upcoming: [UIE-9597] - IAM Parent/Child: Align proxy logic with delegate users (linode#13336)

* save progress

* save progress

* fix storage conventions

* e2e fixes

* SwitchAccount fix

* last e2e

* Added changeset: IAM Parent/Child: Align proxy logic with delegate users

* post rebase fixes

Author: abailly-akamai

packages/manager/.changeset/pr-13336-upcoming-features-1769688950083.md

@@ -0,0 +1,5 @@
+---
+"@linode/manager": Upcoming Features
+---
+
+IAM Parent/Child: Align proxy logic with delegate users ([#13336](https://github.com/linode/manager/pull/13336))

packages/manager/cypress/e2e/core/account/account-cancellation.spec.ts

@@ -29,8 +29,8 @@ import {
 import { accountFactory } from 'src/factories/account';
 import {
   CHILD_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
+  DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
   PARENT_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
-  PROXY_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
 } from 'src/features/Account/constants';
 
 import type { CancelAccount } from '@linode/api-v4';
@@ -302,7 +302,7 @@ describe('Parent/Child account cancellation', () => {
           .trigger('mouseover');
         // Click the button first, then confirm the tooltip is shown.
         ui.tooltip
-          .findByText(PROXY_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT)
+          .findByText(DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT)
           .should('be.visible');
       });
   });

packages/manager/cypress/e2e/core/account/personal-access-tokens.spec.ts

@@ -15,7 +15,7 @@ import { ui } from 'support/ui';
 import { randomLabel, randomString } from 'support/util/random';
 
 import { appTokenFactory } from 'src/factories/oauth';
-import { PROXY_USER_RESTRICTED_TOOLTIP_TEXT } from 'src/features/Account/constants';
+import { DELEGATE_USER_RESTRICTED_TOOLTIP_TEXT } from 'src/features/Account/constants';
 
 import type { Token } from '@linode/api-v4';
 
@@ -370,7 +370,7 @@ describe('Personal access tokens', () => {
       });
 
     ui.tooltip
-      .findByText(PROXY_USER_RESTRICTED_TOOLTIP_TEXT)
+      .findByText(DELEGATE_USER_RESTRICTED_TOOLTIP_TEXT)
       .should('be.visible');
 
     // Confirm that token has not been renamed, initiate revocation.
@@ -405,7 +405,7 @@ describe('Personal access tokens', () => {
       .click();
 
     ui.tooltip
-      .findByText(PROXY_USER_RESTRICTED_TOOLTIP_TEXT)
+      .findByText(DELEGATE_USER_RESTRICTED_TOOLTIP_TEXT)
       .should('be.visible');
 
     // Confirm that token is removed from list after revoking.

…anager/src/components/AvatarForProxy.tsx …src/components/AvatarForDelegateUser.tsxpackages/manager/src/components/AvatarForProxy.tsx renamed to packages/manager/src/components/AvatarForDelegateUser.tsx packages/manager/src/components/AvatarForProxy.tsx renamed to packages/manager/src/components/AvatarForDelegateUser.tsx

@@ -2,14 +2,14 @@ import { Box } from '@linode/ui';
 import { styled } from '@mui/material/styles';
 import * as React from 'react';
 
-import ProxyUserIcon from 'src/assets/icons/parent-child.svg';
+import DelegateUserIcon from 'src/assets/icons/parent-child.svg';
 
 interface Props {
   height?: number;
   width?: number;
 }
 
-export const AvatarForProxy = ({ height = 34, width = 34 }: Props) => {
+export const AvatarForDelegateUser = ({ height = 34, width = 34 }: Props) => {
   return (
     <Box
       sx={(theme) => ({
@@ -32,14 +32,14 @@ export const AvatarForProxy = ({ height = 34, width = 34 }: Props) => {
           width: `calc(${width}px - 6px)`,
         })}
       >
-        <StyledProxyUserIcon />
+        <StyledDelegateUserIcon />
       </Box>
     </Box>
   );
 };
 
-const StyledProxyUserIcon = styled(ProxyUserIcon, {
-  label: 'styledProxyUserIcon',
+const StyledDelegateUserIcon = styled(DelegateUserIcon, {
+  label: 'styledDelegateUserIcon',
 })(({ theme }) => ({
   bottom: 0,
   left: 0,

packages/manager/src/dev-tools/components/ExtraPresetProfileAndGrants.tsx

@@ -248,6 +248,7 @@ export const ExtraPresetProfileAndGrants = ({
                   <option value="child">Child</option>
                   <option value="parent">Parent</option>
                   <option value="proxy">Proxy</option>
+                  <option value="delegate">Delegate</option>
                   <option value="default">Default</option>
                 </select>
               </label>

packages/manager/src/features/Account/AccountLanding.tsx

@@ -1,4 +1,4 @@
-import { useAccount, useProfile } from '@linode/queries';
+import { useAccount } from '@linode/queries';
 import {
   Outlet,
   useLocation,
@@ -23,6 +23,7 @@ import { useTabs } from 'src/hooks/useTabs';
 import { sendSwitchAccountEvent } from 'src/utilities/analytics/customEventAnalytics';
 
 import { PlatformMaintenanceBanner } from '../../components/PlatformMaintenanceBanner/PlatformMaintenanceBanner';
+import { useDelegationRole } from '../IAM/hooks/useDelegationRole';
 import { useIsIAMDelegationEnabled } from '../IAM/hooks/useIsIAMEnabled';
 import { usePermissions } from '../IAM/hooks/usePermissions';
 import { SwitchAccountButton } from './SwitchAccountButton';
@@ -37,7 +38,12 @@ export const AccountLanding = () => {
     strict: false,
   });
   const { data: account } = useAccount();
-  const { data: profile } = useProfile();
+  const {
+    isProxyOrDelegateUserType,
+    isChildUserType,
+    isParentUserType,
+    profileUserType,
+  } = useDelegationRole();
   const { limitsEvolution } = useFlags();
 
   const { data: permissions } = usePermissions('account', [
@@ -48,21 +54,20 @@ export const AccountLanding = () => {
   const sessionContext = React.useContext(switchAccountSessionContext);
 
   const isAkamaiAccount = account?.billing_source === 'akamai';
-  const isProxyUser = profile?.user_type === 'proxy';
-  const isChildUser = profile?.user_type === 'child';
-  const isParentUser = profile?.user_type === 'parent';
 
   const showQuotasTab = limitsEvolution?.enabled ?? false;
 
-  const isReadOnly = !permissions.make_billing_payment || isChildUser;
+  const isReadOnly = !permissions.make_billing_payment || isChildUserType;
 
   const isChildAccountAccessRestricted = useRestrictedGlobalGrantCheck({
     globalGrantType: 'child_account_access',
   });
 
   const { isIAMDelegationEnabled } = useIsIAMDelegationEnabled();
 
-  const { isParentTokenExpired } = useIsParentTokenExpired({ isProxyUser });
+  const { isParentTokenExpired } = useIsParentTokenExpired({
+    isProxyOrDelegateUserType,
+  });
 
   const { tabs, handleTabChange, tabIndex, getTabIndex } = useTabs([
     {
@@ -124,8 +129,9 @@ export const AccountLanding = () => {
 
   const isBillingTabSelected = getTabIndex('/account/billing') === tabIndex;
   const canSwitchBetweenParentOrProxyAccount = isIAMDelegationEnabled
-    ? isParentUser
-    : (!isChildAccountAccessRestricted && isParentUser) || isProxyUser;
+    ? isParentUserType
+    : (!isChildAccountAccessRestricted && isParentUserType) ||
+      isProxyOrDelegateUserType;
 
   const landingHeaderProps: LandingHeaderProps = {
     breadcrumbProps: {
@@ -134,7 +140,7 @@ export const AccountLanding = () => {
     buttonDataAttrs: {
       disabled: isReadOnly,
       tooltipText: getRestrictedResourceText({
-        isChildUser,
+        isChildUserType,
         resourceType: 'Account',
       }),
     },
@@ -181,7 +187,7 @@ export const AccountLanding = () => {
       <SwitchAccountDrawer
         onClose={() => setIsDrawerOpen(false)}
         open={isDrawerOpen}
-        userType={profile?.user_type}
+        userType={profileUserType}
       />
     </React.Fragment>
   );

packages/manager/src/features/Account/AccountLogins.tsx

@@ -1,4 +1,4 @@
-import { useAccountLoginsQuery, useProfile } from '@linode/queries';
+import { useAccountLoginsQuery } from '@linode/queries';
 import { Notice, Typography } from '@linode/ui';
 import { Hidden } from '@linode/ui';
 import * as React from 'react';
@@ -18,6 +18,7 @@ import { TableSortCell } from 'src/components/TableSortCell';
 import { useOrderV2 } from 'src/hooks/useOrderV2';
 import { usePaginationV2 } from 'src/hooks/usePaginationV2';
 
+import { useDelegationRole } from '../IAM/hooks/useDelegationRole';
 import { usePermissions } from '../IAM/hooks/usePermissions';
 import AccountLoginsTableRow from './AccountLoginsTableRow';
 import { getRestrictedResourceText } from './utils';
@@ -74,8 +75,7 @@ const AccountLogins = () => {
     },
     filter
   );
-  const { data: profile } = useProfile();
-  const isChildUser = profile?.user_type === 'child';
+  const { isChildUserType } = useDelegationRole();
   const canViewAccountLogins = permissions.list_account_logins;
 
   const renderTableContent = () => {
@@ -172,7 +172,7 @@ const AccountLogins = () => {
   ) : (
     <Notice
       text={getRestrictedResourceText({
-        isChildUser,
+        isChildUserType,
         resourceType: 'Account',
       })}
       variant="warning"

packages/manager/src/features/Account/CloseAccountSetting.test.tsx

@@ -7,8 +7,8 @@ import { renderWithTheme } from 'src/utilities/testHelpers';
 import CloseAccountSetting from './CloseAccountSetting';
 import {
   CHILD_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
+  DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
   PARENT_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
-  PROXY_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
 } from './constants';
 
 // Mock the useProfile hook to immediately return the expected data, circumventing the HTTP request and loading state.
@@ -105,7 +105,7 @@ describe('Close Account Settings', () => {
       expect(getByRole('tooltip')).toBeInTheDocument();
     });
 
-    expect(getByText(PROXY_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT)).toBeVisible();
+    expect(getByText(DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT)).toBeVisible();
     expect(button).toHaveAttribute('aria-describedby', 'button-tooltip');
     expect(button).not.toHaveAttribute('disabled');
     expect(button).toHaveAttribute('aria-disabled', 'true');

packages/manager/src/features/Account/CloseAccountSetting.tsx

@@ -6,8 +6,8 @@ import { usePermissions } from '../IAM/hooks/usePermissions';
 import CloseAccountDialog from './CloseAccountDialog';
 import {
   CHILD_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
+  DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
   PARENT_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
-  PROXY_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT,
 } from './constants';
 
 export const CloseAccountSetting = () => {
@@ -17,7 +17,7 @@ export const CloseAccountSetting = () => {
 
   const { data: permissions } = usePermissions('account', ['cancel_account']);
 
-  // Disable the Close Account button for users with a Parent/Proxy/Child user type.
+  // Disable the Close Account button for users with a Parent/Proxy/Delegate/Child user type.
   const isCloseAccountDisabled = Boolean(profile?.user_type !== 'default');
 
   let closeAccountButtonTooltipText;
@@ -28,8 +28,11 @@ export const CloseAccountSetting = () => {
     case 'child':
       closeAccountButtonTooltipText = CHILD_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT;
       break;
+    case 'delegate':
+      closeAccountButtonTooltipText = DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT;
+      break;
     case 'proxy':
-      closeAccountButtonTooltipText = PROXY_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT;
+      closeAccountButtonTooltipText = DELEGATE_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT;
       break;
     default:
       closeAccountButtonTooltipText = PARENT_USER_CLOSE_ACCOUNT_TOOLTIP_TEXT;

packages/manager/src/features/Account/SwitchAccountDrawer.tsx

@@ -40,7 +40,10 @@ export const SwitchAccountDrawer = (props: Props) => {
   >([]);
   const [searchQuery, setSearchQuery] = React.useState<string>('');
   const { isIAMDelegationEnabled } = useIsIAMDelegationEnabled();
-  const isProxyUser = userType === 'proxy';
+  const isParentUserType = userType === 'parent';
+  const isProxyUserType = userType === 'proxy';
+  const isDelegateUserType = userType === 'delegate';
+  const isProxyOrDelegateUserType = isProxyUserType || isDelegateUserType;
   const currentParentTokenWithBearer =
     getStorage('authentication/parent_token/token') ?? '';
   const currentTokenWithBearer = storage.authentication.token.get() ?? '';
@@ -73,12 +76,11 @@ export const SwitchAccountDrawer = (props: Props) => {
   } = useChildAccountsInfiniteQuery(
     {
       filter,
-      headers:
-        userType === 'proxy'
-          ? {
-              Authorization: currentTokenWithBearer,
-            }
-          : undefined,
+      headers: isProxyOrDelegateUserType
+        ? {
+            Authorization: currentTokenWithBearer,
+          }
+        : undefined,
     },
     isIAMDelegationEnabled === false
   );
@@ -90,7 +92,7 @@ export const SwitchAccountDrawer = (props: Props) => {
     refetch: refetchAllChildAccounts,
   } = useAllListMyDelegatedChildAccountsQuery({
     params: {},
-    enabled: isIAMDelegationEnabled,
+    enabled: isIAMDelegationEnabled && isParentUserType,
   });
 
   const refetchFn = isIAMDelegationEnabled
@@ -105,10 +107,11 @@ export const SwitchAccountDrawer = (props: Props) => {
       onClose,
       userType,
     }: HandleSwitchToChildAccountProps) => {
-      const isProxyUser = userType === 'proxy';
+      const isProxyOrDelegateUserType =
+        userType === 'proxy' || userType === 'delegate';
 
       try {
-        if (isProxyUser) {
+        if (isProxyOrDelegateUserType) {
           // Revoke proxy token before switching accounts.
           await revokeToken().catch(() => {
             /* Allow user account switching; tokens will expire naturally. */
@@ -121,14 +124,18 @@ export const SwitchAccountDrawer = (props: Props) => {
         const proxyToken = await createToken(euuid);
 
         setTokenInLocalStorage({
-          prefix: 'authentication/proxy_token',
+          prefix: isProxyUserType
+            ? 'authentication/proxy_token'
+            : 'authentication/delegate_token',
           token: {
             ...proxyToken,
             token: `Bearer ${proxyToken.token}`,
           },
         });
 
-        updateCurrentToken({ userType: 'proxy' });
+        updateCurrentToken({
+          userType: isProxyUserType ? 'proxy' : 'delegate',
+        });
         onClose(event);
         location.reload();
       } catch (error) {
@@ -153,19 +160,30 @@ export const SwitchAccountDrawer = (props: Props) => {
     // Flag to prevent multiple clicks on the switch account link.
     setSubmitting(true);
 
-    // Revoke proxy token before switching to parent account.
+    // Revoke proxy or delegate token before switching to parent account.
     await revokeToken().catch(() => {
       /* Allow user account switching; tokens will expire naturally. */
     });
 
     updateCurrentToken({ userType: 'parent' });
 
-    // Reset flag for proxy user to display success toast once.
-    setStorage('is_proxy_user', 'false');
+    // Reset flag for proxy or delegate user to display success toast once.
+    if (isProxyUserType) {
+      setStorage('is_proxy_user_type', 'false');
+    } else if (isDelegateUserType) {
+      setStorage('is_delegate_user_type', 'false');
+    }
 
     onClose();
     location.reload();
-  }, [onClose, revokeToken, validateParentToken, updateCurrentToken]);
+  }, [
+    onClose,
+    revokeToken,
+    validateParentToken,
+    updateCurrentToken,
+    isProxyUserType,
+    isDelegateUserType,
+  ]);
 
   const [isSwitchingChildAccounts, setIsSwitchingChildAccounts] =
     useState<boolean>(false);
@@ -203,7 +221,7 @@ export const SwitchAccountDrawer = (props: Props) => {
         })}
       >
         Select an account to view and manage its settings and configurations
-        {isProxyUser && (
+        {isProxyOrDelegateUserType && (
           <>
             {' or '}
             <LinkButton
@@ -256,7 +274,9 @@ export const SwitchAccountDrawer = (props: Props) => {
       <ChildAccountList
         childAccounts={childAccounts}
         currentTokenWithBearer={
-          isProxyUser ? currentParentTokenWithBearer : currentTokenWithBearer
+          isProxyOrDelegateUserType
+            ? currentParentTokenWithBearer
+            : currentTokenWithBearer
         }
         errors={{
           childAccountInfiniteError,