { + data.Set("$expand", strings.Join(r.Expand, ",")) + } + if r.Filter != "" { + data.Set("$filter", r.Filter) + } + + u.Path = u.Path + "/" + r.Path + u.RawQuery = data.Encode() + + return u.String(), nil +} + +// NewGraphClient creates MS Graph API client +func NewGraphClient(token azcore.AccessToken) *GraphClient { + return &GraphClient{ + token: token, + } +} + +// Error returns error string +func (e graphError) Error() string { + return e.E.Code + " " + e.E.Message +} + +func (c *GraphClient) ListUsers(ctx context.Context) ([]User, error) { + return c.listIdentities(ctx, usersSuffix, []string{"memberOf"}) +} + +func (c *GraphClient) ListGroups(ctx context.Context) ([]User, error) { + return c.listIdentities(ctx, groupsSuffix, []string{"memberOf"}) +} + +func (c *GraphClient) ListServicePrincipals(ctx context.Context) ([]User, error) { + return c.listIdentities(ctx, servicePrincipalsSuffix, []string{"memberOf"}) +} + +func (c *GraphClient) listIdentities(ctx context.Context, idType string, expand []string) ([]User, error) { + var users []User + var nextLink *string + for { + g := &genericGraphResponse{} + req := request{ + Method: http.MethodGet, + Path: idType, + Expand: expand, + Response: &g, + Err: &graphError{}, + URL: nextLink, + } + err := c.request(ctx, req) + if err != nil { + return nil, err + } + var newUsers []User + err = json.NewDecoder(bytes.NewReader(g.Value)).Decode(&newUsers) + if err != nil { + return nil, err + } + users = append(users, newUsers...) + if g.NextLink == "" { + break + } + nextLink = &g.NextLink + } + + return users, nil +} + +// request sends the request to the graph/bot service and returns response body as bytes slice +func (c *GraphClient) request(ctx context.Context, req request) error { + reqUrl, err := req.GetURL() + if err != nil { + return err + } + + r, err := http.NewRequestWithContext(ctx, req.Method, reqUrl, strings.NewReader(req.Body)) + if err != nil { + return err + } + + r.Header.Set("Authorization", "Bearer "+c.token.Token) + r.Header.Set("Content-Type", "application/json") + + client := http.Client{Timeout: httpTimeout} + resp, err := client.Do(r) + if err != nil { + return err + } + + defer func(r *http.Response) { + _ = r.Body.Close() + }(resp) + + b, err := io.ReadAll(resp.Body) + if err != nil { + return err + } + + expectedCode := req.SuccessCode + if expectedCode == 0 { + expectedCode = http.StatusOK + } + + if expectedCode == resp.StatusCode { + if req.Response == nil { + return nil + } + + err := json.NewDecoder(bytes.NewReader(b)).Decode(req.Response) + if err != nil { + return err + } + } else { + if req.Err == nil { + return fmt.Errorf("Error requesting MS Graph API: %v", string(b)) + } + + err := json.NewDecoder(bytes.NewReader(b)).Decode(req.Err) + if err != nil { + return err + } + + if req.Err.Error() == "" { + return fmt.Errorf("Error requesting MS Graph API. Expected response code was %v, but is %v", expectedCode, resp.StatusCode) + } + + return req.Err + } + + return nil +} diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go new file mode 100644 index 0000000000000..850e0cb389f71 --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -0,0 +1,82 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure_sync + +import ( + "context" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "slices" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/gravitational/trace" + "google.golang.org/protobuf/types/known/timestamppb" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" +) + +const groupType = "#microsoft.graph.group" +const defaultGraphScope = "https://graph.microsoft.com/.default" + +// fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API +func fetchPrincipals(ctx context.Context, subscriptionID string, cred azcore.TokenCredential) ([]*accessgraphv1alpha.AzurePrincipal, error) { + // Get the graph client + scopes := []string{defaultGraphScope} + token, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: scopes}) + if err != nil { + return nil, trace.Wrap(err) + } + cli := NewGraphClient(token) + + // Fetch the users, groups, and managed identities + users, err := cli.ListUsers(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + groups, err := cli.ListGroups(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + svcPrincipals, err := cli.ListServicePrincipals(ctx) + if err != nil { + return nil, trace.Wrap(err) + } + principals := slices.Concat(users, groups, svcPrincipals) + + // Return the users as protobuf messages + pbPrincipals := make([]*accessgraphv1alpha.AzurePrincipal, 0, len(principals)) + for _, principal := range principals { + // Extract group membership + memberOf := make([]string, 0) + for _, member := range principal.MemberOf { + if member.Type == groupType { + memberOf = append(memberOf, member.ID) + } + } + // Create the protobuf principal and append it to the list + pbPrincipal := &accessgraphv1alpha.AzurePrincipal{ + Id: principal.ID, + SubscriptionId: subscriptionID, + LastSyncTime: timestamppb.Now(), + DisplayName: principal.Name, + MemberOf: memberOf, + } + pbPrincipals = append(pbPrincipals, pbPrincipal) + } + return pbPrincipals, nil +} diff --git a/lib/srv/discovery/fetchers/azure-sync/reconcile.go b/lib/srv/discovery/fetchers/azure-sync/reconcile.go new file mode 100644 index 0000000000000..2b54c8cfac911 --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/reconcile.go @@ -0,0 +1,165 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure_sync + +import ( + "fmt" + + "google.golang.org/protobuf/proto" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" + "github.com/gravitational/teleport/lib/srv/discovery/common" +) + +// MergeResources merges Azure resources fetched from multiple configured Azure fetchers +func MergeResources(results ...*Resources) *Resources { + if len(results) == 0 { + return &Resources{} + } + if len(results) == 1 { + return results[0] + } + result := &Resources{} + for _, r := range results { + result.Principals = append(result.Principals, r.Principals...) + result.RoleAssignments = append(result.RoleAssignments, r.RoleAssignments...) + result.RoleDefinitions = append(result.RoleDefinitions, r.RoleDefinitions...) + result.VirtualMachines = append(result.VirtualMachines, r.VirtualMachines...) + } + result.Principals = common.DeduplicateSlice(result.Principals, azurePrincipalsKey) + result.RoleAssignments = common.DeduplicateSlice(result.RoleAssignments, azureRoleAssignKey) + result.RoleDefinitions = common.DeduplicateSlice(result.RoleDefinitions, azureRoleDefKey) + result.VirtualMachines = common.DeduplicateSlice(result.VirtualMachines, azureVmKey) + return result +} + +// newResourceList creates a new resource list message +func newResourceList() *accessgraphv1alpha.AzureResourceList { + return &accessgraphv1alpha.AzureResourceList{ + Resources: make([]*accessgraphv1alpha.AzureResource, 0), + } +} + +// ReconcileResults compares previously and currently fetched results and determines which resources to upsert and +// which to delete. +func ReconcileResults(old *Resources, new *Resources) (upsert, delete *accessgraphv1alpha.AzureResourceList) { + upsert, delete = newResourceList(), newResourceList() + reconciledResources := []*reconcilePair{ + reconcile(old.Principals, new.Principals, azurePrincipalsKey, azurePrincipalsWrap), + reconcile(old.RoleAssignments, new.RoleAssignments, azureRoleAssignKey, azureRoleAssignWrap), + reconcile(old.RoleDefinitions, new.RoleDefinitions, azureRoleDefKey, azureRoleDefWrap), + reconcile(old.VirtualMachines, new.VirtualMachines, azureVmKey, azureVmWrap), + } + for _, res := range reconciledResources { + upsert.Resources = append(upsert.Resources, res.upsert.Resources...) + delete.Resources = append(delete.Resources, res.delete.Resources...) + } + return upsert, delete +} + +// reconcilePair contains the Azure resources to upsert and delete +type reconcilePair struct { + upsert, delete *accessgraphv1alpha.AzureResourceList +} + +// reconcile compares old and new items to build a list of resources to upsert and delete in the Access Graph +func reconcile[T proto.Message]( + oldItems []T, + newItems []T, + keyFn func(T) string, + wrapFn func(T) *accessgraphv1alpha.AzureResource, +) *reconcilePair { + // Remove duplicates from the new items + newItems = common.DeduplicateSlice(newItems, keyFn) + upsertRes := newResourceList() + deleteRes := newResourceList() + + // Delete all old items if there are no new items + if len(newItems) == 0 { + for _, item := range oldItems { + deleteRes.Resources = append(deleteRes.Resources, wrapFn(item)) + } + return &reconcilePair{upsertRes, deleteRes} + } + + // Create all new items if there are no old items + if len(oldItems) == 0 { + for _, item := range newItems { + upsertRes.Resources = append(upsertRes.Resources, wrapFn(item)) + } + return &reconcilePair{upsertRes, deleteRes} + } + + // Map old and new items by their key + oldMap := make(map[string]T, len(oldItems)) + for _, item := range oldItems { + oldMap[keyFn(item)] = item + } + newMap := make(map[string]T, len(newItems)) + for _, item := range newItems { + newMap[keyFn(item)] = item + } + + // Append new or modified items to the upsert list + for _, item := range newItems { + if oldItem, ok := oldMap[keyFn(item)]; !ok || !proto.Equal(oldItem, item) { + upsertRes.Resources = append(upsertRes.Resources, wrapFn(item)) + } + } + + // Append removed items to the delete list + for _, item := range oldItems { + if _, ok := newMap[keyFn(item)]; !ok { + deleteRes.Resources = append(deleteRes.Resources, wrapFn(item)) + } + } + return &reconcilePair{upsertRes, deleteRes} +} + +func azurePrincipalsKey(user *accessgraphv1alpha.AzurePrincipal) string { + return fmt.Sprintf("%s:%s", user.SubscriptionId, user.Id) +} + +func azurePrincipalsWrap(principal *accessgraphv1alpha.AzurePrincipal) *accessgraphv1alpha.AzureResource { + return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_Principal{Principal: principal}} +} + +func azureRoleAssignKey(roleAssign *accessgraphv1alpha.AzureRoleAssignment) string { + return fmt.Sprintf("%s:%s", roleAssign.SubscriptionId, roleAssign.Id) +} + +func azureRoleAssignWrap(roleAssign *accessgraphv1alpha.AzureRoleAssignment) *accessgraphv1alpha.AzureResource { + return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_RoleAssignment{RoleAssignment: roleAssign}} +} + +func azureRoleDefKey(roleDef *accessgraphv1alpha.AzureRoleDefinition) string { + return fmt.Sprintf("%s:%s", roleDef.SubscriptionId, roleDef.Id) +} + +func azureRoleDefWrap(roleDef *accessgraphv1alpha.AzureRoleDefinition) *accessgraphv1alpha.AzureResource { + return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_RoleDefinition{RoleDefinition: roleDef}} +} + +func azureVmKey(vm *accessgraphv1alpha.AzureVirtualMachine) string { + return fmt.Sprintf("%s:%s", vm.SubscriptionId, vm.Id) +} + +func azureVmWrap(vm *accessgraphv1alpha.AzureVirtualMachine) *accessgraphv1alpha.AzureResource { + return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_VirtualMachine{VirtualMachine: vm}} +} diff --git a/lib/srv/discovery/fetchers/azure-sync/reconcile_test.go b/lib/srv/discovery/fetchers/azure-sync/reconcile_test.go new file mode 100644 index 0000000000000..28b293bcf1f8d --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/reconcile_test.go @@ -0,0 +1,191 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ +package azure_sync + +import ( + "testing" + + "github.com/stretchr/testify/require" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" +) + +func TestReconcileResults(t *testing.T) { + principals := generatePrincipals() + roleDefs := generateRoleDefs() + roleAssigns := generateRoleAssigns() + vms := generateVms() + + tests := []struct { + oldResults *Resources + newResults *Resources + expectedUpserts *accessgraphv1alpha.AzureResourceList + expectedDeletes *accessgraphv1alpha.AzureResourceList + }{ + // Overlapping old and new results + { + oldResults: &Resources{ + Principals: principals[0:2], + RoleDefinitions: roleDefs[0:2], + RoleAssignments: roleAssigns[0:2], + VirtualMachines: vms[0:2], + }, + newResults: &Resources{ + Principals: principals[1:3], + RoleDefinitions: roleDefs[1:3], + RoleAssignments: roleAssigns[1:3], + VirtualMachines: vms[1:3], + }, + expectedUpserts: generateExpected(principals[2:3], roleDefs[2:3], roleAssigns[2:3], vms[2:3]), + expectedDeletes: generateExpected(principals[0:1], roleDefs[0:1], roleAssigns[0:1], vms[0:1]), + }, + // Completely new results + { + oldResults: &Resources{ + Principals: nil, + RoleDefinitions: nil, + RoleAssignments: nil, + VirtualMachines: nil, + }, + newResults: &Resources{ + Principals: principals[1:3], + RoleDefinitions: roleDefs[1:3], + RoleAssignments: roleAssigns[1:3], + VirtualMachines: vms[1:3], + }, + expectedUpserts: generateExpected(principals[1:3], roleDefs[1:3], roleAssigns[1:3], vms[1:3]), + expectedDeletes: generateExpected(nil, nil, nil, nil), + }, + // No new results + { + oldResults: &Resources{ + Principals: principals[1:3], + RoleDefinitions: roleDefs[1:3], + RoleAssignments: roleAssigns[1:3], + VirtualMachines: vms[1:3], + }, + newResults: &Resources{ + Principals: nil, + RoleDefinitions: nil, + RoleAssignments: nil, + VirtualMachines: nil, + }, + expectedUpserts: generateExpected(nil, nil, nil, nil), + expectedDeletes: generateExpected(principals[1:3], roleDefs[1:3], roleAssigns[1:3], vms[1:3]), + }, + } + + for _, tt := range tests { + upserts, deletes := ReconcileResults(tt.oldResults, tt.newResults) + require.ElementsMatch(t, upserts.Resources, tt.expectedUpserts.Resources) + require.ElementsMatch(t, deletes.Resources, tt.expectedDeletes.Resources) + } + +} + +func generateExpected( + principals []*accessgraphv1alpha.AzurePrincipal, + roleDefs []*accessgraphv1alpha.AzureRoleDefinition, + roleAssigns []*accessgraphv1alpha.AzureRoleAssignment, + vms []*accessgraphv1alpha.AzureVirtualMachine, +) *accessgraphv1alpha.AzureResourceList { + resList := &accessgraphv1alpha.AzureResourceList{ + Resources: make([]*accessgraphv1alpha.AzureResource, 0), + } + for _, principal := range principals { + resList.Resources = append(resList.Resources, azurePrincipalsWrap(principal)) + } + for _, roleDef := range roleDefs { + resList.Resources = append(resList.Resources, azureRoleDefWrap(roleDef)) + } + for _, roleAssign := range roleAssigns { + resList.Resources = append(resList.Resources, azureRoleAssignWrap(roleAssign)) + } + for _, vm := range vms { + resList.Resources = append(resList.Resources, azureVmWrap(vm)) + } + return resList +} + +func generatePrincipals() []*accessgraphv1alpha.AzurePrincipal { + return []*accessgraphv1alpha.AzurePrincipal{ + { + Id: "/principals/foo", + DisplayName: "userFoo", + }, + { + Id: "/principals/bar", + DisplayName: "userBar", + }, + { + Id: "/principals/charles", + DisplayName: "userCharles", + }, + } +} + +func generateRoleDefs() []*accessgraphv1alpha.AzureRoleDefinition { + return []*accessgraphv1alpha.AzureRoleDefinition{ + { + Id: "/roledefinitions/foo", + Name: "roleFoo", + }, + { + Id: "/roledefinitions/bar", + Name: "roleBar", + }, + { + Id: "/roledefinitions/charles", + Name: "roleCharles", + }, + } +} + +func generateRoleAssigns() []*accessgraphv1alpha.AzureRoleAssignment { + return []*accessgraphv1alpha.AzureRoleAssignment{ + { + Id: "/roleassignments/foo", + PrincipalId: "userFoo", + }, + { + Id: "/roleassignments/bar", + PrincipalId: "userBar", + }, + { + Id: "/roleassignments/charles", + PrincipalId: "userCharles", + }, + } +} + +func generateVms() []*accessgraphv1alpha.AzureVirtualMachine { + return []*accessgraphv1alpha.AzureVirtualMachine{ + { + Id: "/vms/foo", + Name: "userFoo", + }, + { + Id: "/vms/bar", + Name: "userBar", + }, + { + Id: "/vms/charles", + Name: "userCharles", + }, + } +} diff --git a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go new file mode 100644 index 0000000000000..58cfa89c8ae3e --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go @@ -0,0 +1,63 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure_sync + +import ( + "context" + "fmt" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + + "github.com/gravitational/trace" + "google.golang.org/protobuf/types/known/timestamppb" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" +) + +// RoleAssignmentsClient specifies the methods used to fetch role assignments from Azure +type RoleAssignmentsClient interface { + ListRoleAssignments(ctx context.Context, scope string) ([]*armauthorization.RoleAssignment, error) +} + +// fetchRoleAssignments fetches Azure role assignments using the Azure role assignments API +func fetchRoleAssignments( + ctx context.Context, + subscriptionID string, + cli RoleAssignmentsClient, +) ([]*accessgraphv1alpha.AzureRoleAssignment, error) { + // List the role definitions + roleAssigns, err := cli.ListRoleAssignments(ctx, fmt.Sprintf("/subscriptions/%s", subscriptionID)) + if err != nil { + return nil, trace.Wrap(err) + } + + // Convert to protobuf format + pbRoleAssigns := make([]*accessgraphv1alpha.AzureRoleAssignment, 0, len(roleAssigns)) + for _, roleAssign := range roleAssigns { + pbRoleAssign := &accessgraphv1alpha.AzureRoleAssignment{ + Id: *roleAssign.ID, + SubscriptionId: subscriptionID, + LastSyncTime: timestamppb.Now(), + PrincipalId: *roleAssign.Properties.PrincipalID, + RoleDefinitionId: *roleAssign.Properties.RoleDefinitionID, + Scope: *roleAssign.Properties.Scope, + } + pbRoleAssigns = append(pbRoleAssigns, pbRoleAssign) + } + return pbRoleAssigns, nil +} diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go new file mode 100644 index 0000000000000..3af31524f47b0 --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -0,0 +1,77 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure_sync + +import ( + "context" + "fmt" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + + "github.com/gravitational/trace" + "google.golang.org/protobuf/types/known/timestamppb" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" +) + +// RoleDefinitionsClient specifies the methods used to fetch roles from Azure +type RoleDefinitionsClient interface { + ListRoleDefinitions(ctx context.Context, scope string) ([]*armauthorization.RoleDefinition, error) +} + +func (a *Fetcher) fetchRoleDefinitions( + ctx context.Context, + subscriptionID string, + cli RoleDefinitionsClient, +) ([]*accessgraphv1alpha.AzureRoleDefinition, error) { + // List the role definitions + roleDefs, err := cli.ListRoleDefinitions(ctx, fmt.Sprintf("/subscriptions/%s", subscriptionID)) + if err != nil { + return nil, trace.Wrap(err) + } + + // Convert to protobuf format + pbRoleDefs := make([]*accessgraphv1alpha.AzureRoleDefinition, 0, len(roleDefs)) + for _, roleDef := range roleDefs { + pbPerms := make([]*accessgraphv1alpha.AzureRBACPermission, 0, len(roleDef.Properties.Permissions)) + for _, perm := range roleDef.Properties.Permissions { + pbPerm := accessgraphv1alpha.AzureRBACPermission{ + Actions: ptrsToList(perm.Actions), + NotActions: ptrsToList(perm.NotActions), + } + pbPerms = append(pbPerms, &pbPerm) + } + pbRoleDef := &accessgraphv1alpha.AzureRoleDefinition{ + Id: *roleDef.ID, + Name: *roleDef.Properties.RoleName, + SubscriptionId: a.SubscriptionID, + LastSyncTime: timestamppb.Now(), + Permissions: pbPerms, + } + pbRoleDefs = append(pbRoleDefs, pbRoleDef) + } + return pbRoleDefs, nil +} + +func ptrsToList(ptrs []*string) []string { + strList := make([]string, 0, len(ptrs)) + for _, ptr := range ptrs { + strList = append(strList, *ptr) + } + return strList +} diff --git a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go new file mode 100644 index 0000000000000..39477cf096ade --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go @@ -0,0 +1,56 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package azure_sync + +import ( + "context" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6" + + "github.com/gravitational/trace" + "google.golang.org/protobuf/types/known/timestamppb" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" +) + +const allResourceGroups = "*" + +// VirtualMachinesClient specifies the methods used to fetch virtual machines from Azure +type VirtualMachinesClient interface { + ListVirtualMachines(ctx context.Context, resourceGroup string) ([]*armcompute.VirtualMachine, error) +} + +func fetchVirtualMachines(ctx context.Context, subscriptionID string, cli VirtualMachinesClient) ([]*accessgraphv1alpha.AzureVirtualMachine, error) { + vms, err := cli.ListVirtualMachines(ctx, allResourceGroups) + if err != nil { + return nil, trace.Wrap(err) + } + + // Return the VMs as protobuf messages + pbVms := make([]*accessgraphv1alpha.AzureVirtualMachine, 0, len(vms)) + for _, vm := range vms { + pbVm := accessgraphv1alpha.AzureVirtualMachine{ + Id: *vm.ID, + SubscriptionId: subscriptionID, + LastSyncTime: timestamppb.Now(), + Name: *vm.Name, + } + pbVms = append(pbVms, &pbVm) + } + return pbVms, nil +} From 666b4823899b9b3eda4d92e28ed9d572b4b2b2f0 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 17 Dec 2024 16:58:20 -0600 Subject: [PATCH 03/34] Forgot to decouple role definitions fetching function from the fetcher --- lib/srv/discovery/fetchers/azure-sync/roledefinitions.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go index 3af31524f47b0..35dfce444188c 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -34,7 +34,7 @@ type RoleDefinitionsClient interface { ListRoleDefinitions(ctx context.Context, scope string) ([]*armauthorization.RoleDefinition, error) } -func (a *Fetcher) fetchRoleDefinitions( +func fetchRoleDefinitions( ctx context.Context, subscriptionID string, cli RoleDefinitionsClient, @@ -59,7 +59,7 @@ func (a *Fetcher) fetchRoleDefinitions( pbRoleDef := &accessgraphv1alpha.AzureRoleDefinition{ Id: *roleDef.ID, Name: *roleDef.Properties.RoleName, - SubscriptionId: a.SubscriptionID, + SubscriptionId: subscriptionID, LastSyncTime: timestamppb.Now(), Permissions: pbPerms, } From 64ee74ca28cff147d75b385a09aa96df74515f34 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 17 Dec 2024 17:12:53 -0600 Subject: [PATCH 04/34] Moving reconciliation to the upstream azure sync PR --- .../fetchers/azure-sync/reconcile.go | 165 ------------------ 1 file changed, 165 deletions(-) delete mode 100644 lib/srv/discovery/fetchers/azure-sync/reconcile.go diff --git a/lib/srv/discovery/fetchers/azure-sync/reconcile.go b/lib/srv/discovery/fetchers/azure-sync/reconcile.go deleted file mode 100644 index 2b54c8cfac911..0000000000000 --- a/lib/srv/discovery/fetchers/azure-sync/reconcile.go +++ /dev/null @@ -1,165 +0,0 @@ -/* - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -package azure_sync - -import ( - "fmt" - - "google.golang.org/protobuf/proto" - - accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" - "github.com/gravitational/teleport/lib/srv/discovery/common" -) - -// MergeResources merges Azure resources fetched from multiple configured Azure fetchers -func MergeResources(results ...*Resources) *Resources { - if len(results) == 0 { - return &Resources{} - } - if len(results) == 1 { - return results[0] - } - result := &Resources{} - for _, r := range results { - result.Principals = append(result.Principals, r.Principals...) - result.RoleAssignments = append(result.RoleAssignments, r.RoleAssignments...) - result.RoleDefinitions = append(result.RoleDefinitions, r.RoleDefinitions...) - result.VirtualMachines = append(result.VirtualMachines, r.VirtualMachines...) - } - result.Principals = common.DeduplicateSlice(result.Principals, azurePrincipalsKey) - result.RoleAssignments = common.DeduplicateSlice(result.RoleAssignments, azureRoleAssignKey) - result.RoleDefinitions = common.DeduplicateSlice(result.RoleDefinitions, azureRoleDefKey) - result.VirtualMachines = common.DeduplicateSlice(result.VirtualMachines, azureVmKey) - return result -} - -// newResourceList creates a new resource list message -func newResourceList() *accessgraphv1alpha.AzureResourceList { - return &accessgraphv1alpha.AzureResourceList{ - Resources: make([]*accessgraphv1alpha.AzureResource, 0), - } -} - -// ReconcileResults compares previously and currently fetched results and determines which resources to upsert and -// which to delete. -func ReconcileResults(old *Resources, new *Resources) (upsert, delete *accessgraphv1alpha.AzureResourceList) { - upsert, delete = newResourceList(), newResourceList() - reconciledResources := []*reconcilePair{ - reconcile(old.Principals, new.Principals, azurePrincipalsKey, azurePrincipalsWrap), - reconcile(old.RoleAssignments, new.RoleAssignments, azureRoleAssignKey, azureRoleAssignWrap), - reconcile(old.RoleDefinitions, new.RoleDefinitions, azureRoleDefKey, azureRoleDefWrap), - reconcile(old.VirtualMachines, new.VirtualMachines, azureVmKey, azureVmWrap), - } - for _, res := range reconciledResources { - upsert.Resources = append(upsert.Resources, res.upsert.Resources...) - delete.Resources = append(delete.Resources, res.delete.Resources...) - } - return upsert, delete -} - -// reconcilePair contains the Azure resources to upsert and delete -type reconcilePair struct { - upsert, delete *accessgraphv1alpha.AzureResourceList -} - -// reconcile compares old and new items to build a list of resources to upsert and delete in the Access Graph -func reconcile[T proto.Message]( - oldItems []T, - newItems []T, - keyFn func(T) string, - wrapFn func(T) *accessgraphv1alpha.AzureResource, -) *reconcilePair { - // Remove duplicates from the new items - newItems = common.DeduplicateSlice(newItems, keyFn) - upsertRes := newResourceList() - deleteRes := newResourceList() - - // Delete all old items if there are no new items - if len(newItems) == 0 { - for _, item := range oldItems { - deleteRes.Resources = append(deleteRes.Resources, wrapFn(item)) - } - return &reconcilePair{upsertRes, deleteRes} - } - - // Create all new items if there are no old items - if len(oldItems) == 0 { - for _, item := range newItems { - upsertRes.Resources = append(upsertRes.Resources, wrapFn(item)) - } - return &reconcilePair{upsertRes, deleteRes} - } - - // Map old and new items by their key - oldMap := make(map[string]T, len(oldItems)) - for _, item := range oldItems { - oldMap[keyFn(item)] = item - } - newMap := make(map[string]T, len(newItems)) - for _, item := range newItems { - newMap[keyFn(item)] = item - } - - // Append new or modified items to the upsert list - for _, item := range newItems { - if oldItem, ok := oldMap[keyFn(item)]; !ok || !proto.Equal(oldItem, item) { - upsertRes.Resources = append(upsertRes.Resources, wrapFn(item)) - } - } - - // Append removed items to the delete list - for _, item := range oldItems { - if _, ok := newMap[keyFn(item)]; !ok { - deleteRes.Resources = append(deleteRes.Resources, wrapFn(item)) - } - } - return &reconcilePair{upsertRes, deleteRes} -} - -func azurePrincipalsKey(user *accessgraphv1alpha.AzurePrincipal) string { - return fmt.Sprintf("%s:%s", user.SubscriptionId, user.Id) -} - -func azurePrincipalsWrap(principal *accessgraphv1alpha.AzurePrincipal) *accessgraphv1alpha.AzureResource { - return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_Principal{Principal: principal}} -} - -func azureRoleAssignKey(roleAssign *accessgraphv1alpha.AzureRoleAssignment) string { - return fmt.Sprintf("%s:%s", roleAssign.SubscriptionId, roleAssign.Id) -} - -func azureRoleAssignWrap(roleAssign *accessgraphv1alpha.AzureRoleAssignment) *accessgraphv1alpha.AzureResource { - return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_RoleAssignment{RoleAssignment: roleAssign}} -} - -func azureRoleDefKey(roleDef *accessgraphv1alpha.AzureRoleDefinition) string { - return fmt.Sprintf("%s:%s", roleDef.SubscriptionId, roleDef.Id) -} - -func azureRoleDefWrap(roleDef *accessgraphv1alpha.AzureRoleDefinition) *accessgraphv1alpha.AzureResource { - return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_RoleDefinition{RoleDefinition: roleDef}} -} - -func azureVmKey(vm *accessgraphv1alpha.AzureVirtualMachine) string { - return fmt.Sprintf("%s:%s", vm.SubscriptionId, vm.Id) -} - -func azureVmWrap(vm *accessgraphv1alpha.AzureVirtualMachine) *accessgraphv1alpha.AzureResource { - return &accessgraphv1alpha.AzureResource{Resource: &accessgraphv1alpha.AzureResource_VirtualMachine{VirtualMachine: vm}} -} From f4ed0e3eecb0dc33cfe7edce968639c2252be423 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 17 Dec 2024 17:15:42 -0600 Subject: [PATCH 05/34] Moving reconciliation test to the upstream azure sync PR --- .../fetchers/azure-sync/reconcile_test.go | 191 ------------------ 1 file changed, 191 deletions(-) delete mode 100644 lib/srv/discovery/fetchers/azure-sync/reconcile_test.go diff --git a/lib/srv/discovery/fetchers/azure-sync/reconcile_test.go b/lib/srv/discovery/fetchers/azure-sync/reconcile_test.go deleted file mode 100644 index 28b293bcf1f8d..0000000000000 --- a/lib/srv/discovery/fetchers/azure-sync/reconcile_test.go +++ /dev/null @@ -1,191 +0,0 @@ -/* - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ -package azure_sync - -import ( - "testing" - - "github.com/stretchr/testify/require" - - accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" -) - -func TestReconcileResults(t *testing.T) { - principals := generatePrincipals() - roleDefs := generateRoleDefs() - roleAssigns := generateRoleAssigns() - vms := generateVms() - - tests := []struct { - oldResults *Resources - newResults *Resources - expectedUpserts *accessgraphv1alpha.AzureResourceList - expectedDeletes *accessgraphv1alpha.AzureResourceList - }{ - // Overlapping old and new results - { - oldResults: &Resources{ - Principals: principals[0:2], - RoleDefinitions: roleDefs[0:2], - RoleAssignments: roleAssigns[0:2], - VirtualMachines: vms[0:2], - }, - newResults: &Resources{ - Principals: principals[1:3], - RoleDefinitions: roleDefs[1:3], - RoleAssignments: roleAssigns[1:3], - VirtualMachines: vms[1:3], - }, - expectedUpserts: generateExpected(principals[2:3], roleDefs[2:3], roleAssigns[2:3], vms[2:3]), - expectedDeletes: generateExpected(principals[0:1], roleDefs[0:1], roleAssigns[0:1], vms[0:1]), - }, - // Completely new results - { - oldResults: &Resources{ - Principals: nil, - RoleDefinitions: nil, - RoleAssignments: nil, - VirtualMachines: nil, - }, - newResults: &Resources{ - Principals: principals[1:3], - RoleDefinitions: roleDefs[1:3], - RoleAssignments: roleAssigns[1:3], - VirtualMachines: vms[1:3], - }, - expectedUpserts: generateExpected(principals[1:3], roleDefs[1:3], roleAssigns[1:3], vms[1:3]), - expectedDeletes: generateExpected(nil, nil, nil, nil), - }, - // No new results - { - oldResults: &Resources{ - Principals: principals[1:3], - RoleDefinitions: roleDefs[1:3], - RoleAssignments: roleAssigns[1:3], - VirtualMachines: vms[1:3], - }, - newResults: &Resources{ - Principals: nil, - RoleDefinitions: nil, - RoleAssignments: nil, - VirtualMachines: nil, - }, - expectedUpserts: generateExpected(nil, nil, nil, nil), - expectedDeletes: generateExpected(principals[1:3], roleDefs[1:3], roleAssigns[1:3], vms[1:3]), - }, - } - - for _, tt := range tests { - upserts, deletes := ReconcileResults(tt.oldResults, tt.newResults) - require.ElementsMatch(t, upserts.Resources, tt.expectedUpserts.Resources) - require.ElementsMatch(t, deletes.Resources, tt.expectedDeletes.Resources) - } - -} - -func generateExpected( - principals []*accessgraphv1alpha.AzurePrincipal, - roleDefs []*accessgraphv1alpha.AzureRoleDefinition, - roleAssigns []*accessgraphv1alpha.AzureRoleAssignment, - vms []*accessgraphv1alpha.AzureVirtualMachine, -) *accessgraphv1alpha.AzureResourceList { - resList := &accessgraphv1alpha.AzureResourceList{ - Resources: make([]*accessgraphv1alpha.AzureResource, 0), - } - for _, principal := range principals { - resList.Resources = append(resList.Resources, azurePrincipalsWrap(principal)) - } - for _, roleDef := range roleDefs { - resList.Resources = append(resList.Resources, azureRoleDefWrap(roleDef)) - } - for _, roleAssign := range roleAssigns { - resList.Resources = append(resList.Resources, azureRoleAssignWrap(roleAssign)) - } - for _, vm := range vms { - resList.Resources = append(resList.Resources, azureVmWrap(vm)) - } - return resList -} - -func generatePrincipals() []*accessgraphv1alpha.AzurePrincipal { - return []*accessgraphv1alpha.AzurePrincipal{ - { - Id: "/principals/foo", - DisplayName: "userFoo", - }, - { - Id: "/principals/bar", - DisplayName: "userBar", - }, - { - Id: "/principals/charles", - DisplayName: "userCharles", - }, - } -} - -func generateRoleDefs() []*accessgraphv1alpha.AzureRoleDefinition { - return []*accessgraphv1alpha.AzureRoleDefinition{ - { - Id: "/roledefinitions/foo", - Name: "roleFoo", - }, - { - Id: "/roledefinitions/bar", - Name: "roleBar", - }, - { - Id: "/roledefinitions/charles", - Name: "roleCharles", - }, - } -} - -func generateRoleAssigns() []*accessgraphv1alpha.AzureRoleAssignment { - return []*accessgraphv1alpha.AzureRoleAssignment{ - { - Id: "/roleassignments/foo", - PrincipalId: "userFoo", - }, - { - Id: "/roleassignments/bar", - PrincipalId: "userBar", - }, - { - Id: "/roleassignments/charles", - PrincipalId: "userCharles", - }, - } -} - -func generateVms() []*accessgraphv1alpha.AzureVirtualMachine { - return []*accessgraphv1alpha.AzureVirtualMachine{ - { - Id: "/vms/foo", - Name: "userFoo", - }, - { - Id: "/vms/bar", - Name: "userBar", - }, - { - Id: "/vms/charles", - Name: "userCharles", - }, - } -} From 597ba7998a9da870a62ce854a00fa7a65f0d3cfe Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 17 Dec 2024 17:29:20 -0600 Subject: [PATCH 06/34] Updating go.sum --- integrations/event-handler/go.mod | 1 + integrations/event-handler/go.sum | 6 ++++-- integrations/terraform/go.mod | 1 + integrations/terraform/go.sum | 4 ++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/integrations/event-handler/go.mod b/integrations/event-handler/go.mod index 19d919b359e39..2a4ec93e2f6ac 100644 --- a/integrations/event-handler/go.mod +++ b/integrations/event-handler/go.mod @@ -37,6 +37,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0 // indirect diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum index 1f0435df0d184..722ec657f427c 100644 --- a/integrations/event-handler/go.sum +++ b/integrations/event-handler/go.sum @@ -631,8 +631,10 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvUL github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 h1:zDeQI/PaWztI2tcrGO/9RIMey9NvqYbnyttf/0P3QWM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0/go.mod h1:HcZY0PHPo/7d75p99lB6lK0qYOP4vLRJUBpiehYXtLQ= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.3.0 h1:4ZTvMq5AWtRIPM06RzdfKwKyVJ0eUOfm4QUBVDQFqQ4= diff --git a/integrations/terraform/go.mod b/integrations/terraform/go.mod index 5222dc914a105..3f0a69be92443 100644 --- a/integrations/terraform/go.mod +++ b/integrations/terraform/go.mod @@ -43,6 +43,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.3.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi v1.2.0 // indirect diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum index 106e4e41c759b..3a089467eaca8 100644 --- a/integrations/terraform/go.sum +++ b/integrations/terraform/go.sum @@ -644,6 +644,10 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvUL github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 h1:zDeQI/PaWztI2tcrGO/9RIMey9NvqYbnyttf/0P3QWM= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q= From 1edb6de75ec06a78a6d37aaefe9f51fb7725bfd5 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 18 Dec 2024 15:14:34 -0600 Subject: [PATCH 07/34] Fixing rebase after protobuf gen --- api/types/types.pb.go | 41 ----------------------------------------- 1 file changed, 41 deletions(-) diff --git a/api/types/types.pb.go b/api/types/types.pb.go index baccdfd1835f1..a49edaacc6d5b 100644 --- a/api/types/types.pb.go +++ b/api/types/types.pb.go @@ -50870,47 +50870,6 @@ func (m *AccessGraphAzureSync) MarshalTo(dAtA []byte) (int, error) { return m.MarshalToSizedBuffer(dAtA[:size]) } -func (m *AccessGraphAzureSync) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.Integration) > 0 { - i -= len(m.Integration) - copy(dAtA[i:], m.Integration) - i = encodeVarintTypes(dAtA, i, uint64(len(m.Integration))) - i-- - dAtA[i] = 0x1a - } - if len(m.SubscriptionID) > 0 { - i -= len(m.SubscriptionID) - copy(dAtA[i:], m.SubscriptionID) - i = encodeVarintTypes(dAtA, i, uint64(len(m.SubscriptionID))) - i-- - dAtA[i] = 0x12 - } - return len(dAtA) - i, nil -} - -func (m *AccessGraphAzureSync) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *AccessGraphAzureSync) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - func (m *AccessGraphAzureSync) MarshalToSizedBuffer(dAtA []byte) (int, error) { i := len(dAtA) _ = i From 0f7a40593220cc22813cfb38aad4e23de2647334 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Thu, 19 Dec 2024 01:06:20 -0600 Subject: [PATCH 08/34] Nolinting until upstream PRs --- lib/srv/discovery/fetchers/azure-sync/principals.go | 8 ++++---- .../discovery/fetchers/azure-sync/roleassignments.go | 10 +++------- .../discovery/fetchers/azure-sync/roledefinitions.go | 12 ++++-------- .../discovery/fetchers/azure-sync/virtualmachines.go | 6 +++--- 4 files changed, 14 insertions(+), 22 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 850e0cb389f71..f20878e7e3a61 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -20,9 +20,9 @@ package azure_sync import ( "context" - "github.com/Azure/azure-sdk-for-go/sdk/azcore" "slices" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" //nolint:unused // used in a dependent PR "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" @@ -30,11 +30,11 @@ import ( accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" ) -const groupType = "#microsoft.graph.group" -const defaultGraphScope = "https://graph.microsoft.com/.default" +const groupType = "#microsoft.graph.group" //nolint:unused // used in a dependent PR +const defaultGraphScope = "https://graph.microsoft.com/.default" //nolint:unused // used in a dependent PR // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API -func fetchPrincipals(ctx context.Context, subscriptionID string, cred azcore.TokenCredential) ([]*accessgraphv1alpha.AzurePrincipal, error) { +func fetchPrincipals(ctx context.Context, subscriptionID string, cred azcore.TokenCredential) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // used in a dependent PR // Get the graph client scopes := []string{defaultGraphScope} token, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: scopes}) diff --git a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go index 58cfa89c8ae3e..0844b22a4fc94 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go +++ b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go @@ -20,9 +20,9 @@ package azure_sync import ( "context" - "fmt" - "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + "fmt" //nolint:unused // used in a dependent PR + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" @@ -35,11 +35,7 @@ type RoleAssignmentsClient interface { } // fetchRoleAssignments fetches Azure role assignments using the Azure role assignments API -func fetchRoleAssignments( - ctx context.Context, - subscriptionID string, - cli RoleAssignmentsClient, -) ([]*accessgraphv1alpha.AzureRoleAssignment, error) { +func fetchRoleAssignments(ctx context.Context, subscriptionID string, cli RoleAssignmentsClient) ([]*accessgraphv1alpha.AzureRoleAssignment, error) { //nolint:unused // invoked in a dependent PR // List the role definitions roleAssigns, err := cli.ListRoleAssignments(ctx, fmt.Sprintf("/subscriptions/%s", subscriptionID)) if err != nil { diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go index 35dfce444188c..03b5c38f9a056 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -20,9 +20,9 @@ package azure_sync import ( "context" - "fmt" - "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" + "fmt" //nolint:golint // used in a dependent PR + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" @@ -34,11 +34,7 @@ type RoleDefinitionsClient interface { ListRoleDefinitions(ctx context.Context, scope string) ([]*armauthorization.RoleDefinition, error) } -func fetchRoleDefinitions( - ctx context.Context, - subscriptionID string, - cli RoleDefinitionsClient, -) ([]*accessgraphv1alpha.AzureRoleDefinition, error) { +func fetchRoleDefinitions(ctx context.Context, subscriptionID string, cli RoleDefinitionsClient) ([]*accessgraphv1alpha.AzureRoleDefinition, error) { //nolint:unused // used in a dependent PR // List the role definitions roleDefs, err := cli.ListRoleDefinitions(ctx, fmt.Sprintf("/subscriptions/%s", subscriptionID)) if err != nil { @@ -68,7 +64,7 @@ func fetchRoleDefinitions( return pbRoleDefs, nil } -func ptrsToList(ptrs []*string) []string { +func ptrsToList(ptrs []*string) []string { //nolint:unused // used in a dependent PR strList := make([]string, 0, len(ptrs)) for _, ptr := range ptrs { strList = append(strList, *ptr) diff --git a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go index 39477cf096ade..743061b5d0f9a 100644 --- a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go +++ b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go @@ -20,22 +20,22 @@ package azure_sync import ( "context" - "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6" + "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" ) -const allResourceGroups = "*" +const allResourceGroups = "*" //nolint:unused // used in a dependent PR // VirtualMachinesClient specifies the methods used to fetch virtual machines from Azure type VirtualMachinesClient interface { ListVirtualMachines(ctx context.Context, resourceGroup string) ([]*armcompute.VirtualMachine, error) } -func fetchVirtualMachines(ctx context.Context, subscriptionID string, cli VirtualMachinesClient) ([]*accessgraphv1alpha.AzureVirtualMachine, error) { +func fetchVirtualMachines(ctx context.Context, subscriptionID string, cli VirtualMachinesClient) ([]*accessgraphv1alpha.AzureVirtualMachine, error) { //nolint:unused // invoked in a dependent PR vms, err := cli.ListVirtualMachines(ctx, allResourceGroups) if err != nil { return nil, trace.Wrap(err) From 1fa09cf40f40f0bd56ec6386761a947eb21fd447 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Thu, 19 Dec 2024 17:47:38 -0600 Subject: [PATCH 09/34] Updating to use existing msgraph client --- lib/msgraph/models.go | 10 +- lib/msgraph/paginated.go | 17 +- .../fetchers/azure-sync/msggraphclient.go | 240 ------------------ .../fetchers/azure-sync/principals.go | 92 ++++--- 4 files changed, 82 insertions(+), 277 deletions(-) delete mode 100644 lib/srv/discovery/fetchers/azure-sync/msggraphclient.go diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go index 52c3e97cfec7b..4f2181f81055d 100644 --- a/lib/msgraph/models.go +++ b/lib/msgraph/models.go @@ -28,9 +28,15 @@ type GroupMember interface { isGroupMember() } +type Membership struct { + Type string `json:"@odata.type"` + ID string `json:"id"` +} + type DirectoryObject struct { - ID *string `json:"id,omitempty"` - DisplayName *string `json:"displayName,omitempty"` + ID *string `json:"id,omitempty"` + DisplayName *string `json:"displayName,omitempty"` + MemberOf []Membership `json:"memberOf,omitempty"` } type Group struct { diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 51c587f19d074..cc25162ef849f 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -54,7 +54,14 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f fun func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMessage) bool) error { uri := *c.baseURL uri.Path = path.Join(uri.Path, endpoint) - uri.RawQuery = url.Values{"$top": {strconv.Itoa(c.pageSize)}}.Encode() + uri.RawQuery = url.Values{ + "$top": { + strconv.Itoa(c.pageSize), + }, + "$expand": { + "memberOf", + }, + }.Encode() uriString := uri.String() for uriString != "" { resp, err := c.request(ctx, http.MethodGet, uriString, nil) @@ -101,6 +108,14 @@ func (c *Client) IterateUsers(ctx context.Context, f func(*User) bool) error { return iterateSimple(c, ctx, "users", f) } +// IterateServicePrincipals lists all service principals in the Entra ID directory using pagination. +// `f` will be called for each object in the result set. +// if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). +// Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. +func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal *ServicePrincipal) bool) error { + return iterateSimple(c, ctx, "servicePrincipals", f) +} + // IterateGroupMembers lists all members for the given Entra ID group using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). diff --git a/lib/srv/discovery/fetchers/azure-sync/msggraphclient.go b/lib/srv/discovery/fetchers/azure-sync/msggraphclient.go deleted file mode 100644 index 75d2960d7fa55..0000000000000 --- a/lib/srv/discovery/fetchers/azure-sync/msggraphclient.go +++ /dev/null @@ -1,240 +0,0 @@ -/* - * Teleport - * Copyright (C) 2024 Gravitational, Inc. - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -package azure_sync - -import ( - "bytes" - "context" - "encoding/json" - "fmt" - "io" - "net/http" - "net/url" - "strings" - "time" - - "github.com/Azure/azure-sdk-for-go/sdk/azcore" -) - -// GraphClient represents generic MS API client -type GraphClient struct { - token azcore.AccessToken -} - -const ( - usersSuffix = "users" - groupsSuffix = "groups" - servicePrincipalsSuffix = "servicePrincipals" - graphBaseURL = "https://graph.microsoft.com/v1.0" - httpTimeout = time.Second * 30 -) - -// graphError represents MS Graph error -type graphError struct { - E struct { - Code string `json:"code"` - Message string `json:"message"` - } `json:"error"` -} - -// genericGraphResponse represents the utility struct for parsing MS Graph API response -type genericGraphResponse struct { - Context string `json:"@odata.context"` - Count int `json:"@odata.count"` - NextLink string `json:"@odata.nextLink"` - Value json.RawMessage `json:"value"` -} - -// User represents user resource -type User struct { - ID string `json:"id"` - Name string `json:"displayName"` - MemberOf []Membership `json:"memberOf"` -} - -type Membership struct { - Type string `json:"@odata.type"` - ID string `json:"id"` -} - -// request represents generic request structure -type request struct { - // Method HTTP method - Method string - // URL which overrides URL construction - URL *string - // Path to a resource - Path string - // Expand $expand value - Expand []string - // Filter $filter value - Filter string - // Body request body - Body string - // Response represents template structure for a response - Response interface{} - // Err represents template structure for an error - Err error - // SuccessCode http code representing success - SuccessCode int -} - -// GetURL builds the request URL -func (r *request) GetURL() (string, error) { - if r.URL != nil { - return *r.URL, nil - } - u, err := url.Parse(graphBaseURL) - if err != nil { - return "", err - } - - data := url.Values{} - if len(r.Expand) > 0 { - data.Set("$expand", strings.Join(r.Expand, ",")) - } - if r.Filter != "" { - data.Set("$filter", r.Filter) - } - - u.Path = u.Path + "/" + r.Path - u.RawQuery = data.Encode() - - return u.String(), nil -} - -// NewGraphClient creates MS Graph API client -func NewGraphClient(token azcore.AccessToken) *GraphClient { - return &GraphClient{ - token: token, - } -} - -// Error returns error string -func (e graphError) Error() string { - return e.E.Code + " " + e.E.Message -} - -func (c *GraphClient) ListUsers(ctx context.Context) ([]User, error) { - return c.listIdentities(ctx, usersSuffix, []string{"memberOf"}) -} - -func (c *GraphClient) ListGroups(ctx context.Context) ([]User, error) { - return c.listIdentities(ctx, groupsSuffix, []string{"memberOf"}) -} - -func (c *GraphClient) ListServicePrincipals(ctx context.Context) ([]User, error) { - return c.listIdentities(ctx, servicePrincipalsSuffix, []string{"memberOf"}) -} - -func (c *GraphClient) listIdentities(ctx context.Context, idType string, expand []string) ([]User, error) { - var users []User - var nextLink *string - for { - g := &genericGraphResponse{} - req := request{ - Method: http.MethodGet, - Path: idType, - Expand: expand, - Response: &g, - Err: &graphError{}, - URL: nextLink, - } - err := c.request(ctx, req) - if err != nil { - return nil, err - } - var newUsers []User - err = json.NewDecoder(bytes.NewReader(g.Value)).Decode(&newUsers) - if err != nil { - return nil, err - } - users = append(users, newUsers...) - if g.NextLink == "" { - break - } - nextLink = &g.NextLink - } - - return users, nil -} - -// request sends the request to the graph/bot service and returns response body as bytes slice -func (c *GraphClient) request(ctx context.Context, req request) error { - reqUrl, err := req.GetURL() - if err != nil { - return err - } - - r, err := http.NewRequestWithContext(ctx, req.Method, reqUrl, strings.NewReader(req.Body)) - if err != nil { - return err - } - - r.Header.Set("Authorization", "Bearer "+c.token.Token) - r.Header.Set("Content-Type", "application/json") - - client := http.Client{Timeout: httpTimeout} - resp, err := client.Do(r) - if err != nil { - return err - } - - defer func(r *http.Response) { - _ = r.Body.Close() - }(resp) - - b, err := io.ReadAll(resp.Body) - if err != nil { - return err - } - - expectedCode := req.SuccessCode - if expectedCode == 0 { - expectedCode = http.StatusOK - } - - if expectedCode == resp.StatusCode { - if req.Response == nil { - return nil - } - - err := json.NewDecoder(bytes.NewReader(b)).Decode(req.Response) - if err != nil { - return err - } - } else { - if req.Err == nil { - return fmt.Errorf("Error requesting MS Graph API: %v", string(b)) - } - - err := json.NewDecoder(bytes.NewReader(b)).Decode(req.Err) - if err != nil { - return err - } - - if req.Err.Error() == "" { - return fmt.Errorf("Error requesting MS Graph API. Expected response code was %v, but is %v", expectedCode, resp.StatusCode) - } - - return req.Err - } - - return nil -} diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index f20878e7e3a61..757c78255ed46 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -20,63 +20,87 @@ package azure_sync import ( "context" - "slices" - - "github.com/Azure/azure-sdk-for-go/sdk/azcore" //nolint:unused // used in a dependent PR - "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/gravitational/teleport/lib/msgraph" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" ) -const groupType = "#microsoft.graph.group" //nolint:unused // used in a dependent PR -const defaultGraphScope = "https://graph.microsoft.com/.default" //nolint:unused // used in a dependent PR - // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API -func fetchPrincipals(ctx context.Context, subscriptionID string, cred azcore.TokenCredential) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // used in a dependent PR - // Get the graph client - scopes := []string{defaultGraphScope} - token, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: scopes}) +func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { + // Fetch the users, groups, and service principals + var users []*msgraph.User + err := cli.IterateUsers(ctx, func(user *msgraph.User) bool { + users = append(users, user) + return true + }) if err != nil { return nil, trace.Wrap(err) } - cli := NewGraphClient(token) - // Fetch the users, groups, and managed identities - users, err := cli.ListUsers(ctx) - if err != nil { - return nil, trace.Wrap(err) - } - groups, err := cli.ListGroups(ctx) + var groups []*msgraph.Group + err = cli.IterateGroups(ctx, func(group *msgraph.Group) bool { + groups = append(groups, group) + return true + }) if err != nil { return nil, trace.Wrap(err) } - svcPrincipals, err := cli.ListServicePrincipals(ctx) + + var servicePrincipals []*msgraph.ServicePrincipal + err = cli.IterateServicePrincipals(ctx, func(servicePrincipal *msgraph.ServicePrincipal) bool { + servicePrincipals = append(servicePrincipals, servicePrincipal) + return true + }) if err != nil { return nil, trace.Wrap(err) } - principals := slices.Concat(users, groups, svcPrincipals) - // Return the users as protobuf messages - pbPrincipals := make([]*accessgraphv1alpha.AzurePrincipal, 0, len(principals)) - for _, principal := range principals { - // Extract group membership - memberOf := make([]string, 0) - for _, member := range principal.MemberOf { - if member.Type == groupType { - memberOf = append(memberOf, member.ID) - } + // Return the users, groups, and service principals as protobuf messages + var pbPrincipals []*accessgraphv1alpha.AzurePrincipal + for _, user := range users { + var memberOf []string + for _, member := range user.MemberOf { + memberOf = append(memberOf, member.ID) + } + pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ + Id: *user.ID, + SubscriptionId: subscriptionID, + LastSyncTime: timestamppb.Now(), + DisplayName: *user.DisplayName, + MemberOf: memberOf, + ObjectType: "user", + }) + } + for _, group := range groups { + var memberOf []string + for _, member := range group.MemberOf { + memberOf = append(memberOf, member.ID) } - // Create the protobuf principal and append it to the list - pbPrincipal := &accessgraphv1alpha.AzurePrincipal{ - Id: principal.ID, + pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ + Id: *group.ID, SubscriptionId: subscriptionID, LastSyncTime: timestamppb.Now(), - DisplayName: principal.Name, + DisplayName: *group.DisplayName, MemberOf: memberOf, + ObjectType: "group", + }) + } + for _, sp := range servicePrincipals { + var memberOf []string + for _, member := range sp.MemberOf { + memberOf = append(memberOf, member.ID) } - pbPrincipals = append(pbPrincipals, pbPrincipal) + pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ + Id: *sp.ID, + SubscriptionId: subscriptionID, + LastSyncTime: timestamppb.Now(), + DisplayName: *sp.DisplayName, + MemberOf: memberOf, + ObjectType: "servicePrincipal", + }) } + return pbPrincipals, nil } From 3b70c0b031ca66caa1cb718e6711a1d40915eb9e Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Thu, 19 Dec 2024 20:54:10 -0600 Subject: [PATCH 10/34] Adding protection around nil values --- .../fetchers/azure-sync/principals.go | 21 +++++++++++++++---- .../fetchers/azure-sync/roleassignments.go | 13 ++++++++++-- .../fetchers/azure-sync/roledefinitions.go | 18 ++++++++++++++-- .../fetchers/azure-sync/virtualmachines.go | 7 ++++++- 4 files changed, 50 insertions(+), 9 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 757c78255ed46..0cd9572f06212 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -20,15 +20,16 @@ package azure_sync import ( "context" - "github.com/gravitational/teleport/lib/msgraph" + "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" + "github.com/gravitational/teleport/lib/msgraph" ) // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API -func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { +func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint: unused // invoked in a dependent PR // Fetch the users, groups, and service principals var users []*msgraph.User err := cli.IterateUsers(ctx, func(user *msgraph.User) bool { @@ -58,8 +59,13 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl } // Return the users, groups, and service principals as protobuf messages + var fetchErrs []error var pbPrincipals []*accessgraphv1alpha.AzurePrincipal for _, user := range users { + if user.ID == nil || user.DisplayName == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph User object: %v", user)) + continue + } var memberOf []string for _, member := range user.MemberOf { memberOf = append(memberOf, member.ID) @@ -74,6 +80,10 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl }) } for _, group := range groups { + if group.ID == nil || group.DisplayName == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph User object: %v", group)) + continue + } var memberOf []string for _, member := range group.MemberOf { memberOf = append(memberOf, member.ID) @@ -88,6 +98,10 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl }) } for _, sp := range servicePrincipals { + if sp.ID == nil || sp.DisplayName == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph User object: %v", sp)) + continue + } var memberOf []string for _, member := range sp.MemberOf { memberOf = append(memberOf, member.ID) @@ -101,6 +115,5 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl ObjectType: "servicePrincipal", }) } - - return pbPrincipals, nil + return pbPrincipals, trace.NewAggregate(fetchErrs...) } diff --git a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go index 0844b22a4fc94..4490346e15047 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go +++ b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go @@ -20,7 +20,7 @@ package azure_sync import ( "context" - "fmt" //nolint:unused // used in a dependent PR + "fmt" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" "github.com/gravitational/trace" @@ -44,7 +44,16 @@ func fetchRoleAssignments(ctx context.Context, subscriptionID string, cli RoleAs // Convert to protobuf format pbRoleAssigns := make([]*accessgraphv1alpha.AzureRoleAssignment, 0, len(roleAssigns)) + var fetchErrs []error for _, roleAssign := range roleAssigns { + if roleAssign.ID == nil || + roleAssign.Properties == nil || + roleAssign.Properties.PrincipalID == nil || + roleAssign.Properties.Scope == nil { + fetchErrs = append(fetchErrs, + trace.BadParameter("nil values on AzureRoleAssignment object: %v", roleAssign)) + continue + } pbRoleAssign := &accessgraphv1alpha.AzureRoleAssignment{ Id: *roleAssign.ID, SubscriptionId: subscriptionID, @@ -55,5 +64,5 @@ func fetchRoleAssignments(ctx context.Context, subscriptionID string, cli RoleAs } pbRoleAssigns = append(pbRoleAssigns, pbRoleAssign) } - return pbRoleAssigns, nil + return pbRoleAssigns, trace.NewAggregate(fetchErrs...) } diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go index 03b5c38f9a056..889c9664f00bc 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -43,9 +43,21 @@ func fetchRoleDefinitions(ctx context.Context, subscriptionID string, cli RoleDe // Convert to protobuf format pbRoleDefs := make([]*accessgraphv1alpha.AzureRoleDefinition, 0, len(roleDefs)) + var fetchErrs []error for _, roleDef := range roleDefs { + if roleDef.ID == nil || + roleDef.Properties == nil || + roleDef.Properties.Permissions == nil || + roleDef.Properties.RoleName == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on AzureRoleDefinition object: %v", roleDef)) + continue + } pbPerms := make([]*accessgraphv1alpha.AzureRBACPermission, 0, len(roleDef.Properties.Permissions)) for _, perm := range roleDef.Properties.Permissions { + if perm.Actions == nil || perm.NotActions == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on Permission object: %v", perm)) + continue + } pbPerm := accessgraphv1alpha.AzureRBACPermission{ Actions: ptrsToList(perm.Actions), NotActions: ptrsToList(perm.NotActions), @@ -61,13 +73,15 @@ func fetchRoleDefinitions(ctx context.Context, subscriptionID string, cli RoleDe } pbRoleDefs = append(pbRoleDefs, pbRoleDef) } - return pbRoleDefs, nil + return pbRoleDefs, trace.NewAggregate(fetchErrs...) } func ptrsToList(ptrs []*string) []string { //nolint:unused // used in a dependent PR strList := make([]string, 0, len(ptrs)) for _, ptr := range ptrs { - strList = append(strList, *ptr) + if ptr != nil { + strList = append(strList, *ptr) + } } return strList } diff --git a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go index 743061b5d0f9a..8e4de7a7c2971 100644 --- a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go +++ b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go @@ -43,7 +43,12 @@ func fetchVirtualMachines(ctx context.Context, subscriptionID string, cli Virtua // Return the VMs as protobuf messages pbVms := make([]*accessgraphv1alpha.AzureVirtualMachine, 0, len(vms)) + var fetchErrs []error for _, vm := range vms { + if vm.ID == nil || vm.Name == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on AzureVirtualMachine object: %v", vm)) + continue + } pbVm := accessgraphv1alpha.AzureVirtualMachine{ Id: *vm.ID, SubscriptionId: subscriptionID, @@ -52,5 +57,5 @@ func fetchVirtualMachines(ctx context.Context, subscriptionID string, cli Virtua } pbVms = append(pbVms, &pbVm) } - return pbVms, nil + return pbVms, trace.NewAggregate(fetchErrs...) } From 69486a2a3ddd876a4e24df78eff1e1a8922630e5 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 20 Dec 2024 11:28:30 -0600 Subject: [PATCH 11/34] PR feedback --- lib/integrations/azureoidc/accessgraph.go | 2 +- lib/msgraph/client_test.go | 4 +- lib/msgraph/paginated.go | 39 +++++----- .../fetchers/azure-sync/principals.go | 73 +++++-------------- 4 files changed, 44 insertions(+), 74 deletions(-) diff --git a/lib/integrations/azureoidc/accessgraph.go b/lib/integrations/azureoidc/accessgraph.go index 6cf43a41c3291..d7462f32aca58 100644 --- a/lib/integrations/azureoidc/accessgraph.go +++ b/lib/integrations/azureoidc/accessgraph.go @@ -116,7 +116,7 @@ func CreateTAGCacheFile(ctx context.Context) error { } cache := &TAGInfoCache{} - err = graphClient.IterateApplications(ctx, func(app *msgraph.Application) bool { + err = graphClient.IterateApplications(ctx, nil, func(app *msgraph.Application) bool { appID := app.AppID if appID == nil { slog.WarnContext(ctx, "app ID is nil", "app", app) diff --git a/lib/msgraph/client_test.go b/lib/msgraph/client_test.go index 174b8f924ce14..c302d91cc2f6f 100644 --- a/lib/msgraph/client_test.go +++ b/lib/msgraph/client_test.go @@ -186,7 +186,7 @@ func TestIterateUsers_Empty(t *testing.T) { baseURL: uri, pageSize: defaultPageSize, } - err = client.IterateUsers(context.Background(), func(*User) bool { + err = client.IterateUsers(context.Background(), nil, func(*User) bool { assert.Fail(t, "should never get called") return true }) @@ -215,7 +215,7 @@ func TestIterateUsers(t *testing.T) { } var users []*User - err = client.IterateUsers(context.Background(), func(u *User) bool { + err = client.IterateUsers(context.Background(), nil, func(u *User) bool { users = append(users, u) return true }) diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index cc25162ef849f..89140b1879c5f 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -30,9 +30,9 @@ import ( ) // iterateSimple implements pagination for "simple" object lists, where additional logic isn't needed -func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f func(*T) bool) error { +func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, params *url.Values, f func(*T) bool) error { var err error - itErr := c.iterate(ctx, endpoint, func(msg json.RawMessage) bool { + itErr := c.iterate(ctx, endpoint, params, func(msg json.RawMessage) bool { var page []T if err = json.Unmarshal(msg, &page); err != nil { return false @@ -51,17 +51,22 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f fun } // iterate implements pagination for "list" endpoints. -func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMessage) bool) error { +func (c *Client) iterate(ctx context.Context, endpoint string, params *url.Values, f func(json.RawMessage) bool) error { uri := *c.baseURL uri.Path = path.Join(uri.Path, endpoint) - uri.RawQuery = url.Values{ + rawQuery := url.Values{ "$top": { strconv.Itoa(c.pageSize), }, - "$expand": { - "memberOf", - }, - }.Encode() + } + if params != nil { + for key, values := range *params { + for _, value := range values { + rawQuery.Add(key, value) + } + } + } + uri.RawQuery = rawQuery.Encode() uriString := uri.String() for uriString != "" { resp, err := c.request(ctx, http.MethodGet, uriString, nil) @@ -88,32 +93,32 @@ func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMe // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/application-list]. -func (c *Client) IterateApplications(ctx context.Context, f func(*Application) bool) error { - return iterateSimple(c, ctx, "applications", f) +func (c *Client) IterateApplications(ctx context.Context, params *url.Values, f func(*Application) bool) error { + return iterateSimple(c, ctx, "applications", params, f) } // IterateGroups lists all groups in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list]. -func (c *Client) IterateGroups(ctx context.Context, f func(*Group) bool) error { - return iterateSimple(c, ctx, "groups", f) +func (c *Client) IterateGroups(ctx context.Context, params *url.Values, f func(*Group) bool) error { + return iterateSimple(c, ctx, "groups", params, f) } // IterateUsers lists all users in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateUsers(ctx context.Context, f func(*User) bool) error { - return iterateSimple(c, ctx, "users", f) +func (c *Client) IterateUsers(ctx context.Context, params *url.Values, f func(*User) bool) error { + return iterateSimple(c, ctx, "users", params, f) } // IterateServicePrincipals lists all service principals in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal *ServicePrincipal) bool) error { - return iterateSimple(c, ctx, "servicePrincipals", f) +func (c *Client) IterateServicePrincipals(ctx context.Context, params *url.Values, f func(principal *ServicePrincipal) bool) error { + return iterateSimple(c, ctx, "servicePrincipals", params, f) } // IterateGroupMembers lists all members for the given Entra ID group using pagination. @@ -122,7 +127,7 @@ func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-members]. func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func(GroupMember) bool) error { var err error - itErr := c.iterate(ctx, path.Join("groups", groupID, "members"), func(msg json.RawMessage) bool { + itErr := c.iterate(ctx, path.Join("groups", groupID, "members"), nil, func(msg json.RawMessage) bool { var page []json.RawMessage if err = json.Unmarshal(msg, &page); err != nil { return false diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 0cd9572f06212..ab8ae3e48bb64 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -20,6 +20,7 @@ package azure_sync import ( "context" + "net/url" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" @@ -30,28 +31,28 @@ import ( // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint: unused // invoked in a dependent PR - // Fetch the users, groups, and service principals - var users []*msgraph.User - err := cli.IterateUsers(ctx, func(user *msgraph.User) bool { - users = append(users, user) + var params = &url.Values{ + "$expand": []string{"memberOf"}, + } + + // Fetch the users, groups, and service principals as directory objects + var dirObjs []msgraph.DirectoryObject + err := cli.IterateUsers(ctx, params, func(user *msgraph.User) bool { + dirObjs = append(dirObjs, user.DirectoryObject) return true }) if err != nil { return nil, trace.Wrap(err) } - - var groups []*msgraph.Group - err = cli.IterateGroups(ctx, func(group *msgraph.Group) bool { - groups = append(groups, group) + err = cli.IterateGroups(ctx, params, func(group *msgraph.Group) bool { + dirObjs = append(dirObjs, group.DirectoryObject) return true }) if err != nil { return nil, trace.Wrap(err) } - - var servicePrincipals []*msgraph.ServicePrincipal - err = cli.IterateServicePrincipals(ctx, func(servicePrincipal *msgraph.ServicePrincipal) bool { - servicePrincipals = append(servicePrincipals, servicePrincipal) + err = cli.IterateServicePrincipals(ctx, params, func(servicePrincipal *msgraph.ServicePrincipal) bool { + dirObjs = append(dirObjs, servicePrincipal.DirectoryObject) return true }) if err != nil { @@ -61,59 +62,23 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl // Return the users, groups, and service principals as protobuf messages var fetchErrs []error var pbPrincipals []*accessgraphv1alpha.AzurePrincipal - for _, user := range users { - if user.ID == nil || user.DisplayName == nil { - fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph User object: %v", user)) + for _, dirObj := range dirObjs { + if dirObj.ID == nil || dirObj.DisplayName == nil { + fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph directory object: %v", dirObj)) continue } var memberOf []string - for _, member := range user.MemberOf { + for _, member := range dirObj.MemberOf { memberOf = append(memberOf, member.ID) } pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ - Id: *user.ID, + Id: *dirObj.ID, SubscriptionId: subscriptionID, LastSyncTime: timestamppb.Now(), - DisplayName: *user.DisplayName, + DisplayName: *dirObj.DisplayName, MemberOf: memberOf, ObjectType: "user", }) } - for _, group := range groups { - if group.ID == nil || group.DisplayName == nil { - fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph User object: %v", group)) - continue - } - var memberOf []string - for _, member := range group.MemberOf { - memberOf = append(memberOf, member.ID) - } - pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ - Id: *group.ID, - SubscriptionId: subscriptionID, - LastSyncTime: timestamppb.Now(), - DisplayName: *group.DisplayName, - MemberOf: memberOf, - ObjectType: "group", - }) - } - for _, sp := range servicePrincipals { - if sp.ID == nil || sp.DisplayName == nil { - fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph User object: %v", sp)) - continue - } - var memberOf []string - for _, member := range sp.MemberOf { - memberOf = append(memberOf, member.ID) - } - pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ - Id: *sp.ID, - SubscriptionId: subscriptionID, - LastSyncTime: timestamppb.Now(), - DisplayName: *sp.DisplayName, - MemberOf: memberOf, - ObjectType: "servicePrincipal", - }) - } return pbPrincipals, trace.NewAggregate(fetchErrs...) } From 861b5624a1a4a6e75cbf8cc3b79d6e8fb6433a4f Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 20 Dec 2024 16:28:48 -0600 Subject: [PATCH 12/34] Updating principal fetching to incorporate metadata from principal subtypes --- .../fetchers/azure-sync/principals.go | 35 +++++++++++++------ 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index ab8ae3e48bb64..f372ee8de756e 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -29,6 +29,15 @@ import ( "github.com/gravitational/teleport/lib/msgraph" ) +type dirObjMetadata struct { + objectType string +} + +type queryResult struct { + metadata dirObjMetadata + dirObj msgraph.DirectoryObject +} + // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint: unused // invoked in a dependent PR var params = &url.Values{ @@ -36,23 +45,26 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl } // Fetch the users, groups, and service principals as directory objects - var dirObjs []msgraph.DirectoryObject + var queryResults []queryResult err := cli.IterateUsers(ctx, params, func(user *msgraph.User) bool { - dirObjs = append(dirObjs, user.DirectoryObject) + res := queryResult{metadata: dirObjMetadata{objectType: "user"}, dirObj: user.DirectoryObject} + queryResults = append(queryResults, res) return true }) if err != nil { return nil, trace.Wrap(err) } err = cli.IterateGroups(ctx, params, func(group *msgraph.Group) bool { - dirObjs = append(dirObjs, group.DirectoryObject) + res := queryResult{metadata: dirObjMetadata{objectType: "group"}, dirObj: group.DirectoryObject} + queryResults = append(queryResults, res) return true }) if err != nil { return nil, trace.Wrap(err) } err = cli.IterateServicePrincipals(ctx, params, func(servicePrincipal *msgraph.ServicePrincipal) bool { - dirObjs = append(dirObjs, servicePrincipal.DirectoryObject) + res := queryResult{metadata: dirObjMetadata{objectType: "servicePrincipal"}, dirObj: servicePrincipal.DirectoryObject} + queryResults = append(queryResults, res) return true }) if err != nil { @@ -62,22 +74,23 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl // Return the users, groups, and service principals as protobuf messages var fetchErrs []error var pbPrincipals []*accessgraphv1alpha.AzurePrincipal - for _, dirObj := range dirObjs { - if dirObj.ID == nil || dirObj.DisplayName == nil { - fetchErrs = append(fetchErrs, trace.BadParameter("nil values on msgraph directory object: %v", dirObj)) + for _, res := range queryResults { + if res.dirObj.ID == nil || res.dirObj.DisplayName == nil { + fetchErrs = append(fetchErrs, + trace.BadParameter("nil values on msgraph directory object: %v", res.dirObj)) continue } var memberOf []string - for _, member := range dirObj.MemberOf { + for _, member := range res.dirObj.MemberOf { memberOf = append(memberOf, member.ID) } pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ - Id: *dirObj.ID, + Id: *res.dirObj.ID, SubscriptionId: subscriptionID, LastSyncTime: timestamppb.Now(), - DisplayName: *dirObj.DisplayName, + DisplayName: *res.dirObj.DisplayName, MemberOf: memberOf, - ObjectType: "user", + ObjectType: res.metadata.objectType, }) } return pbPrincipals, trace.NewAggregate(fetchErrs...) From 37e3dda6f90fba2a50c74a6f37a075e459817d07 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Mon, 30 Dec 2024 11:16:30 -0600 Subject: [PATCH 13/34] Updating opts to not leak URL parameters --- lib/msgraph/paginated.go | 37 +++++++++++-------- .../fetchers/azure-sync/principals.go | 12 +++--- 2 files changed, 26 insertions(+), 23 deletions(-) diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 89140b1879c5f..27189f25d3697 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -29,10 +29,17 @@ import ( "github.com/gravitational/trace" ) +const expandParameter = "$expand" +const expandMemberOf = "memberOf" + +type IterateOptions struct { + ExpandMembers bool +} + // iterateSimple implements pagination for "simple" object lists, where additional logic isn't needed -func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, params *url.Values, f func(*T) bool) error { +func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, opts *IterateOptions, f func(*T) bool) error { var err error - itErr := c.iterate(ctx, endpoint, params, func(msg json.RawMessage) bool { + itErr := c.iterate(ctx, endpoint, opts, func(msg json.RawMessage) bool { var page []T if err = json.Unmarshal(msg, &page); err != nil { return false @@ -51,7 +58,7 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, param } // iterate implements pagination for "list" endpoints. -func (c *Client) iterate(ctx context.Context, endpoint string, params *url.Values, f func(json.RawMessage) bool) error { +func (c *Client) iterate(ctx context.Context, endpoint string, opts *IterateOptions, f func(json.RawMessage) bool) error { uri := *c.baseURL uri.Path = path.Join(uri.Path, endpoint) rawQuery := url.Values{ @@ -59,11 +66,9 @@ func (c *Client) iterate(ctx context.Context, endpoint string, params *url.Value strconv.Itoa(c.pageSize), }, } - if params != nil { - for key, values := range *params { - for _, value := range values { - rawQuery.Add(key, value) - } + if opts != nil { + if opts.ExpandMembers { + rawQuery.Set(expandParameter, expandMemberOf) } } uri.RawQuery = rawQuery.Encode() @@ -93,32 +98,32 @@ func (c *Client) iterate(ctx context.Context, endpoint string, params *url.Value // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/application-list]. -func (c *Client) IterateApplications(ctx context.Context, params *url.Values, f func(*Application) bool) error { - return iterateSimple(c, ctx, "applications", params, f) +func (c *Client) IterateApplications(ctx context.Context, opts *IterateOptions, f func(*Application) bool) error { + return iterateSimple(c, ctx, "applications", opts, f) } // IterateGroups lists all groups in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list]. -func (c *Client) IterateGroups(ctx context.Context, params *url.Values, f func(*Group) bool) error { - return iterateSimple(c, ctx, "groups", params, f) +func (c *Client) IterateGroups(ctx context.Context, opts *IterateOptions, f func(*Group) bool) error { + return iterateSimple(c, ctx, "groups", opts, f) } // IterateUsers lists all users in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateUsers(ctx context.Context, params *url.Values, f func(*User) bool) error { - return iterateSimple(c, ctx, "users", params, f) +func (c *Client) IterateUsers(ctx context.Context, opts *IterateOptions, f func(*User) bool) error { + return iterateSimple(c, ctx, "users", opts, f) } // IterateServicePrincipals lists all service principals in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateServicePrincipals(ctx context.Context, params *url.Values, f func(principal *ServicePrincipal) bool) error { - return iterateSimple(c, ctx, "servicePrincipals", params, f) +func (c *Client) IterateServicePrincipals(ctx context.Context, opts *IterateOptions, f func(principal *ServicePrincipal) bool) error { + return iterateSimple(c, ctx, "servicePrincipals", opts, f) } // IterateGroupMembers lists all members for the given Entra ID group using pagination. diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index f372ee8de756e..7c8aa651c4e43 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -20,8 +20,6 @@ package azure_sync import ( "context" - "net/url" - "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" @@ -40,13 +38,13 @@ type queryResult struct { // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint: unused // invoked in a dependent PR - var params = &url.Values{ - "$expand": []string{"memberOf"}, + var opts = &msgraph.IterateOptions{ + ExpandMembers: true, } // Fetch the users, groups, and service principals as directory objects var queryResults []queryResult - err := cli.IterateUsers(ctx, params, func(user *msgraph.User) bool { + err := cli.IterateUsers(ctx, opts, func(user *msgraph.User) bool { res := queryResult{metadata: dirObjMetadata{objectType: "user"}, dirObj: user.DirectoryObject} queryResults = append(queryResults, res) return true @@ -54,7 +52,7 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl if err != nil { return nil, trace.Wrap(err) } - err = cli.IterateGroups(ctx, params, func(group *msgraph.Group) bool { + err = cli.IterateGroups(ctx, opts, func(group *msgraph.Group) bool { res := queryResult{metadata: dirObjMetadata{objectType: "group"}, dirObj: group.DirectoryObject} queryResults = append(queryResults, res) return true @@ -62,7 +60,7 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl if err != nil { return nil, trace.Wrap(err) } - err = cli.IterateServicePrincipals(ctx, params, func(servicePrincipal *msgraph.ServicePrincipal) bool { + err = cli.IterateServicePrincipals(ctx, opts, func(servicePrincipal *msgraph.ServicePrincipal) bool { res := queryResult{metadata: dirObjMetadata{objectType: "servicePrincipal"}, dirObj: servicePrincipal.DirectoryObject} queryResults = append(queryResults, res) return true From cce7007fcb9b7c3e962fb8d67ebccf1e230c9cbc Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 31 Dec 2024 11:33:05 -0600 Subject: [PATCH 14/34] Conformant package name --- lib/srv/discovery/fetchers/azure-sync/principals.go | 2 +- lib/srv/discovery/fetchers/azure-sync/roleassignments.go | 2 +- lib/srv/discovery/fetchers/azure-sync/roledefinitions.go | 2 +- lib/srv/discovery/fetchers/azure-sync/virtualmachines.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 7c8aa651c4e43..0bf3335756eca 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package azure_sync +package azuresync import ( "context" diff --git a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go index 4490346e15047..a97fe69727ef8 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roleassignments.go +++ b/lib/srv/discovery/fetchers/azure-sync/roleassignments.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package azure_sync +package azuresync import ( "context" diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go index 889c9664f00bc..dc6a0a48e752f 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package azure_sync +package azuresync import ( "context" diff --git a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go index 8e4de7a7c2971..12658e6a9b009 100644 --- a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go +++ b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package azure_sync +package azuresync import ( "context" From d498564266e1d8336c68d7e9e159aad92f5a3947 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Mon, 6 Jan 2025 13:25:30 -0600 Subject: [PATCH 15/34] Using variadic options --- lib/integrations/azureoidc/accessgraph.go | 2 +- lib/msgraph/client_test.go | 4 +- lib/msgraph/paginated.go | 50 +++++++++++-------- .../fetchers/azure-sync/principals.go | 16 +++--- 4 files changed, 39 insertions(+), 33 deletions(-) diff --git a/lib/integrations/azureoidc/accessgraph.go b/lib/integrations/azureoidc/accessgraph.go index d7462f32aca58..6cf43a41c3291 100644 --- a/lib/integrations/azureoidc/accessgraph.go +++ b/lib/integrations/azureoidc/accessgraph.go @@ -116,7 +116,7 @@ func CreateTAGCacheFile(ctx context.Context) error { } cache := &TAGInfoCache{} - err = graphClient.IterateApplications(ctx, nil, func(app *msgraph.Application) bool { + err = graphClient.IterateApplications(ctx, func(app *msgraph.Application) bool { appID := app.AppID if appID == nil { slog.WarnContext(ctx, "app ID is nil", "app", app) diff --git a/lib/msgraph/client_test.go b/lib/msgraph/client_test.go index c302d91cc2f6f..174b8f924ce14 100644 --- a/lib/msgraph/client_test.go +++ b/lib/msgraph/client_test.go @@ -186,7 +186,7 @@ func TestIterateUsers_Empty(t *testing.T) { baseURL: uri, pageSize: defaultPageSize, } - err = client.IterateUsers(context.Background(), nil, func(*User) bool { + err = client.IterateUsers(context.Background(), func(*User) bool { assert.Fail(t, "should never get called") return true }) @@ -215,7 +215,7 @@ func TestIterateUsers(t *testing.T) { } var users []*User - err = client.IterateUsers(context.Background(), nil, func(u *User) bool { + err = client.IterateUsers(context.Background(), func(u *User) bool { users = append(users, u) return true }) diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 27189f25d3697..649ffa88ff022 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -32,14 +32,22 @@ import ( const expandParameter = "$expand" const expandMemberOf = "memberOf" -type IterateOptions struct { +type IterateConfig struct { ExpandMembers bool } +type IterateConfigOption func(*IterateConfig) + +func IterateWithExpandMembers() IterateConfigOption { + return func(cfg *IterateConfig) { + cfg.ExpandMembers = true + } +} + // iterateSimple implements pagination for "simple" object lists, where additional logic isn't needed -func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, opts *IterateOptions, f func(*T) bool) error { +func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f func(*T) bool, opts ...IterateConfigOption) error { var err error - itErr := c.iterate(ctx, endpoint, opts, func(msg json.RawMessage) bool { + itErr := c.iterate(ctx, endpoint, func(msg json.RawMessage) bool { var page []T if err = json.Unmarshal(msg, &page); err != nil { return false @@ -50,7 +58,7 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, opts } } return true - }) + }, opts...) if err != nil { return trace.Wrap(err) } @@ -58,7 +66,7 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, opts } // iterate implements pagination for "list" endpoints. -func (c *Client) iterate(ctx context.Context, endpoint string, opts *IterateOptions, f func(json.RawMessage) bool) error { +func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMessage) bool, opts ...IterateConfigOption) error { uri := *c.baseURL uri.Path = path.Join(uri.Path, endpoint) rawQuery := url.Values{ @@ -66,10 +74,12 @@ func (c *Client) iterate(ctx context.Context, endpoint string, opts *IterateOpti strconv.Itoa(c.pageSize), }, } - if opts != nil { - if opts.ExpandMembers { - rawQuery.Set(expandParameter, expandMemberOf) - } + cfg := IterateConfig{} + for _, opt := range opts { + opt(&cfg) + } + if cfg.ExpandMembers { + rawQuery.Set(expandParameter, expandMemberOf) } uri.RawQuery = rawQuery.Encode() uriString := uri.String() @@ -98,41 +108,41 @@ func (c *Client) iterate(ctx context.Context, endpoint string, opts *IterateOpti // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/application-list]. -func (c *Client) IterateApplications(ctx context.Context, opts *IterateOptions, f func(*Application) bool) error { - return iterateSimple(c, ctx, "applications", opts, f) +func (c *Client) IterateApplications(ctx context.Context, f func(*Application) bool, opts ...IterateConfigOption) error { + return iterateSimple(c, ctx, "applications", f, opts...) } // IterateGroups lists all groups in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list]. -func (c *Client) IterateGroups(ctx context.Context, opts *IterateOptions, f func(*Group) bool) error { - return iterateSimple(c, ctx, "groups", opts, f) +func (c *Client) IterateGroups(ctx context.Context, f func(*Group) bool, opts ...IterateConfigOption) error { + return iterateSimple(c, ctx, "groups", f, opts...) } // IterateUsers lists all users in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateUsers(ctx context.Context, opts *IterateOptions, f func(*User) bool) error { - return iterateSimple(c, ctx, "users", opts, f) +func (c *Client) IterateUsers(ctx context.Context, f func(*User) bool, opts ...IterateConfigOption) error { + return iterateSimple(c, ctx, "users", f, opts...) } // IterateServicePrincipals lists all service principals in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateServicePrincipals(ctx context.Context, opts *IterateOptions, f func(principal *ServicePrincipal) bool) error { - return iterateSimple(c, ctx, "servicePrincipals", opts, f) +func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal *ServicePrincipal) bool, opts ...IterateConfigOption) error { + return iterateSimple(c, ctx, "servicePrincipals", f, opts...) } // IterateGroupMembers lists all members for the given Entra ID group using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-members]. -func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func(GroupMember) bool) error { +func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func(GroupMember) bool, opts ...IterateConfigOption) error { var err error - itErr := c.iterate(ctx, path.Join("groups", groupID, "members"), nil, func(msg json.RawMessage) bool { + itErr := c.iterate(ctx, path.Join("groups", groupID, "members"), func(msg json.RawMessage) bool { var page []json.RawMessage if err = json.Unmarshal(msg, &page); err != nil { return false @@ -155,7 +165,7 @@ func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func } } return true - }) + }, opts...) if err != nil { return trace.Wrap(err) } diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 0bf3335756eca..ccce425f953d2 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -38,33 +38,29 @@ type queryResult struct { // fetchPrincipals fetches the Azure principals (users, groups, and service principals) using the Graph API func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Client) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint: unused // invoked in a dependent PR - var opts = &msgraph.IterateOptions{ - ExpandMembers: true, - } - // Fetch the users, groups, and service principals as directory objects var queryResults []queryResult - err := cli.IterateUsers(ctx, opts, func(user *msgraph.User) bool { + err := cli.IterateUsers(ctx, func(user *msgraph.User) bool { res := queryResult{metadata: dirObjMetadata{objectType: "user"}, dirObj: user.DirectoryObject} queryResults = append(queryResults, res) return true - }) + }, msgraph.IterateWithExpandMembers()) if err != nil { return nil, trace.Wrap(err) } - err = cli.IterateGroups(ctx, opts, func(group *msgraph.Group) bool { + err = cli.IterateGroups(ctx, func(group *msgraph.Group) bool { res := queryResult{metadata: dirObjMetadata{objectType: "group"}, dirObj: group.DirectoryObject} queryResults = append(queryResults, res) return true - }) + }, msgraph.IterateWithExpandMembers()) if err != nil { return nil, trace.Wrap(err) } - err = cli.IterateServicePrincipals(ctx, opts, func(servicePrincipal *msgraph.ServicePrincipal) bool { + err = cli.IterateServicePrincipals(ctx, func(servicePrincipal *msgraph.ServicePrincipal) bool { res := queryResult{metadata: dirObjMetadata{objectType: "servicePrincipal"}, dirObj: servicePrincipal.DirectoryObject} queryResults = append(queryResults, res) return true - }) + }, msgraph.IterateWithExpandMembers()) if err != nil { return nil, trace.Wrap(err) } From 672677280d1751b0dff9d55042821631d91c0b30 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Mon, 6 Jan 2025 13:33:22 -0600 Subject: [PATCH 16/34] PR feedback --- lib/msgraph/paginated.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 649ffa88ff022..860b9e41c480a 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -29,7 +29,10 @@ import ( "github.com/gravitational/trace" ) +// expandParameter is supplied to the graph API to expand specific fields of returned objects, e.g. 'memberOf' const expandParameter = "$expand" + +// expandMemberOf is a specific field which the $expand parameter will provide in the returned objects const expandMemberOf = "memberOf" type IterateConfig struct { @@ -131,7 +134,7 @@ func (c *Client) IterateUsers(ctx context.Context, f func(*User) bool, opts ...I // IterateServicePrincipals lists all service principals in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). -// Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. +// Ref: [https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list]. func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal *ServicePrincipal) bool, opts ...IterateConfigOption) error { return iterateSimple(c, ctx, "servicePrincipals", f, opts...) } From bacbe4955202e3250ffbca9d4106a7f3ede3411d Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Mon, 6 Jan 2025 13:50:45 -0600 Subject: [PATCH 17/34] Removing memberOf expansion --- lib/msgraph/models.go | 5 +- lib/msgraph/paginated.go | 51 +++++-------------- .../fetchers/azure-sync/principals.go | 11 ++-- 3 files changed, 18 insertions(+), 49 deletions(-) diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go index 4f2181f81055d..f76d3deaab858 100644 --- a/lib/msgraph/models.go +++ b/lib/msgraph/models.go @@ -34,9 +34,8 @@ type Membership struct { } type DirectoryObject struct { - ID *string `json:"id,omitempty"` - DisplayName *string `json:"displayName,omitempty"` - MemberOf []Membership `json:"memberOf,omitempty"` + ID *string `json:"id,omitempty"` + DisplayName *string `json:"displayName,omitempty"` } type Group struct { diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 860b9e41c480a..f61d19754cc8e 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -29,26 +29,8 @@ import ( "github.com/gravitational/trace" ) -// expandParameter is supplied to the graph API to expand specific fields of returned objects, e.g. 'memberOf' -const expandParameter = "$expand" - -// expandMemberOf is a specific field which the $expand parameter will provide in the returned objects -const expandMemberOf = "memberOf" - -type IterateConfig struct { - ExpandMembers bool -} - -type IterateConfigOption func(*IterateConfig) - -func IterateWithExpandMembers() IterateConfigOption { - return func(cfg *IterateConfig) { - cfg.ExpandMembers = true - } -} - // iterateSimple implements pagination for "simple" object lists, where additional logic isn't needed -func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f func(*T) bool, opts ...IterateConfigOption) error { +func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f func(*T) bool) error { var err error itErr := c.iterate(ctx, endpoint, func(msg json.RawMessage) bool { var page []T @@ -61,7 +43,7 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f fun } } return true - }, opts...) + }) if err != nil { return trace.Wrap(err) } @@ -69,7 +51,7 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f fun } // iterate implements pagination for "list" endpoints. -func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMessage) bool, opts ...IterateConfigOption) error { +func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMessage) bool) error { uri := *c.baseURL uri.Path = path.Join(uri.Path, endpoint) rawQuery := url.Values{ @@ -77,13 +59,6 @@ func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMe strconv.Itoa(c.pageSize), }, } - cfg := IterateConfig{} - for _, opt := range opts { - opt(&cfg) - } - if cfg.ExpandMembers { - rawQuery.Set(expandParameter, expandMemberOf) - } uri.RawQuery = rawQuery.Encode() uriString := uri.String() for uriString != "" { @@ -111,39 +86,39 @@ func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMe // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/application-list]. -func (c *Client) IterateApplications(ctx context.Context, f func(*Application) bool, opts ...IterateConfigOption) error { - return iterateSimple(c, ctx, "applications", f, opts...) +func (c *Client) IterateApplications(ctx context.Context, f func(*Application) bool) error { + return iterateSimple(c, ctx, "applications", f) } // IterateGroups lists all groups in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list]. -func (c *Client) IterateGroups(ctx context.Context, f func(*Group) bool, opts ...IterateConfigOption) error { - return iterateSimple(c, ctx, "groups", f, opts...) +func (c *Client) IterateGroups(ctx context.Context, f func(*Group) bool) error { + return iterateSimple(c, ctx, "groups", f) } // IterateUsers lists all users in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/user-list]. -func (c *Client) IterateUsers(ctx context.Context, f func(*User) bool, opts ...IterateConfigOption) error { - return iterateSimple(c, ctx, "users", f, opts...) +func (c *Client) IterateUsers(ctx context.Context, f func(*User) bool) error { + return iterateSimple(c, ctx, "users", f) } // IterateServicePrincipals lists all service principals in the Entra ID directory using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list]. -func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal *ServicePrincipal) bool, opts ...IterateConfigOption) error { - return iterateSimple(c, ctx, "servicePrincipals", f, opts...) +func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal *ServicePrincipal) bool) error { + return iterateSimple(c, ctx, "servicePrincipals", f) } // IterateGroupMembers lists all members for the given Entra ID group using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-members]. -func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func(GroupMember) bool, opts ...IterateConfigOption) error { +func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func(GroupMember) bool) error { var err error itErr := c.iterate(ctx, path.Join("groups", groupID, "members"), func(msg json.RawMessage) bool { var page []json.RawMessage @@ -168,7 +143,7 @@ func (c *Client) IterateGroupMembers(ctx context.Context, groupID string, f func } } return true - }, opts...) + }) if err != nil { return trace.Wrap(err) } diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index ccce425f953d2..217ce35ddfc99 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -44,7 +44,7 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl res := queryResult{metadata: dirObjMetadata{objectType: "user"}, dirObj: user.DirectoryObject} queryResults = append(queryResults, res) return true - }, msgraph.IterateWithExpandMembers()) + }) if err != nil { return nil, trace.Wrap(err) } @@ -52,7 +52,7 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl res := queryResult{metadata: dirObjMetadata{objectType: "group"}, dirObj: group.DirectoryObject} queryResults = append(queryResults, res) return true - }, msgraph.IterateWithExpandMembers()) + }) if err != nil { return nil, trace.Wrap(err) } @@ -60,7 +60,7 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl res := queryResult{metadata: dirObjMetadata{objectType: "servicePrincipal"}, dirObj: servicePrincipal.DirectoryObject} queryResults = append(queryResults, res) return true - }, msgraph.IterateWithExpandMembers()) + }) if err != nil { return nil, trace.Wrap(err) } @@ -74,16 +74,11 @@ func fetchPrincipals(ctx context.Context, subscriptionID string, cli *msgraph.Cl trace.BadParameter("nil values on msgraph directory object: %v", res.dirObj)) continue } - var memberOf []string - for _, member := range res.dirObj.MemberOf { - memberOf = append(memberOf, member.ID) - } pbPrincipals = append(pbPrincipals, &accessgraphv1alpha.AzurePrincipal{ Id: *res.dirObj.ID, SubscriptionId: subscriptionID, LastSyncTime: timestamppb.Now(), DisplayName: *res.dirObj.DisplayName, - MemberOf: memberOf, ObjectType: res.metadata.objectType, }) } From fa9d8a64763c4ceb4df919cbac150621cbc206a0 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Mon, 6 Jan 2025 23:15:04 -0600 Subject: [PATCH 18/34] Expanding memberships by calling memberOf on each user --- lib/msgraph/models.go | 9 ++++++ lib/msgraph/paginated.go | 23 +++++++++++++++ .../fetchers/azure-sync/memberships.go | 29 +++++++++++++++++++ 3 files changed, 61 insertions(+) create mode 100644 lib/srv/discovery/fetchers/azure-sync/memberships.go diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go index f76d3deaab858..fc2d9a5fee1e1 100644 --- a/lib/msgraph/models.go +++ b/lib/msgraph/models.go @@ -184,3 +184,12 @@ func decodeGroupMember(msg json.RawMessage) (GroupMember, error) { return member, trace.Wrap(err) } + +func decodeDirectoryObject(msg json.RawMessage) (*DirectoryObject, error) { + var d *DirectoryObject + err := json.Unmarshal(msg, &d) + if err != nil { + return nil, trace.Wrap(err) + } + return d, nil +} diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index f61d19754cc8e..8140dfd93c1f0 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -114,6 +114,29 @@ func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal return iterateSimple(c, ctx, "servicePrincipals", f) } +func (c *Client) IterateUserMembership(ctx context.Context, userID string, f func(obj *DirectoryObject) bool) error { + var err error + itErr := c.iterate(ctx, path.Join("users", userID, "memberOf"), func(msg json.RawMessage) bool { + var page []json.RawMessage + if err = json.Unmarshal(msg, &page); err != nil { + return false + } + for _, entry := range page { + var d *DirectoryObject + err := json.Unmarshal(entry, &d) + if err != nil { + return false + } + f(d) + } + return true + }) + if err != nil { + return trace.Wrap(err) + } + return trace.Wrap(itErr) +} + // IterateGroupMembers lists all members for the given Entra ID group using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go new file mode 100644 index 0000000000000..4a5b324451bfe --- /dev/null +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -0,0 +1,29 @@ +package azuresync + +import ( + "context" + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" + "github.com/gravitational/teleport/lib/msgraph" + "github.com/gravitational/trace" + "golang.org/x/sync/errgroup" +) + +const parallelism = 10 + +func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) error { + var eg errgroup.Group + eg.SetLimit(parallelism) + for _, principal := range principals { + eg.Go(func() error { + err := cli.IterateUserMembership(ctx, principal.Id, func(obj *msgraph.DirectoryObject) bool { + principal.MemberOf = append(principal.MemberOf, *obj.ID) + return true + }) + if err != nil { + return trace.Wrap(err) + } + return nil + }) + } + return eg.Wait() +} From 8f07e78330420fbb844cc4f4dfe9a63f204e0de8 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 7 Jan 2025 10:41:20 -0600 Subject: [PATCH 19/34] Also returning expanded principals for improved readability --- lib/srv/discovery/fetchers/azure-sync/memberships.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index 4a5b324451bfe..ef022661e07fe 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -10,7 +10,10 @@ import ( const parallelism = 10 -func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) error { +func expandMemberships( + ctx context.Context, + cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal, +) ([]*accessgraphv1alpha.AzurePrincipal, error) { var eg errgroup.Group eg.SetLimit(parallelism) for _, principal := range principals { @@ -25,5 +28,5 @@ func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*a return nil }) } - return eg.Wait() + return principals, eg.Wait() } From f075bc8585fae7e5f8b2cf57351520676f710b30 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Tue, 7 Jan 2025 14:21:11 -0600 Subject: [PATCH 20/34] Removing ptrToList --- .../fetchers/azure-sync/roledefinitions.go | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go index dc6a0a48e752f..529d0f2070c9c 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -21,6 +21,7 @@ package azuresync import ( "context" "fmt" //nolint:golint // used in a dependent PR + "github.com/gravitational/teleport/lib/utils/slices" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" "github.com/gravitational/trace" @@ -59,8 +60,8 @@ func fetchRoleDefinitions(ctx context.Context, subscriptionID string, cli RoleDe continue } pbPerm := accessgraphv1alpha.AzureRBACPermission{ - Actions: ptrsToList(perm.Actions), - NotActions: ptrsToList(perm.NotActions), + Actions: slices.FromPointers(perm.Actions), + NotActions: slices.FromPointers(perm.NotActions), } pbPerms = append(pbPerms, &pbPerm) } @@ -75,13 +76,3 @@ func fetchRoleDefinitions(ctx context.Context, subscriptionID string, cli RoleDe } return pbRoleDefs, trace.NewAggregate(fetchErrs...) } - -func ptrsToList(ptrs []*string) []string { //nolint:unused // used in a dependent PR - strList := make([]string, 0, len(ptrs)) - for _, ptr := range ptrs { - if ptr != nil { - strList = append(strList, *ptr) - } - } - return strList -} From 2b5b928f6ce16016cb89b1f08372c9d21627acc4 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 8 Jan 2025 22:30:19 -0600 Subject: [PATCH 21/34] PR feedback --- lib/msgraph/models.go | 9 ----- lib/msgraph/paginated.go | 34 ++++--------------- .../fetchers/azure-sync/memberships.go | 11 +++--- .../fetchers/azure-sync/principals.go | 1 + .../fetchers/azure-sync/roledefinitions.go | 6 ++-- .../fetchers/azure-sync/virtualmachines.go | 2 +- 6 files changed, 17 insertions(+), 46 deletions(-) diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go index fc2d9a5fee1e1..f76d3deaab858 100644 --- a/lib/msgraph/models.go +++ b/lib/msgraph/models.go @@ -184,12 +184,3 @@ func decodeGroupMember(msg json.RawMessage) (GroupMember, error) { return member, trace.Wrap(err) } - -func decodeDirectoryObject(msg json.RawMessage) (*DirectoryObject, error) { - var d *DirectoryObject - err := json.Unmarshal(msg, &d) - if err != nil { - return nil, trace.Wrap(err) - } - return d, nil -} diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 8140dfd93c1f0..da44a4f442a1b 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -54,12 +54,7 @@ func iterateSimple[T any](c *Client, ctx context.Context, endpoint string, f fun func (c *Client) iterate(ctx context.Context, endpoint string, f func(json.RawMessage) bool) error { uri := *c.baseURL uri.Path = path.Join(uri.Path, endpoint) - rawQuery := url.Values{ - "$top": { - strconv.Itoa(c.pageSize), - }, - } - uri.RawQuery = rawQuery.Encode() + uri.RawQuery = url.Values{"$top": {strconv.Itoa(c.pageSize)}}.Encode() uriString := uri.String() for uriString != "" { resp, err := c.request(ctx, http.MethodGet, uriString, nil) @@ -114,27 +109,12 @@ func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal return iterateSimple(c, ctx, "servicePrincipals", f) } -func (c *Client) IterateUserMembership(ctx context.Context, userID string, f func(obj *DirectoryObject) bool) error { - var err error - itErr := c.iterate(ctx, path.Join("users", userID, "memberOf"), func(msg json.RawMessage) bool { - var page []json.RawMessage - if err = json.Unmarshal(msg, &page); err != nil { - return false - } - for _, entry := range page { - var d *DirectoryObject - err := json.Unmarshal(entry, &d) - if err != nil { - return false - } - f(d) - } - return true - }) - if err != nil { - return trace.Wrap(err) - } - return trace.Wrap(itErr) +// IterateUserMembership lists all group memberships for a given user ID as directory objects. +// `f` will be called for each directory object in the result set. +// if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). +// Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-memberof]. +func (c *Client) IterateUserMembership(ctx context.Context, userID string, f func(object *DirectoryObject) bool) error { + return iterateSimple(c, ctx, path.Join("users", userID, "memberOf"), f) } // IterateGroupMembers lists all members for the given Entra ID group using pagination. diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index ef022661e07fe..639bab5f4b0ad 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -2,18 +2,17 @@ package azuresync import ( "context" - accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" - "github.com/gravitational/teleport/lib/msgraph" + "github.com/gravitational/trace" "golang.org/x/sync/errgroup" + + accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" + "github.com/gravitational/teleport/lib/msgraph" ) const parallelism = 10 -func expandMemberships( - ctx context.Context, - cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal, -) ([]*accessgraphv1alpha.AzurePrincipal, error) { +func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // invoked in a dependent PR var eg errgroup.Group eg.SetLimit(parallelism) for _, principal := range principals { diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 217ce35ddfc99..27ad1c472c891 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -20,6 +20,7 @@ package azuresync import ( "context" + "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" diff --git a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go index 529d0f2070c9c..485117f898b81 100644 --- a/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go +++ b/lib/srv/discovery/fetchers/azure-sync/roledefinitions.go @@ -20,14 +20,14 @@ package azuresync import ( "context" - "fmt" //nolint:golint // used in a dependent PR - "github.com/gravitational/teleport/lib/utils/slices" + "fmt" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2" "github.com/gravitational/trace" "google.golang.org/protobuf/types/known/timestamppb" accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" + "github.com/gravitational/teleport/lib/utils/slices" ) // RoleDefinitionsClient specifies the methods used to fetch roles from Azure @@ -55,7 +55,7 @@ func fetchRoleDefinitions(ctx context.Context, subscriptionID string, cli RoleDe } pbPerms := make([]*accessgraphv1alpha.AzureRBACPermission, 0, len(roleDef.Properties.Permissions)) for _, perm := range roleDef.Properties.Permissions { - if perm.Actions == nil || perm.NotActions == nil { + if perm.Actions == nil && perm.NotActions == nil { fetchErrs = append(fetchErrs, trace.BadParameter("nil values on Permission object: %v", perm)) continue } diff --git a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go index 12658e6a9b009..25876037a54f0 100644 --- a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go +++ b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go @@ -28,7 +28,7 @@ import ( accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" ) -const allResourceGroups = "*" //nolint:unused // used in a dependent PR +const allResourceGroups = "*" // VirtualMachinesClient specifies the methods used to fetch virtual machines from Azure type VirtualMachinesClient interface { From 057255704f4522a6759eed99478baecadeed685f Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 8 Jan 2025 22:40:43 -0600 Subject: [PATCH 22/34] Rebase go.sum stuff --- go.mod | 3 ++- go.sum | 2 ++ integrations/event-handler/go.sum | 4 ++-- integrations/terraform/go.sum | 2 -- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 168e6f92a6c0c..5f6ea6c216c5c 100644 --- a/go.mod +++ b/go.mod @@ -242,6 +242,8 @@ require ( software.sslmate.com/src/go-pkcs12 v0.5.0 ) +require github.com/xanzy/go-gitlab v0.115.0 + require ( cel.dev/expr v0.19.1 // indirect cloud.google.com/go v0.117.0 // indirect @@ -519,7 +521,6 @@ require ( github.com/vbatts/tar-split v0.11.5 // indirect github.com/weppos/publicsuffix-go v0.30.3-0.20240510084413-5f1d03393b3d // indirect github.com/x448/float16 v0.8.4 // indirect - github.com/xanzy/go-gitlab v0.115.0 // indirect github.com/xdg-go/pbkdf2 v1.0.0 // indirect github.com/xdg-go/scram v1.1.2 // indirect github.com/xdg-go/stringprep v1.0.4 // indirect diff --git a/go.sum b/go.sum index 5665c4f7280c7..4363b60320fe7 100644 --- a/go.sum +++ b/go.sum @@ -668,6 +668,8 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLC github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q= diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum index 722ec657f427c..fbd5df9b4923f 100644 --- a/integrations/event-handler/go.sum +++ b/integrations/event-handler/go.sum @@ -633,8 +633,8 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xP github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 h1:zDeQI/PaWztI2tcrGO/9RIMey9NvqYbnyttf/0P3QWM= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk= +github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0/go.mod h1:HcZY0PHPo/7d75p99lB6lK0qYOP4vLRJUBpiehYXtLQ= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v6 v6.3.0 h1:4ZTvMq5AWtRIPM06RzdfKwKyVJ0eUOfm4QUBVDQFqQ4= diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum index 3a089467eaca8..d1d69898fab8c 100644 --- a/integrations/terraform/go.sum +++ b/integrations/terraform/go.sum @@ -646,8 +646,6 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xP github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0 h1:Hp+EScFOu9HeCbeW8WU2yQPJd4gGwhMgKxWe+G6jNzw= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2 v2.2.0/go.mod h1:/pz8dyNQe+Ey3yBp/XuYz7oqX8YDNWVpPB0hH3XWfbc= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0 h1:zDeQI/PaWztI2tcrGO/9RIMey9NvqYbnyttf/0P3QWM= -github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.1.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0 h1:JAebRMoc3vL+Nd97GBprHYHucO4+wlW+tNbBIumqJlk= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v6 v6.2.0/go.mod h1:zflC9v4VfViJrSvcvplqws/yGXVbUEMZi/iHpZdSPWA= github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/containerservice/armcontainerservice/v5 v5.0.0 h1:5n7dPVqsWfVKw+ZiEKSd3Kzu7gwBkbEBkeXb8rgaE9Q= From 4959c11acfb0e0834c62b7885ebc9388054e38da Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 8 Jan 2025 22:47:34 -0600 Subject: [PATCH 23/34] Go mod tidy --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 5f6ea6c216c5c..bfa0fd76ec889 100644 --- a/go.mod +++ b/go.mod @@ -242,7 +242,7 @@ require ( software.sslmate.com/src/go-pkcs12 v0.5.0 ) -require github.com/xanzy/go-gitlab v0.115.0 +require github.com/xanzy/go-gitlab v0.115.0 // indirect require ( cel.dev/expr v0.19.1 // indirect From 8ac788ceb5fefa35ea4aa178843ec9a62d893cde Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 8 Jan 2025 23:01:43 -0600 Subject: [PATCH 24/34] Linting --- lib/srv/discovery/fetchers/azure-sync/memberships.go | 2 +- lib/srv/discovery/fetchers/azure-sync/principals.go | 4 ++-- lib/srv/discovery/fetchers/azure-sync/virtualmachines.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index 639bab5f4b0ad..5d2d2efd329a6 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -10,7 +10,7 @@ import ( "github.com/gravitational/teleport/lib/msgraph" ) -const parallelism = 10 +const parallelism = 10 //nolint:unused // invoked in a dependent PR func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // invoked in a dependent PR var eg errgroup.Group diff --git a/lib/srv/discovery/fetchers/azure-sync/principals.go b/lib/srv/discovery/fetchers/azure-sync/principals.go index 27ad1c472c891..073d6c4713e0c 100644 --- a/lib/srv/discovery/fetchers/azure-sync/principals.go +++ b/lib/srv/discovery/fetchers/azure-sync/principals.go @@ -28,11 +28,11 @@ import ( "github.com/gravitational/teleport/lib/msgraph" ) -type dirObjMetadata struct { +type dirObjMetadata struct { //nolint:unused // invoked in a dependent PR objectType string } -type queryResult struct { +type queryResult struct { //nolint:unused // invoked in a dependent PR metadata dirObjMetadata dirObj msgraph.DirectoryObject } diff --git a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go index 25876037a54f0..cf0d068db7b0c 100644 --- a/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go +++ b/lib/srv/discovery/fetchers/azure-sync/virtualmachines.go @@ -28,7 +28,7 @@ import ( accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha" ) -const allResourceGroups = "*" +const allResourceGroups = "*" //nolint:unused // invoked in a dependent PR // VirtualMachinesClient specifies the methods used to fetch virtual machines from Azure type VirtualMachinesClient interface { From 194ae3ef2b1d667eac687466d380e1ddb44fce76 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Wed, 8 Jan 2025 23:12:40 -0600 Subject: [PATCH 25/34] Linting --- .../fetchers/azure-sync/memberships.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index 5d2d2efd329a6..7c8653f6655a8 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -1,3 +1,21 @@ +/* + * Teleport + * Copyright (C) 2025 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + package azuresync import ( From 1eacf074f6121b999f829b9e7a475c4ea6caa8fa Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Thu, 9 Jan 2025 00:08:35 -0600 Subject: [PATCH 26/34] Collecting errors from fetching memberships and using a WithContext error group --- .../discovery/fetchers/azure-sync/memberships.go | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index 7c8653f6655a8..9232e3d94fb47 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -31,8 +31,9 @@ import ( const parallelism = 10 //nolint:unused // invoked in a dependent PR func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // invoked in a dependent PR - var eg errgroup.Group + eg, _ := errgroup.WithContext(ctx) eg.SetLimit(parallelism) + errCh := make(chan error, len(principals)) for _, principal := range principals { eg.Go(func() error { err := cli.IterateUserMembership(ctx, principal.Id, func(obj *msgraph.DirectoryObject) bool { @@ -40,10 +41,18 @@ func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*a return true }) if err != nil { - return trace.Wrap(err) + errCh <- err } return nil }) } - return principals, eg.Wait() + _ = eg.Wait() + var errs []error + for chErr := range errCh { + errs = append(errs, chErr) + } + if len(errs) > 0 { + return nil, trace.NewAggregate(errs...) + } + return principals, nil } From 4cf25c4d57a113ede43e14ed588970b0fe1ea936 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Thu, 9 Jan 2025 10:36:27 -0600 Subject: [PATCH 27/34] Fixing go.mod --- go.mod | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/go.mod b/go.mod index bfa0fd76ec889..168e6f92a6c0c 100644 --- a/go.mod +++ b/go.mod @@ -242,8 +242,6 @@ require ( software.sslmate.com/src/go-pkcs12 v0.5.0 ) -require github.com/xanzy/go-gitlab v0.115.0 // indirect - require ( cel.dev/expr v0.19.1 // indirect cloud.google.com/go v0.117.0 // indirect @@ -521,6 +519,7 @@ require ( github.com/vbatts/tar-split v0.11.5 // indirect github.com/weppos/publicsuffix-go v0.30.3-0.20240510084413-5f1d03393b3d // indirect github.com/x448/float16 v0.8.4 // indirect + github.com/xanzy/go-gitlab v0.115.0 // indirect github.com/xdg-go/pbkdf2 v1.0.0 // indirect github.com/xdg-go/scram v1.1.2 // indirect github.com/xdg-go/stringprep v1.0.4 // indirect From ae6bba68915eb7a4c4065cc4b871b89da098c086 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 10 Jan 2025 10:00:39 -0600 Subject: [PATCH 28/34] Update lib/msgraph/paginated.go Co-authored-by: Tiago Silva --- lib/msgraph/paginated.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index da44a4f442a1b..0321b8a326d9c 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -109,11 +109,11 @@ func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal return iterateSimple(c, ctx, "servicePrincipals", f) } -// IterateUserMembership lists all group memberships for a given user ID as directory objects. +// IterateUserMemberships lists all group memberships for a given user ID as directory objects. // `f` will be called for each directory object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). // Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-memberof]. -func (c *Client) IterateUserMembership(ctx context.Context, userID string, f func(object *DirectoryObject) bool) error { +func (c *Client) IterateUserMemberships(ctx context.Context, userID string, f func(object *DirectoryObject) bool) error { return iterateSimple(c, ctx, path.Join("users", userID, "memberOf"), f) } From aafeb058d2b546cce3cc8f0170ada65e3de154d6 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 10 Jan 2025 10:11:21 -0600 Subject: [PATCH 29/34] PR feedback --- lib/msgraph/models.go | 5 ----- lib/srv/discovery/fetchers/azure-sync/memberships.go | 11 +++-------- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go index f76d3deaab858..52c3e97cfec7b 100644 --- a/lib/msgraph/models.go +++ b/lib/msgraph/models.go @@ -28,11 +28,6 @@ type GroupMember interface { isGroupMember() } -type Membership struct { - Type string `json:"@odata.type"` - ID string `json:"id"` -} - type DirectoryObject struct { ID *string `json:"id,omitempty"` DisplayName *string `json:"displayName,omitempty"` diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index 9232e3d94fb47..e583577f9c421 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -30,6 +30,7 @@ import ( const parallelism = 10 //nolint:unused // invoked in a dependent PR +// expandMemberships adds membership data to AzurePrincipal objects by querying the Graph API for group memberships func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // invoked in a dependent PR eg, _ := errgroup.WithContext(ctx) eg.SetLimit(parallelism) @@ -47,12 +48,6 @@ func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*a }) } _ = eg.Wait() - var errs []error - for chErr := range errCh { - errs = append(errs, chErr) - } - if len(errs) > 0 { - return nil, trace.NewAggregate(errs...) - } - return principals, nil + close(errCh) + return principals, trace.NewAggregateFromChannel(errCh, ctx) } From 8b3cd5dd0d7530e4e09a9902bab308ef4c1329ff Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 10 Jan 2025 10:22:11 -0600 Subject: [PATCH 30/34] e ref update --- e | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e b/e index 498f643ea9033..b486de24a443a 160000 --- a/e +++ b/e @@ -1 +1 @@ -Subproject commit 498f643ea9033b1235359d83c310caadb18305d2 +Subproject commit b486de24a443a9f8eb3e349009af14d11814ff5c From c2319c67acd530ce040ff16fdfdd27ccb3da7b56 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 10 Jan 2025 11:08:03 -0600 Subject: [PATCH 31/34] e ref update --- e | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e b/e index b486de24a443a..498f643ea9033 160000 --- a/e +++ b/e @@ -1 +1 @@ -Subproject commit b486de24a443a9f8eb3e349009af14d11814ff5c +Subproject commit 498f643ea9033b1235359d83c310caadb18305d2 From acf14153515aaf16431220453aa8d89ec3c1dd4b Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Fri, 10 Jan 2025 11:15:23 -0600 Subject: [PATCH 32/34] Fixing method --- lib/srv/discovery/fetchers/azure-sync/memberships.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index e583577f9c421..d0e645d6de553 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -37,7 +37,7 @@ func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*a errCh := make(chan error, len(principals)) for _, principal := range principals { eg.Go(func() error { - err := cli.IterateUserMembership(ctx, principal.Id, func(obj *msgraph.DirectoryObject) bool { + err := cli.IterateUserMemberships(ctx, principal.Id, func(obj *msgraph.DirectoryObject) bool { principal.MemberOf = append(principal.MemberOf, *obj.ID) return true }) From 3c90b4dcc7a25a72e76fc797d4c22bf7d0bc9c27 Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Sat, 11 Jan 2025 17:39:25 -0600 Subject: [PATCH 33/34] Fetching group members from groups rather than memberships of each principal --- lib/msgraph/paginated.go | 8 -------- .../fetchers/azure-sync/memberships.go | 19 ++++++++++++++++--- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/lib/msgraph/paginated.go b/lib/msgraph/paginated.go index 0321b8a326d9c..a0b9488af9d70 100644 --- a/lib/msgraph/paginated.go +++ b/lib/msgraph/paginated.go @@ -109,14 +109,6 @@ func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal return iterateSimple(c, ctx, "servicePrincipals", f) } -// IterateUserMemberships lists all group memberships for a given user ID as directory objects. -// `f` will be called for each directory object in the result set. -// if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). -// Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-memberof]. -func (c *Client) IterateUserMemberships(ctx context.Context, userID string, f func(object *DirectoryObject) bool) error { - return iterateSimple(c, ctx, path.Join("users", userID, "memberOf"), f) -} - // IterateGroupMembers lists all members for the given Entra ID group using pagination. // `f` will be called for each object in the result set. // if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop). diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index d0e645d6de553..ffd32e899501a 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -20,7 +20,6 @@ package azuresync import ( "context" - "github.com/gravitational/trace" "golang.org/x/sync/errgroup" @@ -28,17 +27,31 @@ import ( "github.com/gravitational/teleport/lib/msgraph" ) +const groupType = "group" + const parallelism = 10 //nolint:unused // invoked in a dependent PR // expandMemberships adds membership data to AzurePrincipal objects by querying the Graph API for group memberships func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // invoked in a dependent PR + // Map principals by ID + var principalsMap = make(map[string]*accessgraphv1alpha.AzurePrincipal) + for _, principal := range principals { + principalsMap[principal.Id] = principal + } + // Iterate through the Azure groups and add the group ID as a membership for its corresponding principal eg, _ := errgroup.WithContext(ctx) eg.SetLimit(parallelism) errCh := make(chan error, len(principals)) for _, principal := range principals { + if principal.ObjectType != "group" { + continue + } + group := principal eg.Go(func() error { - err := cli.IterateUserMemberships(ctx, principal.Id, func(obj *msgraph.DirectoryObject) bool { - principal.MemberOf = append(principal.MemberOf, *obj.ID) + err := cli.IterateGroupMembers(ctx, group.Id, func(member msgraph.GroupMember) bool { + if memberPrincipal, ok := principalsMap[*member.GetID()]; ok { + memberPrincipal.MemberOf = append(memberPrincipal.MemberOf, group.Id) + } return true }) if err != nil { From c7cd6830a93ffee8ef7b17d682765196d6fb4b8c Mon Sep 17 00:00:00 2001 From: Matt Brock Date: Sat, 11 Jan 2025 17:41:24 -0600 Subject: [PATCH 34/34] Linting --- lib/srv/discovery/fetchers/azure-sync/memberships.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/srv/discovery/fetchers/azure-sync/memberships.go b/lib/srv/discovery/fetchers/azure-sync/memberships.go index ffd32e899501a..f05be8f72567c 100644 --- a/lib/srv/discovery/fetchers/azure-sync/memberships.go +++ b/lib/srv/discovery/fetchers/azure-sync/memberships.go @@ -20,6 +20,7 @@ package azuresync import ( "context" + "github.com/gravitational/trace" "golang.org/x/sync/errgroup" @@ -27,8 +28,6 @@ import ( "github.com/gravitational/teleport/lib/msgraph" ) -const groupType = "group" - const parallelism = 10 //nolint:unused // invoked in a dependent PR // expandMemberships adds membership data to AzurePrincipal objects by querying the Graph API for group memberships