Add WorkloadIdentityLabelsExpression

gravitational · Dec 12, 2024 · 65ed124 · 65ed124
1 parent 3778ffb
commit 65ed124
Show file tree

Hide file tree

Showing 3 changed files with 1,957 additions and 1,904 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -3448,6 +3448,9 @@ message RoleConditions {
     (gogoproto.jsontag) = "workload_identity_labels,omitempty",
     (gogoproto.customtype) = "Labels"
   ];
+  // WorkloadIdentityLabelsExpression is a predicate expression used to
+  // allow/deny access to issuing a WorkloadIdentity.
+  string WorkloadIdentityLabelsExpression = 45 [(gogoproto.jsontag) = "workload_identity_labels_expression,omitempty"];
 }
 
 // IdentityCenterAccountAssignment captures an AWS Identity Center account

diff --git a/api/types/role.go b/api/types/role.go
@@ -1998,7 +1998,7 @@ func (r *RoleV6) GetLabelMatchers(rct RoleConditionType, kind string) (LabelMatc
 	case KindGitServer:
 		return r.makeGitServerLabelMatchers(cond), nil
 	case KindWorkloadIdentity:
-		return LabelMatchers{cond.WorkloadIdentityLabels, ""}, nil
+		return LabelMatchers{cond.WorkloadIdentityLabels, cond.WorkloadIdentityLabelsExpression}, nil
 	}
 	return LabelMatchers{}, trace.BadParameter("can't get label matchers for resource kind %q", kind)
 }
@@ -2054,6 +2054,7 @@ func (r *RoleV6) SetLabelMatchers(rct RoleConditionType, kind string, labelMatch
 		return nil
 	case KindWorkloadIdentity:
 		cond.WorkloadIdentityLabels = labelMatchers.Labels
+		cond.WorkloadIdentityLabelsExpression = labelMatchers.Expression
 		return nil
 	}
 	return trace.BadParameter("can't set label matchers for resource kind %q", kind)