[entraid] add field to support system credentials instead of OIDC (#4…

…7861) (#47886) * [entraid] add field to support system credentials instead of OIDC This PR introduces two new fields for Entra Plugins' settings: - `tenant_id`: Is the Directory to sync - `credentials_source`: defaults to system credentials instead of using OIDC to authenticate to Entra ID Both these fields are required for clusters whose access is private and can't be reached from the internet. For those cases, Azure can't validate the OIDC token Teleport shares. * handle code review comments --------- Signed-off-by: Tiago Silva <[email protected]>
gravitational · Oct 28, 2024 · f8fe0ef · f8fe0ef
1 parent 08407f0
commit f8fe0ef
Show file tree

Hide file tree

Showing 4 changed files with 1,890 additions and 1,741 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -6216,8 +6216,28 @@ message PluginEntraIDSyncSettings {
   // DefaultOwners are the default owners for all imported access lists.
   repeated string default_owners = 1;
 
-  // SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin
+  // SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin.
   string sso_connector_id = 2;
+
+  // credentials_source specifies the source of the credentials used for authentication with Azure.
+  EntraIDCredentialsSource credentials_source = 3;
+
+  // tenant_id refers to the Azure Directory that this plugin synchronizes with.
+  // This field is populated on a best-effort basis for legacy plugins but mandatory for plugins created after its introduction.
+  // For existing plugins, it is filled in using the Entra integration when utilized.
+  string tenant_id = 4;
+}
+
+// EntraIDCredentialsSource defines the credentials source for Entra ID.
+enum EntraIDCredentialsSource {
+  // ENTRAID_CREDENTIALS_SOURCE_UNKNOWN is used when the credentials source is not specified.
+  // Due to legacy reasons, UNKNOWN is handled as OIDC.
+  ENTRAID_CREDENTIALS_SOURCE_UNKNOWN = 0;
+  // ENTRAID_CREDENTIALS_SOURCE_OIDC indicates that the plugin will authenticate with Azure/Entra ID using OIDC.
+  ENTRAID_CREDENTIALS_SOURCE_OIDC = 1;
+  // ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS means the plugin will rely on system-provided credentials
+  // for authentication with Azure Entra ID, especially for clusters with no internet access.
+  ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS = 2;
 }
 
 // AccessGraphSettings controls settings for syncing access graph specific data.

diff --git a/api/types/plugin.go b/api/types/plugin.go
@@ -318,6 +318,11 @@ func (p *PluginV1) CheckAndSetDefaults() error {
 		if err := settings.EntraId.Validate(); err != nil {
 			return trace.Wrap(err)
 		}
+		// backfill the credentials source if it's not set.
+		if settings.EntraId.SyncSettings.CredentialsSource == EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_UNKNOWN {
+			settings.EntraId.SyncSettings.CredentialsSource = EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_OIDC
+		}
+
 	case *PluginSpecV1_Scim:
 		if settings.Scim == nil {
 			return trace.BadParameter("Must be used with SCIM settings")

diff --git a/api/types/plugin_test.go b/api/types/plugin_test.go
@@ -855,8 +855,9 @@ func TestPluginEntraIDValidation(t *testing.T) {
 		return &PluginSpecV1_EntraId{
 			EntraId: &PluginEntraIDSettings{
 				SyncSettings: &PluginEntraIDSyncSettings{
-					DefaultOwners:  []string{"admin"},
-					SsoConnectorId: "myconnector",
+					DefaultOwners:     []string{"admin"},
+					SsoConnectorId:    "myconnector",
+					CredentialsSource: EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_OIDC,
 				},
 			},
 		}