adding access graph entitlement

Author: emargetis

entitlements/entitlements.go

@@ -18,17 +18,20 @@ package entitlements
 
 type EntitlementKind string
 
-// The EntitlementKind list should be 1:1 with the Features & FeatureStrings in salescenter/product/product.go,
+// The EntitlementKind list should be 1:1 with the Features & FeatureStrings in cloud/cloud/product/product.go,
 // except CustomTheme which is dropped. CustomTheme entitlement only toggles the ability to "set" a theme;
 // the value of that theme, if set, is stored and accessed outside of entitlements.
 //
 // All EntitlementKinds added here should also be added to AllEntitlements below and defaultEntitlements in
 // web/packages/teleport/src/entitlement.ts.
 const (
+	AccessGraph                EntitlementKind = "AccessGraph"
+	AccessGraphDemoMode        EntitlementKind = "AccessGraphDemoMode"
 	AccessLists                EntitlementKind = "AccessLists"
 	AccessMonitoring           EntitlementKind = "AccessMonitoring"
 	AccessRequests             EntitlementKind = "AccessRequests"
 	App                        EntitlementKind = "App"
+	ClientIPRestrictions       EntitlementKind = "ClientIPRestrictions"
 	CloudAuditLogRetention     EntitlementKind = "CloudAuditLogRetention"
 	DB                         EntitlementKind = "DB"
 	Desktop                    EntitlementKind = "Desktop"
@@ -39,6 +42,7 @@ const (
 	Identity                   EntitlementKind = "Identity"
 	JoinActiveSessions         EntitlementKind = "JoinActiveSessions"
 	K8s                        EntitlementKind = "K8s"
+	LicenseAutoUpdate          EntitlementKind = "LicenseAutoUpdate"
 	MobileDeviceManagement     EntitlementKind = "MobileDeviceManagement"
 	OIDC                       EntitlementKind = "OIDC"
 	OktaSCIM                   EntitlementKind = "OktaSCIM"
@@ -49,16 +53,14 @@ const (
 	UnrestrictedManagedUpdates EntitlementKind = "UnrestrictedManagedUpdates"
 	UpsellAlert                EntitlementKind = "UpsellAlert"
 	UsageReporting             EntitlementKind = "UsageReporting"
-	LicenseAutoUpdate          EntitlementKind = "LicenseAutoUpdate"
-	AccessGraphDemoMode        EntitlementKind = "AccessGraphDemoMode"
-	ClientIPRestrictions       EntitlementKind = "ClientIPRestrictions"
 	WorkloadClusters           EntitlementKind = "WorkloadClusters"
 )
 
 // AllEntitlements returns all Entitlements; should be 1:1 with the const declared above.
 var AllEntitlements = []EntitlementKind{
-	AccessLists, AccessMonitoring, AccessRequests, App, CloudAuditLogRetention, DB, Desktop, DeviceTrust,
-	ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, MobileDeviceManagement, OIDC, OktaSCIM,
-	OktaUserSync, Policy, SAML, SessionLocks, UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode,
-	ClientIPRestrictions, WorkloadClusters,
+	AccessGraph, AccessGraphDemoMode, AccessLists, AccessMonitoring, AccessRequests, App,
+	ClientIPRestrictions, CloudAuditLogRetention, DB, Desktop, DeviceTrust,
+	ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, LicenseAutoUpdate,
+	MobileDeviceManagement, OIDC, OktaSCIM, OktaUserSync, Policy, SAML, SessionLocks,
+	UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, WorkloadClusters,
 }

lib/modules/modules_test.go

@@ -138,11 +138,14 @@ func TestFeatures_ToProto(t *testing.T) {
 		RecoveryCodes:              true,
 		AccessMonitoringConfigured: false,
 		Entitlements: map[string]*proto.EntitlementInfo{
+			string(entitlements.AccessGraph):                {Enabled: true},
+			string(entitlements.AccessGraphDemoMode):        {Enabled: true},
 			string(entitlements.AccessLists):                {Enabled: true, Limit: 111},
 			string(entitlements.AccessMonitoring):           {Enabled: true, Limit: 2113},
 			string(entitlements.AccessRequests):             {Enabled: true, Limit: 39},
 			string(entitlements.App):                        {Enabled: false},
 			string(entitlements.CloudAuditLogRetention):     {Enabled: true},
+			string(entitlements.ClientIPRestrictions):       {Enabled: true},
 			string(entitlements.DB):                         {Enabled: true},
 			string(entitlements.Desktop):                    {Enabled: true},
 			string(entitlements.DeviceTrust):                {Enabled: true, Limit: 103},
@@ -152,6 +155,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			string(entitlements.Identity):                   {Enabled: true},
 			string(entitlements.JoinActiveSessions):         {Enabled: true},
 			string(entitlements.K8s):                        {Enabled: true},
+			string(entitlements.LicenseAutoUpdate):          {Enabled: true},
 			string(entitlements.MobileDeviceManagement):     {Enabled: true},
 			string(entitlements.OIDC):                       {Enabled: true},
 			string(entitlements.OktaSCIM):                   {Enabled: true},
@@ -161,10 +165,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			string(entitlements.SessionLocks):               {Enabled: true},
 			string(entitlements.UpsellAlert):                {Enabled: true},
 			string(entitlements.UsageReporting):             {Enabled: true},
-			string(entitlements.LicenseAutoUpdate):          {Enabled: true},
-			string(entitlements.AccessGraphDemoMode):        {Enabled: true},
 			string(entitlements.UnrestrictedManagedUpdates): {Enabled: true},
-			string(entitlements.ClientIPRestrictions):       {Enabled: true},
 			string(entitlements.WorkloadClusters):           {Enabled: true},
 		},
 		// Deprecated fields
@@ -194,10 +195,13 @@ func TestFeatures_ToProto(t *testing.T) {
 		AccessMonitoringConfigured: false,
 		CloudAnonymizationKey:      []byte("001"),
 		Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
+			entitlements.AccessGraph:                {Enabled: true, Limit: 0},
+			entitlements.AccessGraphDemoMode:        {Enabled: true, Limit: 0},
 			entitlements.AccessLists:                {Enabled: true, Limit: 111},
 			entitlements.AccessMonitoring:           {Enabled: true, Limit: 2113},
 			entitlements.AccessRequests:             {Enabled: true, Limit: 39},
 			entitlements.App:                        {Enabled: false, Limit: 0},
+			entitlements.ClientIPRestrictions:       {Enabled: true, Limit: 0},
 			entitlements.CloudAuditLogRetention:     {Enabled: true, Limit: 0},
 			entitlements.DB:                         {Enabled: true, Limit: 0},
 			entitlements.Desktop:                    {Enabled: true, Limit: 0},
@@ -208,6 +212,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			entitlements.Identity:                   {Enabled: true, Limit: 0},
 			entitlements.JoinActiveSessions:         {Enabled: true, Limit: 0},
 			entitlements.K8s:                        {Enabled: true, Limit: 0},
+			entitlements.LicenseAutoUpdate:          {Enabled: true, Limit: 0},
 			entitlements.MobileDeviceManagement:     {Enabled: true, Limit: 0},
 			entitlements.OIDC:                       {Enabled: true, Limit: 0},
 			entitlements.OktaSCIM:                   {Enabled: true, Limit: 0},
@@ -217,10 +222,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			entitlements.SessionLocks:               {Enabled: true, Limit: 0},
 			entitlements.UpsellAlert:                {Enabled: true, Limit: 0},
 			entitlements.UsageReporting:             {Enabled: true, Limit: 0},
-			entitlements.LicenseAutoUpdate:          {Enabled: true, Limit: 0},
-			entitlements.AccessGraphDemoMode:        {Enabled: true, Limit: 0},
 			entitlements.UnrestrictedManagedUpdates: {Enabled: true, Limit: 0},
-			entitlements.ClientIPRestrictions:       {Enabled: true, Limit: 0},
 			entitlements.WorkloadClusters:           {Enabled: true, Limit: 0},
 		},
 	}

lib/web/apiserver.go

@@ -2061,7 +2061,7 @@ func (h *Handler) getWebConfig(w http.ResponseWriter, r *http.Request, p httprou
 		// if Entitlements are present, GetWebCfgEntitlements will populate the fields appropriately
 		Entitlements: GetWebCfgEntitlements(clusterFeatures.GetEntitlements()),
 		IdentitySecurity: webclient.IdentitySecurity{
-			IsClusterLicensed:           modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy).Enabled,
+			IsClusterLicensed:           modules.GetProtoEntitlement(&clusterFeatures, entitlements.AccessGraph).Enabled || modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy).Enabled,
 			AccessGraphConfigSet:        rsp.GetEnabled() && rsp.GetAddress() != "",
 			SessionSummarizationEnabled: sessionSummarizerEnabled,
 		},

lib/web/apiserver_test.go

@@ -4915,10 +4915,13 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) {
 		AutomaticUpgrades: false,
 		Edition:           testModules.BuildType(),
 		Entitlements: map[string]webclient.EntitlementInfo{
+			string(entitlements.AccessGraph):                {Enabled: false},
+			string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 			string(entitlements.AccessLists):                {Enabled: false},
 			string(entitlements.AccessMonitoring):           {Enabled: false},
 			string(entitlements.AccessRequests):             {Enabled: false},
 			string(entitlements.App):                        {Enabled: true},
+			string(entitlements.ClientIPRestrictions):       {Enabled: false},
 			string(entitlements.CloudAuditLogRetention):     {Enabled: false},
 			string(entitlements.DB):                         {Enabled: true},
 			string(entitlements.Desktop):                    {Enabled: true},
@@ -4929,6 +4932,7 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) {
 			string(entitlements.Identity):                   {Enabled: false},
 			string(entitlements.JoinActiveSessions):         {Enabled: true},
 			string(entitlements.K8s):                        {Enabled: true},
+			string(entitlements.LicenseAutoUpdate):          {Enabled: false},
 			string(entitlements.MobileDeviceManagement):     {Enabled: false},
 			string(entitlements.OIDC):                       {Enabled: false},
 			string(entitlements.OktaSCIM):                   {Enabled: false},
@@ -4938,10 +4942,7 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) {
 			string(entitlements.SessionLocks):               {Enabled: false},
 			string(entitlements.UpsellAlert):                {Enabled: false},
 			string(entitlements.UsageReporting):             {Enabled: false},
-			string(entitlements.LicenseAutoUpdate):          {Enabled: false},
-			string(entitlements.AccessGraphDemoMode):        {Enabled: false},
 			string(entitlements.UnrestrictedManagedUpdates): {Enabled: false},
-			string(entitlements.ClientIPRestrictions):       {Enabled: false},
 			string(entitlements.WorkloadClusters):           {Enabled: false},
 		},
 		TunnelPublicAddress:            "",

web/packages/teleport/src/entitlement.ts

@@ -18,11 +18,13 @@
 
 // entitlement list should be 1:1 with EntitlementKinds in entitlements/entitlements.go
 type entitlement =
+  | 'AccessGraph'
+  | 'AccessGraphDemoMode'
   | 'AccessLists'
   | 'AccessMonitoring'
   | 'AccessRequests'
-  | 'AccessGraphDemoMode'
   | 'App'
+  | 'ClientIPRestrictions'
   | 'CloudAuditLogRetention'
   | 'DB'
   | 'Desktop'
@@ -42,18 +44,19 @@ type entitlement =
   | 'SessionLocks'
   | 'UnrestrictedManagedUpdates'
   | 'UpsellAlert'
-  | 'UsageReporting'
-  | 'ClientIPRestrictions';
+  | 'UsageReporting';
 
 export const defaultEntitlements: Record<
   entitlement,
   { enabled: boolean; limit: number }
 > = {
+  AccessGraph: { enabled: false, limit: 0 },
+  AccessGraphDemoMode: { enabled: false, limit: 0 },
   AccessLists: { enabled: false, limit: 0 },
   AccessMonitoring: { enabled: false, limit: 0 },
-  AccessGraphDemoMode: { enabled: false, limit: 0 },
   AccessRequests: { enabled: false, limit: 0 },
   App: { enabled: false, limit: 0 },
+  ClientIPRestrictions: { enabled: false, limit: 0 },
   CloudAuditLogRetention: { enabled: false, limit: 0 },
   DB: { enabled: false, limit: 0 },
   Desktop: { enabled: false, limit: 0 },
@@ -74,5 +77,4 @@ export const defaultEntitlements: Record<
   UnrestrictedManagedUpdates: { enabled: false, limit: 0 },
   UpsellAlert: { enabled: false, limit: 0 },
   UsageReporting: { enabled: false, limit: 0 },
-  ClientIPRestrictions: { enabled: false, limit: 0 },
 };