Add AutoUpdate Client/Cache implementation (#46661)

* Add AutoUpdate Client/Cache implementation

* CR changes

* Add permission for proxy to access resources

* Rename all occurrences auto update to camelcase

* Remove auto update client wrapper

* Drop AutoUpdateServiceClient helper
Rename comments for consistency

api/client/client.go

@@ -66,6 +66,7 @@ import (
 	accesslistv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accesslist/v1"
 	accessmonitoringrulev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
 	auditlogpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/auditlog/v1"
+	autoupdatev1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	crownjewelv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1"
 	dbobjectv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobject/v1"
@@ -2863,6 +2864,26 @@ func (c *Client) GetClusterAuditConfig(ctx context.Context) (types.ClusterAuditC
 	return resp, nil
 }
 
+// GetAutoUpdateConfig gets AutoUpdateConfig resource.
+func (c *Client) GetAutoUpdateConfig(ctx context.Context) (*autoupdatev1pb.AutoUpdateConfig, error) {
+	client := autoupdatev1pb.NewAutoUpdateServiceClient(c.conn)
+	resp, err := client.GetAutoUpdateConfig(ctx, &autoupdatev1pb.GetAutoUpdateConfigRequest{})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// GetAutoUpdateVersion gets AutoUpdateVersion resource.
+func (c *Client) GetAutoUpdateVersion(ctx context.Context) (*autoupdatev1pb.AutoUpdateVersion, error) {
+	client := autoupdatev1pb.NewAutoUpdateServiceClient(c.conn)
+	resp, err := client.GetAutoUpdateVersion(ctx, &autoupdatev1pb.GetAutoUpdateVersionRequest{})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
 // GetClusterAccessGraphConfig retrieves the Cluster Access Graph configuration from Auth server.
 func (c *Client) GetClusterAccessGraphConfig(ctx context.Context) (*clusterconfigpb.AccessGraphConfig, error) {
 	rsp, err := c.ClusterConfigClient().GetClusterAccessGraphConfig(ctx, &clusterconfigpb.GetClusterAccessGraphConfigRequest{})

api/client/events.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/gravitational/teleport/api/client/proto"
 	accessmonitoringrulesv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
+	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	crownjewelv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1"
 	dbobjectv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobject/v1"
@@ -99,6 +100,14 @@ func EventToGRPC(in types.Event) (*proto.Event, error) {
 			out.Resource = &proto.Event_StaticHostUserV2{
 				StaticHostUserV2: r,
 			}
+		case *autoupdate.AutoUpdateConfig:
+			out.Resource = &proto.Event_AutoUpdateConfig{
+				AutoUpdateConfig: r,
+			}
+		case *autoupdate.AutoUpdateVersion:
+			out.Resource = &proto.Event_AutoUpdateVersion{
+				AutoUpdateVersion: r,
+			}
 		default:
 			return nil, trace.BadParameter("resource type %T is not supported", r)
 		}
@@ -542,6 +551,12 @@ func EventFromGRPC(in *proto.Event) (*types.Event, error) {
 	} else if r := in.GetStaticHostUserV2(); r != nil {
 		out.Resource = types.Resource153ToLegacy(r)
 		return &out, nil
+	} else if r := in.GetAutoUpdateConfig(); r != nil {
+		out.Resource = types.Resource153ToLegacy(r)
+		return &out, nil
+	} else if r := in.GetAutoUpdateVersion(); r != nil {
+		out.Resource = types.Resource153ToLegacy(r)
+		return &out, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
 	}

api/types/autoupdate/config_test.go

@@ -30,7 +30,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 )
 
-// TestNewAutoUpdateConfig verifies validation for auto update config resource.
+// TestNewAutoUpdateConfig verifies validation for AutoUpdateConfig resource.
 func TestNewAutoUpdateConfig(t *testing.T) {
 	tests := []struct {
 		name      string

api/types/autoupdate/version_test.go

@@ -30,7 +30,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 )
 
-// TestNewAutoUpdateVersion verifies validation for auto update version resource.
+// TestNewAutoUpdateVersion verifies validation for AutoUpdateVersion resource.
 func TestNewAutoUpdateVersion(t *testing.T) {
 	tests := []struct {
 		name      string

lib/auth/accesspoint/accesspoint.go

@@ -103,6 +103,7 @@ type Config struct {
 	WebSession              types.WebSessionInterface
 	WebToken                types.WebTokenInterface
 	WindowsDesktops         services.WindowsDesktops
+	AutoUpdateService       services.AutoUpdateServiceGetter
 }
 
 func (c *Config) CheckAndSetDefaults() error {
@@ -167,6 +168,7 @@ func NewCache(cfg Config) (*cache.Cache, error) {
 		AppSession:              cfg.AppSession,
 		Apps:                    cfg.Apps,
 		ClusterConfig:           cfg.ClusterConfig,
+		AutoUpdateService:       cfg.AutoUpdateService,
 		CrownJewels:             cfg.CrownJewels,
 		DatabaseObjects:         cfg.DatabaseObjects,
 		DatabaseServices:        cfg.DatabaseServices,

lib/auth/authclient/api.go

@@ -28,6 +28,7 @@ import (
 
 	"github.com/gravitational/teleport/api/client/proto"
 	accessmonitoringrules "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessmonitoringrules/v1"
+	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	crownjewelv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/crownjewel/v1"
 	integrationpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
@@ -306,6 +307,12 @@ type ReadProxyAccessPoint interface {
 
 	// GetUserGroup returns the specified user group resources.
 	GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
+
+	// GetAutoUpdateConfig gets the AutoUpdateConfig from the backend.
+	GetAutoUpdateConfig(ctx context.Context) (*autoupdate.AutoUpdateConfig, error)
+
+	// GetAutoUpdateVersion gets the AutoUpdateVersion from the backend.
+	GetAutoUpdateVersion(ctx context.Context) (*autoupdate.AutoUpdateVersion, error)
 }
 
 // SnowflakeSessionWatcher is watcher interface used by Snowflake web session watcher.
@@ -1176,6 +1183,12 @@ type Cache interface {
 	// DatabaseObjectsGetter defines methods for fetching database objects.
 	services.DatabaseObjectsGetter
 
+	// GetAutoUpdateConfig gets the AutoUpdateConfig from the backend.
+	GetAutoUpdateConfig(ctx context.Context) (*autoupdate.AutoUpdateConfig, error)
+
+	// GetAutoUpdateVersion gets the AutoUpdateVersion from the backend.
+	GetAutoUpdateVersion(ctx context.Context) (*autoupdate.AutoUpdateVersion, error)
+
 	// GetAccessGraphSettings returns the access graph settings.
 	GetAccessGraphSettings(context.Context) (*clusterconfigpb.AccessGraphSettings, error)
 

lib/auth/authclient/clt.go

@@ -1570,6 +1570,7 @@ type ClientI interface {
 	WebService
 	services.Status
 	services.ClusterConfiguration
+	services.AutoUpdateServiceGetter
 	services.SessionTrackerService
 	services.ConnectionsDiagnostic
 	services.SAMLIdPSession

lib/auth/autoupdate/autoupdatev1/service.go

@@ -32,24 +32,24 @@ import (
 
 // Cache defines only read-only service methods.
 type Cache interface {
-	// GetAutoUpdateConfig gets the autoupdate configuration from the backend.
+	// GetAutoUpdateConfig gets the AutoUpdateConfig from the backend.
 	GetAutoUpdateConfig(ctx context.Context) (*autoupdate.AutoUpdateConfig, error)
 
-	// GetAutoUpdateVersion gets the autoupdate version from the backend.
+	// GetAutoUpdateVersion gets the AutoUpdateVersion from the backend.
 	GetAutoUpdateVersion(ctx context.Context) (*autoupdate.AutoUpdateVersion, error)
 }
 
-// ServiceConfig holds configuration options for the autoupdate gRPC service.
+// ServiceConfig holds configuration options for the auto update gRPC service.
 type ServiceConfig struct {
 	// Authorizer is the authorizer used to check access to resources.
 	Authorizer authz.Authorizer
-	// Backend is the backend used to store autoupdate resources.
+	// Backend is the backend used to store AutoUpdate resources.
 	Backend services.AutoUpdateService
-	// Cache is the cache used to store autoupdate resources.
+	// Cache is the cache used to store AutoUpdate resources.
 	Cache Cache
 }
 
-// Service implements the gRPC API layer for the Autoupdate.
+// Service implements the gRPC API layer for the AutoUpdate.
 type Service struct {
 	autoupdate.UnimplementedAutoUpdateServiceServer
 
@@ -58,7 +58,7 @@ type Service struct {
 	cache      Cache
 }
 
-// NewService returns a new Autoupdate API service using the given storage layer and authorizer.
+// NewService returns a new AutoUpdate API service using the given storage layer and authorizer.
 func NewService(cfg ServiceConfig) (*Service, error) {
 	switch {
 	case cfg.Backend == nil:
@@ -75,7 +75,7 @@ func NewService(cfg ServiceConfig) (*Service, error) {
 	}, nil
 }
 
-// GetAutoUpdateConfig gets the current autoupdate config singleton.
+// GetAutoUpdateConfig gets the current AutoUpdateConfig singleton.
 func (s *Service) GetAutoUpdateConfig(ctx context.Context, req *autoupdate.GetAutoUpdateConfigRequest) (*autoupdate.AutoUpdateConfig, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -94,7 +94,7 @@ func (s *Service) GetAutoUpdateConfig(ctx context.Context, req *autoupdate.GetAu
 	return config, nil
 }
 
-// CreateAutoUpdateConfig creates autoupdate config singleton.
+// CreateAutoUpdateConfig creates AutoUpdateConfig singleton.
 func (s *Service) CreateAutoUpdateConfig(ctx context.Context, req *autoupdate.CreateAutoUpdateConfigRequest) (*autoupdate.AutoUpdateConfig, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -113,7 +113,7 @@ func (s *Service) CreateAutoUpdateConfig(ctx context.Context, req *autoupdate.Cr
 	return config, trace.Wrap(err)
 }
 
-// UpdateAutoUpdateConfig updates autoupdate config singleton.
+// UpdateAutoUpdateConfig updates AutoUpdateConfig singleton.
 func (s *Service) UpdateAutoUpdateConfig(ctx context.Context, req *autoupdate.UpdateAutoUpdateConfigRequest) (*autoupdate.AutoUpdateConfig, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -132,7 +132,7 @@ func (s *Service) UpdateAutoUpdateConfig(ctx context.Context, req *autoupdate.Up
 	return config, trace.Wrap(err)
 }
 
-// UpsertAutoUpdateConfig updates or creates autoupdate config singleton.
+// UpsertAutoUpdateConfig updates or creates AutoUpdateConfig singleton.
 func (s *Service) UpsertAutoUpdateConfig(ctx context.Context, req *autoupdate.UpsertAutoUpdateConfigRequest) (*autoupdate.AutoUpdateConfig, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -151,7 +151,7 @@ func (s *Service) UpsertAutoUpdateConfig(ctx context.Context, req *autoupdate.Up
 	return config, trace.Wrap(err)
 }
 
-// DeleteAutoUpdateConfig deletes autoupdate config singleton.
+// DeleteAutoUpdateConfig deletes AutoUpdateConfig singleton.
 func (s *Service) DeleteAutoUpdateConfig(ctx context.Context, req *autoupdate.DeleteAutoUpdateConfigRequest) (*emptypb.Empty, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -172,7 +172,7 @@ func (s *Service) DeleteAutoUpdateConfig(ctx context.Context, req *autoupdate.De
 	return &emptypb.Empty{}, nil
 }
 
-// GetAutoUpdateVersion gets the current autoupdate version singleton.
+// GetAutoUpdateVersion gets the current AutoUpdateVersion singleton.
 func (s *Service) GetAutoUpdateVersion(ctx context.Context, req *autoupdate.GetAutoUpdateVersionRequest) (*autoupdate.AutoUpdateVersion, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -191,7 +191,7 @@ func (s *Service) GetAutoUpdateVersion(ctx context.Context, req *autoupdate.GetA
 	return version, nil
 }
 
-// CreateAutoUpdateVersion creates autoupdate version singleton.
+// CreateAutoUpdateVersion creates AutoUpdateVersion singleton.
 func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.CreateAutoUpdateVersionRequest) (*autoupdate.AutoUpdateVersion, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -206,11 +206,11 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
 		return nil, trace.Wrap(err)
 	}
 
-	autoupdateVersion, err := s.backend.CreateAutoUpdateVersion(ctx, req.Version)
-	return autoupdateVersion, trace.Wrap(err)
+	autoUpdateVersion, err := s.backend.CreateAutoUpdateVersion(ctx, req.Version)
+	return autoUpdateVersion, trace.Wrap(err)
 }
 
-// UpdateAutoUpdateVersion updates autoupdate version singleton.
+// UpdateAutoUpdateVersion updates AutoUpdateVersion singleton.
 func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.UpdateAutoUpdateVersionRequest) (*autoupdate.AutoUpdateVersion, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -225,11 +225,11 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 		return nil, trace.Wrap(err)
 	}
 
-	autoupdateVersion, err := s.backend.UpdateAutoUpdateVersion(ctx, req.Version)
-	return autoupdateVersion, trace.Wrap(err)
+	autoUpdateVersion, err := s.backend.UpdateAutoUpdateVersion(ctx, req.Version)
+	return autoUpdateVersion, trace.Wrap(err)
 }
 
-// UpsertAutoUpdateVersion updates or creates autoupdate version singleton.
+// UpsertAutoUpdateVersion updates or creates AutoUpdateVersion singleton.
 func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.UpsertAutoUpdateVersionRequest) (*autoupdate.AutoUpdateVersion, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {
@@ -244,11 +244,11 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 		return nil, trace.Wrap(err)
 	}
 
-	autoupdateVersion, err := s.backend.UpsertAutoUpdateVersion(ctx, req.Version)
-	return autoupdateVersion, trace.Wrap(err)
+	autoUpdateVersion, err := s.backend.UpsertAutoUpdateVersion(ctx, req.Version)
+	return autoUpdateVersion, trace.Wrap(err)
 }
 
-// DeleteAutoUpdateVersion deletes autoupdate version singleton.
+// DeleteAutoUpdateVersion deletes AutoUpdateVersion singleton.
 func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.DeleteAutoUpdateVersionRequest) (*emptypb.Empty, error) {
 	authCtx, err := s.authorizer.Authorize(ctx)
 	if err != nil {

lib/auth/grpcserver.go

@@ -5429,7 +5429,7 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) {
 	autoUpdateServiceServer, err := autoupdatev1.NewService(autoupdatev1.ServiceConfig{
 		Authorizer: cfg.Authorizer,
 		Backend:    cfg.AuthServer.Services,
-		Cache:      cfg.AuthServer.Services,
+		Cache:      cfg.AuthServer.Cache,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/auth/helpers.go

@@ -324,6 +324,7 @@ func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error) {
 			AppSession:              svces.Identity,
 			Apps:                    svces.Apps,
 			ClusterConfig:           svces.ClusterConfiguration,
+			AutoUpdateService:       svces.AutoUpdateService,
 			CrownJewels:             svces.CrownJewels,
 			DatabaseObjects:         svces.DatabaseObjects,
 			DatabaseServices:        svces.DatabaseServices,

lib/authz/permissions.go

@@ -913,6 +913,8 @@ func roleSpecForProxy(clusterName string) types.RoleSpecV6 {
 				types.NewRule(types.KindSAMLIdPServiceProvider, services.RO()),
 				types.NewRule(types.KindUserGroup, services.RO()),
 				types.NewRule(types.KindClusterMaintenanceConfig, services.RO()),
+				types.NewRule(types.KindAutoUpdateConfig, services.RO()),
+				types.NewRule(types.KindAutoUpdateVersion, services.RO()),
 				types.NewRule(types.KindIntegration, append(services.RO(), types.VerbUse)),
 				types.NewRule(types.KindAuditQuery, services.RO()),
 				types.NewRule(types.KindSecurityReport, services.RO()),