From 4f62286cd286c373f569d2507e390f2bd6e3b258 Mon Sep 17 00:00:00 2001 From: matheus Date: Tue, 3 Dec 2024 14:47:31 -0300 Subject: [PATCH] Add Contacts RBAC (#48885) * Add Contact resource; include it in default editor permissions and web ACL * Add contacts to ACL test * Improve godocs Co-authored-by: Zac Bergquist * Add `contact` to the web user context --------- Co-authored-by: Zac Bergquist --- api/types/constants.go | 4 ++++ lib/services/presets.go | 1 + lib/services/useracl.go | 5 +++++ lib/services/useracl_test.go | 5 +++++ web/packages/teleport/src/mocks/contexts.ts | 1 + web/packages/teleport/src/services/user/makeAcl.ts | 3 +++ web/packages/teleport/src/services/user/types.ts | 1 + web/packages/teleport/src/services/user/user.test.ts | 7 +++++++ web/packages/teleport/src/stores/storeUserContext.ts | 4 ++++ 9 files changed, 31 insertions(+) diff --git a/api/types/constants.go b/api/types/constants.go index 4940e67999bf9..e8beb81d0bec0 100644 --- a/api/types/constants.go +++ b/api/types/constants.go @@ -593,6 +593,10 @@ const ( // pair that can be requested by a Teleport User. KindIdentityCenterAccountAssignment = "aws_ic_account_assignment" + // KindContact is a resource that holds contact information + // for Teleport Enterprise customers. + KindContact = "contact" + // KindGitServer represents a Git server that can proxy git commands. KindGitServer = "git_server" // SubKindGitHub specifies the GitHub subkind of a Git server. diff --git a/lib/services/presets.go b/lib/services/presets.go index 2601730179647..6af90e02110c4 100644 --- a/lib/services/presets.go +++ b/lib/services/presets.go @@ -183,6 +183,7 @@ func NewPresetEditorRole() types.Role { types.NewRule(types.KindStaticHostUser, RW()), types.NewRule(types.KindUserTask, RW()), types.NewRule(types.KindIdentityCenter, RW()), + types.NewRule(types.KindContact, RW()), }, }, }, diff --git a/lib/services/useracl.go b/lib/services/useracl.go index 5ec6fe73f1ce8..d1511651f8adc 100644 --- a/lib/services/useracl.go +++ b/lib/services/useracl.go @@ -116,6 +116,8 @@ type UserACL struct { AccessGraphSettings ResourceAccess `json:"accessGraphSettings"` // ReviewRequests defines the ability to review requests ReviewRequests bool `json:"reviewRequests"` + // Contact defines the ability to manage contacts + Contact ResourceAccess `json:"contact"` } func hasAccess(roleSet RoleSet, ctx *Context, kind string, verbs ...string) bool { @@ -216,6 +218,8 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des securityReports = newAccess(userRoles, ctx, types.KindSecurityReport) } + contact := newAccess(userRoles, ctx, types.KindContact) + return UserACL{ AccessRequests: requestAccess, AppServers: appServerAccess, @@ -257,5 +261,6 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des AccessMonitoringRule: accessMonitoringRules, CrownJewel: crownJewelAccess, AccessGraphSettings: accessGraphSettings, + Contact: contact, } } diff --git a/lib/services/useracl_test.go b/lib/services/useracl_test.go index 4bcb6a75763da..9eb19e199007e 100644 --- a/lib/services/useracl_test.go +++ b/lib/services/useracl_test.go @@ -51,6 +51,10 @@ func TestNewUserACL(t *testing.T) { Resources: []string{types.KindIntegration}, Verbs: append(RW(), types.VerbUse), }, + { + Resources: []string{types.KindContact}, + Verbs: RW(), + }, }) // not setting the rule, or explicitly denying, both denies Access @@ -104,6 +108,7 @@ func TestNewUserACL(t *testing.T) { require.True(t, userContext.DesktopSessionRecording) require.Empty(t, cmp.Diff(userContext.License, denied)) require.Empty(t, cmp.Diff(userContext.Download, denied)) + require.Empty(t, cmp.Diff(userContext.Contact, allowedRW)) // test enabling of the 'Use' verb require.Empty(t, cmp.Diff(userContext.Integrations, ResourceAccess{true, true, true, true, true, true})) diff --git a/web/packages/teleport/src/mocks/contexts.ts b/web/packages/teleport/src/mocks/contexts.ts index 8b477eb6513d0..d44f57b5da2f1 100644 --- a/web/packages/teleport/src/mocks/contexts.ts +++ b/web/packages/teleport/src/mocks/contexts.ts @@ -75,6 +75,7 @@ export const allAccessAcl: Acl = { bots: fullAccess, accessMonitoringRule: fullAccess, discoverConfigs: fullAccess, + contacts: fullAccess, }; export function getAcl(cfg?: { noAccess: boolean }) { diff --git a/web/packages/teleport/src/services/user/makeAcl.ts b/web/packages/teleport/src/services/user/makeAcl.ts index 785b27af00aa3..5fe0a7768cfa5 100644 --- a/web/packages/teleport/src/services/user/makeAcl.ts +++ b/web/packages/teleport/src/services/user/makeAcl.ts @@ -75,6 +75,8 @@ export function makeAcl(json): Acl { const discoverConfigs = json.discoverConfigs || defaultAccess; + const contacts = json.contact || defaultAccess; + return { accessList, authConnectors, @@ -112,6 +114,7 @@ export function makeAcl(json): Acl { bots, accessMonitoringRule, discoverConfigs, + contacts, }; } diff --git a/web/packages/teleport/src/services/user/types.ts b/web/packages/teleport/src/services/user/types.ts index 34d4c49d84e1c..76ea8202d8f35 100644 --- a/web/packages/teleport/src/services/user/types.ts +++ b/web/packages/teleport/src/services/user/types.ts @@ -107,6 +107,7 @@ export interface Acl { accessGraph: Access; bots: Access; accessMonitoringRule: Access; + contacts: Access; } // AllTraits represent all the traits defined for a user. diff --git a/web/packages/teleport/src/services/user/user.test.ts b/web/packages/teleport/src/services/user/user.test.ts index c9f5ce3c51a68..d75023f3f7dc4 100644 --- a/web/packages/teleport/src/services/user/user.test.ts +++ b/web/packages/teleport/src/services/user/user.test.ts @@ -278,6 +278,13 @@ test('undefined values in context response gives proper default values', async ( create: false, remove: false, }, + contacts: { + list: false, + read: false, + edit: false, + create: false, + remove: false, + }, clipboardSharingEnabled: true, desktopSessionRecordingEnabled: true, directorySharingEnabled: true, diff --git a/web/packages/teleport/src/stores/storeUserContext.ts b/web/packages/teleport/src/stores/storeUserContext.ts index 0290fda593ceb..878bf68c95405 100644 --- a/web/packages/teleport/src/stores/storeUserContext.ts +++ b/web/packages/teleport/src/stores/storeUserContext.ts @@ -251,4 +251,8 @@ export default class StoreUserContext extends Store { getBotsAccess() { return this.state.acl.bots; } + + getContactsAccess() { + return this.state.acl.contacts; + } }