Hide review box if user cannot review access requests

oss counterpart for gravitational/teleport.e#5628 This adds some testing to the view as well as the equivalent to the web solution for Connect. Connect was missing the [recently added](#48536) `ReviewRequests` field in the user ACL, so I added it here. Because this is handled in the tsh code, we don't have to worry about backward compatibility here for Connect right?
gravitational · Dec 4, 2024 · 3883a1d · 3883a1d
1 parent 6a83f9e
commit 3883a1d
Show file tree

Hide file tree

Showing 8 changed files with 139 additions and 35 deletions.
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
diff --git a/gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts b/gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts
diff --git a/lib/teleterm/clusters/cluster.go b/lib/teleterm/clusters/cluster.go
@@ -213,6 +213,7 @@ func (c *Cluster) GetWithDetails(ctx context.Context, authClient authclient.Clie
 		Dbs:              convertToAPIResourceAccess(userACL.DBServers),
 		Kubeservers:      convertToAPIResourceAccess(userACL.KubeServers),
 		AccessRequests:   convertToAPIResourceAccess(userACL.AccessRequests),
+		ReviewRequests:   &userACL.ReviewRequests,
 	}
 
 	withDetails := &ClusterWithDetails{

diff --git a/proto/teleport/lib/teleterm/v1/cluster.proto b/proto/teleport/lib/teleterm/v1/cluster.proto
@@ -141,6 +141,8 @@ message ACL {
   ResourceAccess recorded_sessions = 13;
   // active_sessions defines access to active sessions.
   ResourceAccess active_sessions = 14;
+  // review_requests defines the ability to review requests
+  optional bool review_requests = 15;
 }
 
 // ResourceAccess describes access verbs

diff --git a/...ared/components/AccessRequests/ReviewRequests/RequestView/RequestReview/RequestReview.tsx b/...ared/components/AccessRequests/ReviewRequests/RequestView/RequestReview/RequestReview.tsx
@@ -114,6 +114,7 @@ export default function RequestReview({
     <Validation>
       {({ validator }) => (
         <Box
+          data-testid="review_box"
           border="1px solid"
           borderColor="levels.sunken"
           mt={7}

diff --git a/...packages/shared/components/AccessRequests/ReviewRequests/RequestView/RequestView.test.tsx b/...packages/shared/components/AccessRequests/ReviewRequests/RequestView/RequestView.test.tsx
@@ -0,0 +1,70 @@
+/**
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { render, screen } from 'design/utils/testing';
+
+import { makeEmptyAttempt, makeSuccessAttempt } from 'shared/hooks/useAsync';
+
+import { requestRolePending } from '../../fixtures';
+
+import { RequestView, RequestViewProps } from './RequestView';
+import { RequestFlags } from './types';
+
+const reviewBoxId = 'review_box';
+
+const sampleFlags: RequestFlags = {
+  canAssume: false,
+  isAssumed: false,
+  canDelete: false,
+  canReview: true,
+  ownRequest: false,
+  isPromoted: false,
+};
+
+const sample: RequestViewProps = {
+  user: 'loggedInUsername',
+  fetchRequestAttempt: makeSuccessAttempt(requestRolePending),
+  submitReviewAttempt: makeEmptyAttempt(),
+  getFlags: () => sampleFlags,
+  confirmDelete: false,
+  toggleConfirmDelete: () => null,
+  submitReview: () => null,
+  assumeRole: () => null,
+  fetchSuggestedAccessListsAttempt: makeSuccessAttempt([]),
+  assumeRoleAttempt: makeEmptyAttempt(),
+  assumeAccessList: () => null,
+  deleteRequestAttempt: makeEmptyAttempt(),
+  deleteRequest: () => null,
+};
+
+describe('Request View', () => {
+  test('renders review box if user can review', async () => {
+    render(<RequestView {...sample} />);
+    expect(screen.getByTestId(reviewBoxId)).toBeInTheDocument();
+  });
+
+  test('does not render review box is user cannot review', async () => {
+    const testState = {
+      ...sample,
+      getFlags: () => ({ ...sampleFlags, canReview: false }),
+    };
+
+    render(<RequestView {...testState} />);
+    expect(screen.queryByTestId(reviewBoxId)).not.toBeInTheDocument();
+  });
+});
diff --git a/web/packages/teleterm/src/services/tshd/testHelpers.ts b/web/packages/teleterm/src/services/tshd/testHelpers.ts
@@ -225,6 +225,7 @@ export const makeLoggedInUser = (
       delete: true,
       use: true,
     },
+    reviewRequests: true,
   },
   sshLogins: [],
   roles: [],

diff --git a/...ages/teleterm/src/ui/DocumentAccessRequests/ReviewAccessRequest/useReviewAccessRequest.ts b/...ages/teleterm/src/ui/DocumentAccessRequests/ReviewAccessRequest/useReviewAccessRequest.ts
@@ -181,11 +181,13 @@ function getRequestFlags(
     ? reviewed.state === 'PENDING'
     : request.state === 'PENDING';
 
+  const canReview = !ownRequest && isPendingState && user.acl.reviewRequests;
+
   return {
     canAssume,
     isAssumed,
     canDelete,
-    canReview: !ownRequest && isPendingState,
+    canReview,
     isPromoted,
     ownRequest,
   };