diff --git a/entitlements/entitlements.go b/entitlements/entitlements.go
index bbaed5590530f..4f06af8959aa5 100644
--- a/entitlements/entitlements.go
+++ b/entitlements/entitlements.go
@@ -27,38 +27,39 @@ type EntitlementKind string // All EntitlementKinds added here should also be added to AllEntitlements below and defaultEntitlements in // web/packages/teleport/src/entitlement.ts. const ( - AccessLists EntitlementKind = "AccessLists" - AccessMonitoring EntitlementKind = "AccessMonitoring" - AccessRequests EntitlementKind = "AccessRequests" - App EntitlementKind = "App" - CloudAuditLogRetention EntitlementKind = "CloudAuditLogRetention" - DB EntitlementKind = "DB" - Desktop EntitlementKind = "Desktop" - DeviceTrust EntitlementKind = "DeviceTrust" - ExternalAuditStorage EntitlementKind = "ExternalAuditStorage" - FeatureHiding EntitlementKind = "FeatureHiding" - HSM EntitlementKind = "HSM" - Identity EntitlementKind = "Identity" - JoinActiveSessions EntitlementKind = "JoinActiveSessions" - K8s EntitlementKind = "K8s" - MobileDeviceManagement EntitlementKind = "MobileDeviceManagement" - OIDC EntitlementKind = "OIDC" - OktaSCIM EntitlementKind = "OktaSCIM" - OktaUserSync EntitlementKind = "OktaUserSync" - Policy EntitlementKind = "Policy" - SAML EntitlementKind = "SAML" - SessionLocks EntitlementKind = "SessionLocks" - UpsellAlert EntitlementKind = "UpsellAlert" - UsageReporting EntitlementKind = "UsageReporting" - LicenseAutoUpdate EntitlementKind = "LicenseAutoUpdate" - AccessGraphDemoMode EntitlementKind = "AccessGraphDemoMode" + AccessLists EntitlementKind = "AccessLists" + AccessMonitoring EntitlementKind = "AccessMonitoring" + AccessRequests EntitlementKind = "AccessRequests" + App EntitlementKind = "App" + CloudAuditLogRetention EntitlementKind = "CloudAuditLogRetention" + DB EntitlementKind = "DB" + Desktop EntitlementKind = "Desktop" + DeviceTrust EntitlementKind = "DeviceTrust" + ExternalAuditStorage EntitlementKind = "ExternalAuditStorage" + FeatureHiding EntitlementKind = "FeatureHiding" + HSM EntitlementKind = "HSM" + Identity EntitlementKind = "Identity" + JoinActiveSessions EntitlementKind = "JoinActiveSessions" + K8s EntitlementKind 
= "K8s" + MobileDeviceManagement EntitlementKind = "MobileDeviceManagement" + OIDC EntitlementKind = "OIDC" + OktaSCIM EntitlementKind = "OktaSCIM" + OktaUserSync EntitlementKind = "OktaUserSync" + Policy EntitlementKind = "Policy" + SAML EntitlementKind = "SAML" + SessionLocks EntitlementKind = "SessionLocks" + UnrestrictedManagedUpdates EntitlementKind = "UnrestrictedManagedUpdates" + UpsellAlert EntitlementKind = "UpsellAlert" + UsageReporting EntitlementKind = "UsageReporting" + LicenseAutoUpdate EntitlementKind = "LicenseAutoUpdate" + AccessGraphDemoMode EntitlementKind = "AccessGraphDemoMode" ) // AllEntitlements returns all Entitlements; should be 1:1 with the const declared above. var AllEntitlements = []EntitlementKind{ AccessLists, AccessMonitoring, AccessRequests, App, CloudAuditLogRetention, DB, Desktop, DeviceTrust, ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, MobileDeviceManagement, OIDC, OktaSCIM, - OktaUserSync, Policy, SAML, SessionLocks, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode, + OktaUserSync, Policy, SAML, SessionLocks, UnrestrictedManagedUpdates, UpsellAlert, UsageReporting, LicenseAutoUpdate, AccessGraphDemoMode, } // BackfillFeatures ensures entitlements are backwards compatible. diff --git a/entitlements/entitlements_test.go b/entitlements/entitlements_test.go index 3b07e64d4537c..ac90e4a8b1e29 100644 --- a/entitlements/entitlements_test.go +++ b/entitlements/entitlements_test.go 
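Review bot: `UnrestrictedManagedUpdates` is added to the const block without a comment saying what it unlocks, although elsewhere in this diff it switches off server-side validation limits in validateServerSideAgentConfig rather than turning a feature on. A line above the constant such as `// UnrestrictedManagedUpdates lifts the cloud limits on managed-update group count, weekdays and rollout duration.` would make that visible to whoever grants it. The block's header comment also asks that every new kind be mirrored in defaultEntitlements in web/packages/teleport/src/entitlement.ts; no change to that file is visible in this diff, so confirm it is handled elsewhere.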
@@ -67,59 +67,61 @@ func TestBackfillFeatures(t *testing.T) { MobileDeviceManagement: false, AccessMonitoringConfigured: false, Entitlements: map[string]*proto.EntitlementInfo{ - string(AccessLists): {Enabled: true, Limit: 111}, - string(AccessMonitoring): {Enabled: true, Limit: 2113}, - string(AccessRequests): {Enabled: true, Limit: 39}, - string(App): {Enabled: false}, - string(CloudAuditLogRetention): {Enabled: true}, - string(DB): {Enabled: true}, - string(Desktop): {Enabled: true}, - string(DeviceTrust): {Enabled: true, Limit: 103}, - string(ExternalAuditStorage): {Enabled: true}, - string(FeatureHiding): {Enabled: true}, - string(HSM): {Enabled: true}, - string(Identity): {Enabled: true}, - string(JoinActiveSessions): {Enabled: true}, - string(K8s): {Enabled: true}, - string(MobileDeviceManagement): {Enabled: true}, - string(OIDC): {Enabled: true}, - string(OktaSCIM): {Enabled: true}, - string(OktaUserSync): {Enabled: true}, - string(Policy): {Enabled: true}, - string(SAML): {Enabled: true}, - string(SessionLocks): {Enabled: true}, - string(UpsellAlert): {Enabled: true}, - string(UsageReporting): {Enabled: true}, - string(LicenseAutoUpdate): {Enabled: true}, - string(AccessGraphDemoMode): {Enabled: true}, + string(AccessLists): {Enabled: true, Limit: 111}, + string(AccessMonitoring): {Enabled: true, Limit: 2113}, + string(AccessRequests): {Enabled: true, Limit: 39}, + string(App): {Enabled: false}, + string(CloudAuditLogRetention): {Enabled: true}, + string(DB): {Enabled: true}, + string(Desktop): {Enabled: true}, + string(DeviceTrust): {Enabled: true, Limit: 103}, + string(ExternalAuditStorage): {Enabled: true}, + string(FeatureHiding): {Enabled: true}, + string(HSM): {Enabled: true}, + string(Identity): {Enabled: true}, + string(JoinActiveSessions): {Enabled: true}, + string(K8s): {Enabled: true}, + string(MobileDeviceManagement): {Enabled: true}, + string(OIDC): {Enabled: true}, + string(OktaSCIM): {Enabled: true}, + string(OktaUserSync): {Enabled: true}, 
+ string(Policy): {Enabled: true}, + string(SAML): {Enabled: true}, + string(SessionLocks): {Enabled: true}, + string(UpsellAlert): {Enabled: true}, + string(UsageReporting): {Enabled: true}, + string(LicenseAutoUpdate): {Enabled: true}, + string(AccessGraphDemoMode): {Enabled: true}, + string(UnrestrictedManagedUpdates): {Enabled: true}, }, }, expected: map[string]*proto.EntitlementInfo{ - string(AccessLists): {Enabled: true, Limit: 111}, - string(AccessMonitoring): {Enabled: true, Limit: 2113}, - string(AccessRequests): {Enabled: true, Limit: 39}, - string(App): {Enabled: false}, - string(CloudAuditLogRetention): {Enabled: true}, - string(DB): {Enabled: true}, - string(Desktop): {Enabled: true}, - string(DeviceTrust): {Enabled: true, Limit: 103}, - string(ExternalAuditStorage): {Enabled: true}, - string(FeatureHiding): {Enabled: true}, - string(HSM): {Enabled: true}, - string(Identity): {Enabled: true}, - string(JoinActiveSessions): {Enabled: true}, - string(K8s): {Enabled: true}, - string(MobileDeviceManagement): {Enabled: true}, - string(OIDC): {Enabled: true}, - string(OktaSCIM): {Enabled: true}, - string(OktaUserSync): {Enabled: true}, - string(Policy): {Enabled: true}, - string(SAML): {Enabled: true}, - string(SessionLocks): {Enabled: true}, - string(UpsellAlert): {Enabled: true}, - string(UsageReporting): {Enabled: true}, - string(LicenseAutoUpdate): {Enabled: true}, - string(AccessGraphDemoMode): {Enabled: true}, + string(AccessLists): {Enabled: true, Limit: 111}, + string(AccessMonitoring): {Enabled: true, Limit: 2113}, + string(AccessRequests): {Enabled: true, Limit: 39}, + string(App): {Enabled: false}, + string(CloudAuditLogRetention): {Enabled: true}, + string(DB): {Enabled: true}, + string(Desktop): {Enabled: true}, + string(DeviceTrust): {Enabled: true, Limit: 103}, + string(ExternalAuditStorage): {Enabled: true}, + string(FeatureHiding): {Enabled: true}, + string(HSM): {Enabled: true}, + string(Identity): {Enabled: true}, + 
string(JoinActiveSessions): {Enabled: true}, + string(K8s): {Enabled: true}, + string(MobileDeviceManagement): {Enabled: true}, + string(OIDC): {Enabled: true}, + string(OktaSCIM): {Enabled: true}, + string(OktaUserSync): {Enabled: true}, + string(Policy): {Enabled: true}, + string(SAML): {Enabled: true}, + string(SessionLocks): {Enabled: true}, + string(UpsellAlert): {Enabled: true}, + string(UsageReporting): {Enabled: true}, + string(LicenseAutoUpdate): {Enabled: true}, + string(AccessGraphDemoMode): {Enabled: true}, + string(UnrestrictedManagedUpdates): {Enabled: true}, }, }, { @@ -192,11 +194,12 @@ func TestBackfillFeatures(t *testing.T) { string(SAML): {Enabled: true}, string(SessionLocks): {Enabled: true}, // defaults, no legacy equivalent - string(UsageReporting): {Enabled: false}, - string(UpsellAlert): {Enabled: false}, - string(CloudAuditLogRetention): {Enabled: false}, - string(LicenseAutoUpdate): {Enabled: false}, - string(AccessGraphDemoMode): {Enabled: false}, + string(UsageReporting): {Enabled: false}, + string(UpsellAlert): {Enabled: false}, + string(CloudAuditLogRetention): {Enabled: false}, + string(LicenseAutoUpdate): {Enabled: false}, + string(AccessGraphDemoMode): {Enabled: false}, + string(UnrestrictedManagedUpdates): {Enabled: false}, }, }, { 
@@ -266,11 +269,12 @@ func TestBackfillFeatures(t *testing.T) { string(SAML): {Enabled: true}, // defaults, no legacy equivalent - string(UsageReporting): {Enabled: false}, - string(UpsellAlert): {Enabled: false}, - string(CloudAuditLogRetention): {Enabled: false}, - string(LicenseAutoUpdate): {Enabled: false}, - string(AccessGraphDemoMode): {Enabled: false}, + string(UsageReporting): {Enabled: false}, + string(UpsellAlert): {Enabled: false}, + string(CloudAuditLogRetention): {Enabled: false}, + string(LicenseAutoUpdate): {Enabled: false}, + string(AccessGraphDemoMode): {Enabled: false}, + string(UnrestrictedManagedUpdates): {Enabled: false}, // Identity off, fields false string(Identity): {Enabled: false}, string(SessionLocks): {Enabled: false}, diff --git a/lib/auth/autoupdate/autoupdatev1/service.go b/lib/auth/autoupdate/autoupdatev1/service.go index 3b1d175a6fb91..4a111fe262cb5 100644 --- a/lib/auth/autoupdate/autoupdatev1/service.go +++ b/lib/auth/autoupdate/autoupdatev1/service.go @@ -31,6 +31,7 @@ import ( "github.com/gravitational/teleport/api/types" update "github.com/gravitational/teleport/api/types/autoupdate" apievents "github.com/gravitational/teleport/api/types/events" + "github.com/gravitational/teleport/entitlements" "github.com/gravitational/teleport/lib/authz" "github.com/gravitational/teleport/lib/autoupdate/rollout" "github.com/gravitational/teleport/lib/events" 
@@ -1073,11 +1074,12 @@ func validateServerSideAgentConfig(config *autoupdate.AutoUpdateConfig) error { return trace.Wrap(err, "validating autoupdate config") } - var maxGroups int - isCloud := modules.GetModules().Features().Cloud + isLimitedCloud := modules.GetModules().Features().Cloud && + !modules.GetModules().Features().Entitlements[entitlements.UnrestrictedManagedUpdates].Enabled + var maxGroups int switch { - case isCloud && agentsSpec.GetStrategy() == update.AgentsStrategyHaltOnError: + case isLimitedCloud && agentsSpec.GetStrategy() == update.AgentsStrategyHaltOnError: maxGroups = maxGroupsHaltOnErrorStrategyCloud case agentsSpec.GetStrategy() == update.AgentsStrategyHaltOnError: maxGroups = maxGroupsHaltOnErrorStrategy @@ -1091,7 +1093,7 @@ func validateServerSideAgentConfig(config *autoupdate.AutoUpdateConfig) error { return trace.BadParameter("max groups (%d) exceeded for strategy %s, %s schedule contains %d groups", maxGroups, agentsSpec.GetStrategy(), update.AgentsScheduleRegular, len(agentsSpec.GetSchedules().GetRegular())) } - if !isCloud { + if !isLimitedCloud { return nil } @@ -1109,7 +1111,6 @@ func validateServerSideAgentConfig(config *autoupdate.AutoUpdateConfig) error { if !maps.Equal(cloudWeekdays, weekdays) { return trace.BadParameter("weekdays must be set to %v in cloud", cloudGroupUpdateDays) } - } if duration := computeMinRolloutTime(agentsSpec.GetSchedules().GetRegular()); duration > maxRolloutDurationCloudHours { diff --git a/lib/auth/autoupdate/autoupdatev1/service_test.go b/lib/auth/autoupdate/autoupdatev1/service_test.go index f3780e390be1e..20829179fd848 100644 --- a/lib/auth/autoupdate/autoupdatev1/service_test.go +++ b/lib/auth/autoupdate/autoupdatev1/service_test.go 
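Review bot: `isLimitedCloud` in validateServerSideAgentConfig now decides three separate cloud guardrails at once, but nothing at its definition says so: the lower halt-on-error group cap in this hunk, and the fixed-weekday and maximum-rollout-duration checks behind the `if !isLimitedCloud` return in the following hunks. Add a comment such as `// isLimitedCloud: cloud tenant without the UnrestrictedManagedUpdates entitlement; a missing map key yields the zero EntitlementInfo, so the limits stay on by default.` and read the features once (`features := modules.GetModules().Features()`) so both operands come from the same value. The check runs only when a config is validated, so a config accepted while the entitlement was enabled presumably stays in place if the entitlement is later withdrawn; confirm that is intended. The function body starts and ends outside these hunks.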
@@ -32,6 +32,7 @@ import ( "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/api/types/autoupdate" apievents "github.com/gravitational/teleport/api/types/events" + "github.com/gravitational/teleport/entitlements" "github.com/gravitational/teleport/lib/authz" "github.com/gravitational/teleport/lib/backend/memory" libevents "github.com/gravitational/teleport/lib/events" @@ -883,6 +884,14 @@ func TestValidateServerSideAgentConfig(t *testing.T) { Cloud: true, }, } + cloudUnlimitedModules := &modules.TestModules{ + TestFeatures: modules.Features{ + Cloud: true, + Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{ + entitlements.UnrestrictedManagedUpdates: {Enabled: true}, + }, + }, + } selfHostedModules := &modules.TestModules{ TestFeatures: modules.Features{ Cloud: false, @@ -925,6 +934,18 @@ func TestValidateServerSideAgentConfig(t *testing.T) { }, expectErr: require.Error, }, + { + name: "over max groups halt-on-error cloud unlimited", + modules: cloudUnlimitedModules, + config: &autoupdatev1pb.AutoUpdateConfigSpecAgents{ + Mode: autoupdate.AgentsUpdateModeEnabled, + Strategy: autoupdate.AgentsStrategyHaltOnError, + Schedules: &autoupdatev1pb.AgentAutoUpdateSchedules{ + Regular: generateGroups(maxGroupsHaltOnErrorStrategy+1, cloudGroupUpdateDays), + }, + }, + expectErr: require.Error, + }, { name: "over max groups halt-on-error cloud", modules: cloudModules, 
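Review bot: The new `cloudUnlimitedModules` fixture and its cases in TestValidateServerSideAgentConfig only exercise the entitlement being enabled; nothing pins the fail-closed side, where a cloud tenant carries the key with `Enabled: false`. The existing `cloudModules` fixture covers the absent-map case only. Consider a third fixture with `entitlements.UnrestrictedManagedUpdates: {Enabled: false}` and a case that reuses the "over max groups halt-on-error cloud" config with `expectErr: require.Error`, so a later change to the lookup cannot silently lift the limits. The test table starts and ends outside these hunks.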
@@ -949,6 +970,18 @@ func TestValidateServerSideAgentConfig(t *testing.T) { }, expectErr: require.Error, }, + { + name: "cloud unlimited should allow custom weekdays", + modules: cloudUnlimitedModules, + config: &autoupdatev1pb.AutoUpdateConfigSpecAgents{ + Mode: autoupdate.AgentsUpdateModeEnabled, + Strategy: autoupdate.AgentsStrategyHaltOnError, + Schedules: &autoupdatev1pb.AgentAutoUpdateSchedules{ + Regular: generateGroups(maxGroupsHaltOnErrorStrategyCloud, []string{"Mon"}), + }, + }, + expectErr: require.NoError, + }, { name: "self-hosted should allow custom weekdays", modules: selfHostedModules, @@ -976,6 +1009,21 @@ func TestValidateServerSideAgentConfig(t *testing.T) { }, expectErr: require.Error, }, + { + name: "cloud should allow long rollouts with entitlement", + modules: cloudUnlimitedModules, + config: &autoupdatev1pb.AutoUpdateConfigSpecAgents{ + Mode: autoupdate.AgentsUpdateModeEnabled, + Strategy: autoupdate.AgentsStrategyHaltOnError, + Schedules: &autoupdatev1pb.AgentAutoUpdateSchedules{ + Regular: []*autoupdatev1pb.AgentAutoUpdateGroup{ + {Name: "g1", Days: cloudGroupUpdateDays}, + {Name: "g2", Days: cloudGroupUpdateDays, WaitHours: maxRolloutDurationCloudHours}, + }, + }, + }, + expectErr: require.NoError, + }, { name: "self-hosted should allow long rollouts", modules: selfHostedModules, diff --git a/lib/modules/modules_test.go b/lib/modules/modules_test.go index 18ffe1bc78cab..b6d1313b5eb88 100644 --- a/lib/modules/modules_test.go +++ b/lib/modules/modules_test.go 
@@ -131,31 +131,32 @@ func TestFeatures_ToProto(t *testing.T) { RecoveryCodes: true, AccessMonitoringConfigured: false, Entitlements: map[string]*proto.EntitlementInfo{ - string(entitlements.AccessLists): {Enabled: true, Limit: 111}, - string(entitlements.AccessMonitoring): {Enabled: true, Limit: 2113}, - string(entitlements.AccessRequests): {Enabled: true, Limit: 39}, - string(entitlements.App): {Enabled: false}, - string(entitlements.CloudAuditLogRetention): {Enabled: true}, - string(entitlements.DB): {Enabled: true}, - string(entitlements.Desktop): {Enabled: true}, - string(entitlements.DeviceTrust): {Enabled: true, Limit: 103}, - string(entitlements.ExternalAuditStorage): {Enabled: true}, - string(entitlements.FeatureHiding): {Enabled: true}, - string(entitlements.HSM): {Enabled: true}, - string(entitlements.Identity): {Enabled: true}, - string(entitlements.JoinActiveSessions): {Enabled: true}, - string(entitlements.K8s): {Enabled: true}, - string(entitlements.MobileDeviceManagement): {Enabled: true}, - string(entitlements.OIDC): {Enabled: true}, - string(entitlements.OktaSCIM): {Enabled: true}, - string(entitlements.OktaUserSync): {Enabled: true}, - string(entitlements.Policy): {Enabled: true}, - string(entitlements.SAML): {Enabled: true}, - string(entitlements.SessionLocks): {Enabled: true}, - string(entitlements.UpsellAlert): {Enabled: true}, - string(entitlements.UsageReporting): {Enabled: true}, - string(entitlements.LicenseAutoUpdate): {Enabled: true}, - string(entitlements.AccessGraphDemoMode): {Enabled: true}, + string(entitlements.AccessLists): {Enabled: true, Limit: 111}, + string(entitlements.AccessMonitoring): {Enabled: true, Limit: 2113}, + string(entitlements.AccessRequests): {Enabled: true, Limit: 39}, + string(entitlements.App): {Enabled: false}, + string(entitlements.CloudAuditLogRetention): {Enabled: true}, + string(entitlements.DB): {Enabled: true}, + string(entitlements.Desktop): {Enabled: true}, + string(entitlements.DeviceTrust): {Enabled: 
true, Limit: 103}, + string(entitlements.ExternalAuditStorage): {Enabled: true}, + string(entitlements.FeatureHiding): {Enabled: true}, + string(entitlements.HSM): {Enabled: true}, + string(entitlements.Identity): {Enabled: true}, + string(entitlements.JoinActiveSessions): {Enabled: true}, + string(entitlements.K8s): {Enabled: true}, + string(entitlements.MobileDeviceManagement): {Enabled: true}, + string(entitlements.OIDC): {Enabled: true}, + string(entitlements.OktaSCIM): {Enabled: true}, + string(entitlements.OktaUserSync): {Enabled: true}, + string(entitlements.Policy): {Enabled: true}, + string(entitlements.SAML): {Enabled: true}, + string(entitlements.SessionLocks): {Enabled: true}, + string(entitlements.UpsellAlert): {Enabled: true}, + string(entitlements.UsageReporting): {Enabled: true}, + string(entitlements.LicenseAutoUpdate): {Enabled: true}, + string(entitlements.AccessGraphDemoMode): {Enabled: true}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: true}, }, // Legacy Fields; remove in v18 Kubernetes: true, 
@@ -207,31 +208,32 @@ func TestFeatures_ToProto(t *testing.T) { AccessMonitoringConfigured: false, CloudAnonymizationKey: []byte("001"), Entitlements: map[entitlements.EntitlementKind]modules.EntitlementInfo{ - entitlements.AccessLists: {Enabled: true, Limit: 111}, - entitlements.AccessMonitoring: {Enabled: true, Limit: 2113}, - entitlements.AccessRequests: {Enabled: true, Limit: 39}, - entitlements.App: {Enabled: false, Limit: 0}, - entitlements.CloudAuditLogRetention: {Enabled: true, Limit: 0}, - entitlements.DB: {Enabled: true, Limit: 0}, - entitlements.Desktop: {Enabled: true, Limit: 0}, - entitlements.DeviceTrust: {Enabled: true, Limit: 103}, - entitlements.ExternalAuditStorage: {Enabled: true, Limit: 0}, - entitlements.FeatureHiding: {Enabled: true, Limit: 0}, - entitlements.HSM: {Enabled: true, Limit: 0}, - entitlements.Identity: {Enabled: true, Limit: 0}, - entitlements.JoinActiveSessions: {Enabled: true, Limit: 0}, - entitlements.K8s: {Enabled: true, Limit: 0}, - entitlements.MobileDeviceManagement: {Enabled: true, Limit: 0}, - entitlements.OIDC: {Enabled: true, Limit: 0}, - entitlements.OktaSCIM: {Enabled: true, Limit: 0}, - entitlements.OktaUserSync: {Enabled: true, Limit: 0}, - entitlements.Policy: {Enabled: true, Limit: 0}, - entitlements.SAML: {Enabled: true, Limit: 0}, - entitlements.SessionLocks: {Enabled: true, Limit: 0}, - entitlements.UpsellAlert: {Enabled: true, Limit: 0}, - entitlements.UsageReporting: {Enabled: true, Limit: 0}, - entitlements.LicenseAutoUpdate: {Enabled: true, Limit: 0}, - entitlements.AccessGraphDemoMode: {Enabled: true, Limit: 0}, + entitlements.AccessLists: {Enabled: true, Limit: 111}, + entitlements.AccessMonitoring: {Enabled: true, Limit: 2113}, + entitlements.AccessRequests: {Enabled: true, Limit: 39}, + entitlements.App: {Enabled: false, Limit: 0}, + entitlements.CloudAuditLogRetention: {Enabled: true, Limit: 0}, + entitlements.DB: {Enabled: true, Limit: 0}, + entitlements.Desktop: {Enabled: true, Limit: 0}, + 
entitlements.DeviceTrust: {Enabled: true, Limit: 103}, + entitlements.ExternalAuditStorage: {Enabled: true, Limit: 0}, + entitlements.FeatureHiding: {Enabled: true, Limit: 0}, + entitlements.HSM: {Enabled: true, Limit: 0}, + entitlements.Identity: {Enabled: true, Limit: 0}, + entitlements.JoinActiveSessions: {Enabled: true, Limit: 0}, + entitlements.K8s: {Enabled: true, Limit: 0}, + entitlements.MobileDeviceManagement: {Enabled: true, Limit: 0}, + entitlements.OIDC: {Enabled: true, Limit: 0}, + entitlements.OktaSCIM: {Enabled: true, Limit: 0}, + entitlements.OktaUserSync: {Enabled: true, Limit: 0}, + entitlements.Policy: {Enabled: true, Limit: 0}, + entitlements.SAML: {Enabled: true, Limit: 0}, + entitlements.SessionLocks: {Enabled: true, Limit: 0}, + entitlements.UpsellAlert: {Enabled: true, Limit: 0}, + entitlements.UsageReporting: {Enabled: true, Limit: 0}, + entitlements.LicenseAutoUpdate: {Enabled: true, Limit: 0}, + entitlements.AccessGraphDemoMode: {Enabled: true, Limit: 0}, + entitlements.UnrestrictedManagedUpdates: {Enabled: true, Limit: 0}, }, } diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go index 4f6c3ee946fc5..4a6077240e910 100644 --- a/lib/web/apiserver_test.go +++ b/lib/web/apiserver_test.go 
@@ -4752,31 +4752,32 @@ func TestGetWebConfig_WithEntitlements(t *testing.T) { JoinActiveSessions: true, Edition: modules.BuildOSS, // testBuildType is empty Entitlements: map[string]webclient.EntitlementInfo{ - string(entitlements.AccessLists): {Enabled: false}, - string(entitlements.AccessMonitoring): {Enabled: false}, - string(entitlements.AccessRequests): {Enabled: false}, - string(entitlements.App): {Enabled: true}, - string(entitlements.CloudAuditLogRetention): {Enabled: false}, - string(entitlements.DB): {Enabled: true}, - string(entitlements.Desktop): {Enabled: true}, - string(entitlements.DeviceTrust): {Enabled: false}, - string(entitlements.ExternalAuditStorage): {Enabled: false}, - string(entitlements.FeatureHiding): {Enabled: false}, - string(entitlements.HSM): {Enabled: false}, - string(entitlements.Identity): {Enabled: false}, - string(entitlements.JoinActiveSessions): {Enabled: true}, - string(entitlements.K8s): {Enabled: true}, - string(entitlements.MobileDeviceManagement): {Enabled: false}, - string(entitlements.OIDC): {Enabled: false}, - string(entitlements.OktaSCIM): {Enabled: false}, - string(entitlements.OktaUserSync): {Enabled: false}, - string(entitlements.Policy): {Enabled: false}, - string(entitlements.SAML): {Enabled: false}, - string(entitlements.SessionLocks): {Enabled: false}, - string(entitlements.UpsellAlert): {Enabled: false}, - string(entitlements.UsageReporting): {Enabled: false}, - string(entitlements.LicenseAutoUpdate): {Enabled: false}, - string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.AccessLists): {Enabled: false}, + string(entitlements.AccessMonitoring): {Enabled: false}, + string(entitlements.AccessRequests): {Enabled: false}, + string(entitlements.App): {Enabled: true}, + string(entitlements.CloudAuditLogRetention): {Enabled: false}, + string(entitlements.DB): {Enabled: true}, + string(entitlements.Desktop): {Enabled: true}, + string(entitlements.DeviceTrust): {Enabled: false}, + 
string(entitlements.ExternalAuditStorage): {Enabled: false}, + string(entitlements.FeatureHiding): {Enabled: false}, + string(entitlements.HSM): {Enabled: false}, + string(entitlements.Identity): {Enabled: false}, + string(entitlements.JoinActiveSessions): {Enabled: true}, + string(entitlements.K8s): {Enabled: true}, + string(entitlements.MobileDeviceManagement): {Enabled: false}, + string(entitlements.OIDC): {Enabled: false}, + string(entitlements.OktaSCIM): {Enabled: false}, + string(entitlements.OktaUserSync): {Enabled: false}, + string(entitlements.Policy): {Enabled: false}, + string(entitlements.SAML): {Enabled: false}, + string(entitlements.SessionLocks): {Enabled: false}, + string(entitlements.UpsellAlert): {Enabled: false}, + string(entitlements.UsageReporting): {Enabled: false}, + string(entitlements.LicenseAutoUpdate): {Enabled: false}, + string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: false}, }, TunnelPublicAddress: "", RecoveryCodesEnabled: false, 
@@ -4938,31 +4939,32 @@ func TestGetWebConfig_LegacyFeatureLimits(t *testing.T) { Questionnaire: true, IsUsageBasedBilling: true, Entitlements: map[string]webclient.EntitlementInfo{ - string(entitlements.AccessLists): {Enabled: true, Limit: 5}, - string(entitlements.AccessMonitoring): {Enabled: true, Limit: 10}, - string(entitlements.AccessRequests): {Enabled: false}, - string(entitlements.App): {Enabled: false}, - string(entitlements.CloudAuditLogRetention): {Enabled: false}, - string(entitlements.DB): {Enabled: false}, - string(entitlements.Desktop): {Enabled: false}, - string(entitlements.DeviceTrust): {Enabled: false}, - string(entitlements.ExternalAuditStorage): {Enabled: false}, - string(entitlements.FeatureHiding): {Enabled: false}, - string(entitlements.HSM): {Enabled: false}, - string(entitlements.Identity): {Enabled: true}, - string(entitlements.JoinActiveSessions): {Enabled: false}, - string(entitlements.K8s): {Enabled: false}, - string(entitlements.MobileDeviceManagement): {Enabled: false}, - string(entitlements.OIDC): {Enabled: false}, - string(entitlements.OktaSCIM): {Enabled: false}, - string(entitlements.OktaUserSync): {Enabled: false}, - string(entitlements.Policy): {Enabled: false}, - string(entitlements.SAML): {Enabled: false}, - string(entitlements.SessionLocks): {Enabled: false}, - string(entitlements.UpsellAlert): {Enabled: false}, - string(entitlements.UsageReporting): {Enabled: false}, - string(entitlements.LicenseAutoUpdate): {Enabled: false}, - string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.AccessLists): {Enabled: true, Limit: 5}, + string(entitlements.AccessMonitoring): {Enabled: true, Limit: 10}, + string(entitlements.AccessRequests): {Enabled: false}, + string(entitlements.App): {Enabled: false}, + string(entitlements.CloudAuditLogRetention): {Enabled: false}, + string(entitlements.DB): {Enabled: false}, + string(entitlements.Desktop): {Enabled: false}, + string(entitlements.DeviceTrust): {Enabled: 
false}, + string(entitlements.ExternalAuditStorage): {Enabled: false}, + string(entitlements.FeatureHiding): {Enabled: false}, + string(entitlements.HSM): {Enabled: false}, + string(entitlements.Identity): {Enabled: true}, + string(entitlements.JoinActiveSessions): {Enabled: false}, + string(entitlements.K8s): {Enabled: false}, + string(entitlements.MobileDeviceManagement): {Enabled: false}, + string(entitlements.OIDC): {Enabled: false}, + string(entitlements.OktaSCIM): {Enabled: false}, + string(entitlements.OktaUserSync): {Enabled: false}, + string(entitlements.Policy): {Enabled: false}, + string(entitlements.SAML): {Enabled: false}, + string(entitlements.SessionLocks): {Enabled: false}, + string(entitlements.UpsellAlert): {Enabled: false}, + string(entitlements.UsageReporting): {Enabled: false}, + string(entitlements.LicenseAutoUpdate): {Enabled: false}, + string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: false}, }, PlayableDatabaseProtocols: player.SupportedDatabaseProtocols, IsPolicyRoleVisualizerEnabled: true, 
@@ -10929,31 +10931,32 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) { SupportType: 0, // since present, becomes source of truth for feature enablement Entitlements: map[string]*authproto.EntitlementInfo{ - string(entitlements.AccessLists): {Enabled: true, Limit: 99}, - string(entitlements.AccessMonitoring): {Enabled: true, Limit: 99}, - string(entitlements.AccessRequests): {Enabled: true, Limit: 99}, - string(entitlements.App): {Enabled: true, Limit: 99}, - string(entitlements.CloudAuditLogRetention): {Enabled: true, Limit: 99}, - string(entitlements.DB): {Enabled: true, Limit: 99}, - string(entitlements.Desktop): {Enabled: true, Limit: 99}, - string(entitlements.DeviceTrust): {Enabled: true, Limit: 99}, - string(entitlements.ExternalAuditStorage): {Enabled: true, Limit: 99}, - string(entitlements.FeatureHiding): {Enabled: true, Limit: 99}, - string(entitlements.HSM): {Enabled: true, Limit: 99}, - string(entitlements.Identity): {Enabled: true, Limit: 99}, - string(entitlements.JoinActiveSessions): {Enabled: true, Limit: 99}, - string(entitlements.K8s): {Enabled: true, Limit: 99}, - string(entitlements.MobileDeviceManagement): {Enabled: true, Limit: 99}, - string(entitlements.OIDC): {Enabled: true, Limit: 99}, - string(entitlements.OktaSCIM): {Enabled: true, Limit: 99}, - string(entitlements.OktaUserSync): {Enabled: true, Limit: 99}, - string(entitlements.Policy): {Enabled: true, Limit: 99}, - string(entitlements.SAML): {Enabled: true, Limit: 99}, - string(entitlements.SessionLocks): {Enabled: true, Limit: 99}, - string(entitlements.UpsellAlert): {Enabled: true, Limit: 99}, - string(entitlements.UsageReporting): {Enabled: true, Limit: 99}, - string(entitlements.LicenseAutoUpdate): {Enabled: true, Limit: 99}, - string(entitlements.AccessGraphDemoMode): {Enabled: true, Limit: 99}, + string(entitlements.AccessLists): {Enabled: true, Limit: 99}, + string(entitlements.AccessMonitoring): {Enabled: true, Limit: 99}, + string(entitlements.AccessRequests): 
{Enabled: true, Limit: 99}, + string(entitlements.App): {Enabled: true, Limit: 99}, + string(entitlements.CloudAuditLogRetention): {Enabled: true, Limit: 99}, + string(entitlements.DB): {Enabled: true, Limit: 99}, + string(entitlements.Desktop): {Enabled: true, Limit: 99}, + string(entitlements.DeviceTrust): {Enabled: true, Limit: 99}, + string(entitlements.ExternalAuditStorage): {Enabled: true, Limit: 99}, + string(entitlements.FeatureHiding): {Enabled: true, Limit: 99}, + string(entitlements.HSM): {Enabled: true, Limit: 99}, + string(entitlements.Identity): {Enabled: true, Limit: 99}, + string(entitlements.JoinActiveSessions): {Enabled: true, Limit: 99}, + string(entitlements.K8s): {Enabled: true, Limit: 99}, + string(entitlements.MobileDeviceManagement): {Enabled: true, Limit: 99}, + string(entitlements.OIDC): {Enabled: true, Limit: 99}, + string(entitlements.OktaSCIM): {Enabled: true, Limit: 99}, + string(entitlements.OktaUserSync): {Enabled: true, Limit: 99}, + string(entitlements.Policy): {Enabled: true, Limit: 99}, + string(entitlements.SAML): {Enabled: true, Limit: 99}, + string(entitlements.SessionLocks): {Enabled: true, Limit: 99}, + string(entitlements.UpsellAlert): {Enabled: true, Limit: 99}, + string(entitlements.UsageReporting): {Enabled: true, Limit: 99}, + string(entitlements.LicenseAutoUpdate): {Enabled: true, Limit: 99}, + string(entitlements.AccessGraphDemoMode): {Enabled: true, Limit: 99}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: true, Limit: 99}, }, }, expected: &webclient.WebConfig{ 
@@ -10992,31 +10995,32 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) {
 AccessRequestMonthlyRequestLimit: 99,
 },
 Entitlements: map[string]webclient.EntitlementInfo{
- string(entitlements.AccessLists): {Enabled: true, Limit: 99},
- string(entitlements.AccessMonitoring): {Enabled: true, Limit: 99},
- string(entitlements.AccessRequests): {Enabled: true, Limit: 99},
- string(entitlements.App): {Enabled: true, Limit: 99},
- string(entitlements.CloudAuditLogRetention): {Enabled: true, Limit: 99},
- string(entitlements.DB): {Enabled: true, Limit: 99},
- string(entitlements.Desktop): {Enabled: true, Limit: 99},
- string(entitlements.DeviceTrust): {Enabled: true, Limit: 99},
- string(entitlements.ExternalAuditStorage): {Enabled: true, Limit: 99},
- string(entitlements.FeatureHiding): {Enabled: true, Limit: 99},
- string(entitlements.HSM): {Enabled: true, Limit: 99},
- string(entitlements.Identity): {Enabled: true, Limit: 99},
- string(entitlements.JoinActiveSessions): {Enabled: true, Limit: 99},
- string(entitlements.K8s): {Enabled: true, Limit: 99},
- string(entitlements.MobileDeviceManagement): {Enabled: true, Limit: 99},
- string(entitlements.OIDC): {Enabled: true, Limit: 99},
- string(entitlements.OktaSCIM): {Enabled: true, Limit: 99},
- string(entitlements.OktaUserSync): {Enabled: true, Limit: 99},
- string(entitlements.Policy): {Enabled: true, Limit: 99},
- string(entitlements.SAML): {Enabled: true, Limit: 99},
- string(entitlements.SessionLocks): {Enabled: true, Limit: 99},
- string(entitlements.UpsellAlert): {Enabled: true, Limit: 99},
- string(entitlements.UsageReporting): {Enabled: true, Limit: 99},
- string(entitlements.LicenseAutoUpdate): {Enabled: true, Limit: 99},
- string(entitlements.AccessGraphDemoMode): {Enabled: true, Limit: 99},
+ string(entitlements.AccessLists): {Enabled: true, Limit: 99},
+ string(entitlements.AccessMonitoring): {Enabled: true, Limit: 99},
+ string(entitlements.AccessRequests): {Enabled: true, Limit: 99},
+ string(entitlements.App): {Enabled: true, Limit: 99},
+ string(entitlements.CloudAuditLogRetention): {Enabled: true, Limit: 99},
+ string(entitlements.DB): {Enabled: true, Limit: 99},
+ string(entitlements.Desktop): {Enabled: true, Limit: 99},
+ string(entitlements.DeviceTrust): {Enabled: true, Limit: 99},
+ string(entitlements.ExternalAuditStorage): {Enabled: true, Limit: 99},
+ string(entitlements.FeatureHiding): {Enabled: true, Limit: 99},
+ string(entitlements.HSM): {Enabled: true, Limit: 99},
+ string(entitlements.Identity): {Enabled: true, Limit: 99},
+ string(entitlements.JoinActiveSessions): {Enabled: true, Limit: 99},
+ string(entitlements.K8s): {Enabled: true, Limit: 99},
+ string(entitlements.MobileDeviceManagement): {Enabled: true, Limit: 99},
+ string(entitlements.OIDC): {Enabled: true, Limit: 99},
+ string(entitlements.OktaSCIM): {Enabled: true, Limit: 99},
+ string(entitlements.OktaUserSync): {Enabled: true, Limit: 99},
+ string(entitlements.Policy): {Enabled: true, Limit: 99},
+ string(entitlements.SAML): {Enabled: true, Limit: 99},
+ string(entitlements.SessionLocks): {Enabled: true, Limit: 99},
+ string(entitlements.UpsellAlert): {Enabled: true, Limit: 99},
+ string(entitlements.UsageReporting): {Enabled: true, Limit: 99},
+ string(entitlements.LicenseAutoUpdate): {Enabled: true, Limit: 99},
+ string(entitlements.AccessGraphDemoMode): {Enabled: true, Limit: 99},
+ string(entitlements.UnrestrictedManagedUpdates): {Enabled: true, Limit: 99},
 },
 },
 },
@@ -11109,16 +11113,17 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) { }, Entitlements: map[string]webclient.EntitlementInfo{ // no equivalent legacy feature; defaults to false - string(entitlements.App): {Enabled: false}, - string(entitlements.CloudAuditLogRetention): {Enabled: false}, - string(entitlements.DB): {Enabled: false}, - string(entitlements.Desktop): {Enabled: false}, - string(entitlements.HSM): {Enabled: false}, - string(entitlements.K8s): {Enabled: false}, - string(entitlements.UpsellAlert): {Enabled: false}, - string(entitlements.UsageReporting): {Enabled: false}, - string(entitlements.LicenseAutoUpdate): {Enabled: false}, - string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.App): {Enabled: false}, + string(entitlements.CloudAuditLogRetention): {Enabled: false}, + string(entitlements.DB): {Enabled: false}, + string(entitlements.Desktop): {Enabled: false}, + string(entitlements.HSM): {Enabled: false}, + string(entitlements.K8s): {Enabled: false}, + string(entitlements.UpsellAlert): {Enabled: false}, + string(entitlements.UsageReporting): {Enabled: false}, + string(entitlements.LicenseAutoUpdate): {Enabled: false}, + string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: false}, // set to equivalent legacy feature string(entitlements.ExternalAuditStorage): {Enabled: true}, 
@@ -11239,15 +11244,16 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) { string(entitlements.UsageReporting): {Enabled: false}, // set to equivalent legacy feature - string(entitlements.ExternalAuditStorage): {Enabled: true}, - string(entitlements.FeatureHiding): {Enabled: true}, - string(entitlements.Identity): {Enabled: false}, - string(entitlements.JoinActiveSessions): {Enabled: true}, - string(entitlements.MobileDeviceManagement): {Enabled: true}, - string(entitlements.OIDC): {Enabled: true}, - string(entitlements.Policy): {Enabled: true}, - string(entitlements.SAML): {Enabled: true}, - string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.ExternalAuditStorage): {Enabled: true}, + string(entitlements.FeatureHiding): {Enabled: true}, + string(entitlements.Identity): {Enabled: false}, + string(entitlements.JoinActiveSessions): {Enabled: true}, + string(entitlements.MobileDeviceManagement): {Enabled: true}, + string(entitlements.OIDC): {Enabled: true}, + string(entitlements.Policy): {Enabled: true}, + string(entitlements.SAML): {Enabled: true}, + string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: false}, // set to legacy feature "IsIGSEnabled"; false so set value and keep limits string(entitlements.AccessLists): {Enabled: true, Limit: 88}, string(entitlements.AccessMonitoring): {Enabled: true, Limit: 88}, 
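Review bot: The new `UnrestrictedManagedUpdates` entry in this hunk sits under the `// set to equivalent legacy feature` comment, while the hunk at -11109 lists the same kind under `// no equivalent legacy feature; defaults to false`. Both expect `{Enabled: false}`, so the assertion is unaffected, but the grouping here tells a reader that a legacy flag drives this entitlement. Moving the line, together with the neighbouring `AccessGraphDemoMode` line that has the same mismatch, up next to `string(entitlements.UsageReporting): {Enabled: false},` (which appears to close the no-legacy-equivalent group) would keep the two cases consistent. The surrounding map literal starts and ends outside the hunk.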
@@ -11333,31 +11339,32 @@ func Test_setEntitlementsWithLegacyLogic(t *testing.T) { SAML: false, MobileDeviceManagement: false, Entitlements: map[string]webclient.EntitlementInfo{ - string(entitlements.AccessLists): {Enabled: true}, // AccessLists had no previous behavior from an enablement perspective; so we default to true - string(entitlements.AccessMonitoring): {Enabled: false}, - string(entitlements.AccessRequests): {Enabled: false}, - string(entitlements.App): {Enabled: false}, - string(entitlements.CloudAuditLogRetention): {Enabled: false}, - string(entitlements.DB): {Enabled: false}, - string(entitlements.Desktop): {Enabled: false}, - string(entitlements.DeviceTrust): {Enabled: false}, - string(entitlements.ExternalAuditStorage): {Enabled: false}, - string(entitlements.FeatureHiding): {Enabled: false}, - string(entitlements.HSM): {Enabled: false}, - string(entitlements.Identity): {Enabled: false}, - string(entitlements.JoinActiveSessions): {Enabled: false}, - string(entitlements.K8s): {Enabled: false}, - string(entitlements.MobileDeviceManagement): {Enabled: false}, - string(entitlements.OIDC): {Enabled: false}, - string(entitlements.OktaSCIM): {Enabled: false}, - string(entitlements.OktaUserSync): {Enabled: false}, - string(entitlements.Policy): {Enabled: false}, - string(entitlements.SAML): {Enabled: false}, - string(entitlements.SessionLocks): {Enabled: false}, - string(entitlements.UpsellAlert): {Enabled: false}, - string(entitlements.UsageReporting): {Enabled: false}, - string(entitlements.LicenseAutoUpdate): {Enabled: false}, - string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.AccessLists): {Enabled: true}, // AccessLists had no previous behavior from an enablement perspective; so we default to true + string(entitlements.AccessMonitoring): {Enabled: false}, + string(entitlements.AccessRequests): {Enabled: false}, + string(entitlements.App): {Enabled: false}, + string(entitlements.CloudAuditLogRetention): {Enabled: 
false}, + string(entitlements.DB): {Enabled: false}, + string(entitlements.Desktop): {Enabled: false}, + string(entitlements.DeviceTrust): {Enabled: false}, + string(entitlements.ExternalAuditStorage): {Enabled: false}, + string(entitlements.FeatureHiding): {Enabled: false}, + string(entitlements.HSM): {Enabled: false}, + string(entitlements.Identity): {Enabled: false}, + string(entitlements.JoinActiveSessions): {Enabled: false}, + string(entitlements.K8s): {Enabled: false}, + string(entitlements.MobileDeviceManagement): {Enabled: false}, + string(entitlements.OIDC): {Enabled: false}, + string(entitlements.OktaSCIM): {Enabled: false}, + string(entitlements.OktaUserSync): {Enabled: false}, + string(entitlements.Policy): {Enabled: false}, + string(entitlements.SAML): {Enabled: false}, + string(entitlements.SessionLocks): {Enabled: false}, + string(entitlements.UpsellAlert): {Enabled: false}, + string(entitlements.UsageReporting): {Enabled: false}, + string(entitlements.LicenseAutoUpdate): {Enabled: false}, + string(entitlements.AccessGraphDemoMode): {Enabled: false}, + string(entitlements.UnrestrictedManagedUpdates): {Enabled: false}, }, }, }, diff --git a/web/packages/teleport/src/entitlement.ts b/web/packages/teleport/src/entitlement.ts index c48e3c71d3408..a1631726bf9f0 100644 --- a/web/packages/teleport/src/entitlement.ts +++ b/web/packages/teleport/src/entitlement.ts @@ -40,6 +40,7 @@ type entitlement = | 'Policy' | 'SAML' | 'SessionLocks' + | 'UnrestrictedManagedUpdates' | 'UpsellAlert' | 'UsageReporting'; @@ -69,6 +70,7 @@ export const defaultEntitlements: Record< Policy: { enabled: false, limit: 0 }, SAML: { enabled: false, limit: 0 }, SessionLocks: { enabled: false, limit: 0 }, + UnrestrictedManagedUpdates: { enabled: false, limit: 0 }, UpsellAlert: { enabled: false, limit: 0 }, UsageReporting: { enabled: false, limit: 0 }, };