Add request.reason.mode to role conditions (proto only)

This changes the proto type (+validation) only to declutter the original PR #49124 The real changes are in - api/proto/teleport/legacy/types/types.proto - api/types/access_request.go - lib/auth/auth_with_roles.go - lib/auth/auth_with_roles_test.go The rest is all generated.
gravitational · Nov 27, 2024 · 0a7e8a0 · 0a7e8a0
1 parent 2957938
commit 0a7e8a0
Show file tree

Hide file tree

Showing 18 changed files with 3,185 additions and 2,253 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -3435,6 +3435,22 @@ message AccessRequestConditions {
     (gogoproto.nullable) = false,
     (gogoproto.jsontag) = "kubernetes_resources,omitempty"
   ];
+
+  // Reason defines settings for the reason for the access provided by the user.
+  AccessRequestConditionsReason Reason = 9 [(gogoproto.jsontag) = "reason,omitempty"];
+}
+
+// AccessRequestConditionsReason defines settings for the reason for the access provided by the
+// user.
+message AccessRequestConditionsReason {
+  // Mode can be either "required" or "optional". Empty string is treated as "optional". If a role
+  // has the request reason mode set to "required", then reason is required for all Access Requests
+  // requesting roles or resources allowed by this role. It applies only to users who have this
+  // role assigned.
+  string Mode = 1 [
+    (gogoproto.jsontag) = "mode,omitempty",
+    (gogoproto.casttype) = "RequestReasonMode"
+  ];
 }
 
 // AccessReviewConditions is a matcher for allow/deny restrictions on

diff --git a/api/types/access_request.go b/api/types/access_request.go
@@ -642,6 +642,47 @@ func (u *AccessRequestUpdate) Check() error {
 	return nil
 }
 
+// RequestReasonMode can be either "required" or "optional". Empty-string is treated as "optional".
+// If a role has the request reason mode set to "required", then reason is required for all Access
+// Requests requesting roles or resources allowed by this role. It applies only to users who have
+// this role assigned.
+type RequestReasonMode string
+
+const (
+	// RequestReasonModeRequired indicates required mode. See [[RequestReasonMode]] godoc for
+	// more details.
+	RequestReasonModeRequired RequestReasonMode = "required"
+	// RequestReasonModeRequired indicates optional mode. See [[RequestReasonMode]] godoc for
+	// more details.
+	RequestReasonModeOptional RequestReasonMode = "optional"
+)
+
+var allRequestReasonModes = []RequestReasonMode{
+	RequestReasonModeRequired,
+	RequestReasonModeOptional,
+}
+
+// Required checks if this mode is "required". Empty mode is treated as "optional".
+func (m RequestReasonMode) Required() bool {
+	switch m {
+	case RequestReasonModeRequired:
+		return true
+	default:
+		return false
+	}
+}
+
+// Check validates this mode value. Note that an empty value is considered invalid.
+func (m RequestReasonMode) Check() error {
+	for _, x := range allRequestReasonModes {
+		if m == x {
+			return nil
+		}
+	}
+	return trace.BadParameter("unrecognized request reason mode %q, must be one of: %v",
+		m, allRequestReasonModes)
+}
+
 // RequestStrategy is an indicator of how access requests
 // should be handled for holders of a given role.
 type RequestStrategy string

diff --git a/api/types/role.go b/api/types/role.go
@@ -92,6 +92,9 @@ type Role interface {
 	// GetRoleConditions gets the RoleConditions for the RoleConditionType.
 	GetRoleConditions(rct RoleConditionType) RoleConditions
 
+	// GetRequestReasonMode gets the RequestReasonMode for the RoleConditionType.
+	GetRequestReasonMode(RoleConditionType) RequestReasonMode
+
 	// GetLabelMatchers gets the LabelMatchers that match labels of resources of
 	// type [kind] this role is allowed or denied access to.
 	GetLabelMatchers(rct RoleConditionType, kind string) (LabelMatchers, error)
@@ -1715,10 +1718,7 @@ func (r *RoleV6) SetSearchAsRoles(rct RoleConditionType, roles []string) {
 // purposes of viewing details such as the hostname and labels of requested
 // resources.
 func (r *RoleV6) GetPreviewAsRoles(rct RoleConditionType) []string {
-	roleConditions := &r.Spec.Allow
-	if rct == Deny {
-		roleConditions = &r.Spec.Deny
-	}
+	roleConditions := r.GetRoleConditions(rct)
 	if roleConditions.ReviewRequests == nil {
 		return nil
 	}
@@ -1735,6 +1735,15 @@ func (r *RoleV6) GetRoleConditions(rct RoleConditionType) RoleConditions {
 	return roleConditions
 }
 
+// GetRoleConditions returns the role conditions for the role.
+func (r *RoleV6) GetRequestReasonMode(rct RoleConditionType) RequestReasonMode {
+	roleConditions := r.GetRoleConditions(rct)
+	if roleConditions.Request == nil || roleConditions.Request.Reason == nil {
+		return ""
+	}
+	return roleConditions.Request.Reason.Mode
+}
+
 // SetPreviewAsRoles sets the list of extra roles which should apply to a
 // reviewer while they are viewing a Resource Access Request for the
 // purposes of viewing details such as the hostname and labels of requested