Add ExternalCloudAudit permissions to user context ACL (#34289)

* Add ExternalCloudAudit permissions to user context ACL

* Add missing acl to test

lib/services/useracl.go

@@ -98,6 +98,8 @@ type UserACL struct {
 	AuditQuery ResourceAccess `json:"auditQuery"`
 	// SecurityReport defines access to security reports.
 	SecurityReport ResourceAccess `json:"securityReport"`
+	// ExternalCloudAudit defines access to manage ExternalCloudAudit
+	ExternalCloudAudit ResourceAccess `json:"externalCloudAudit"`
 	// AccessGraph defines access to access graph.
 	AccessGraph ResourceAccess `json:"accessGraph"`
 }
@@ -171,6 +173,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 	discoveryConfigsAccess := newAccess(userRoles, ctx, types.KindDiscoveryConfig)
 	lockAccess := newAccess(userRoles, ctx, types.KindLock)
 	accessListAccess := newAccess(userRoles, ctx, types.KindAccessList)
+	externalCloudAudit := newAccess(userRoles, ctx, types.KindExternalCloudAudit)
 
 	var auditQuery ResourceAccess
 	var securityReports ResourceAccess
@@ -212,6 +215,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 		AccessList:              accessListAccess,
 		AuditQuery:              auditQuery,
 		SecurityReport:          securityReports,
+		ExternalCloudAudit:      externalCloudAudit,
 		AccessGraph:             accessGraphAccess,
 	}
 }

lib/services/useracl_test.go

@@ -92,6 +92,7 @@ func TestNewUserACL(t *testing.T) {
 	require.Empty(t, cmp.Diff(userContext.AccessRequests, denied))
 	require.Empty(t, cmp.Diff(userContext.ConnectionDiagnostic, denied))
 	require.Empty(t, cmp.Diff(userContext.Desktops, allowedRW))
+	require.Empty(t, cmp.Diff(userContext.ExternalCloudAudit, denied))
 
 	require.Empty(t, cmp.Diff(userContext.Billing, denied))
 	require.True(t, userContext.Clipboard)
@@ -148,6 +149,7 @@ func TestNewUserACLCloud(t *testing.T) {
 	require.Empty(t, cmp.Diff(userContext.Nodes, allowedRW))
 	require.Empty(t, cmp.Diff(userContext.AccessRequests, allowedRW))
 	require.Empty(t, cmp.Diff(userContext.DiscoveryConfig, allowedRW))
+	require.Empty(t, cmp.Diff(userContext.ExternalCloudAudit, allowedRW))
 
 	require.True(t, userContext.Clipboard)
 	require.True(t, userContext.DesktopSessionRecording)

web/packages/teleport/src/mocks/contexts.ts

@@ -68,6 +68,7 @@ export const allAccessAcl: Acl = {
   accessList: fullAccess,
   auditQuery: fullAccess,
   securityReport: fullAccess,
+  externalCloudAudit: fullAccess,
   accessGraph: fullAccess,
 };
 

web/packages/teleport/src/services/user/makeAcl.ts

@@ -63,6 +63,8 @@ export function makeAcl(json): Acl {
   const auditQuery = json.auditQuery || defaultAccess;
   const securityReport = json.securityReport || defaultAccess;
 
+  const externalCloudAudit = json.externalCloudAudit || defaultAccess;
+
   const samlIdpServiceProvider = json.samlIdpServiceProvider || defaultAccess;
   const accessGraph = json.accessGraph || defaultAccess;
 
@@ -98,6 +100,7 @@ export function makeAcl(json): Acl {
     samlIdpServiceProvider,
     auditQuery,
     securityReport,
+    externalCloudAudit,
     accessGraph,
   };
 }

web/packages/teleport/src/services/user/types.ts

@@ -84,6 +84,7 @@ export interface Acl {
   accessList: Access;
   auditQuery: Access;
   securityReport: Access;
+  externalCloudAudit: Access;
   accessGraph: Access;
 }
 

web/packages/teleport/src/services/user/user.test.ts

@@ -128,6 +128,13 @@ test('undefined values in context response gives proper default values', async (
         create: false,
         remove: false,
       },
+      externalCloudAudit: {
+        list: false,
+        read: false,
+        edit: false,
+        create: false,
+        remove: false,
+      },
       users: {
         list: false,
         read: false,