Adds user sync flag to the Okta plugin settings (#33140)

* Up-revs the Okta plugin settings version

Adds a version field to the OktaPlugin settings and updates the associated
protocol files and tests. This is in preparation for adding new behaviour
to the Okta plugin, and will allow Teleport to determine if a plugin
installation was created by the current version of Teleport (and should
get the new behaviour), or an old version (which will get no surprising
behavioural changes)

changing the behaviour of the Okta plugin depending
if the plugin is created from a current or old version of Teleport.

* revert structure up-rev

* Fix spelling

* Revert to simple flag

* Test tidyup

* Update api/types/plugin_test.go

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>

---------

Co-authored-by: Forrest <30576607+fspmarshall@users.noreply.github.com>

api/proto/teleport/legacy/types/types.proto

@@ -5506,6 +5506,9 @@ message PluginOktaSettings {
 
   // OrgUrl is the Okta organization URL to use for API communication.
   string org_url = 1;
+
+  // EnableUserSync controls the user sync in the Okta integration service.
+  bool enable_user_sync = 2;
 }
 
 // Defines a set of discord channel IDs

api/types/plugin_test.go

@@ -201,34 +201,63 @@ func TestPluginOpsgenieValidation(t *testing.T) {
 	}
 }
 
+func requireBadParameterWith(msg string) require.ErrorAssertionFunc {
+	return func(t require.TestingT, err error, args ...interface{}) {
+		require.True(t, trace.IsBadParameter(err), "error: %v", err)
+		require.Contains(t, err.Error(), msg)
+	}
+}
+
 func TestPluginOktaValidation(t *testing.T) {
+	validSettings := &PluginSpecV1_Okta{
+		Okta: &PluginOktaSettings{
+			OrgUrl:         "https://test.okta.com",
+			EnableUserSync: true,
+		},
+	}
+
+	validCreds := &PluginCredentialsV1{
+		Credentials: &PluginCredentialsV1_StaticCredentialsRef{
+			&PluginStaticCredentialsRef{
+				Labels: map[string]string{
+					"label1": "value1",
+				},
+			},
+		},
+	}
+
 	testCases := []struct {
-		name      string
-		settings  *PluginSpecV1_Okta
-		creds     *PluginCredentialsV1
-		assertErr require.ErrorAssertionFunc
+		name        string
+		settings    *PluginSpecV1_Okta
+		creds       *PluginCredentialsV1
+		assertErr   require.ErrorAssertionFunc
+		assertValue func(*testing.T, *PluginOktaSettings)
 	}{
+		{
+			name:      "valid values are preserved",
+			settings:  validSettings,
+			creds:     validCreds,
+			assertErr: require.NoError,
+			assertValue: func(t *testing.T, settings *PluginOktaSettings) {
+				require.Equal(t, "https://test.okta.com", settings.OrgUrl)
+				require.True(t, settings.EnableUserSync)
+			},
+		},
 		{
 			name: "no settings",
 			settings: &PluginSpecV1_Okta{
 				Okta: nil,
 			},
-			creds: nil,
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.True(t, trace.IsBadParameter(err))
-				require.Contains(t, err.Error(), "missing Okta settings")
-			},
+			creds:     validCreds,
+			assertErr: requireBadParameterWith("missing Okta settings"),
 		},
 		{
 			name: "no org URL",
 			settings: &PluginSpecV1_Okta{
 				Okta: &PluginOktaSettings{},
 			},
-			creds: nil,
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.True(t, trace.IsBadParameter(err))
-				require.Contains(t, err.Error(), "org_url must be set")
-			},
+			creds:     validCreds,
+			assertErr: requireBadParameterWith("org_url must be set"),
 		},
 		{
 			name: "no credentials inner",
@@ -237,11 +266,8 @@ func TestPluginOktaValidation(t *testing.T) {
 					OrgUrl: "https://test.okta.com",
 				},
 			},
-			creds: &PluginCredentialsV1{},
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.True(t, trace.IsBadParameter(err))
-				require.Contains(t, err.Error(), "must be used with the static credentials ref type")
-			},
+			creds:     &PluginCredentialsV1{},
+			assertErr: requireBadParameterWith("must be used with the static credentials ref type"),
 		},
 		{
 			name: "invalid credential type (oauth2)",
@@ -253,10 +279,7 @@ func TestPluginOktaValidation(t *testing.T) {
 			creds: &PluginCredentialsV1{
 				Credentials: &PluginCredentialsV1_Oauth2AccessToken{},
 			},
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.True(t, trace.IsBadParameter(err))
-				require.Contains(t, err.Error(), "must be used with the static credentials ref type")
-			},
+			assertErr: requireBadParameterWith("must be used with the static credentials ref type"),
 		},
 		{
 			name: "invalid credentials (static credentials)",
@@ -272,29 +295,18 @@ func TestPluginOktaValidation(t *testing.T) {
 					},
 				},
 			},
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.True(t, trace.IsBadParameter(err))
-				require.Contains(t, err.Error(), "labels must be specified")
-			},
-		},
-		{
-			name: "valid credentials (static credentials)",
+			assertErr: requireBadParameterWith("labels must be specified"),
+		}, {
+			name: "EnableUserSync defaults to false",
 			settings: &PluginSpecV1_Okta{
 				Okta: &PluginOktaSettings{
 					OrgUrl: "https://test.okta.com",
 				},
 			},
-			creds: &PluginCredentialsV1{
-				Credentials: &PluginCredentialsV1_StaticCredentialsRef{
-					&PluginStaticCredentialsRef{
-						Labels: map[string]string{
-							"label1": "value1",
-						},
-					},
-				},
-			},
-			assertErr: func(t require.TestingT, err error, args ...any) {
-				require.NoError(t, err)
+			creds:     validCreds,
+			assertErr: require.NoError,
+			assertValue: func(t *testing.T, settings *PluginOktaSettings) {
+				require.False(t, settings.EnableUserSync)
 			},
 		},
 	}
@@ -305,6 +317,9 @@ func TestPluginOktaValidation(t *testing.T) {
 				Settings: tc.settings,
 			}, tc.creds)
 			tc.assertErr(t, plugin.CheckAndSetDefaults())
+			if tc.assertValue != nil {
+				tc.assertValue(t, plugin.Spec.GetOkta())
+			}
 		})
 	}
 }