user acl for device trust ui (#23493)

* feat: user acl for device trust ui * Update lib/web/ui/usercontext.go Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * revert e ref to current from master * Update web/packages/teleport/src/stores/storeUserContext.ts Co-authored-by: Lisa Kim <lisa@goteleport.com> * Update web/packages/teleport/src/teleportContext.tsx Co-authored-by: Lisa Kim <lisa@goteleport.com> * update defaultAllowRules to RW() * commend added to highlight preset rules should be same when added to defaultAllowRules --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Lisa Kim <lisa@goteleport.com>
2024-10-20 09:13:39 +00:00 · 2023-03-24 10:11:04 +05:45 · 2023-03-24 10:11:04 +05:45 · 786be9ef0c
parent c26d911cfd
commit 786be9ef0c
9 changed files with 25 additions and 0 deletions
--- a/lib/services/presets.go
+++ b/lib/services/presets.go
@ -189,6 +189,7 @@ func NewPresetAuditorRole() types.Role {

 // defaultAllowRules has the Allow rules that should be set as default when they were not explicitly defined.
 // This is used to update the current cluster roles when deploying a new resource.
+// Rules defined in preset template should be exactly the same rule when added here.
 func defaultAllowRules() map[string][]types.Rule {
 	return map[string][]types.Rule{
 		teleport.PresetAuditorRoleName: {
@ -203,6 +204,7 @@ func defaultAllowRules() map[string][]types.Rule {
 			types.NewRule(types.KindSAMLIdPServiceProvider, RW()),
 			types.NewRule(types.KindOktaImportRule, RW()),
 			types.NewRule(types.KindOktaAssignment, RW()),
+			types.NewRule(types.KindDevice, append(RW(), types.VerbCreateEnrollToken, types.VerbEnroll)),
 		},
 	}
 }
--- a/lib/web/ui/usercontext.go
+++ b/lib/web/ui/usercontext.go
@ -95,6 +95,8 @@ type userACL struct {
 	License access `json:"license"`
 	// Plugins defines whether the user has access to manage hosted plugin instances
 	Plugins access `json:"plugins"`
+	// DeviceTrust defines access to device trust.
+	DeviceTrust access `json:"deviceTrust"`
 }

 type authType string
@ -204,6 +206,7 @@ func NewUserContext(user types.User, userRoles services.RoleSet, features proto.
 	directorySharing := userRoles.DesktopDirectorySharing()
 	download := newAccess(userRoles, ctx, types.KindDownload)
 	license := newAccess(userRoles, ctx, types.KindLicense)
+	deviceTrust := newAccess(userRoles, ctx, types.KindDevice)

 	acl := userACL{
 		AccessRequests:          requestAccess,
@ -229,6 +232,7 @@ func NewUserContext(user types.User, userRoles services.RoleSet, features proto.
 		Download:                download,
 		License:                 license,
 		Plugins:                 pluginsAccess,
+		DeviceTrust:             deviceTrust,
 	}

 	// local user
--- a/web/packages/teleport/src/mocks/contexts.ts
+++ b/web/packages/teleport/src/mocks/contexts.ts
@ -51,6 +51,7 @@ export const fullAcl: Acl = {
  license: fullAccess,
  download: fullAccess,
  plugins: fullAccess,
+  deviceTrust: fullAccess,
 };

 export const userContext = makeUserContext({
--- a/web/packages/teleport/src/services/user/makeAcl.ts
+++ b/web/packages/teleport/src/services/user/makeAcl.ts
@ -54,6 +54,8 @@ export default function makeAcl(json): Acl {
  const license = json.license || defaultAccess;
  const download = json.download || defaultAccess;

+  const deviceTrust = json.deviceTrust || defaultAccess;
+
  return {
    authConnectors,
    trustedClusters,
@ -78,6 +80,7 @@ export default function makeAcl(json): Acl {
    connectionDiagnostic,
    license,
    download,
+    deviceTrust,
  };
 }

--- a/web/packages/teleport/src/services/user/types.ts
+++ b/web/packages/teleport/src/services/user/types.ts
@ -71,6 +71,7 @@ export interface Acl {
  license: Access;
  download: Access;
  plugins: Access;
+  deviceTrust: Access;
 }

 export interface User {
--- a/web/packages/teleport/src/services/user/user.test.ts
+++ b/web/packages/teleport/src/services/user/user.test.ts
@ -190,6 +190,13 @@ test('undefined values in context response gives proper default values', async (
        create: false,
        remove: false,
      },
+      deviceTrust: {
+        list: false,
+        read: false,
+        edit: false,
+        create: false,
+        remove: false,
+      },
      clipboardSharingEnabled: true,
      desktopSessionRecordingEnabled: true,
      directorySharingEnabled: true,
--- a/web/packages/teleport/src/stores/storeUserContext.ts
+++ b/web/packages/teleport/src/stores/storeUserContext.ts
@ -175,4 +175,8 @@ export default class StoreUserContext extends Store<UserContext> {
  hasPluginsAccess() {
    return this.state.acl.plugins.list || this.state.acl.plugins.create;
  }
+
+  getDeviceTrustAccess() {
+    return this.state.acl.deviceTrust;
+  }
 }
--- a/web/packages/teleport/src/teleportContext.tsx
+++ b/web/packages/teleport/src/teleportContext.tsx
@ -98,6 +98,7 @@ class TeleportContext implements types.Context {
        downloadCenter: false,
        discover: false,
        plugins: false,
+        deviceTrust: false,
      };
    }

@ -120,6 +121,7 @@ class TeleportContext implements types.Context {
      downloadCenter: userContext.hasDownloadCenterListAccess(),
      discover: userContext.hasDiscoverAccess(),
      plugins: userContext.hasPluginsAccess(),
+      deviceTrust: userContext.getDeviceTrustAccess().list,
    };
  }
 }
--- a/web/packages/teleport/src/types.ts
+++ b/web/packages/teleport/src/types.ts
@ -90,4 +90,5 @@ export interface FeatureFlags {
  downloadCenter: boolean;
  discover: boolean;
  plugins: boolean;
+  deviceTrust: boolean;
 }