[v18] web: Add web eksAuditLogs to integration configure endpoint

Extend the web endpoint for the webscript for integrations configure
access-graph-cloud-sync-iam.sh to add the `eksAuditLogs` query param to
configure with EKS audit logs enabled. Add tests for this endpoint as
there were none.

Author: camscale

lib/web/integrations_awsoidc.go

@@ -25,6 +25,7 @@ import (
 	"maps"
 	"net/http"
 	"slices"
+	"strconv"
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
@@ -1379,6 +1380,19 @@ func (h *Handler) awsAccessGraphOIDCSync(w http.ResponseWriter, r *http.Request,
 		}
 	}
 
+	if eksAuditLogs := queryParams.Get("eksAuditLogs"); eksAuditLogs != "" {
+		enabled, err := strconv.ParseBool(eksAuditLogs)
+		if err != nil {
+			// The error returned by ParseBool contains no more information than this
+			// error. As we canot wrap both it and trace.BadParameter, we do the
+			// latter as a preferred error type.
+			return nil, trace.BadParameter("invalid boolean value for eksAuditLogs %q", eksAuditLogs)
+		}
+		if enabled {
+			argsList = append(argsList, "--eks-audit-logs")
+		}
+	}
+
 	script, err := oneoff.BuildScript(oneoff.OneOffScriptParams{
 		EntrypointArgs: strings.Join(argsList, " "),
 		SuccessMessage: "Success! You can now go back to the Teleport Web UI to complete the Access Graph AWS Sync enrollment.",

lib/web/integrations_awsoidc_test.go

@@ -310,13 +310,173 @@ func TestBuildEC2SSMIAMScript(t *testing.T) {
 	}
 }
 
+func TestBuildAccessGraphCloudSyncIAMScript(t *testing.T) {
+	t.Parallel()
+	isBadParamErrFn := func(tt require.TestingT, err error, i ...any) {
+		require.True(tt, trace.IsBadParameter(err), "expected bad parameter, got %v", err)
+	}
+
+	env := newWebPack(t, 1)
+
+	// Unauthenticated client for script downloading.
+	anonymousHTTPClient := env.proxies[0].newClient(t)
+	pathVars := []string{
+		"webapi",
+		"scripts",
+		"integrations",
+		"configure",
+		"access-graph-cloud-sync-iam.sh",
+	}
+	endpoint := anonymousHTTPClient.Endpoint(pathVars...)
+
+	role := "myRole"
+	awsAccountID := "123456789012"
+	sqsUrl := "https://sqs.us-west-2.amazonaws.com/123456789012/queue-name"
+	cloudTrailS3Bucket := "arn:aws:s3:::bucket-name"
+	kmsKey1 := "arn:aws:kms:us-west-2:123456789012:key/00000000-1111-2222-3333-444444444444"
+	kmsKey2 := "arn:aws:kms:us-west-2:123456789012:key/55555555-6666-7777-8888-999999999999"
+
+	tests := []struct {
+		name                 string
+		reqRelativeURL       string
+		reqQuery             url.Values
+		errCheck             require.ErrorAssertionFunc
+		expectedTeleportArgs string
+	}{
+		{
+			name: "valid",
+			reqQuery: url.Values{
+				"kind":         []string{"aws-iam"},
+				"role":         []string{role},
+				"awsAccountID": []string{awsAccountID},
+			},
+			errCheck: require.NoError,
+			expectedTeleportArgs: "integration configure access-graph aws-iam" +
+				" --role=" + role +
+				" --aws-account-id=" + awsAccountID,
+		},
+		{
+			name: "valid with cloud trail",
+			reqQuery: url.Values{
+				"kind":               []string{"aws-iam"},
+				"role":               []string{role},
+				"awsAccountID":       []string{awsAccountID},
+				"sqsUrl":             []string{sqsUrl},
+				"cloudTrailS3Bucket": []string{cloudTrailS3Bucket},
+				"kmsKeysARNs":        []string{kmsKey1, kmsKey2},
+			},
+			errCheck: require.NoError,
+			expectedTeleportArgs: "integration configure access-graph aws-iam" +
+				" --role=" + role +
+				" --aws-account-id=" + awsAccountID +
+				" --sqs-queue-url=" + sqsUrl +
+				" --cloud-trail-bucket=" + cloudTrailS3Bucket +
+				" --kms-key=" + kmsKey1 +
+				" --kms-key=" + kmsKey2,
+		},
+		{
+			name: "valid with eks audit logs",
+			reqQuery: url.Values{
+				"kind":         []string{"aws-iam"},
+				"role":         []string{role},
+				"awsAccountID": []string{awsAccountID},
+				"eksAuditLogs": []string{"true"},
+			},
+			errCheck: require.NoError,
+			expectedTeleportArgs: "integration configure access-graph aws-iam" +
+				" --role=" + role +
+				" --aws-account-id=" + awsAccountID +
+				" --eks-audit-logs",
+		},
+		{
+			name: "valid with cloud trail and eks audit logs",
+			reqQuery: url.Values{
+				"kind":               []string{"aws-iam"},
+				"role":               []string{role},
+				"awsAccountID":       []string{awsAccountID},
+				"sqsUrl":             []string{sqsUrl},
+				"cloudTrailS3Bucket": []string{cloudTrailS3Bucket},
+				"kmsKeysARNs":        []string{kmsKey1, kmsKey2},
+				"eksAuditLogs":       []string{"true"},
+			},
+			errCheck: require.NoError,
+			expectedTeleportArgs: "integration configure access-graph aws-iam" +
+				" --role=" + role +
+				" --aws-account-id=" + awsAccountID +
+				" --sqs-queue-url=" + sqsUrl +
+				" --cloud-trail-bucket=" + cloudTrailS3Bucket +
+				" --kms-key=" + kmsKey1 +
+				" --kms-key=" + kmsKey2 +
+				" --eks-audit-logs",
+		},
+		{
+			name: "valid with symbols in role",
+			reqQuery: url.Values{
+				"kind":         []string{"aws-iam"},
+				"role":         []string{"Test+1=2,3.4@5-6_7"},
+				"awsAccountID": []string{"123456789012"},
+			},
+			errCheck: require.NoError,
+			expectedTeleportArgs: "integration configure access-graph aws-iam " +
+				"--role=Test\\+1=2,3.4\\@5-6_7 " +
+				"--aws-account-id=123456789012",
+		},
+		{
+			name: "missing kind",
+			reqQuery: url.Values{
+				"role":         []string{"myRole"},
+				"awsAccountID": []string{"123456789012"},
+			},
+			errCheck: isBadParamErrFn,
+		},
+		{
+			name: "missing role",
+			reqQuery: url.Values{
+				"kind":         []string{"aws-iam"},
+				"awsAccountID": []string{"123456789012"},
+			},
+			errCheck: isBadParamErrFn,
+		},
+		{
+			name: "missing awsAccountID",
+			reqQuery: url.Values{
+				"kind": []string{"aws-iam"},
+				"role": []string{"myRole"},
+			},
+			errCheck: isBadParamErrFn,
+		},
+		{
+			name: "trying to inject escape sequence into query params",
+			reqQuery: url.Values{
+				"kind":         []string{"aws-iam"},
+				"role":         []string{"'; rm -rf /tmp/dir; echo '"},
+				"awsAccountID": []string{"123456789012"},
+			},
+			errCheck: isBadParamErrFn,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			resp, err := anonymousHTTPClient.Get(t.Context(), endpoint, tc.reqQuery)
+			tc.errCheck(t, err)
+			if err != nil {
+				return
+			}
+
+			require.Contains(t, string(resp.Bytes()),
+				fmt.Sprintf("entrypointArgs='%s'\n", tc.expectedTeleportArgs),
+			)
+		})
+	}
+}
+
 func TestBuildAWSAppAccessConfigureIAMScript(t *testing.T) {
 	t.Parallel()
 	isBadParamErrFn := func(tt require.TestingT, err error, i ...any) {
 		require.True(tt, trace.IsBadParameter(err), "expected bad parameter, got %v", err)
 	}
 
-	ctx := context.Background()
 	env := newWebPack(t, 1)
 
 	// Unauthenticated client for script downloading.
@@ -372,7 +532,7 @@ func TestBuildAWSAppAccessConfigureIAMScript(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			resp, err := anonymousHTTPClient.Get(ctx, endpoint, tc.reqQuery)
+			resp, err := anonymousHTTPClient.Get(t.Context(), endpoint, tc.reqQuery)
 			tc.errCheck(t, err)
 			if err != nil {
 				return