Skip to content

Commit

Permalink
Add ReviewRequests to user ACL
Browse files Browse the repository at this point in the history
This PR exposes `allow.review_requests` capabilities in the user ACL.
This is used to conditionally render the "Access Requests" button when
feature hiding is on.
  • Loading branch information
avatus committed Nov 6, 2024
1 parent 6ac6025 commit 4a4e929
Show file tree
Hide file tree
Showing 9 changed files with 21 additions and 1 deletion.
4 changes: 4 additions & 0 deletions lib/services/useracl.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,8 @@ type UserACL struct {
CrownJewel ResourceAccess `json:"crownJewel"`
// AccessGraphSettings defines access to manage access graph settings.
AccessGraphSettings ResourceAccess `json:"accessGraphSettings"`
// ReviewRequests defines the ability to review requests
ReviewRequests bool `json:"reviewRequests"`
}

func hasAccess(roleSet RoleSet, ctx *Context, kind string, verbs ...string) bool {
Expand Down Expand Up @@ -205,6 +207,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
botInstances := newAccess(userRoles, ctx, types.KindBotInstance)
crownJewelAccess := newAccess(userRoles, ctx, types.KindCrownJewel)
userTasksAccess := newAccess(userRoles, ctx, types.KindUserTask)
reviewRequests := userRoles.MaybeCanReviewRequests()

var auditQuery ResourceAccess
var securityReports ResourceAccess
Expand All @@ -218,6 +221,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
AppServers: appServerAccess,
DBServers: dbServerAccess,
DB: dbAccess,
ReviewRequests: reviewRequests,
KubeServers: kubeServerAccess,
Desktops: desktopAccess,
AuthConnectors: authConnectors,
Expand Down
2 changes: 2 additions & 0 deletions lib/services/useracl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,8 @@ func TestNewUserACL(t *testing.T) {
// test that desktopRecordingEnabled being false overrides the roleSet.RecordDesktopSession() returning true
userContext = NewUserACL(user, roleSet, proto.Features{}, false, false)
require.False(t, userContext.DesktopSessionRecording)

require.False(t, userContext.ReviewRequests)
}

func TestNewUserACLCloud(t *testing.T) {
Expand Down
6 changes: 5 additions & 1 deletion web/packages/teleport/src/TopBar/TopBar.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,11 @@ export function TopBar({ CustomLogo }: TopBarProps) {
/>
)}

{topBarLinks.map(({ topMenuItem, navigationItem }) => {
{topBarLinks.map(({ topMenuItem, navigationItem, hasAccess }) => {
const canAccess = hasAccess(ctx.getFeatureFlags());
if (!canAccess) {
return;
}
const link = navigationItem.getLink(clusterId);
const currentPath = history.location.pathname;
const selected =
Expand Down
1 change: 1 addition & 0 deletions web/packages/teleport/src/mocks/contexts.ts
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ export const allAccessAcl: Acl = {
clipboardSharingEnabled: true,
desktopSessionRecordingEnabled: true,
directorySharingEnabled: true,
reviewRequests: true,
license: fullAccess,
download: fullAccess,
plugins: fullAccess,
Expand Down
2 changes: 2 additions & 0 deletions web/packages/teleport/src/services/user/makeAcl.ts
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ export function makeAcl(json): Acl {
const dbServers = json.dbServers || defaultAccess;
const db = json.db || defaultAccess;
const desktops = json.desktops || defaultAccess;
const reviewRequests = json.reviewRequests ?? false;
const connectionDiagnostic = json.connectionDiagnostic || defaultAccess;
// Defaults to true, see RFD 0049
// https://github.com/gravitational/teleport/blob/master/rfd/0049-desktop-clipboard.md#security
Expand Down Expand Up @@ -85,6 +86,7 @@ export function makeAcl(json): Acl {
kubeServers,
tokens,
accessRequests,
reviewRequests,
billing,
plugins,
integrations,
Expand Down
1 change: 1 addition & 0 deletions web/packages/teleport/src/services/user/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ export interface AccessWithUse extends Access {

export interface Acl {
directorySharingEnabled: boolean;
reviewRequests: boolean;
desktopSessionRecordingEnabled: boolean;
clipboardSharingEnabled: boolean;
authConnectors: Access;
Expand Down
1 change: 1 addition & 0 deletions web/packages/teleport/src/services/user/user.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -202,6 +202,7 @@ test('undefined values in context response gives proper default values', async (
create: false,
remove: false,
},
reviewRequests: false,
billing: {
list: false,
read: false,
Expand Down
4 changes: 4 additions & 0 deletions web/packages/teleport/src/stores/storeUserContext.ts
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,10 @@ export default class StoreUserContext extends Store<UserContext> {
return this.state.acl.clipboardSharingEnabled;
}

getReviewRequests() {
return this.state.acl.reviewRequests;
}

getNodeAccess() {
return this.state.acl.nodes;
}
Expand Down
1 change: 1 addition & 0 deletions web/packages/teleport/src/teleportContext.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,7 @@ class TeleportContext implements types.Context {
// having list access, requestable roles, or allowed search_as_roles.
if (cfg.hideInaccessibleFeatures) {
return !!(
userContext.getReviewRequests() ||
userContext.getAccessRequestAccess().list ||
userContext.getRequestableRoles().length ||
userContext.getAllowedSearchAsRoles().length
Expand Down

0 comments on commit 4a4e929

Please sign in to comment.