[v17] Add Contacts RBAC (#48885) (#49938)

* Add Contacts RBAC (#48885) * Add Contact resource; include it in default editor permissions and web ACL * Add contacts to ACL test * Improve godocs Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Add `contact` to the web user context --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Fix merge conflict --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
gravitational · Dec 9, 2024 · 6effb6a · 6effb6a
1 parent 4d0386f
commit 6effb6a
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 0 deletions.
diff --git a/api/types/constants.go b/api/types/constants.go
@@ -593,6 +593,10 @@ const (
 	// pair that can be requested by a Teleport User.
 	KindIdentityCenterAccountAssignment = "aws_ic_account_assignment"
 
+	// KindContact is a resource that holds contact information
+	// for Teleport Enterprise customers.
+	KindContact = "contact"
+
 	// KindWorkloadIdentity is the WorkloadIdentity resource.
 	KindWorkloadIdentity = "workload_identity"
 

diff --git a/lib/services/presets.go b/lib/services/presets.go
@@ -183,6 +183,7 @@ func NewPresetEditorRole() types.Role {
 					types.NewRule(types.KindStaticHostUser, RW()),
 					types.NewRule(types.KindUserTask, RW()),
 					types.NewRule(types.KindIdentityCenter, RW()),
+					types.NewRule(types.KindContact, RW()),
 				},
 			},
 		},

diff --git a/lib/services/useracl.go b/lib/services/useracl.go
@@ -116,6 +116,8 @@ type UserACL struct {
 	AccessGraphSettings ResourceAccess `json:"accessGraphSettings"`
 	// ReviewRequests defines the ability to review requests
 	ReviewRequests bool `json:"reviewRequests"`
+	// Contact defines the ability to manage contacts
+	Contact ResourceAccess `json:"contact"`
 }
 
 func hasAccess(roleSet RoleSet, ctx *Context, kind string, verbs ...string) bool {
@@ -216,6 +218,8 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 		securityReports = newAccess(userRoles, ctx, types.KindSecurityReport)
 	}
 
+	contact := newAccess(userRoles, ctx, types.KindContact)
+
 	return UserACL{
 		AccessRequests:          requestAccess,
 		AppServers:              appServerAccess,
@@ -257,5 +261,6 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 		AccessMonitoringRule:    accessMonitoringRules,
 		CrownJewel:              crownJewelAccess,
 		AccessGraphSettings:     accessGraphSettings,
+		Contact:                 contact,
 	}
 }
diff --git a/lib/services/useracl_test.go b/lib/services/useracl_test.go
@@ -51,6 +51,10 @@ func TestNewUserACL(t *testing.T) {
 			Resources: []string{types.KindIntegration},
 			Verbs:     append(RW(), types.VerbUse),
 		},
+		{
+			Resources: []string{types.KindContact},
+			Verbs:     RW(),
+		},
 	})
 
 	// not setting the rule, or explicitly denying, both denies Access
@@ -104,6 +108,7 @@ func TestNewUserACL(t *testing.T) {
 	require.True(t, userContext.DesktopSessionRecording)
 	require.Empty(t, cmp.Diff(userContext.License, denied))
 	require.Empty(t, cmp.Diff(userContext.Download, denied))
+	require.Empty(t, cmp.Diff(userContext.Contact, allowedRW))
 
 	// test enabling of the 'Use' verb
 	require.Empty(t, cmp.Diff(userContext.Integrations, ResourceAccess{true, true, true, true, true, true}))

diff --git a/web/packages/teleport/src/mocks/contexts.ts b/web/packages/teleport/src/mocks/contexts.ts
@@ -75,6 +75,7 @@ export const allAccessAcl: Acl = {
   bots: fullAccess,
   accessMonitoringRule: fullAccess,
   discoverConfigs: fullAccess,
+  contacts: fullAccess,
 };
 
 export function getAcl(cfg?: { noAccess: boolean }) {

diff --git a/web/packages/teleport/src/services/user/makeAcl.ts b/web/packages/teleport/src/services/user/makeAcl.ts
@@ -75,6 +75,8 @@ export function makeAcl(json): Acl {
 
   const discoverConfigs = json.discoverConfigs || defaultAccess;
 
+  const contacts = json.contact || defaultAccess;
+
   return {
     accessList,
     authConnectors,
@@ -112,6 +114,7 @@ export function makeAcl(json): Acl {
     bots,
     accessMonitoringRule,
     discoverConfigs,
+    contacts,
   };
 }
 

diff --git a/web/packages/teleport/src/services/user/types.ts b/web/packages/teleport/src/services/user/types.ts
@@ -107,6 +107,7 @@ export interface Acl {
   accessGraph: Access;
   bots: Access;
   accessMonitoringRule: Access;
+  contacts: Access;
 }
 
 // AllTraits represent all the traits defined for a user.

diff --git a/web/packages/teleport/src/services/user/user.test.ts b/web/packages/teleport/src/services/user/user.test.ts
@@ -278,6 +278,13 @@ test('undefined values in context response gives proper default values', async (
       create: false,
       remove: false,
     },
+    contacts: {
+      list: false,
+      read: false,
+      edit: false,
+      create: false,
+      remove: false,
+    },
     clipboardSharingEnabled: true,
     desktopSessionRecordingEnabled: true,
     directorySharingEnabled: true,

diff --git a/web/packages/teleport/src/stores/storeUserContext.ts b/web/packages/teleport/src/stores/storeUserContext.ts
@@ -251,4 +251,8 @@ export default class StoreUserContext extends Store<UserContext> {
   getBotsAccess() {
     return this.state.acl.bots;
   }
+
+  getContactsAccess() {
+    return this.state.acl.contacts;
+  }
 }