Introduce Lock resource (gravitational#7430)

ardeche07 · Jul 7, 2021 · 7c630ec · 7c630ec
1 parent f86068e
commit 7c630ec
Show file tree

Hide file tree

Showing 35 changed files with 4,426 additions and 1,141 deletions.
diff --git a/api/client/client.go b/api/client/client.go
@@ -1531,3 +1531,58 @@ func (c *Client) SetClusterAuditConfig(ctx context.Context, auditConfig types.Cl
 func (c *Client) DeleteClusterAuditConfig(ctx context.Context) error {
 	return trace.NotImplemented(notImplementedMessage)
 }
+
+// GetLock gets a lock by name.
+func (c *Client) GetLock(ctx context.Context, name string) (types.Lock, error) {
+	if name == "" {
+		return nil, trace.BadParameter("missing lock name")
+	}
+	resp, err := c.grpc.GetLock(ctx, &proto.GetLockRequest{Name: name}, c.callOpts...)
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+	return resp, nil
+}
+
+// GetLocks gets all locks, matching at least one of the targets when specified.
+func (c *Client) GetLocks(ctx context.Context, targets ...types.LockTarget) ([]types.Lock, error) {
+	targetPtrs := make([]*types.LockTarget, len(targets))
+	for i := range targets {
+		targetPtrs[i] = &targets[i]
+	}
+	resp, err := c.grpc.GetLocks(ctx, &proto.GetLocksRequest{
+		Targets: targetPtrs,
+	})
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+	locks := make([]types.Lock, 0, len(resp.Locks))
+	for _, lock := range resp.Locks {
+		locks = append(locks, lock)
+	}
+	return locks, nil
+}
+
+// UpsertLock upserts a lock.
+func (c *Client) UpsertLock(ctx context.Context, lock types.Lock) error {
+	lockV2, ok := lock.(*types.LockV2)
+	if !ok {
+		return trace.BadParameter("invalid type %T", lock)
+	}
+	_, err := c.grpc.UpsertLock(ctx, lockV2, c.callOpts...)
+	return trail.FromGRPC(err)
+}
+
+// DeleteLock deletes a lock.
+func (c *Client) DeleteLock(ctx context.Context, name string) error {
+	if name == "" {
+		return trace.BadParameter("missing lock name")
+	}
+	_, err := c.grpc.DeleteLock(ctx, &proto.DeleteLockRequest{Name: name}, c.callOpts...)
+	return trail.FromGRPC(err)
+}
+
+// DeleteAllLocks not implemented: can only be called locally.
+func (c *Client) DeleteAllLocks(context.Context) error {
+	return trace.NotImplemented(notImplementedMessage)
+}
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/client/proto/authservice.proto b/api/client/proto/authservice.proto
@@ -87,6 +87,8 @@ message Event {
         // ClusterAuditConfig is a resource for cluster audit configuration.
         types.ClusterAuditConfigV2 ClusterAuditConfig = 23
             [ (gogoproto.jsontag) = "cluster_audit_config,omitempty" ];
+        // Lock is a lock resource.
+        types.LockV2 Lock = 24 [ (gogoproto.jsontag) = "lock,omitempty" ];
     }
 }
 
@@ -885,6 +887,27 @@ message ListNodesResponse {
     string NextKey = 2;
 }
 
+message GetLocksRequest {
+    // Targets is a list of targets. Every returned lock must match at least
+    // one of the targets.
+    repeated types.LockTarget Targets = 1;
+}
+
+message GetLocksResponse {
+    // Locks is a list of locks.
+    repeated types.LockV2 Locks = 1;
+}
+
+message GetLockRequest {
+    // Name is the name of the lock to get.
+    string Name = 1;
+}
+
+message DeleteLockRequest {
+    // Name is the name of the lock to delete.
+    string Name = 1;
+}
+
 // AuthService is authentication/authorization service implementation
 service AuthService {
     // SendKeepAlives allows node to send a stream of keep alive requests
@@ -1153,4 +1176,13 @@ service AuthService {
     rpc GetEvents(GetEventsRequest) returns (Events);
     // In-session request for audit events.
     rpc GetSessionEvents(GetSessionEventsRequest) returns (Events);
+
+    // GetLock gets a lock by name.
+    rpc GetLock(GetLockRequest) returns (types.LockV2);
+    // GetLocks gets all locks, matching at least one of the targets when specified.
+    rpc GetLocks(GetLocksRequest) returns (GetLocksResponse);
+    // UpsertLock upserts a lock.
+    rpc UpsertLock(types.LockV2) returns (google.protobuf.Empty);
+    // DeleteLock deletes a lock.
+    rpc DeleteLock(DeleteLockRequest) returns (google.protobuf.Empty);
 }
diff --git a/api/client/streamwatcher.go b/api/client/streamwatcher.go
@@ -178,6 +178,9 @@ func eventFromGRPC(in proto.Event) (*types.Event, error) {
 	} else if r := in.GetAuthPreference(); r != nil {
 		out.Resource = r
 		return &out, nil
+	} else if r := in.GetLock(); r != nil {
+		out.Resource = r
+		return &out, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
 	}

diff --git a/api/types/constants.go b/api/types/constants.go
@@ -218,6 +218,9 @@ const (
 	// KindBilling represents access to cloud billing features
 	KindBilling = "billing"
 
+	// KindLock is a lock resource.
+	KindLock = "lock"
+
 	// V4 is the fourth version of resources.
 	V4 = "v4"
 

diff --git a/api/types/events.go b/api/types/events.go
@@ -137,6 +137,12 @@ func (kind WatchKind) Matches(e Event) (bool, error) {
 				return false, trace.Wrap(err)
 			}
 			return filter.Match(res), nil
+		case Lock:
+			var target LockTarget
+			if err := target.FromMap(kind.Filter); err != nil {
+				return false, trace.Wrap(err)
+			}
+			return target.Match(res)
 		default:
 			return false, trace.BadParameter("unfilterable resource type %T", e.Resource)
 		}

diff --git a/api/types/lock.go b/api/types/lock.go
@@ -0,0 +1,219 @@
+/*
+Copyright 2021 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package types
+
+import (
+	"time"
+
+	"github.com/gravitational/teleport/api/utils"
+
+	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
+)
+
+// Lock configures locking out of a particular access vector.
+type Lock interface {
+	Resource
+
+	// Target returns the lock's target.
+	Target() LockTarget
+	// SetTarget sets the lock's target.
+	SetTarget(LockTarget)
+
+	// Message returns the message displayed to locked-out users.
+	Message() string
+	// SetMessage sets the lock's user message.
+	SetMessage(string)
+
+	// LockExpiry returns when the lock ceases to be in force.
+	LockExpiry() *time.Time
+	// SetLockExpiry sets the lock's expiry.
+	SetLockExpiry(*time.Time)
+
+	// IsInForce returns whether the lock is in force.
+	IsInForce(clockwork.Clock) bool
+}
+
+// NewLock is a convenience method to create a Lock resource.
+func NewLock(name string, spec LockSpecV2) (Lock, error) {
+	lock := &LockV2{
+		Metadata: Metadata{
+			Name: name,
+		},
+		Spec: spec,
+	}
+	if err := lock.CheckAndSetDefaults(); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return lock, nil
+}
+
+// GetVersion returns resource version.
+func (c *LockV2) GetVersion() string {
+	return c.Version
+}
+
+// GetName returns the name of the resource.
+func (c *LockV2) GetName() string {
+	return c.Metadata.Name
+}
+
+// SetName sets the name of the resource.
+func (c *LockV2) SetName(e string) {
+	c.Metadata.Name = e
+}
+
+// SetExpiry sets expiry time for the object.
+func (c *LockV2) SetExpiry(expires time.Time) {
+	c.Metadata.SetExpiry(expires)
+}
+
+// Expiry returns object expiry setting.
+func (c *LockV2) Expiry() time.Time {
+	return c.Metadata.Expiry()
+}
+
+// GetMetadata returns object metadata.
+func (c *LockV2) GetMetadata() Metadata {
+	return c.Metadata
+}
+
+// GetResourceID returns resource ID.
+func (c *LockV2) GetResourceID() int64 {
+	return c.Metadata.ID
+}
+
+// SetResourceID sets resource ID.
+func (c *LockV2) SetResourceID(id int64) {
+	c.Metadata.ID = id
+}
+
+// GetKind returns resource kind.
+func (c *LockV2) GetKind() string {
+	return c.Kind
+}
+
+// GetSubKind returns resource subkind.
+func (c *LockV2) GetSubKind() string {
+	return c.SubKind
+}
+
+// SetSubKind sets resource subkind.
+func (c *LockV2) SetSubKind(sk string) {
+	c.SubKind = sk
+}
+
+// Target returns the lock's target.
+func (c *LockV2) Target() LockTarget {
+	return c.Spec.Target
+}
+
+// SetTarget sets the lock's target.
+func (c *LockV2) SetTarget(target LockTarget) {
+	c.Spec.Target = target
+}
+
+// Message returns the message displayed to locked-out users.
+func (c *LockV2) Message() string {
+	return c.Spec.Message
+}
+
+// SetMessage sets the lock's user message.
+func (c *LockV2) SetMessage(message string) {
+	c.Spec.Message = message
+}
+
+// LockExpiry returns when the lock ceases to be in force.
+func (c *LockV2) LockExpiry() *time.Time {
+	return c.Spec.Expires
+}
+
+// SetLockExpiry sets the lock's expiry.
+func (c *LockV2) SetLockExpiry(expiry *time.Time) {
+	c.Spec.Expires = expiry
+}
+
+// IsInForce returns whether the lock is in force.
+func (c *LockV2) IsInForce(clock clockwork.Clock) bool {
+	if c.Spec.Expires == nil {
+		return true
+	}
+	return clock.Now().Before(*c.Spec.Expires)
+}
+
+// setStaticFields sets static resource header and metadata fields.
+func (c *LockV2) setStaticFields() {
+	c.Kind = KindLock
+	c.Version = V2
+}
+
+// CheckAndSetDefaults verifies the constraints for Lock.
+func (c *LockV2) CheckAndSetDefaults() error {
+	c.setStaticFields()
+	err := c.Metadata.CheckAndSetDefaults()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	return trace.Wrap(c.Spec.Target.Check())
+}
+
+// Check verifies the target's constraints.
+func (t LockTarget) Check() error {
+	targetMap, err := t.IntoMap()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	for _, val := range targetMap {
+		if val != "" {
+			return nil
+		}
+	}
+	return trace.BadParameter("at least one target field must be set")
+}
+
+// IntoMap returns the target attributes in the form of a map.
+func (t LockTarget) IntoMap() (map[string]string, error) {
+	m := map[string]string{}
+	if err := utils.ObjectToStruct(t, &m); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return m, nil
+}
+
+// FromMap copies values from a map into this LockTarget.
+func (t *LockTarget) FromMap(m map[string]string) error {
+	return trace.Wrap(utils.ObjectToStruct(m, t))
+}
+
+// Match returns true if the lock's target is matched by this target.
+func (t LockTarget) Match(lock Lock) (bool, error) {
+	targetMap, err := t.IntoMap()
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	lockTargetMap, err := lock.Target().IntoMap()
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	for key := range targetMap {
+		if targetMap[key] != "" && targetMap[key] != lockTargetMap[key] {
+			return false, nil
+		}
+	}
+	return true, nil
+}