access request role mapping prototype

gravitational · Oct 26, 2020 · a6d9bea · a6d9bea
1 parent 24a0bd2
commit a6d9bea
Show file tree

Hide file tree

Showing 4 changed files with 745 additions and 365 deletions.
diff --git a/lib/services/access_request.go b/lib/services/access_request.go
@@ -283,15 +283,34 @@ func NewAccessRequest(user string, roles ...string) (AccessRequest, error) {
 	return &req, nil
 }
 
+func (c AccessRequestConditions) GetTraitMappings() TraitMappingSet {
+	tm := make([]TraitMapping, 0, len(c.ClaimsToRoles))
+	for _, mapping := range c.ClaimsToRoles {
+		tm = append(tm, TraitMapping{
+			Trait: mapping.Claim,
+			Value: mapping.Value,
+			Roles: mapping.Roles,
+		})
+	}
+	return TraitMappingSet(tm)
+}
+
 type UserAndRoleGetter interface {
 	UserGetter
 	RoleGetter
 	GetRoles() ([]Role, error)
 }
 
 type requestRoleMatcher struct {
-	Allow []parse.Matcher
-	Deny  []parse.Matcher
+	traits map[string][]string
+	Allow  []parse.Matcher
+	Deny   []parse.Matcher
+}
+
+func newRequestRoleMatcher(traits map[string][]string) requestRoleMatcher {
+	return requestRoleMatcher{
+		traits: traits,
+	}
 }
 
 func (m *requestRoleMatcher) push(role Role) error {
@@ -303,6 +322,14 @@ func (m *requestRoleMatcher) push(role Role) error {
 		m.Deny = append(m.Deny, md)
 	}
 
+	for _, d := range role.GetAccessRequestConditions(Deny).GetTraitMappings().TraitsToRoles(m.traits) {
+		md, err := parse.NewMatcher(d)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		m.Deny = append(m.Deny, md)
+	}
+
 	for _, a := range role.GetAccessRequestConditions(Allow).Roles {
 		ma, err := parse.NewMatcher(a)
 		if err != nil {
@@ -311,6 +338,14 @@ func (m *requestRoleMatcher) push(role Role) error {
 		m.Allow = append(m.Allow, ma)
 	}
 
+	for _, a := range role.GetAccessRequestConditions(Allow).GetTraitMappings().TraitsToRoles(m.traits) {
+		ma, err := parse.NewMatcher(a)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		m.Allow = append(m.Allow, ma)
+	}
+
 	return nil
 }
 
@@ -335,7 +370,7 @@ func ValidateAccessRequest(getter UserAndRoleGetter, req AccessRequest, expandRo
 	}
 
 	var requireReason bool
-	var matcher requestRoleMatcher
+	matcher := newRequestRoleMatcher(user.GetTraits())
 
 	for _, roleName := range user.GetRoles() {
 		role, err := getter.GetRole(roleName)

diff --git a/lib/services/role.go b/lib/services/role.go
@@ -2365,7 +2365,21 @@ const RoleSpecV3SchemaDefinitions = `
 		  "roles": {
 		    "type": "array",
 			"items": { "type": "string" }
-		  }
+		  },
+          "claims_to_roles": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+              "claim": {"type": "string"},
+              "value": {"type": "string"},
+              "roles": {
+                "type": "array",
+                "items": {
+                  "type": "string"
+                }
+              }
+            }
+          }
 		}
 	  },
       "rules": {