Web: define request mode field

gravitational · Oct 9, 2024 · a0af6ce · a0af6ce
1 parent f65e790
commit a0af6ce
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 4 deletions.
diff --git a/web/packages/teleport/src/services/kube/types.ts b/web/packages/teleport/src/services/kube/types.ts
@@ -27,11 +27,13 @@ export interface Kube {
 }
 
 /**
- * Add kind consts as we go.
- * Supported kube subresources:
+ * Only the web UI supported kinds are defined.
+ * All supported backend kube subresources:
  * https://github.com/gravitational/teleport/blob/c86f46db17fe149240e30fa0748621239e36c72a/api/types/constants.go#L1233
+ *
+ * Wildcard means any of the kube subresources.
  */
-export type KubeResourceKind = 'namespace';
+export type KubeResourceKind = 'namespace' | '*';
 
 /**
  * Refers to kube_cluster's subresources like namespaces, pods, etc

diff --git a/web/packages/teleport/src/services/user/makeUserContext.ts b/web/packages/teleport/src/services/user/makeUserContext.ts
@@ -54,6 +54,9 @@ function makeAccessCapabilities(json): AccessCapabilities {
   return {
     requestableRoles: json.requestableRoles || [],
     suggestedReviewers: json.suggestedReviewers || [],
+    requestMode: {
+      kubernetesResources: json.requestMode?.kubernetesResources || [],
+    },
   };
 }
 

diff --git a/web/packages/teleport/src/services/user/types.ts b/web/packages/teleport/src/services/user/types.ts
@@ -18,16 +18,27 @@
 
 import { Cluster } from 'teleport/services/clusters';
 
+import { KubeResourceKind } from '../kube';
+
 export type AuthType = 'local' | 'sso' | 'passwordless';
 
 export interface AccessStrategy {
   type: 'optional' | 'always' | 'reason';
   prompt: string;
 }
 
+interface RequestModeKubeResource {
+  kind: KubeResourceKind;
+}
+
+interface AccessRequestMode {
+  kubernetesResources: RequestModeKubeResource[];
+}
+
 export interface AccessCapabilities {
   requestableRoles: string[];
   suggestedReviewers: string[];
+  requestMode: AccessRequestMode;
 }
 
 export interface UserContext {

diff --git a/web/packages/teleport/src/services/user/user.test.ts b/web/packages/teleport/src/services/user/user.test.ts
@@ -289,7 +289,11 @@ test('undefined values in context response gives proper default values', async (
     // Test undefined access strategy is set to default optional.
     accessStrategy: { type: 'optional', prompt: '' },
     // Test undefined roles and reviewers are set to empty arrays.
-    accessCapabilities: { requestableRoles: [], suggestedReviewers: [] },
+    accessCapabilities: {
+      requestableRoles: [],
+      suggestedReviewers: [],
+      requestMode: { kubernetesResources: [] },
+    },
     allowedSearchAsRoles: [],
     passwordState: PasswordState.PASSWORD_STATE_UNSPECIFIED,
   });

diff --git a/web/packages/teleport/src/stores/storeUserContext.ts b/web/packages/teleport/src/stores/storeUserContext.ts
@@ -19,6 +19,7 @@
 import { Store } from 'shared/libs/stores';
 
 import cfg from 'teleport/config';
+import { KubeResourceKind } from 'teleport/services/kube';
 
 import { UserContext } from 'teleport/services/user';
 
@@ -73,6 +74,12 @@ export default class StoreUserContext extends Store<UserContext> {
     return this.state.acl.kubeServers;
   }
 
+  getAllowedKubeSubresourceKinds(): KubeResourceKind[] {
+    const kubeResources =
+      this.state.accessCapabilities.requestMode.kubernetesResources;
+    return kubeResources.map(kubeResource => kubeResource.kind);
+  }
+
   getTokenAccess() {
     return this.state.acl.tokens;
   }