gravitational · vapopov · Dec 12, 2024 · Nov 14, 2024 · Dec 6, 2024 · Dec 10, 2024
diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go
@@ -30,6 +30,7 @@ import (
 	apievents "github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/events"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/services"
 )
 
@@ -292,6 +293,11 @@ func (s *Service) CreateAutoUpdateVersion(ctx context.Context, req *autoupdate.C
 		return nil, trace.Wrap(err)
 	}
 
+	if modules.GetModules().Features().Cloud && !isAdmin(authCtx) {
+		return nil, trace.AccessDenied("only role %q is allowed to modifying %q in cloud",
+			types.RoleAdmin, types.KindAutoUpdateVersion)
+	}
+
 	if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate); err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -333,6 +339,11 @@ func (s *Service) UpdateAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 		return nil, trace.Wrap(err)
 	}
 
+	if modules.GetModules().Features().Cloud && !isAdmin(authCtx) {
+		return nil, trace.AccessDenied("only role %q is allowed to modifying %q in cloud",
+			types.RoleAdmin, types.KindAutoUpdateVersion)
+	}
+
 	if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbUpdate); err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -374,6 +385,11 @@ func (s *Service) UpsertAutoUpdateVersion(ctx context.Context, req *autoupdate.U
 		return nil, trace.Wrap(err)
 	}
 
+	if modules.GetModules().Features().Cloud && !isAdmin(authCtx) {
+		return nil, trace.AccessDenied("only role %q is allowed to modifying %q in cloud",
+			types.RoleAdmin, types.KindAutoUpdateVersion)
+	}
+
 	if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbCreate, types.VerbUpdate); err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -415,6 +431,11 @@ func (s *Service) DeleteAutoUpdateVersion(ctx context.Context, req *autoupdate.D
 		return nil, trace.Wrap(err)
 	}
 
+	if modules.GetModules().Features().Cloud && !isAdmin(authCtx) {
+		return nil, trace.AccessDenied("only role %q is allowed to modifying %q in cloud",
+			types.RoleAdmin, types.KindAutoUpdateVersion)
+	}
+
 	if err := authCtx.CheckAccessToKind(types.KindAutoUpdateVersion, types.VerbDelete); err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -589,3 +610,8 @@ func (s *Service) emitEvent(ctx context.Context, e apievents.AuditEvent) {
 		)
 	}
 }
+
+// isAdmin returns true if the given context has the builtin admin role.
+func isAdmin(authCtx *authz.Context) bool {
+	return authz.HasBuiltinRole(*authCtx, string(types.RoleAdmin))
+}
diff --git a/lib/modules/modules.go b/lib/modules/modules.go
@@ -34,7 +34,6 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/client/proto"
-	"github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/accesslist"
 	"github.com/gravitational/teleport/api/utils/keys"
@@ -333,8 +332,11 @@ func GetModules() Modules {
 var ErrCannotDisableSecondFactor = errors.New("cannot disable multi-factor authentication")
 
 // ValidateResource performs additional resource checks.
-func ValidateResource(res any) error {
-	if GetModules().Features().Cloud || !IsInsecureTestMode() {
+func ValidateResource(res types.Resource) error {
+	// todo(tross): DELETE WHEN ABLE TO [remove env var, leave insecure test mode]
+	if GetModules().Features().Cloud ||
+		(os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "yes" && !IsInsecureTestMode()) {
+
 		switch r := res.(type) {
 		case types.AuthPreference:
 			if !r.IsSecondFactorEnforced() {
@@ -357,8 +359,6 @@ func ValidateResource(res any) error {
 		if !r.GetProxyChecksHostKeys() {
 			return trace.BadParameter("cannot disable strict host key checking on Cloud")
 		}
-	case autoupdate.AutoUpdateVersion:
-		return trace.BadParameter("cannot modify auto update version on Cloud")
 	}
 	return nil
 }

diff --git a/lib/services/local/autoupdate.go b/lib/services/local/autoupdate.go
@@ -27,7 +27,6 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	update "github.com/gravitational/teleport/api/types/autoupdate"
 	"github.com/gravitational/teleport/lib/backend"
-	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/local/generic"
 )
@@ -143,9 +142,6 @@ func (s *AutoUpdateService) CreateAutoUpdateVersion(
 	ctx context.Context,
 	v *autoupdate.AutoUpdateVersion,
 ) (*autoupdate.AutoUpdateVersion, error) {
-	if err := modules.ValidateResource(v); err != nil {
-		return nil, trace.Wrap(err)
-	}
 	version, err := s.version.CreateResource(ctx, v)
 	return version, trace.Wrap(err)
 }
@@ -155,9 +151,6 @@ func (s *AutoUpdateService) UpdateAutoUpdateVersion(
 	ctx context.Context,
 	v *autoupdate.AutoUpdateVersion,
 ) (*autoupdate.AutoUpdateVersion, error) {
-	if err := modules.ValidateResource(v); err != nil {
-		return nil, trace.Wrap(err)
-	}
 	version, err := s.version.ConditionalUpdateResource(ctx, v)
 	return version, trace.Wrap(err)
 }
@@ -167,9 +160,6 @@ func (s *AutoUpdateService) UpsertAutoUpdateVersion(
 	ctx context.Context,
 	v *autoupdate.AutoUpdateVersion,
 ) (*autoupdate.AutoUpdateVersion, error) {
-	if err := modules.ValidateResource(v); err != nil {
-		return nil, trace.Wrap(err)
-	}
 	version, err := s.version.UpsertResource(ctx, v)
 	return version, trace.Wrap(err)
 }

diff --git a/lib/services/presets.go b/lib/services/presets.go
@@ -184,6 +184,9 @@ func NewPresetEditorRole() types.Role {
 					types.NewRule(types.KindUserTask, RW()),
 					types.NewRule(types.KindIdentityCenter, RW()),
 					types.NewRule(types.KindContact, RW()),
+					types.NewRule(types.KindAutoUpdateVersion, RW()),
+					types.NewRule(types.KindAutoUpdateConfig, RW()),
+					types.NewRule(types.KindAutoUpdateAgentRollout, RW()),
 				},
 			},
 		},