Web: Redo locking feature

[kimlisa]

part of #25168
enterprise PR: https://github.com/gravitational/teleport.e/pull/1237

recommend reviewing by commit (i plan to delete the old locks code after review)

it was hard to work with one size fit all data structure for the different types of resources especially when there are three types of pagination being used, so decided to re-do and have everything have its own table

design and ux is copied from access requests

in addition

• i didn't agree with supplying a manual add input box for every resource (especially when you can now use the search bar) so it only shows up for logins
• i copied the table display/formatting from other places, figured we can decide later what to customize if we want to
• add access checking, will not render lock tab if user doesn't have lock.list perm and does not render new lock screen if they don't have lock.create and lock.update perm
• add confirmation dialogue when user is deleting locks
• ** since we create a lock per resource select (this was how it worked before and figured it was okay), there's no guarantee that all will succeed in a row, so we allow user to re-attempt the failed ones
• supports all pagination types until we come up with another one ;;

Improvements for later:

• writing test and stories
• deduplicate code (shares similarities with access request)
• some cells are not aligned perfectly to center (you can tell on smaller screen with access requests)
• ** it looks like you can make batch lock request (as long the target keys are unique), like for example, locking one user and one device can be batched into one lock request. Locking two user has to be separate requests. Not sure if we wanted to support batching for less trip to back, but left it alone for another time.

Demo (using a smaller page size to demonstrate paginating):

Screen.Recording.2023-04-27.at.7.04.24.PM.mov

[public-teleport-github-review-bot]

@kimlisa - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

[kimlisa]

@rudream @avatus i would really appreciate it if ya'll can help me try to break this feature 🙏

[zmb3]

add access checking, will not render lock tab if user doesn't have lock.list perm and does not render new lock screen if they don't have lock.create and lock.update perm

We want to get away from this pattern of completely hiding parts of Teleport, because it prevents people from learning that these features exist.

For now it's fine, but we should start to prefer to always show the tabs and just indicate that the user doesn't have access.

[avatus]

Looks and feels really good to use now. I left some UI comments but more of a discussion rather than suggested changes. Feel free to push back/ignore them all.

[avatus]

I don't think request is good language here but I'm not 100% sold on my suggestion. Best I could come up with.

Suggested change

	+ Add to request
	+ Add Target

If we use the language from the above comments like "Lock Request" then we can just keep this as is.

[avatus]

Proceed to Lock? Proceed to Lock Request? Feel free to skip

[avatus]

Suggested change

	<Text bold>Resources Added ({numAddedResources})</Text>
	<Text bold>Targets Added ({numAddedResources})</Text>

[avatus]

Suggested change

	Submit Request
	Create Locks

I think it makes sense here to say Create Locks even if used in the button to open this dialog

[avatus]

Suggested change

	{locks.length} {pluralize(locks.length, 'Resource')} Selected
	{locks.length} {pluralize(locks.length, 'Target')} Added

Again, not 100% sold here as you are selecting resources TO lock so you can skip this one.

[avatus]

Back to Locks?

[avatus]

Suggested change

	Listing logins are not supported. Use the input box below to manually
	define a login to lock. <br />
	Double check the spelling before adding.
	Listing logins is not supported. Use the input box below to manually
	define a login to lock. <br />
	Double check the spelling before adding.

[avatus]

Suggested change

	<Box>New Request</Box>
	<Box>New Lock Request</Box>

[zmb3]

Shouldn't this just call MakeLock in a loop rather than repeating the same code?

[zmb3]

Suggested change

	Lock access `json:"lock"`
	Locks access `json:"lock"`

Most of these fields are plural.

[zmb3]

Missing license on a lot of these new files.

[zmb3]

Suggested change

	// to define the type of lock to be locked.
	// to define the type of resource to be locked.

[zmb3]

This bit us in the past, right? It's not always a name.

Also, I'm fine with this as-is for simplicity, but note that the data model for the frontend doesn't match the backend now. On the backend, a lock target can have multiple different resources (so long as they are different types).

[kimlisa]

This bit us in the past, right? It's not always a name.

i think this only applies to mapping backend with frontend fields, which isn't the case here. this type is only for frontend use. in the api response we get a mapping of targets, it wasn't very useful in its map form so I converted it into a list of LockTarget and added it as an extra field to the frontend model. i did it in this layer so we don't have to always process it when we use it in components.

we have a lot of frontend models that don't match the backend b/c we customize it further to suit our needs. i thought it was okay to do but maybe it shouldn't be done in the service layer. @ryanclark thoughts?

[avatus]

Suggested change

	return json.map(lock => makeLock(lock));
	return json.map(makeLock);

[kimlisa]

add access checking, will not render lock tab if user doesn't have lock.list perm and does not render new lock screen if they don't have lock.create and lock.update perm

We want to get away from this pattern of completely hiding parts of Teleport, because it prevents people from learning that these features exist.

For now it's fine, but we should start to prefer to always show the tabs and just indicate that the user doesn't have access.

is this something recently decided? i'll double check with xin in our upcoming monday meeting, but i thought we wanted it to be possible to turn off features? There are cases where we don't want to hide things, and thought those only applied when the user at least met the minimum criteria eg. most features look for at least a list access

(i'll leave it as is for now though)

[avatus]

Tested about everything I could think of.
We can update some of the test plan points later but I plan on making a few large changes to that soon anyway.

I'd love to have @rudream comb over this as well

[avatus]

Can we update locks?

[kimlisa]

you can

teleport/lib/auth/auth_with_roles.go

Line 4876 in 860d910

// UpsertLock upserts a lock.

(but no exposed api for the web to use atm), it's an upsert action that requires user to have both the create and update rule

[zmb3]

I was not able to break it. Thanks so much for this.

[public-teleport-github-review-bot]

@kimlisa See the table below for backport results.

Branch	Result
branch/v13	Failed