Hosted plugin manager prerequisites (gravitational#23922)

* Expose Ping() in bare auth server * Handle both pointer and bare PluginStatusV1 * Add metric name * Add StatusSink * Run GCI * Move comment back to auth_with_roles * Update lib/auth/auth.go Co-authored-by: Alan Parra <[email protected]> * Rework SetStatus * Inline TryEmitStatus and use a proper context * Fix copyright notice * Fix bug in statusFromStatusCode * Test statusFromResponse * Add link to Slack API schema * Refactor statusFromStatusCode * Expand comment for Ping() * Add basic check for status in slack test * Address nits --------- Co-authored-by: Alan Parra <[email protected]>
ean · Apr 11, 2023 · aec3669 · aec3669
1 parent 548a4ea
commit aec3669
Show file tree

Hide file tree

Showing 11 changed files with 286 additions and 52 deletions.
diff --git a/api/types/plugin.go b/api/types/plugin.go
@@ -216,11 +216,8 @@ func (p *PluginV1) SetStatus(status PluginStatus) error {
 		p.Status = PluginStatusV1{}
 		return nil
 	}
-	switch status := status.(type) {
-	case PluginStatusV1:
-		p.Status = status
-	default:
-		return trace.BadParameter("unsupported plugin status type %T", status)
+	p.Status = PluginStatusV1{
+		Code: status.GetCode(),
 	}
 	return nil
 }

diff --git a/integrations/access/common/status.go b/integrations/access/common/status.go
@@ -0,0 +1,28 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package common
+
+import (
+	"context"
+
+	"github.com/gravitational/teleport/api/types"
+)
+
+// StatusSink defines a destination for PluginStatus
+type StatusSink interface {
+	Emit(ctx context.Context, s types.PluginStatus) error
+}
diff --git a/integrations/access/slack/bot.go b/integrations/access/slack/bot.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/go-resty/resty/v2"
 	"github.com/gravitational/trace"
+	log "github.com/sirupsen/logrus"
 
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/integrations/access/common"
@@ -33,6 +34,7 @@ import (
 
 const slackMaxConns = 100
 const slackHTTPTimeout = 10 * time.Second
+const statusEmitTimeout = 10 * time.Second
 
 // Bot is a slack client that works with AccessRequest.
 // It's responsible for formatting and posting a message on Slack when an
@@ -45,21 +47,38 @@ type Bot struct {
 }
 
 // onAfterResponseSlack resty error function for Slack
-func onAfterResponseSlack(_ *resty.Client, resp *resty.Response) error {
-	if !resp.IsSuccess() {
-		return trace.Errorf("slack api returned unexpected code %v", resp.StatusCode())
-	}
+func onAfterResponseSlack(sink common.StatusSink) func(_ *resty.Client, resp *resty.Response) error {
+	return func(_ *resty.Client, resp *resty.Response) error {
+		status := statusFromStatusCode(resp.StatusCode())
+		defer func() {
+			if sink == nil {
+				return
+			}
 
-	var result APIResponse
-	if err := json.Unmarshal(resp.Body(), &result); err != nil {
-		return trace.Wrap(err)
-	}
+			// No context in scope, use background with a reasonable timeout
+			ctx, cancel := context.WithTimeout(context.Background(), statusEmitTimeout)
+			defer cancel()
+			if err := sink.Emit(ctx, status); err != nil {
+				log.Errorf("Error while emitting plugin status: %v", err)
+			}
+		}()
 
-	if !result.Ok {
-		return trace.Errorf("%s", result.Error)
-	}
+		if !resp.IsSuccess() {
+			return trace.Errorf("slack api returned unexpected code %v", resp.StatusCode())
+		}
 
-	return nil
+		var result APIResponse
+		if err := json.Unmarshal(resp.Body(), &result); err != nil {
+			return trace.Wrap(err)
+		}
+		status = statusFromResponse(&result)
+
+		if !result.Ok {
+			return trace.Errorf("%s", result.Error)
+		}
+
+		return nil
+	}
 }
 
 func (b Bot) CheckHealth(ctx context.Context) error {

diff --git a/integrations/access/slack/config.go b/integrations/access/slack/config.go
@@ -35,6 +35,7 @@ type Config struct {
 	common.BaseConfig
 	Slack               common.GenericAPIConfig
 	AccessTokenProvider auth.AccessTokenProvider
+	StatusSink          common.StatusSink
 }
 
 // LoadSlackConfig reads the config file, initializes a new SlackConfig struct object, and returns it.
@@ -125,7 +126,7 @@ func (c *Config) NewBot(clusterName, webProxyAddr string) (common.MessagingBot,
 			r.SetHeader("Authorization", "Bearer "+token)
 			return nil
 		}).
-		OnAfterResponse(onAfterResponseSlack)
+		OnAfterResponse(onAfterResponseSlack(c.StatusSink))
 
 	return Bot{
 		client:      client,

diff --git a/integrations/access/slack/helpers_test.go b/integrations/access/slack/helpers_test.go
@@ -14,7 +14,13 @@
 
 package slack
 
-import "github.com/gravitational/teleport/integrations/access/common"
+import (
+	"context"
+	"sync/atomic"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/integrations/access/common"
+)
 
 type SlackMessageSlice []Message
 type SlackDataMessageSet map[common.MessageData]struct{}
@@ -42,3 +48,20 @@ func (set SlackDataMessageSet) Contains(msg common.MessageData) bool {
 	_, ok := set[msg]
 	return ok
 }
+
+type fakeStatusSink struct {
+	status atomic.Pointer[types.PluginStatus]
+}
+
+func (s *fakeStatusSink) Emit(_ context.Context, status types.PluginStatus) error {
+	s.status.Store(&status)
+	return nil
+}
+
+func (s *fakeStatusSink) Get() types.PluginStatus {
+	status := s.status.Load()
+	if status == nil {
+		panic("expected status to be set, but it has not been")
+	}
+	return *status
+}
diff --git a/integrations/access/slack/slack_test.go b/integrations/access/slack/slack_test.go
@@ -54,8 +54,9 @@ type SlackSuite struct {
 		reviewer2 string
 		plugin    string
 	}
-	raceNumber int
-	fakeSlack  *FakeSlack
+	raceNumber     int
+	fakeSlack      *FakeSlack
+	fakeStatusSink *fakeStatusSink
 
 	clients          map[string]*integration.Client
 	teleportFeatures *proto.Features
@@ -190,11 +191,14 @@ func (s *SlackSuite) SetupTest() {
 
 	s.fakeSlack.StoreUser(User{Name: "Vladimir", Profile: UserProfile{Email: s.userNames.requestor}})
 
+	s.fakeStatusSink = &fakeStatusSink{}
+
 	var conf Config
 	conf.Teleport = s.teleportConfig
 	conf.Slack.Token = "000000"
 	conf.Slack.APIURL = s.fakeSlack.URL() + "/"
 	conf.AccessTokenProvider = auth.NewStaticAccessTokenProvider(conf.Slack.Token)
+	conf.StatusSink = s.fakeStatusSink
 
 	s.appConfig = &conf
 	s.SetContextTimeout(5 * time.Second)
@@ -313,6 +317,8 @@ func (s *SlackSuite) TestMessagePosting() {
 	statusLine, err := getStatusLine(messages[0])
 	require.NoError(t, err)
 	assert.Equal(t, "*Status*: ⏳ PENDING", statusLine)
+
+	assert.Equal(t, types.PluginStatusCode_RUNNING, s.fakeStatusSink.Get().GetCode())
 }
 
 func (s *SlackSuite) TestRecipientsConfig() {

diff --git a/integrations/access/slack/status.go b/integrations/access/slack/status.go
@@ -0,0 +1,55 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package slack
+
+import (
+	"net/http"
+
+	"github.com/gravitational/teleport/api/types"
+)
+
+func statusFromStatusCode(httpCode int) types.PluginStatus {
+	var code types.PluginStatusCode
+	switch {
+	case httpCode == http.StatusUnauthorized:
+		code = types.PluginStatusCode_UNAUTHORIZED
+	case httpCode >= 200 && httpCode < 400:
+		code = types.PluginStatusCode_RUNNING
+	default:
+		code = types.PluginStatusCode_OTHER_ERROR
+	}
+	return &types.PluginStatusV1{Code: code}
+}
+
+// statusFromResponse tries to map a Slack API error string
+// to a PluginStatus.
+//
+// Ref: https://github.com/slackapi/slack-api-specs/blob/bc08db49625630e3585bf2f1322128ea04f2a7f3/web-api/slack_web_openapi_v2.json
+func statusFromResponse(resp *APIResponse) types.PluginStatus {
+	if resp.Ok {
+		return &types.PluginStatusV1{Code: types.PluginStatusCode_RUNNING}
+	}
+
+	code := types.PluginStatusCode_OTHER_ERROR
+	switch resp.Error {
+	case "channel_not_found", "not_in_channel":
+		code = types.PluginStatusCode_SLACK_NOT_IN_CHANNEL
+	case "token_expired", "not_authed", "invalid_auth", "account_inactive", "token_revoked", "no_permission", "org_login_required":
+		code = types.PluginStatusCode_UNAUTHORIZED
+	}
+	return &types.PluginStatusV1{Code: code}
+}
diff --git a/integrations/access/slack/status_test.go b/integrations/access/slack/status_test.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package slack
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types"
+)
+
+func TestStatusFromStatusCode(t *testing.T) {
+	testCases := []struct {
+		httpCode int
+		want     types.PluginStatusCode
+	}{
+		{
+			httpCode: http.StatusOK,
+			want:     types.PluginStatusCode_RUNNING,
+		},
+		{
+			httpCode: http.StatusNoContent,
+			want:     types.PluginStatusCode_RUNNING,
+		},
+
+		{
+			httpCode: http.StatusUnauthorized,
+			want:     types.PluginStatusCode_UNAUTHORIZED,
+		},
+		{
+			httpCode: http.StatusInternalServerError,
+			want:     types.PluginStatusCode_OTHER_ERROR,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("%d", tc.httpCode), func(t *testing.T) {
+			require.Equal(t, tc.want, statusFromStatusCode(tc.httpCode).GetCode())
+		})
+	}
+}
+
+func TestStatusFromResponse(t *testing.T) {
+	testCases := []struct {
+		name     string
+		response *APIResponse
+		want     types.PluginStatusCode
+	}{
+		{
+			name:     "ok",
+			response: &APIResponse{Ok: true},
+			want:     types.PluginStatusCode_RUNNING,
+		},
+		{
+			name:     "not_in_channel",
+			response: &APIResponse{Error: "not_in_channel"},
+			want:     types.PluginStatusCode_SLACK_NOT_IN_CHANNEL,
+		},
+		{
+			name:     "unauthorized",
+			response: &APIResponse{Error: "token_revoked"},
+			want:     types.PluginStatusCode_UNAUTHORIZED,
+		},
+		{
+			name:     "other",
+			response: &APIResponse{Error: "some_error"},
+			want:     types.PluginStatusCode_OTHER_ERROR,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			require.Equal(t, tc.want, statusFromResponse(tc.response).GetCode())
+		})
+	}
+}