[v14] Add initial future assume role to access requests

api/client/client.go

@@ -1095,11 +1095,12 @@ func (c *Client) GetAccessRequestAllowedPromotions(ctx context.Context, req type
 // SetAccessRequestState updates the state of an existing access request.
 func (c *Client) SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error {
 	setter := proto.RequestStateSetter{
-		ID:          params.RequestID,
-		State:       params.State,
-		Reason:      params.Reason,
-		Annotations: params.Annotations,
-		Roles:       params.Roles,
+		ID:              params.RequestID,
+		State:           params.State,
+		Reason:          params.Reason,
+		Annotations:     params.Annotations,
+		Roles:           params.Roles,
+		AssumeStartTime: params.AssumeStartTime,
 	}
 	if d := utils.GetDelegator(ctx); d != "" {
 		setter.Delegator = d

api/constants/constants.go

@@ -402,6 +402,12 @@ const (
 	TimeoutGetClusterAlerts = time.Millisecond * 750
 )
 
+const (
+	// MaxAssumeStartDuration latest duration into the future an access request's assume
+	// start time can be
+	MaxAssumeStartDuration = time.Hour * 24 * 7
+)
+
 const (
 	// WebAPIConnUpgrade is the HTTP web API to make the connection upgrade
 	// call.

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -338,6 +338,12 @@ message RequestStateSetter {
   // Roles, if present, overrides the existing set of roles associated
   // with the access request.
   repeated string Roles = 6 [(gogoproto.jsontag) = "roles,omitempty"];
+  // AssumeStartTime is the time the requested roles can be assumed.
+  google.protobuf.Timestamp AssumeStartTime = 7 [
+    (gogoproto.stdtime) = true,
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "assume_start_time,omitempty"
+  ];
 }
 
 // RequestID is the unique identifier of an access request.

api/proto/teleport/legacy/types/events/events.proto

@@ -1379,6 +1379,13 @@ message AccessRequestCreate {
   // was promoted to.
   // This field is only populated when the request is in the PROMOTED state.
   string PromotedAccessListName = 15 [(gogoproto.jsontag) = "promoted_access_list_name,omitempty"];
+
+  // AssumeStartTime is the time the requested roles can be assumed.
+  google.protobuf.Timestamp AssumeStartTime = 16 [
+    (gogoproto.stdtime) = true,
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "assume_start_time,omitempty"
+  ];
 }
 
 // ResourceID is a unique identifier for a teleport resource. This is duplicated

api/proto/teleport/legacy/types/types.proto

@@ -2194,6 +2194,13 @@ message AccessReview {
   // AccessList is the access list that this request was promoted to.
   // This field is only populated when the request is in the PROMOTED state.
   PromotedAccessList accessList = 9 [(gogoproto.jsontag) = "access_list,omitempty"];
+
+  // AssumeStartTime is the time the requested roles can be assumed.
+  google.protobuf.Timestamp AssumeStartTime = 10 [
+    (gogoproto.stdtime) = true,
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "assume_start_time,omitempty"
+  ];
 }
 
 // AccessReviewSubmission encodes the necessary parameters for submitting
@@ -2360,6 +2367,13 @@ message AccessRequestSpecV3 {
   // was promoted to. Used by WebUI to display the title of the access list.
   // This field is only populated when the request is in the PROMOTED state.
   PromotedAccessList accessList = 20 [(gogoproto.jsontag) = "access_list,omitempty"];
+
+  // AssumeStartTime is the time the requested roles can be assumed.
+  google.protobuf.Timestamp AssumeStartTime = 21 [
+    (gogoproto.stdtime) = true,
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "assume_start_time,omitempty"
+  ];
 }
 
 // AccessRequestFilter encodes filter params for access requests.

api/types/access_request.go

@@ -49,6 +49,12 @@ type AccessRequest interface {
 	// GetAccessExpiry gets the expiration time for the elevated certificate
 	// that will be issued if the Access Request is approved.
 	GetAccessExpiry() time.Time
+	// GetAssumeStartTime gets the time the roles can be assumed
+	// if the Access Request is approved.
+	GetAssumeStartTime() *time.Time
+	// SetAssumeStartTime sets the time the roles can be assumed
+	// if the Access Request is approved.
+	SetAssumeStartTime(time.Time)
 	// SetAccessExpiry sets the expiration time for the elevated certificate
 	// that will be issued if the Access Request is approved.
 	SetAccessExpiry(time.Time)
@@ -198,6 +204,16 @@ func (r *AccessRequestV3) GetAccessExpiry() time.Time {
 	return r.Spec.Expires
 }
 
+// GetAssumeStartTime gets AssumeStartTime
+func (r *AccessRequestV3) GetAssumeStartTime() *time.Time {
+	return r.Spec.AssumeStartTime
+}
+
+// SetAssumeStartTime sets AssumeStartTime
+func (r *AccessRequestV3) SetAssumeStartTime(t time.Time) {
+	r.Spec.AssumeStartTime = &t
+}
+
 // SetAccessExpiry sets AccessExpiry
 func (r *AccessRequestV3) SetAccessExpiry(expiry time.Time) {
 	r.Spec.Expires = expiry.UTC()
@@ -606,6 +622,9 @@ type AccessRequestUpdate struct {
 	// and must be a subset of the role list originally
 	// present on the request.
 	Roles []string
+	// AssumeStartTime sets the time the requestor can assume
+	// the requested roles.
+	AssumeStartTime *time.Time
 }
 
 // Check validates the request's fields