replacing policy with access graph

Author: emargetis

api/client/webclient/webconfig.go

@@ -100,9 +100,9 @@ type WebConfig struct {
 	// IsIGSEnabled is true if [Features.IdentityGovernance] = true
 	// Deprecated, use entitlements
 	IsIGSEnabled bool `json:"isIgsEnabled"`
-	// IsPolicyEnabled is true if [Features.Policy] = true
+	// IsAccessGraphEnabled is true if [Features.Policy] = true
 	// Deprecated, use entitlements
-	IsPolicyEnabled bool `json:"isPolicyEnabled"`
+	IsAccessGraphEnabled bool `json:"isAcessGraphEnabled"`
 	// TODO (avatus) delete in v18
 	// IsPolicyRoleVisualizerEnabled is the graph visualizer for diffs made
 	// when editing roles in the Web UI. This defaults to true, but has an environment

e

@@ -45,7 +45,6 @@ const (
 	OIDC                       EntitlementKind = "OIDC"
 	OktaSCIM                   EntitlementKind = "OktaSCIM"
 	OktaUserSync               EntitlementKind = "OktaUserSync"
-	Policy                     EntitlementKind = "Policy"
 	SAML                       EntitlementKind = "SAML"
 	SessionLocks               EntitlementKind = "SessionLocks"
 	UnrestrictedManagedUpdates EntitlementKind = "UnrestrictedManagedUpdates"
@@ -54,14 +53,15 @@ const (
 	LicenseAutoUpdate          EntitlementKind = "LicenseAutoUpdate"
 	AccessGraphDemoMode        EntitlementKind = "AccessGraphDemoMode"
 	ClientIPRestrictions       EntitlementKind = "ClientIPRestrictions"
+	AccessGraph                EntitlementKind = "AccessGraph"
 )
 
 // AllEntitlements returns all Entitlements; should be 1:1 with the const declared above.
 var AllEntitlements = []EntitlementKind{
 	AccessLists, AccessMonitoring, AccessRequests, App, CloudAuditLogRetention, DB, Desktop, DeviceTrust,
 	ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, MobileDeviceManagement, OIDC, OktaSCIM,
-	OktaUserSync, Policy, SAML, SessionLocks, UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode,
-	ClientIPRestrictions,
+	OktaUserSync, SAML, SessionLocks, UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode,
+	ClientIPRestrictions, AccessGraph,
 }
 
 // BackfillFeatures ensures entitlements are backwards compatible.
@@ -82,7 +82,7 @@ func BackfillFeatures(features *proto.Features) {
 	features.Entitlements[string(JoinActiveSessions)] = &proto.EntitlementInfo{Enabled: features.GetJoinActiveSessions()}
 	features.Entitlements[string(MobileDeviceManagement)] = &proto.EntitlementInfo{Enabled: features.GetMobileDeviceManagement()}
 	features.Entitlements[string(OIDC)] = &proto.EntitlementInfo{Enabled: features.GetOIDC()}
-	features.Entitlements[string(Policy)] = &proto.EntitlementInfo{Enabled: features.GetPolicy().GetEnabled()}
+	features.Entitlements[string(AccessGraph)] = &proto.EntitlementInfo{Enabled: features.GetAccessGraph()}
 	features.Entitlements[string(SAML)] = &proto.EntitlementInfo{Enabled: features.GetSAML()}
 	features.Entitlements[string(K8s)] = &proto.EntitlementInfo{Enabled: features.GetKubernetes()}
 	features.Entitlements[string(App)] = &proto.EntitlementInfo{Enabled: features.GetApp()}

entitlements/entitlements.go

@@ -87,7 +87,6 @@ func TestBackfillFeatures(t *testing.T) {
 					string(OIDC):                       {Enabled: true},
 					string(OktaSCIM):                   {Enabled: true},
 					string(OktaUserSync):               {Enabled: true},
-					string(Policy):                     {Enabled: true},
 					string(SAML):                       {Enabled: true},
 					string(SessionLocks):               {Enabled: true},
 					string(UpsellAlert):                {Enabled: true},
@@ -96,6 +95,7 @@ func TestBackfillFeatures(t *testing.T) {
 					string(AccessGraphDemoMode):        {Enabled: true},
 					string(UnrestrictedManagedUpdates): {Enabled: true},
 					string(ClientIPRestrictions):       {Enabled: true},
+					string(AccessGraph):                {Enabled: true},
 				},
 			},
 			expected: map[string]*proto.EntitlementInfo{
@@ -117,7 +117,6 @@ func TestBackfillFeatures(t *testing.T) {
 				string(OIDC):                       {Enabled: true},
 				string(OktaSCIM):                   {Enabled: true},
 				string(OktaUserSync):               {Enabled: true},
-				string(Policy):                     {Enabled: true},
 				string(SAML):                       {Enabled: true},
 				string(SessionLocks):               {Enabled: true},
 				string(UpsellAlert):                {Enabled: true},
@@ -126,6 +125,7 @@ func TestBackfillFeatures(t *testing.T) {
 				string(AccessGraphDemoMode):        {Enabled: true},
 				string(UnrestrictedManagedUpdates): {Enabled: true},
 				string(ClientIPRestrictions):       {Enabled: true},
+				string(AccessGraph):                {Enabled: true},
 			},
 		},
 		{
@@ -194,9 +194,9 @@ func TestBackfillFeatures(t *testing.T) {
 				string(OIDC):                   {Enabled: true},
 				string(OktaSCIM):               {Enabled: true},
 				string(OktaUserSync):           {Enabled: true},
-				string(Policy):                 {Enabled: true},
 				string(SAML):                   {Enabled: true},
 				string(SessionLocks):           {Enabled: true},
+				string(AccessGraph):            {Enabled: true},
 				// defaults, no legacy equivalent
 				string(UsageReporting):             {Enabled: false},
 				string(UpsellAlert):                {Enabled: false},
@@ -270,7 +270,7 @@ func TestBackfillFeatures(t *testing.T) {
 				string(K8s):                    {Enabled: true},
 				string(MobileDeviceManagement): {Enabled: true},
 				string(OIDC):                   {Enabled: true},
-				string(Policy):                 {Enabled: true},
+				string(AccessGraph):            {Enabled: true},
 				string(SAML):                   {Enabled: true},
 
 				// defaults, no legacy equivalent

entitlements/entitlements_test.go

@@ -931,7 +931,7 @@ func (s *Service) GetClusterAccessGraphConfig(ctx context.Context, _ *clustercon
 	}
 
 	// If the policy feature is disabled in the license, return a disabled response. if cloud, return the response to allow demo mode enabling
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
 		return &clusterconfigpb.GetClusterAccessGraphConfigResponse{
 			AccessGraph: &clusterconfigpb.AccessGraphConfig{
 				Enabled: false,
@@ -1032,7 +1032,7 @@ func (s *Service) UpdateAccessGraphSettings(ctx context.Context, req *clustercon
 		return nil, trace.Wrap(err)
 	}
 
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
 		return nil, trace.AccessDenied("access graph is feature isn't enabled")
 	}
 
@@ -1076,7 +1076,7 @@ func (s *Service) UpsertAccessGraphSettings(ctx context.Context, req *clustercon
 		return nil, trace.Wrap(err)
 	}
 
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph {
 		return nil, trace.AccessDenied("access graph is feature isn't enabled")
 	}
 
@@ -1120,7 +1120,7 @@ func (s *Service) ResetAccessGraphSettings(ctx context.Context, _ *clusterconfig
 		return nil, trace.Wrap(err)
 	}
 
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph {
 		return nil, trace.AccessDenied("access graph is feature isn't enabled")
 	}
 

lib/auth/clusterconfig/clusterconfigv1/service.go

@@ -1870,7 +1870,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -1895,7 +1895,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -1920,7 +1920,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -2078,7 +2078,7 @@ func TestUpdateAccessGraphSettings(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -2203,7 +2203,7 @@ func TestUpsertAccessGraphSettings(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -2297,7 +2297,7 @@ func TestResetAccessGraphSettings(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}

lib/auth/clusterconfig/clusterconfigv1/service_test.go

@@ -5600,7 +5600,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 	modulestest.SetTestModules(t, modulestest.Modules{
 		TestFeatures: modules.Features{
 			Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-				entitlements.Policy: {Enabled: true},
+				entitlements.AccessGraph: {Enabled: true},
 			},
 		},
 	})

lib/auth/grpcserver_test.go

@@ -79,7 +79,7 @@ type Features struct {
 	// AccessGraph enables the usage of access graph.
 	// NOTE: this is a legacy flag that is currently used to signal
 	// that Access Graph integration is *enabled* on a cluster.
-	// *Access* to the feature is gated on the `Policy` flag.
+	// *Access* to the feature is gated on the `AccessGraph` flag.
 	// TODO(justinas): remove this field once "TAG enabled" status is moved to a resource in the backend.
 	AccessGraph bool
 	// AccessMonitoringConfigured contributes to the enablement of access monitoring.
@@ -168,7 +168,7 @@ func setLegacyLogic(protoF *proto.Features, f Features) {
 		CreateLimit: f.GetEntitlement(entitlements.AccessLists).Limit,
 	}
 	protoF.Policy = &proto.PolicyFeature{
-		Enabled: f.GetEntitlement(entitlements.Policy).Enabled,
+		Enabled: f.GetEntitlement(entitlements.AccessGraph).Enabled,
 	}
 }
 

lib/modules/modules.go

@@ -156,7 +156,6 @@ func TestFeatures_ToProto(t *testing.T) {
 			string(entitlements.OIDC):                       {Enabled: true},
 			string(entitlements.OktaSCIM):                   {Enabled: true},
 			string(entitlements.OktaUserSync):               {Enabled: true},
-			string(entitlements.Policy):                     {Enabled: true},
 			string(entitlements.SAML):                       {Enabled: true},
 			string(entitlements.SessionLocks):               {Enabled: true},
 			string(entitlements.UpsellAlert):                {Enabled: true},
@@ -165,6 +164,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			string(entitlements.AccessGraphDemoMode):        {Enabled: true},
 			string(entitlements.UnrestrictedManagedUpdates): {Enabled: true},
 			string(entitlements.ClientIPRestrictions):       {Enabled: true},
+			string(entitlements.AccessGraph):                {Enabled: true},
 		},
 		//	 Legacy Fields; remove in v18
 		Kubernetes:             true,
@@ -234,7 +234,6 @@ func TestFeatures_ToProto(t *testing.T) {
 			entitlements.OIDC:                       {Enabled: true, Limit: 0},
 			entitlements.OktaSCIM:                   {Enabled: true, Limit: 0},
 			entitlements.OktaUserSync:               {Enabled: true, Limit: 0},
-			entitlements.Policy:                     {Enabled: true, Limit: 0},
 			entitlements.SAML:                       {Enabled: true, Limit: 0},
 			entitlements.SessionLocks:               {Enabled: true, Limit: 0},
 			entitlements.UpsellAlert:                {Enabled: true, Limit: 0},
@@ -243,6 +242,7 @@ func TestFeatures_ToProto(t *testing.T) {
 			entitlements.AccessGraphDemoMode:        {Enabled: true, Limit: 0},
 			entitlements.UnrestrictedManagedUpdates: {Enabled: true, Limit: 0},
 			entitlements.ClientIPRestrictions:       {Enabled: true, Limit: 0},
+			entitlements.AccessGraph:                {Enabled: true, Limit: 0},
 		},
 	}
 

lib/modules/modules_test.go

@@ -344,7 +344,7 @@ func (s *Server) initializeAndWatchAccessGraph(ctx context.Context, reloadCh <-c
 	)
 
 	clusterFeatures := s.Config.ClusterFeatures()
-	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy)
+	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.AccessGraph)
 	if !clusterFeatures.AccessGraph && !policy.Enabled {
 		return trace.Wrap(errTAGFeatureNotEnabled)
 	}
@@ -646,7 +646,7 @@ func (s *Server) startCloudtrailPoller(ctx context.Context, reloadCh <-chan stru
 	const semaphoreName = "access_graph_aws_cloudtrail_sync"
 
 	clusterFeatures := s.Config.ClusterFeatures()
-	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy)
+	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.AccessGraph)
 	if !clusterFeatures.AccessGraph && !policy.Enabled {
 		return trace.Wrap(errTAGFeatureNotEnabled)
 	}