From bca21fb751dcfd8faf497a96630503e41239acdc Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Wed, 10 Jul 2024 19:34:31 +0100 Subject: [PATCH 1/2] [sec_scan][14] create `AccessGraphSettings` on first auth init This PR adds a init script that sets `AccessGraphSettings` into Teleport backend when auth first inits and there is no `AccessGraphSettings`. This PR is part of https://github.com/gravitational/access-graph/issues/637. Signed-off-by: Tiago Silva --- lib/auth/init.go | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/lib/auth/init.go b/lib/auth/init.go index bc4e05f7ba43d..09fd6ff22d62e 100644 --- a/lib/auth/init.go +++ b/lib/auth/init.go @@ -43,9 +43,11 @@ import ( "github.com/gravitational/teleport" "github.com/gravitational/teleport/api/client/proto" apidefaults "github.com/gravitational/teleport/api/defaults" + clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1" dbobjectimportrulev1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobjectimportrule/v1" machineidv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1" "github.com/gravitational/teleport/api/types" + "github.com/gravitational/teleport/api/types/clusterconfig" apievents "github.com/gravitational/teleport/api/types/events" "github.com/gravitational/teleport/lib" "github.com/gravitational/teleport/lib/auth/dbobjectimportrule/dbobjectimportrulev1" @@ -437,6 +439,12 @@ func initCluster(ctx context.Context, cfg InitConfig, asrv *Server) error { return trace.Wrap(initializeSessionRecordingConfig(ctx, asrv, cfg.SessionRecordingConfig)) }) + g.Go(func() error { + ctx, span := cfg.Tracer.Start(gctx, "auth/InitializeAccessGraphSettings") + defer span.End() + return trace.Wrap(initializeAccessGraphSettings(ctx, asrv)) + }) + g.Go(func() error { ctx, span := cfg.Tracer.Start(gctx, "auth/initializeAuthPreference") defer span.End() 
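Review bot: The span name `"auth/InitializeAccessGraphSettings"` in the added `g.Go` closure breaks the convention used by its neighbours (`"auth/initializeAuthPreference"`, and the other init spans in this function), which name the span after the lower-case function they wrap; anyone filtering traces by function name will miss this one. Suggest `ctx, span := cfg.Tracer.Start(gctx, "auth/initializeAccessGraphSettings")` so the span matches the `initializeAccessGraphSettings` call on the next line. The rest of the closure is consistent with the siblings (uses `gctx` from the errgroup and wraps the returned error). initCluster starts and ends outside this hunk.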
@@ -860,6 +868,36 @@ func initializeSessionRecordingConfig(ctx context.Context, asrv *Server, newRecC return trace.LimitExceeded("failed to initialize session recording config in %v iterations", iterationLimit) } +func initializeAccessGraphSettings(ctx context.Context, asrv *Server) error { + const iterationLimit = 3 + for i := 0; i < iterationLimit; i++ { + stored, err := asrv.Services.GetAccessGraphSettings(ctx) + if err != nil && !trace.IsNotFound(err) { + return trace.Wrap(err) + } + + if stored != nil { + return nil + } + stored, err = clusterconfig.NewAccessGraphSettings(&clusterconfigpb.AccessGraphSettingsSpec{ + SecretsScanConfig: clusterconfigpb.AccessGraphSecretsScanConfig_ACCESS_GRAPH_SECRETS_SCAN_CONFIG_DISABLED, + }) + if err != nil { + return trace.Wrap(err) + } + log.Infof("Creating access graph settings: %v.", stored) + _, err = asrv.CreateAccessGraphSettings(ctx, stored) + if trace.IsAlreadyExists(err) { + continue + } + + return trace.Wrap(err) + + } + + return trace.LimitExceeded("failed to initialize access graph settings in %v iterations", iterationLimit) +} + // shouldInitReplaceResourceWithOrigin determines whether the candidate // resource should be used to replace the stored resource during auth server // initialization. Dynamically configured resources must not be overwritten From d6c55100344f67f595c7d6d09e50131a387bb6b9 Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Fri, 19 Jul 2024 12:27:50 +0100 Subject: [PATCH 2/2] remove iterations --- lib/auth/init.go | 39 +++++++++++++++++---------------------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/lib/auth/init.go b/lib/auth/init.go index 09fd6ff22d62e..02e598816eb47 100644 --- a/lib/auth/init.go +++ b/lib/auth/init.go 
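Review bot: The new `initializeAccessGraphSettings` has no doc comment, unlike `shouldInitReplaceResourceWithOrigin` directly below it, and the behaviour most worth stating is the security default it establishes: the resource is only ever seeded when the backend has none, and the seed sets secrets scanning to DISABLED, so the feature is opt-in and a stored resource is never overwritten by auth restarts. Suggest adding above the func: `// initializeAccessGraphSettings seeds a default AccessGraphSettings (secrets scanning disabled) when the backend has none. An existing resource, including one created concurrently by another auth instance (AlreadyExists), is left untouched so stored settings are never reverted on restart.` The `log.Infof` at line `log.Infof("Creating access graph settings: %v.", stored)` is issued before the create is attempted, so on the AlreadyExists path it records a creation that did not happen; a second PR on this page reworks the loop but keeps that ordering.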
@@ -869,33 +869,28 @@ func initializeSessionRecordingConfig(ctx context.Context, asrv *Server, newRecC } func initializeAccessGraphSettings(ctx context.Context, asrv *Server) error { - const iterationLimit = 3 - for i := 0; i < iterationLimit; i++ { - stored, err := asrv.Services.GetAccessGraphSettings(ctx) - if err != nil && !trace.IsNotFound(err) { - return trace.Wrap(err) - } - - if stored != nil { - return nil - } - stored, err = clusterconfig.NewAccessGraphSettings(&clusterconfigpb.AccessGraphSettingsSpec{ - SecretsScanConfig: clusterconfigpb.AccessGraphSecretsScanConfig_ACCESS_GRAPH_SECRETS_SCAN_CONFIG_DISABLED, - }) - if err != nil { - return trace.Wrap(err) - } - log.Infof("Creating access graph settings: %v.", stored) - _, err = asrv.CreateAccessGraphSettings(ctx, stored) - if trace.IsAlreadyExists(err) { - continue - } + stored, err := asrv.Services.GetAccessGraphSettings(ctx) + if err != nil && !trace.IsNotFound(err) { + return trace.Wrap(err) + } + if stored != nil { + return nil + } + stored, err = clusterconfig.NewAccessGraphSettings(&clusterconfigpb.AccessGraphSettingsSpec{ + SecretsScanConfig: clusterconfigpb.AccessGraphSecretsScanConfig_ACCESS_GRAPH_SECRETS_SCAN_CONFIG_DISABLED, + }) + if err != nil { return trace.Wrap(err) + } + log.Infof("Creating access graph settings: %v.", stored) + _, err = asrv.CreateAccessGraphSettings(ctx, stored) + if trace.IsAlreadyExists(err) { + return nil } - return trace.LimitExceeded("failed to initialize access graph settings in %v iterations", iterationLimit) + return trace.Wrap(err) } // shouldInitReplaceResourceWithOrigin determines whether the candidate
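Review bot: `log.Infof("Creating access graph settings: %v.", stored)` is emitted before `CreateAccessGraphSettings` runs, so on the AlreadyExists path, which this commit now turns into a silent `return nil`, the log claims a creation that never happened, and `%v` prints the whole resource rather than the one value an operator cares about. Suggest a wording that is truthful on both paths and names the default being applied, e.g. `log.Infof("No access graph settings found, creating default with secrets scanning %s.", stored.GetSpec().GetSecretsScanConfig())`, assuming the generated proto getters follow the usual `GetSpec()` naming. Separately, the read goes through `asrv.Services.GetAccessGraphSettings` while the write goes through the `asrv.CreateAccessGraphSettings` wrapper; if that wrapper emits an audit event or updates a cache, every fresh cluster init will do so, which looks intended but deserves a one-line comment so a later reader does not "fix" the asymmetry. Dropping the retry loop is otherwise sound: a concurrent auth instance winning the create is the only reason for AlreadyExists here, and that outcome needs no second attempt.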