[Backport v6] Add Roles V4

CHANGELOG.md

@@ -5,6 +5,7 @@
 This release of Teleport contains multiple improvements.
 
 * Added support for `regexp.replace(variable, expression, replacement)` in role templates.
+* Added V4 roles with stricter default allow labels. V4 roles are backward-compatible with V3 roles, and are completely opt-in.
 
 ## 6.2.3
 

api/client/client.go

@@ -30,6 +30,7 @@ import (
 	"github.com/gravitational/teleport/api/client/webclient"
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/defaults"
+	"github.com/gravitational/teleport/api/metadata"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/utils"
@@ -278,6 +279,8 @@ func (c *Client) dialGRPC(ctx context.Context, addr string) error {
 		c.c.DialOpts,
 		grpc.WithContextDialer(c.grpcDialer()),
 		grpc.WithTransportCredentials(credentials.NewTLS(c.tlsConfig)),
+		grpc.WithUnaryInterceptor(metadata.UnaryClientInterceptor),
+		grpc.WithStreamInterceptor(metadata.StreamClientInterceptor),
 	)
 
 	var err error
@@ -935,11 +938,11 @@ func (c *Client) GetRoles(ctx context.Context) ([]types.Role, error) {
 
 // UpsertRole creates or updates role
 func (c *Client) UpsertRole(ctx context.Context, role types.Role) error {
-	roleV3, ok := role.(*types.RoleV3)
+	roleV4, ok := role.(*types.RoleV4)
 	if !ok {
 		return trace.BadParameter("invalid type %T", role)
 	}
-	_, err := c.grpc.UpsertRole(ctx, roleV3, c.callOpts...)
+	_, err := c.grpc.UpsertRole(ctx, roleV4, c.callOpts...)
 	return trail.FromGRPC(err)
 }
 

api/client/doc_test.go

@@ -34,7 +34,7 @@ func ExampleClient_roleCRUD() {
 	defer clt.Close()
 
 	// Resource Spec structs reflect their Resource's yaml definition.
-	roleSpec := types.RoleSpecV3{
+	roleSpec := types.RoleSpecV4{
 		Options: types.RoleOptions{
 			MaxSessionTTL: types.Duration(time.Hour),
 		},

api/client/proto/authservice.proto

@@ -49,7 +49,7 @@ message Event {
         // User is a user resource
         types.UserV2 User = 8 [ (gogoproto.jsontag) = "user,omitempty" ];
         // Role is a role resource
-        types.RoleV3 Role = 9 [ (gogoproto.jsontag) = "role,omitempty" ];
+        types.RoleV4 Role = 9 [ (gogoproto.jsontag) = "role,omitempty" ];
         // Namespace is a namespace resource
         types.Namespace Namespace = 10 [ (gogoproto.jsontag) = "namespace,omitempty" ];
         // Server is a node or proxy resource
@@ -582,7 +582,7 @@ message GetRoleRequest {
 // GetRolesResponse is a response to querying for all roles.
 message GetRolesResponse {
     // Roles is a list of roles.
-    repeated types.RoleV3 Roles = 1;
+    repeated types.RoleV4 Roles = 1;
 }
 
 // DeleteRoleRequest is a request to delete a role.
@@ -1009,11 +1009,11 @@ service AuthService {
     rpc GenerateDatabaseCert(DatabaseCertRequest) returns (DatabaseCertResponse);
 
     // GetRole retrieves a role described by the given request.
-    rpc GetRole(GetRoleRequest) returns (types.RoleV3);
+    rpc GetRole(GetRoleRequest) returns (types.RoleV4);
     // GetRole retrieves all roles.
     rpc GetRoles(google.protobuf.Empty) returns (GetRolesResponse);
     // UpsertRole upserts a role in a backend.
-    rpc UpsertRole(types.RoleV3) returns (google.protobuf.Empty);
+    rpc UpsertRole(types.RoleV4) returns (google.protobuf.Empty);
     // DeleteRole deletes an existing role in a backend described by the given request.
     rpc DeleteRole(DeleteRoleRequest) returns (google.protobuf.Empty);
 

api/constants/constants.go

@@ -156,3 +156,8 @@ const (
 	// stored in a profile (./tsh/keys/profilename/username.pub).
 	FileExtPub = ".pub"
 )
+
+const (
+	// TODO(Joerger): change this to generated value
+	Version = "6.3.0-dev"
+)

api/metadata/metadata.go

@@ -0,0 +1,86 @@
+/*
+Copyright 2021 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metadata
+
+import (
+	"context"
+
+	"github.com/gravitational/teleport/api/constants"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+)
+
+const (
+	VersionKey = "version"
+)
+
+// defaultMetadata returns the default metadata which will be added to all outgoing calls.
+func defaultMetadata() map[string]string {
+	return map[string]string{
+		VersionKey: constants.Version,
+	}
+}
+
+// AddMetadataToContext returns a new context copied from ctx with the given
+// raw metadata added. Metadata already set on the given context for any key
+// will not be overridden, but new key/value pairs will always be added.
+func AddMetadataToContext(ctx context.Context, raw map[string]string) context.Context {
+	md := metadata.New(raw)
+	if existingMd, ok := metadata.FromOutgoingContext(ctx); ok {
+		for key, vals := range existingMd {
+			md.Set(key, vals...)
+		}
+	}
+	return metadata.NewOutgoingContext(ctx, md)
+}
+
+// DisableInterceptors can be set on the client context with context.WithValue(ctx, DisableInterceptors{}, struct{}{})
+// to stop the client interceptors from adding any metadata to the context (useful for testing).
+type DisableInterceptors struct{}
+
+// StreamClientInterceptor intercepts a GRPC client stream call and adds
+// default metadata to the context.
+func StreamClientInterceptor(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error) {
+	if disable := ctx.Value(DisableInterceptors{}); disable == nil {
+		ctx = AddMetadataToContext(ctx, defaultMetadata())
+	}
+	return streamer(ctx, desc, cc, method, opts...)
+}
+
+// UnaryClientInterceptor intercepts a GRPC client unary call and adds default
+// metadata to the context.
+func UnaryClientInterceptor(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
+	if disable := ctx.Value(DisableInterceptors{}); disable == nil {
+		ctx = AddMetadataToContext(ctx, defaultMetadata())
+	}
+	return invoker(ctx, method, req, reply, cc, opts...)
+}
+
+// ClientVersionFromContext can be called from a GRPC server method to return
+// the client version that was added to the GRPC metadata by
+// StreamClientInterceptor or UnaryClientInterceptor on the client.
+func ClientVersionFromContext(ctx context.Context) (string, bool) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return "", false
+	}
+	versionList := md.Get(VersionKey)
+	if len(versionList) != 1 {
+		return "", false
+	}
+	return versionList[0], true
+}

api/types/constants.go

@@ -197,6 +197,9 @@ const (
 	// KindBilling represents access to cloud billing features
 	KindBilling = "billing"
 
+	// V4 is the fourth version of resources.
+	V4 = "v4"
+
 	// V3 is the third version of resources.
 	V3 = "v3"