mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 08:43:58 +00:00
Add ExternalCloudAudit permissions to user context ACL (#34289)
* Add ExternalCloudAudit permissions to user context ACL
* Add missing ACL to test
parent
7f3c58df1f
commit
b9d1d8eb41
|
@ -98,6 +98,8 @@ type UserACL struct {
|
|||
AuditQuery ResourceAccess `json:"auditQuery"`
|
||||
// SecurityReport defines access to security reports.
|
||||
SecurityReport ResourceAccess `json:"securityReport"`
|
||||
// ExternalCloudAudit defines access to manage ExternalCloudAudit
|
||||
ExternalCloudAudit ResourceAccess `json:"externalCloudAudit"`
|
||||
// AccessGraph defines access to access graph.
|
||||
AccessGraph ResourceAccess `json:"accessGraph"`
|
||||
}
|
||||
|
@ -171,6 +173,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
|
|||
discoveryConfigsAccess := newAccess(userRoles, ctx, types.KindDiscoveryConfig)
|
||||
lockAccess := newAccess(userRoles, ctx, types.KindLock)
|
||||
accessListAccess := newAccess(userRoles, ctx, types.KindAccessList)
|
||||
externalCloudAudit := newAccess(userRoles, ctx, types.KindExternalCloudAudit)
|
||||
|
||||
var auditQuery ResourceAccess
|
||||
var securityReports ResourceAccess
|
||||
|
@ -212,6 +215,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
|
|||
AccessList: accessListAccess,
|
||||
AuditQuery: auditQuery,
|
||||
SecurityReport: securityReports,
|
||||
ExternalCloudAudit: externalCloudAudit,
|
||||
AccessGraph: accessGraphAccess,
|
||||
}
|
||||
}
|
||||
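Review bot: The comment on the new `ExternalCloudAudit` field is circular and unterminated, and it does not say what the value is for; this ACL appears to be consumed by the web client (`makeAcl` later on this page) to decide what to show. I would write `// ExternalCloudAudit defines access to manage the external cloud audit configuration.` and, if it holds for the whole struct, state on `UserACL` that these flags are advisory for the UI and that each request is still authorized server-side. In `NewUserACL`, `externalCloudAudit` is computed unconditionally from the role set, while the neighbouring `auditQuery` and `securityReports` are declared with `var`, which suggests they are assigned conditionally outside the hunk; it is worth confirming that external cloud audit needs no similar gate. The local also drops the `Access` suffix its siblings use (`lockAccess`, `accessListAccess`), so `externalCloudAuditAccess` would read more consistently. `NewUserACL` begins outside the visible hunks.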
|
|
|
@ -92,6 +92,7 @@ func TestNewUserACL(t *testing.T) {
|
|||
require.Empty(t, cmp.Diff(userContext.AccessRequests, denied))
|
||||
require.Empty(t, cmp.Diff(userContext.ConnectionDiagnostic, denied))
|
||||
require.Empty(t, cmp.Diff(userContext.Desktops, allowedRW))
|
||||
require.Empty(t, cmp.Diff(userContext.ExternalCloudAudit, denied))
|
||||
|
||||
require.Empty(t, cmp.Diff(userContext.Billing, denied))
|
||||
require.True(t, userContext.Clipboard)
|
||||
|
@ -148,6 +149,7 @@ func TestNewUserACLCloud(t *testing.T) {
|
|||
require.Empty(t, cmp.Diff(userContext.Nodes, allowedRW))
|
||||
require.Empty(t, cmp.Diff(userContext.AccessRequests, allowedRW))
|
||||
require.Empty(t, cmp.Diff(userContext.DiscoveryConfig, allowedRW))
|
||||
require.Empty(t, cmp.Diff(userContext.ExternalCloudAudit, allowedRW))
|
||||
|
||||
require.True(t, userContext.Clipboard)
|
||||
require.True(t, userContext.DesktopSessionRecording)
|
||||
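Review bot: The two added assertions pin only the extremes for `ExternalCloudAudit`, `denied` in `TestNewUserACL` and `allowedRW` in `TestNewUserACLCloud`; nothing on the visible lines checks a role that grants only some verbs. Because this value drives what the UI offers, a case with a read-only rule on `types.KindExternalCloudAudit` would catch a mapping that over-reports write access. The role fixtures are built outside these hunks, so an existing case may already cover this.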
|
|
|
@ -68,6 +68,7 @@ export const allAccessAcl: Acl = {
|
|||
accessList: fullAccess,
|
||||
auditQuery: fullAccess,
|
||||
securityReport: fullAccess,
|
||||
externalCloudAudit: fullAccess,
|
||||
accessGraph: fullAccess,
|
||||
};
|
||||
|
||||
|
|
|
@ -63,6 +63,8 @@ export function makeAcl(json): Acl {
|
|||
const auditQuery = json.auditQuery || defaultAccess;
|
||||
const securityReport = json.securityReport || defaultAccess;
|
||||
|
||||
const externalCloudAudit = json.externalCloudAudit || defaultAccess;
|
||||
|
||||
const samlIdpServiceProvider = json.samlIdpServiceProvider || defaultAccess;
|
||||
const accessGraph = json.accessGraph || defaultAccess;
|
||||
|
||||
|
@ -98,6 +100,7 @@ export function makeAcl(json): Acl {
|
|||
samlIdpServiceProvider,
|
||||
auditQuery,
|
||||
securityReport,
|
||||
externalCloudAudit,
|
||||
accessGraph,
|
||||
};
|
||||
}
|
||||
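Review bot: `json.externalCloudAudit || defaultAccess` falls back only when the field is missing or falsy; an object that is present but partial is passed through unchanged, so its absent verbs are `undefined` rather than `false`. That still denies under a truthiness check, but the test further down this page covers only the fully undefined response. A short comment above the line, for example `// Field absent from the response: fall back to deny-all.`, would record that the default is meant to fail closed. `makeAcl` begins outside the hunk and its `json` parameter is untyped, so the same applies to the neighbouring fields.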
|
|
|
@ -84,6 +84,7 @@ export interface Acl {
|
|||
accessList: Access;
|
||||
auditQuery: Access;
|
||||
securityReport: Access;
|
||||
externalCloudAudit: Access;
|
||||
accessGraph: Access;
|
||||
}
|
||||
|
||||
|
|
|
@ -128,6 +128,13 @@ test('undefined values in context response gives proper default values', async (
|
|||
create: false,
|
||||
remove: false,
|
||||
},
|
||||
externalCloudAudit: {
|
||||
list: false,
|
||||
read: false,
|
||||
edit: false,
|
||||
create: false,
|
||||
remove: false,
|
||||
},
|
||||
users: {
|
||||
list: false,
|
||||
read: false,
|
||||
|
|