

Add Query field to CrownJewel specifications (#44981)
Introduced a Query field to the CrownJewelSpec to facilitate Access Graph queries. Updated corresponding protobuf definitions, validation logic, and tests to support the new field.
jakule authored Aug 3, 2024
1 parent 6c1b9f9 commit facba1d
Showing 5 changed files with 61 additions and 31 deletions.
72 changes: 42 additions & 30 deletions api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go


4 changes: 4 additions & 0 deletions api/proto/teleport/crownjewel/v1/crownjewel.proto
Expand Up @@ -42,9 +42,13 @@ message CrownJewel {
// CrownJewelSpec is the specification of a Crown Jewel.
message CrownJewelSpec {
// TeleportMatchers is a list of teleport matchers.
// DEPRECATED: Use query instead.
repeated TeleportMatcher teleport_matchers = 1;
// AWSMatchers is a list of AWS matchers.
// DEPRECATED: Use query instead.
repeated AWSMatcher aws_matchers = 2;
// Query is a Access Graph query to match resources.
string query = 3;
}

// TeleportMatcher represents a matcher for Teleport resources.
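Review bot: The deprecation of teleport_matchers and aws_matchers lives only in comments, so generated code and linters will not surface it to callers that keep using the fields; mark them with the field option, e.g. `repeated TeleportMatcher teleport_matchers = 1 [deprecated = true];` and the same for `aws_matchers = 2`. The comment on `query` also says nothing about a spec that sets both a query and matchers, which the validation changed in lib/auth/crownjewel/object.go by this commit accepts, so the doc comment should state whether the query takes precedence or the fields are meant to be exclusive. Minor wording fix on the same line: `// Query is an Access Graph query to match resources.`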
2 changes: 1 addition & 1 deletion lib/auth/crownjewel/object.go
Expand Up @@ -60,7 +60,7 @@ func ValidateCrownJewel(jewel *crownjewelv1.CrownJewel) error {
return trace.BadParameter("crown jewel name is empty")
case jewel.Spec == nil:
return trace.BadParameter("crown jewel spec is nil")
case len(jewel.Spec.TeleportMatchers) == 0 && len(jewel.Spec.AwsMatchers) == 0:
case len(jewel.Spec.TeleportMatchers) == 0 && len(jewel.Spec.AwsMatchers) == 0 && jewel.Spec.Query == "":
return trace.BadParameter("crown jewel must have at least one matcher")
}

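Review bot: The new `case` treats only the empty string as a missing query, so a whitespace-only query passes validation and is persisted as a blank query; `strings.TrimSpace(jewel.Spec.Query) == ""` closes that gap (strings may need importing in this file, which is outside the hunk). Since the value is user-supplied and stored with the resource, bounding its length in the same switch is cheap and keeps oversized inputs out of the backend. The message `crown jewel must have at least one matcher` is now misleading because a query alone is accepted; `crown jewel must have at least one matcher or a query` reads accurately. ValidateCrownJewel begins before this hunk.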
12 changes: 12 additions & 0 deletions lib/auth/crownjewel/object_test.go
Expand Up @@ -78,6 +78,18 @@ func TestValidateCrownJewel(t *testing.T) {
},
wantErr: require.NoError,
},
{
name: "ValidCrownJewelWithQuery",
jewel: &crownjewelv1.CrownJewel{
Metadata: &headerv1.Metadata{
Name: "test",
},
Spec: &crownjewelv1.CrownJewelSpec{
Query: "SELECT * FROM nodes",
},
},
wantErr: require.NoError,
},
{
name: "MissingMatchers",
jewel: &crownjewelv1.CrownJewel{
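Review bot: The added ValidCrownJewelWithQuery case only pins that a non-empty query on its own is accepted; nothing in the table exercises the boundary the new condition actually draws, such as a spec with `Query: " "` (whitespace only) or a query set together with matchers, so a later tightening or loosening of the check would go unnoticed. Add one case per boundary with its expected `wantErr` so the contract is stated by the test rather than implied. TestValidateCrownJewel starts before this hunk and continues past it.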
2 changes: 2 additions & 0 deletions lib/services/crown_jewels_test.go
Expand Up @@ -65,6 +65,7 @@ func TestUnmarshalCrownJewel(t *testing.T) {
},
},
Spec: &crownjewelv1.CrownJewelSpec{
Query: "SELECT * FROM nodes",
TeleportMatchers: []*crownjewelv1.TeleportMatcher{
{
Kinds: []string{"node"},
Expand Down Expand Up @@ -106,6 +107,7 @@ metadata:
env: example
name: example-crown-jewel
spec:
query: "SELECT * FROM nodes"
aws_matchers:
- regions:
- us-west-1

