adding access graph alongside policy

Author: emargetis

entitlements/entitlements.go

@@ -47,7 +47,7 @@ const (
 	OIDC                       EntitlementKind = "OIDC"
 	OktaSCIM                   EntitlementKind = "OktaSCIM"
 	OktaUserSync               EntitlementKind = "OktaUserSync"
-	Policy                     EntitlementKind = "Policy"
+	Policy                     EntitlementKind = "Policy" // TODO(emargetis) DELETE IN 21.0.0, replaced by AccessGraph
 	SAML                       EntitlementKind = "SAML"
 	SessionLocks               EntitlementKind = "SessionLocks"
 	UnrestrictedManagedUpdates EntitlementKind = "UnrestrictedManagedUpdates"

lib/auth/clusterconfig/clusterconfigv1/service.go

@@ -930,8 +930,8 @@ func (s *Service) GetClusterAccessGraphConfig(ctx context.Context, _ *clustercon
 		return nil, trace.AccessDenied("this request can be only executed by a Teleport service")
 	}
 
-	// If the policy feature is disabled in the license, return a disabled response. if cloud, return the response to allow demo mode enabling
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
+	// If the access graph feature is disabled in the license, return a disabled response. if cloud, return the response to allow demo mode enabling
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
 		return &clusterconfigpb.GetClusterAccessGraphConfigResponse{
 			AccessGraph: &clusterconfigpb.AccessGraphConfig{
 				Enabled: false,
@@ -1032,7 +1032,7 @@ func (s *Service) UpdateAccessGraphSettings(ctx context.Context, req *clustercon
 		return nil, trace.Wrap(err)
 	}
 
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph && !modules.GetModules().Features().Cloud {
 		return nil, trace.AccessDenied("access graph is feature isn't enabled")
 	}
 
@@ -1076,7 +1076,7 @@ func (s *Service) UpsertAccessGraphSettings(ctx context.Context, req *clustercon
 		return nil, trace.Wrap(err)
 	}
 
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph {
 		return nil, trace.AccessDenied("access graph is feature isn't enabled")
 	}
 
@@ -1120,7 +1120,7 @@ func (s *Service) ResetAccessGraphSettings(ctx context.Context, _ *clusterconfig
 		return nil, trace.Wrap(err)
 	}
 
-	if !modules.GetModules().Features().GetEntitlement(entitlements.Policy).Enabled && !modules.GetModules().Features().AccessGraph {
+	if !modules.GetModules().Features().GetEntitlement(entitlements.AccessGraph).Enabled && !modules.GetModules().Features().AccessGraph {
 		return nil, trace.AccessDenied("access graph is feature isn't enabled")
 	}
 

lib/auth/clusterconfig/clusterconfigv1/service_test.go

@@ -1873,7 +1873,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -1898,7 +1898,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -1923,7 +1923,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -2081,7 +2081,7 @@ func TestUpdateAccessGraphSettings(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -2206,7 +2206,7 @@ func TestUpsertAccessGraphSettings(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}
@@ -2300,7 +2300,7 @@ func TestResetAccessGraphSettings(t *testing.T) {
 				m := modulestest.Modules{
 					TestFeatures: modules.Features{
 						Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-							entitlements.Policy: {Enabled: true},
+							entitlements.AccessGraph: {Enabled: true},
 						},
 					},
 				}

lib/auth/grpcserver_test.go

@@ -5608,7 +5608,7 @@ func TestGetAccessGraphConfig(t *testing.T) {
 	modulestest.SetTestModules(t, modulestest.Modules{
 		TestFeatures: modules.Features{
 			Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{
-				entitlements.Policy: {Enabled: true},
+				entitlements.AccessGraph: {Enabled: true},
 			},
 		},
 	})

lib/modules/modules.go

@@ -79,7 +79,7 @@ type Features struct {
 	// AccessGraph enables the usage of access graph.
 	// NOTE: this is a legacy flag that is currently used to signal
 	// that Access Graph integration is *enabled* on a cluster.
-	// *Access* to the feature is gated on the `Policy` flag.
+	// *Access* to the feature is gated on the `AccessGraph` entitlement.
 	// TODO(justinas): remove this field once "TAG enabled" status is moved to a resource in the backend.
 	AccessGraph bool
 	// AccessMonitoringConfigured contributes to the enablement of access monitoring.
@@ -137,7 +137,7 @@ func (f Features) ToProto() *proto.Features {
 		// TODO(michellescripts) DELETE IN v21.0.0
 		// Deprecated, use entitlements
 		Policy: &proto.PolicyFeature{
-			Enabled: f.GetEntitlement(entitlements.Policy).Enabled,
+			Enabled: f.GetEntitlement(entitlements.AccessGraph).Enabled || f.GetEntitlement(entitlements.Policy).Enabled,
 		},
 		AccessGraphDemoMode:  f.GetEntitlement(entitlements.AccessGraphDemoMode).Enabled,
 		ClientIPRestrictions: f.GetEntitlement(entitlements.ClientIPRestrictions).Enabled,

lib/srv/discovery/access_graph_aws.go

@@ -344,8 +344,8 @@ func (s *Server) initializeAndWatchAccessGraph(ctx context.Context, reloadCh <-c
 	)
 
 	clusterFeatures := s.Config.ClusterFeatures()
-	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy)
-	if !clusterFeatures.AccessGraph && !policy.Enabled {
+	accessGraph := modules.GetProtoEntitlement(&clusterFeatures, entitlements.AccessGraph)
+	if !clusterFeatures.AccessGraph && !accessGraph.Enabled {
 		return trace.Wrap(errTAGFeatureNotEnabled)
 	}
 
@@ -646,8 +646,8 @@ func (s *Server) startCloudtrailPoller(ctx context.Context, reloadCh <-chan stru
 	const semaphoreName = "access_graph_aws_cloudtrail_sync"
 
 	clusterFeatures := s.Config.ClusterFeatures()
-	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy)
-	if !clusterFeatures.AccessGraph && !policy.Enabled {
+	accessGraph := modules.GetProtoEntitlement(&clusterFeatures, entitlements.AccessGraph)
+	if !clusterFeatures.AccessGraph && !accessGraph.Enabled {
 		return trace.Wrap(errTAGFeatureNotEnabled)
 	}
 

lib/srv/discovery/access_graph_azure.go

@@ -216,8 +216,8 @@ func (s *Server) getAllTAGSyncAzureFetchers() []*azuresync.Fetcher {
 func (s *Server) initializeAndWatchAzureAccessGraph(ctx context.Context, reloadCh chan struct{}) error {
 	// Check if the access graph is enabled
 	clusterFeatures := s.Config.ClusterFeatures()
-	policy := modules.GetProtoEntitlement(&clusterFeatures, entitlements.Policy)
-	if !clusterFeatures.AccessGraph && !policy.Enabled {
+	accessGraph := modules.GetProtoEntitlement(&clusterFeatures, entitlements.AccessGraph)
+	if !clusterFeatures.AccessGraph && !accessGraph.Enabled {
 		return trace.Wrap(errTAGFeatureNotEnabled)
 	}
 

web/packages/teleport/src/Roles/PolicyPlaceholder.tsx

@@ -72,7 +72,8 @@ export function PolicyPlaceholder({
 
   // roleDiffProps can be undefined if not cloud and not role tester
   // enabled.
-  const hideSalesButton = (cfg.isPolicyEnabled || cfg.isCloud) && roleDiffProps;
+  const hideSalesButton =
+    (cfg.entitlements.AccessGraph.enabled || cfg.isCloud) && roleDiffProps;
 
   return (
     <Box maxWidth={promoImageWidth + 2 * 2} minWidth={300}>
@@ -90,7 +91,7 @@ export function PolicyPlaceholder({
         </Box>
         <Flex flex="0 0 auto" alignItems="start">
           {canUpdateAccessGraphSettings &&
-            !cfg.isPolicyEnabled &&
+            !cfg.entitlements.AccessGraph.enabled &&
             cfg.isCloud &&
             enableDemoMode && ( // cloud can enable a demo mode so show that button
               <ButtonPrimary

web/packages/teleport/src/Roles/RoleEditor/RoleEditor.story.tsx

@@ -43,7 +43,7 @@ import { RoleEditorDialog } from './RoleEditorDialog';
 import { unableToUpdatePreviewMessage } from './Shared';
 import { withDefaults } from './StandardEditor/withDefaults';
 
-const defaultIsPolicyEnabled = cfg.isPolicyEnabled;
+const defaultIsAccessGraphEnabled = cfg.entitlements.AccessGraph.enabled;
 const defaultGetAccessGraphRoleTesterEnabled =
   storageService.getAccessGraphRoleTesterEnabled;
 
@@ -56,13 +56,13 @@ export default {
         ctx.storeUser.getRoleAccess = () => parameters.acl;
       }
       if (args.roleDiffEnabled) {
-        cfg.isPolicyEnabled = true;
+        cfg.entitlements.AccessGraph.enabled = true;
         storageService.getAccessGraphRoleTesterEnabled = () => true;
       }
       useEffect(() => {
         // Clean up
         return () => {
-          cfg.isPolicyEnabled = defaultIsPolicyEnabled;
+          cfg.entitlements.AccessGraph.enabled = defaultIsAccessGraphEnabled;
           storageService.getAccessGraphRoleTesterEnabled =
             defaultGetAccessGraphRoleTesterEnabled;
         };

web/packages/teleport/src/Roles/RoleEditor/RoleEditor.test.tsx

@@ -48,7 +48,7 @@ import { defaultRoleVersion, newRole } from './StandardEditor/standardmodel';
 import * as StandardModelModule from './StandardEditor/standardmodel';
 import { defaultOptions, withDefaults } from './StandardEditor/withDefaults';
 
-const defaultIsPolicyEnabled = cfg.isPolicyEnabled;
+const defaultIsAccessGraphEnabled = cfg.entitlements.AccessGraph.enabled;
 
 let user: UserEvent;
 
@@ -85,7 +85,7 @@ beforeEach(() => {
 
 afterEach(() => {
   jest.restoreAllMocks();
-  cfg.isPolicyEnabled = defaultIsPolicyEnabled;
+  cfg.entitlements.AccessGraph.enabled = defaultIsAccessGraphEnabled;
 });
 
 test('rendering and switching tabs for new role', async () => {
@@ -192,7 +192,7 @@ test('rendering and switching tabs for a non-standard role', async () => {
 });
 
 it('calls onRoleUpdate on each modification in the standard editor', async () => {
-  cfg.isPolicyEnabled = true;
+  cfg.entitlements.AccessGraph.enabled = true;
   const onRoleUpdate = jest.fn();
   render(<TestRoleEditor demoMode onRoleUpdate={onRoleUpdate} />);
   expect(onRoleUpdate).toHaveBeenLastCalledWith(
@@ -208,7 +208,7 @@ it('calls onRoleUpdate on each modification in the standard editor', async () =>
 });
 
 it('calls onRoleUpdate after the first rendering of a non-standard role', async () => {
-  cfg.isPolicyEnabled = true;
+  cfg.entitlements.AccessGraph.enabled = true;
   const onRoleUpdate = jest.fn();
   const nonStandardRole = withDefaults({
     unsupportedField: true,
@@ -456,7 +456,7 @@ describe('saving a new role after editing as YAML', () => {
   });
 
   test('with Policy enabled', async () => {
-    cfg.isPolicyEnabled = true;
+    cfg.entitlements.AccessGraph.enabled = true;
     jest
       .spyOn(storageService, 'getAccessGraphRoleTesterEnabled')
       .mockReturnValue(true);