[v14] Add Access Monitoring Ping Auth Response Feature flag (#33585)

gravitational · Oct 17, 2023 · 967165c · 967165c
1 parent 5d109b1
commit 967165c
Show file tree

Hide file tree

Showing 12 changed files with 954 additions and 847 deletions.
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -503,6 +503,8 @@ message Features {
   AccessRequestsFeature AccessRequests = 21 [(gogoproto.jsontag) = "access_requests,omitempty"];
   // CustomTheme holds the name of WebUI custom theme.
   string CustomTheme = 22 [(gogoproto.jsontag) = "custom_theme,omitempty"];
+  // IdentityGovernance holds the Identity Governance feature settings (Access Monitoring)
+  bool IdentityGovernance = 23 [(gogoproto.jsontag) = "identity_governance,omitempty"];
 }
 
 // DeviceTrustFeature holds the Device Trust feature general and usage-based

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -342,27 +342,28 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 
 	closeCtx, cancelFunc := context.WithCancel(context.TODO())
 	as := Server{
-		bk:                  cfg.Backend,
-		clock:               cfg.Clock,
-		limiter:             limiter,
-		Authority:           cfg.Authority,
-		AuthServiceName:     cfg.AuthServiceName,
-		ServerID:            cfg.HostUUID,
-		githubClients:       make(map[string]*githubClient),
-		cancelFunc:          cancelFunc,
-		closeCtx:            closeCtx,
-		emitter:             cfg.Emitter,
-		Streamer:            cfg.Streamer,
-		Unstable:            local.NewUnstableService(cfg.Backend, cfg.AssertionReplayService),
-		Services:            services,
-		Cache:               services,
-		keyStore:            keyStore,
-		traceClient:         cfg.TraceClient,
-		fips:                cfg.FIPS,
-		loadAllCAs:          cfg.LoadAllCAs,
-		httpClientForAWSSTS: cfg.HTTPClientForAWSSTS,
-		embeddingsRetriever: cfg.EmbeddingRetriever,
-		embedder:            cfg.EmbeddingClient,
+		bk:                      cfg.Backend,
+		clock:                   cfg.Clock,
+		limiter:                 limiter,
+		Authority:               cfg.Authority,
+		AuthServiceName:         cfg.AuthServiceName,
+		ServerID:                cfg.HostUUID,
+		githubClients:           make(map[string]*githubClient),
+		cancelFunc:              cancelFunc,
+		closeCtx:                closeCtx,
+		emitter:                 cfg.Emitter,
+		Streamer:                cfg.Streamer,
+		Unstable:                local.NewUnstableService(cfg.Backend, cfg.AssertionReplayService),
+		Services:                services,
+		Cache:                   services,
+		keyStore:                keyStore,
+		traceClient:             cfg.TraceClient,
+		fips:                    cfg.FIPS,
+		loadAllCAs:              cfg.LoadAllCAs,
+		httpClientForAWSSTS:     cfg.HTTPClientForAWSSTS,
+		embeddingsRetriever:     cfg.EmbeddingRetriever,
+		embedder:                cfg.EmbeddingClient,
+		accessMonitoringEnabled: cfg.AccessMonitoringEnabled,
 	}
 	as.inventory = inventory.NewController(&as, services, inventory.WithAuthServerID(cfg.HostUUID))
 	for _, o := range opts {
@@ -787,6 +788,9 @@ type Server struct {
 
 	// embedder is an embedder client used to generate embeddings.
 	embedder embedding.Embedder
+
+	// accessMonitoringEnabled is a flag that indicates whether access monitoring is enabled.
+	accessMonitoringEnabled bool
 }
 
 // SetSAMLService registers svc as the SAMLService that provides the SAML
@@ -5052,11 +5056,16 @@ func (a *Server) Ping(ctx context.Context) (proto.PingResponse, error) {
 	if err != nil {
 		return proto.PingResponse{}, trace.Wrap(err)
 	}
+	features := modules.GetModules().Features().ToProto()
+
+	if a.accessMonitoringEnabled {
+		features.IdentityGovernance = a.accessMonitoringEnabled
+	}
 
 	return proto.PingResponse{
 		ClusterName:     cn.GetClusterName(),
 		ServerVersion:   teleport.Version,
-		ServerFeatures:  modules.GetModules().Features().ToProto(),
+		ServerFeatures:  features,
 		ProxyPublicAddr: a.getProxyPublicAddr(),
 		IsBoring:        modules.GetModules().IsBoringBinary(),
 		LoadAllCAs:      a.loadAllCAs,

diff --git a/lib/auth/init.go b/lib/auth/init.go
@@ -264,6 +264,9 @@ type InitConfig struct {
 
 	// Tracer used to create spans.
 	Tracer oteltrace.Tracer
+
+	// AccessMonitoringEnabled is true if access monitoring is enabled.
+	AccessMonitoringEnabled bool
 }
 
 // Init instantiates and configures an instance of AuthServer

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -1769,6 +1769,7 @@ func (process *TeleportProcess) initAuthService() error {
 			TraceClient:             traceClt,
 			FIPS:                    cfg.FIPS,
 			LoadAllCAs:              cfg.Auth.LoadAllCAs,
+			AccessMonitoringEnabled: cfg.Auth.IsAccessMonitoringEnabled(),
 			Clock:                   cfg.Clock,
 			HTTPClientForAWSSTS:     cfg.Auth.HTTPClientForAWSSTS,
 			EmbeddingRetriever:      embeddingsRetriever,

diff --git a/lib/service/servicecfg/auth.go b/lib/service/servicecfg/auth.go
@@ -147,6 +147,11 @@ type AccessMonitoringOptions struct {
 	ReportResults string `yaml:"report_results,omitempty"`
 }
 
+// IsAccessMonitoringEnabled returns true if access monitoring is enabled.
+func (a *AuthConfig) IsAccessMonitoringEnabled() bool {
+	return a.AccessMonitoring != nil && a.AccessMonitoring.Enabled
+}
+
 // CheckAndSetDefaults checks and sets default values for any missing fields.
 func (a *AccessMonitoringOptions) CheckAndSetDefaults() error {
 	var err error

diff --git a/lib/services/useracl.go b/lib/services/useracl.go
@@ -123,7 +123,7 @@ func newAccess(roleSet RoleSet, ctx *Context, kind string) ResourceAccess {
 }
 
 // NewUserACL builds an ACL for a user based on their roles.
-func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, desktopRecordingEnabled bool) UserACL {
+func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, desktopRecordingEnabled, accessMonitoringEnabled bool) UserACL {
 	ctx := &Context{User: user}
 	recordedSessionAccess := newAccess(userRoles, ctx, types.KindSession)
 	activeSessionAccess := newAccess(userRoles, ctx, types.KindSSHSession)
@@ -168,8 +168,13 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 	discoveryConfigsAccess := newAccess(userRoles, ctx, types.KindDiscoveryConfig)
 	lockAccess := newAccess(userRoles, ctx, types.KindLock)
 	accessListAccess := newAccess(userRoles, ctx, types.KindAccessList)
-	auditQuery := newAccess(userRoles, ctx, types.KindAuditQuery)
-	securityReports := newAccess(userRoles, ctx, types.KindSecurityReport)
+
+	var auditQuery ResourceAccess
+	var securityReports ResourceAccess
+	if accessMonitoringEnabled {
+		auditQuery = newAccess(userRoles, ctx, types.KindAuditQuery)
+		securityReports = newAccess(userRoles, ctx, types.KindSecurityReport)
+	}
 
 	return UserACL{
 		AccessRequests:          requestAccess,

diff --git a/lib/services/useracl_test.go b/lib/services/useracl_test.go
@@ -72,7 +72,7 @@ func TestNewUserACL(t *testing.T) {
 	})
 
 	roleSet := []types.Role{role1, role2}
-	userContext := NewUserACL(user, roleSet, proto.Features{}, true)
+	userContext := NewUserACL(user, roleSet, proto.Features{}, true, false)
 
 	allowedRW := ResourceAccess{true, true, true, true, true, false}
 	denied := ResourceAccess{false, false, false, false, false, false}
@@ -102,11 +102,11 @@ func TestNewUserACL(t *testing.T) {
 	// test enabling of the 'Use' verb
 	require.Empty(t, cmp.Diff(userContext.Integrations, ResourceAccess{true, true, true, true, true, true}))
 
-	userContext = NewUserACL(user, roleSet, proto.Features{Cloud: true}, true)
+	userContext = NewUserACL(user, roleSet, proto.Features{Cloud: true}, true, false)
 	require.Empty(t, cmp.Diff(userContext.Billing, ResourceAccess{true, true, false, false, false, false}))
 
 	// test that desktopRecordingEnabled being false overrides the roleSet.RecordDesktopSession() returning true
-	userContext = NewUserACL(user, roleSet, proto.Features{}, false)
+	userContext = NewUserACL(user, roleSet, proto.Features{}, false, false)
 	require.Equal(t, userContext.DesktopSessionRecording, false)
 }
 
@@ -133,7 +133,7 @@ func TestNewUserACLCloud(t *testing.T) {
 
 	allowedRW := ResourceAccess{true, true, true, true, true, false}
 
-	userContext := NewUserACL(user, roleSet, proto.Features{Cloud: true}, true)
+	userContext := NewUserACL(user, roleSet, proto.Features{Cloud: true}, true, false)
 
 	require.Empty(t, cmp.Diff(userContext.AuthConnectors, allowedRW))
 	require.Empty(t, cmp.Diff(userContext.TrustedClusters, allowedRW))
@@ -156,3 +156,33 @@ func TestNewUserACLCloud(t *testing.T) {
 	require.Empty(t, cmp.Diff(userContext.Billing, allowedRW))
 	require.Empty(t, cmp.Diff(userContext.Desktops, allowedRW))
 }
+
+func TestNewAccessMonitoring(t *testing.T) {
+	t.Parallel()
+	user := &types.UserV2{
+		Metadata: types.Metadata{},
+	}
+	role := &types.RoleV6{}
+	role.SetNamespaces(types.Allow, []string{"*"})
+	role.SetRules(types.Allow, []types.Rule{
+		{
+			Resources: []string{"*"},
+			Verbs:     append(RW(), types.VerbUse),
+		},
+	})
+
+	roleSet := []types.Role{role}
+
+	t.Run("access monitoring enabled", func(t *testing.T) {
+		allowed := ResourceAccess{true, true, true, true, true, true}
+		userContext := NewUserACL(user, roleSet, proto.Features{}, false, true)
+		require.Empty(t, cmp.Diff(userContext.AuditQuery, allowed))
+		require.Empty(t, cmp.Diff(userContext.SecurityReport, allowed))
+	})
+	t.Run("access monitoring disabled", func(t *testing.T) {
+		allowed := ResourceAccess{false, false, false, false, false, false}
+		userContext := NewUserACL(user, roleSet, proto.Features{}, false, false)
+		require.Empty(t, cmp.Diff(userContext.AuditQuery, allowed))
+		require.Empty(t, cmp.Diff(userContext.SecurityReport, allowed))
+	})
+}
diff --git a/lib/teleterm/clusters/cluster.go b/lib/teleterm/clusters/cluster.go
@@ -138,7 +138,7 @@ func (c *Cluster) GetWithDetails(ctx context.Context) (*ClusterWithDetails, erro
 		}
 
 		roleSet := services.NewRoleSet(roles...)
-		userACL := services.NewUserACL(user, roleSet, *authPingResponse.ServerFeatures, false)
+		userACL := services.NewUserACL(user, roleSet, *authPingResponse.ServerFeatures, false, false)
 
 		acl = &api.ACL{
 			RecordedSessions: convertToAPIResourceAccess(userACL.RecordedSessions),

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -953,7 +953,13 @@ func (h *Handler) getUserContext(w http.ResponseWriter, r *http.Request, p httpr
 	}
 	desktopRecordingEnabled := recConfig.GetMode() != types.RecordOff
 
-	userContext, err := ui.NewUserContext(user, accessChecker.Roles(), h.ClusterFeatures, desktopRecordingEnabled)
+	pingResp, err := clt.Ping(r.Context())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	accessMonitoringEnabled := pingResp.ServerFeatures != nil && pingResp.ServerFeatures.IdentityGovernance
+
+	userContext, err := ui.NewUserContext(user, accessChecker.Roles(), h.ClusterFeatures, desktopRecordingEnabled, accessMonitoringEnabled)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
@@ -92,8 +92,8 @@ func getAccessStrategy(roleset services.RoleSet) accessStrategy {
 }
 
 // NewUserContext returns user context
-func NewUserContext(user types.User, userRoles services.RoleSet, features proto.Features, desktopRecordingEnabled bool) (*UserContext, error) {
-	acl := services.NewUserACL(user, userRoles, features, desktopRecordingEnabled)
+func NewUserContext(user types.User, userRoles services.RoleSet, features proto.Features, desktopRecordingEnabled, accessMonitoringEnabled bool) (*UserContext, error) {
+	acl := services.NewUserACL(user, userRoles, features, desktopRecordingEnabled, accessMonitoringEnabled)
 	accessStrategy := getAccessStrategy(userRoles)
 
 	// local user

diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
@@ -44,7 +44,7 @@ func TestNewUserContext(t *testing.T) {
 	role2.SetNamespaces(types.Allow, []string{apidefaults.Namespace})
 
 	roleSet := []types.Role{role1, role2}
-	userContext, err := NewUserContext(user, roleSet, proto.Features{}, true)
+	userContext, err := NewUserContext(user, roleSet, proto.Features{}, true, false)
 	require.NoError(t, err)
 
 	// test user name
@@ -59,7 +59,7 @@ func TestNewUserContext(t *testing.T) {
 
 	// test sso auth type
 	user.Spec.GithubIdentities = []types.ExternalIdentity{{ConnectorID: "foo", Username: "bar"}}
-	userContext, err = NewUserContext(user, roleSet, proto.Features{}, true)
+	userContext, err = NewUserContext(user, roleSet, proto.Features{}, true, false)
 	require.NoError(t, err)
 	require.Equal(t, userContext.AuthType, authSSO)
 }
@@ -78,7 +78,7 @@ func TestNewUserContextCloud(t *testing.T) {
 
 	roleSet := []types.Role{role}
 
-	userContext, err := NewUserContext(user, roleSet, proto.Features{Cloud: true}, true)
+	userContext, err := NewUserContext(user, roleSet, proto.Features{Cloud: true}, true, false)
 	require.NoError(t, err)
 
 	require.Equal(t, userContext.Name, "root")