Add "billing_information" RBAC resource (#5676)

* Expose GRPC client connection to plugins * Replaces global plugin state with the PluginRegistry
gravitational · Mar 15, 2021 · 3af892c · 3af892c
1 parent 76c3c08
commit 3af892c
Show file tree

Hide file tree

Showing 18 changed files with 222 additions and 136 deletions.
diff --git a/api/client/client.go b/api/client/client.go
@@ -83,6 +83,11 @@ func New(ctx context.Context, cfg Config) (*Client, error) {
 	return c, nil
 }
 
+// GetConnection returns GRPC connection
+func (c *Client) GetConnection() *grpc.ClientConn {
+	return c.conn
+}
+
 // getDialer builds a grpc dialer for the client from a ContextDialer.
 // The ContextDialer is chosen from available options, preferring one from
 // credentials, then from configuration, and lastly from addresses.

diff --git a/api/types/constants.go b/api/types/constants.go
@@ -190,6 +190,9 @@ const (
 	// KindMFADevice is an MFA device for a user.
 	KindMFADevice = "mfa_device"
 
+	// KindBilling represents access to cloud billing features
+	KindBilling = "billing"
+
 	// V3 is the third version of resources.
 	V3 = "v3"
 

diff --git a/e b/e
diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2015-2019 Gravitational, Inc.
+Copyright 2015-2021 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -35,6 +35,7 @@ import (
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/httplib"
+	"github.com/gravitational/teleport/lib/plugin"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/session"
 	"github.com/gravitational/teleport/lib/utils"
@@ -46,6 +47,7 @@ import (
 )
 
 type APIConfig struct {
+	PluginRegistry plugin.Registry
 	AuthServer     *Server
 	SessionService session.Service
 	AuditLog       events.IAuditLog
@@ -80,7 +82,7 @@ type APIServer struct {
 }
 
 // NewAPIServer returns a new instance of APIServer HTTP handler
-func NewAPIServer(config *APIConfig) http.Handler {
+func NewAPIServer(config *APIConfig) (http.Handler, error) {
 	srv := APIServer{
 		APIConfig: *config,
 		Clock:     clockwork.NewRealClock(),
@@ -246,15 +248,17 @@ func NewAPIServer(config *APIConfig) http.Handler {
 	srv.GET("/:version/events", srv.withAuth(srv.searchEvents))
 	srv.GET("/:version/events/session", srv.withAuth(srv.searchSessionEvents))
 
-	if plugin := GetPlugin(); plugin != nil {
-		plugin.AddHandlers(&srv)
+	if config.PluginRegistry != nil {
+		if err := config.PluginRegistry.RegisterAuthWebHandlers(&srv); err != nil {
+			return nil, trace.Wrap(err)
+		}
 	}
 
 	return httplib.RewritePaths(&srv.Router,
 		httplib.Rewrite("/v1/nodes", "/v1/namespaces/default/nodes"),
 		httplib.Rewrite("/v1/sessions", "/v1/namespaces/default/sessions"),
 		httplib.Rewrite("/v1/sessions/([^/]+)/(.*)", "/v1/namespaces/default/sessions/$1/$2"),
-	)
+	), nil
 }
 
 // HandlerWithAuthFunc is http handler with passed auth context

diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2018-2020 Gravitational, Inc.
+Copyright 2018-2021 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -57,6 +57,15 @@ type GRPCServer struct {
 	server *grpc.Server
 }
 
+// GetServer returns an instance of grpc server
+func (g *GRPCServer) GetServer() (*grpc.Server, error) {
+	if g.server == nil {
+		return nil, trace.BadParameter("grpc server has not been initialized")
+	}
+
+	return g.server, nil
+}
+
 // EmitAuditEvent emits audit event
 func (g *GRPCServer) EmitAuditEvent(ctx context.Context, req *events.OneOf) (*empty.Empty, error) {
 	auth, err := g.authenticate(ctx)

diff --git a/lib/auth/middleware.go b/lib/auth/middleware.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2017-2020 Gravitational, Inc.
+Copyright 2017-2021 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -126,7 +126,13 @@ func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error) {
 		AcceptedUsage: cfg.AcceptedUsage,
 		Limiter:       limiter,
 	}
-	authMiddleware.Wrap(NewAPIServer(&cfg.APIConfig))
+
+	apiServer, err := NewAPIServer(&cfg.APIConfig)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	authMiddleware.Wrap(apiServer)
 	// Wrap sets the next middleware in chain to the authMiddleware
 	limiter.WrapHandle(authMiddleware)
 	// force client auth if given
@@ -163,6 +169,12 @@ func NewTLSServer(cfg TLSServerConfig) (*TLSServer, error) {
 		return nil, trace.Wrap(err)
 	}
 
+	if cfg.PluginRegistry != nil {
+		if err := cfg.PluginRegistry.RegisterAuthServices(server.grpcServer); err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
+
 	return server, nil
 }
 

diff --git a/lib/auth/plugin.go b/lib/auth/plugin.go
diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
@@ -63,7 +63,8 @@ func SetIndexHTMLHeaders(h http.Header) {
 
 	// Set content policy flags
 	var cspValue = strings.Join([]string{
-		"script-src 'self'",
+		// enterprise version uses stripe.com to update billing information
+		"script-src 'self' https://js.stripe.com",
 		// 'unsafe-inline' needed for reactjs inline styles
 		"style-src 'self' 'unsafe-inline'",
 		"object-src 'none'",

diff --git a/lib/plugin/registry.go b/lib/plugin/registry.go
@@ -0,0 +1,108 @@
+/*
+Copyright 2015-2021 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package plugin
+
+import "github.com/gravitational/trace"
+
+// Plugin describes interfaces of the teleport core plugin
+type Plugin interface {
+	// GetName returns plugin name
+	GetName() string
+	// RegisterProxyWebHandlers registers new methods with the ProxyWebHandler
+	RegisterProxyWebHandlers(handler interface{}) error
+	// RegisterAuthWebHandlers registers new methods with the Auth Web Handler
+	RegisterAuthWebHandlers(service interface{}) error
+	// RegisterAuthServices registers new services on the AuthServer
+	RegisterAuthServices(server interface{}) error
+}
+
+// Registry is the plugin registry
+type Registry interface {
+	// Add adds plugin to the registry
+	Add(plugin Plugin) error
+	// RegisterProxyWebHandlers registers Teleport Proxy web handlers
+	RegisterProxyWebHandlers(hander interface{}) error
+	// RegisterAuthWebHandlers registers Teleport Auth web handlers
+	RegisterAuthWebHandlers(handler interface{}) error
+	// RegisterAuthServices registerse Teleport AuthServer services
+	RegisterAuthServices(server interface{}) error
+}
+
+// NewRegistry creates an instance of the Registry
+func NewRegistry() Registry {
+	return &registry{
+		plugins: make(map[string]Plugin),
+	}
+}
+
+type registry struct {
+	plugins map[string]Plugin
+}
+
+// Add adds plugin to the plugin registry
+func (r *registry) Add(p Plugin) error {
+	if p == nil {
+		return trace.BadParameter("missing plugin")
+	}
+
+	name := p.GetName()
+	if name == "" {
+		return trace.BadParameter("missing plugin name")
+	}
+
+	_, exists := r.plugins[name]
+	if exists {
+		return trace.AlreadyExists("plugin %v already exists", name)
+	}
+
+	r.plugins[name] = p
+
+	return nil
+}
+
+// RegisterProxyWebHandlers registers Teleport Proxy web handlers
+func (r *registry) RegisterProxyWebHandlers(hander interface{}) error {
+	for _, p := range r.plugins {
+		if err := p.RegisterProxyWebHandlers(hander); err != nil {
+			return trace.Wrap(err, "plugin %v failed to register", p.GetName())
+		}
+	}
+
+	return nil
+}
+
+// RegisterAuthWebHandlers registers Teleport Auth web handlers
+func (r *registry) RegisterAuthWebHandlers(handler interface{}) error {
+	for _, p := range r.plugins {
+		if err := p.RegisterAuthWebHandlers(handler); err != nil {
+			return trace.Wrap(err, "plugin %v failed to register", p.GetName())
+		}
+	}
+
+	return nil
+}
+
+// RegisterAuthServices registerse Teleport AuthServer services
+func (r *registry) RegisterAuthServices(server interface{}) error {
+	for _, p := range r.plugins {
+		if err := p.RegisterAuthServices(server); err != nil {
+			return trace.Wrap(err, "plugin %v failed to register", p.GetName())
+		}
+	}
+
+	return nil
+}
diff --git a/lib/service/cfg.go b/lib/service/cfg.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2015-2020 Gravitational, Inc.
+Copyright 2015-2021 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@ import (
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/limiter"
 	"github.com/gravitational/teleport/lib/pam"
+	"github.com/gravitational/teleport/lib/plugin"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 	"github.com/gravitational/teleport/lib/tlsca"
@@ -200,6 +201,9 @@ type Config struct {
 
 	// Log optionally specifies the logger
 	Log utils.Logger
+
+	// PluginRegistry allows adding enterprise logic to Teleport services
+	PluginRegistry plugin.Registry
 }
 
 // ApplyToken assigns a given token to all internal services but only if token

diff --git a/lib/service/db.go b/lib/service/db.go
@@ -187,7 +187,7 @@ func (process *TeleportProcess) initDatabaseService() (retErr error) {
 	}()
 
 	// Execute this when the process running database proxy service exits.
-	process.onExit("db.stop", func(payload interface{}) {
+	process.OnExit("db.stop", func(payload interface{}) {
 		log.Info("Shutting down.")
 		if dbService != nil {
 			warnOnErr(dbService.Close(), process.log)

diff --git a/lib/service/kubernetes.go b/lib/service/kubernetes.go
@@ -265,7 +265,7 @@ func (process *TeleportProcess) initKubernetesService(log *logrus.Entry, conn *C
 	})
 
 	// Cleanup, when process is exiting.
-	process.onExit("kube.shutdown", func(payload interface{}) {
+	process.OnExit("kube.shutdown", func(payload interface{}) {
 		if asyncEmitter != nil {
 			warnOnErr(asyncEmitter.Close(), log)
 		}