Allow setting custom reason prompt for Access Requests

[kopiczko]

Issue: #29475

Requires #54660

E companion: https://github.com/gravitational/teleport.e/pull/6502

Changes:

• if any of the user's role is configured with .spec.options.request_prompt then that request will be displayed in the reason box in the UI (screenshot below)
• for multiple roles .spec.options.request_prompt prompts are sorted and deduplicated
• (not a change) for auto-request only one random prompt is displayed for backward compatibility

Bonus changes:

• now we can validate if reason is required in the UI before sending request to backend
• as a consequence of the above, the reason is never required for the dry-run access request

After pressing "Submit Request", when 2 prompts are configured and the reason is required:

Note: Teleport Connect support is added in #55092

changelog: UI: Access Request reason prompts configured in Role.spec.options.request_prompt are now displayed in the reason text box, if such a role is assigned to the user.

[gzdunek]

There's already a requireReason field https://github.com/gravitational/teleport.e/blob/b24b076f260ad5900f589a04cd7debc4f3059527/web/teleport/src/Workflow/NewRequest/useRequestCheckout.tsx#L226.

How does it differ from reasonMode? Could we only have requireReason?

[kopiczko]

They come from different fields in the role.

requireReason comes from .spec.options.request_access and the reasonMode comes from .spec.allow.request.reason.mode. They have slightly different semantics:

• https://goteleport.com/docs/admin-guides/access-controls/access-requests/access-request-configuration/#requiring-request-reasons
• https://goteleport.com/docs/admin-guides/access-controls/access-requests/access-request-configuration/#how-clients-request-access

[kimlisa]

for RequestCheckout i don't think we need the distinction between reasonMode and requireReason (especially if my mental wiring was correct, reasonMode refers to both fields?).

all we need to know is is reason required so we can mark the textbox as required.

[kopiczko]

I removed reasonMode from there. The handling is done in https://github.com/gravitational/teleport.e/pull/6502/files#diff-b64b7aa2754e33df83b39bcee2a857c345415c9a1c8de0f5138424c48a3a7acdR228

[kimlisa]

is the reason mode included in the flag?

access request isn't confusing at all 😭 (i just looked at the requiringReasonRoles)

i would mention in comment, not to be confused with spec.allow.request.reason.mode

can we also mention that this flag takes precedence over the reason mode?

[kopiczko]

There is no precedence. If any of them matches then the reason is requred.

[kimlisa]

hrm, what benefit do we get by sorting the prompts? i'd imagine a user would not expect that or what if prompts are built from previous prompts?

[kopiczko]

There is no guaranteed order they will come from the backend. I'd like to avoid situation where the order is changed on every refresh. So by extension prompts can't be build from previous prompts.

[kimlisa]

i'm not sure enrichment.ReasonMode the ReasonMode is the right variable name to use b/c it makes it sound like that's the spec.allow.request.reason.mode value, but it's that or the options.request_access (which takes precedence).

I'd probably rename it to just enrichment.ReasonRequired or RequireReason

[kopiczko]

options.request_access doesn't take precedence. It may look like that from the implementation because it's more efficient to check options.request_access first. I'd even say checking options.request_access for regular (not autologin) access requests was a bad decision.

I prefer to stick with the enum because in unlikely case this mode is extended we won't have to change the wire format.

[kimlisa]

i just want to make sure, is this reasonMode referring specifically to field spec.allow.request.reason.mode

[kopiczko]

It covers both spec.allow.request.reason.mode and spec.options.request_access

[kopiczko]

I think I know why you may be confused. The information take from the user state may be already outdated. This reasonMode thing will calculated from the current backend state regardless of the roles in the cert.

[kimlisa]

for RequestCheckout i don't think we need the distinction between reasonMode and requireReason (especially if my mental wiring was correct, reasonMode refers to both fields?).

all we need to know is is reason required so we can mark the textbox as required.

[kopiczko]

@gzdunek @kimlisa @smallinsky PTALA

[smallinsky]

This is quite scary interface.

I would expect that the err == nil the object is valid

Can we just req.SetDryRunEnrichment(enrichment) ?

[kopiczko]

Done.

[gzdunek]

In the line 272 we should also add:

            requireReason={reasonMode === 'required'}

Another thing is that these prompts work only in Web UI, not in Teleport Connect (teleterm).
To add them there too, we need to extend the below struct with these two new fields (reasonMode and reasonPrompts):

teleport/lib/teleterm/apiserver/handler/handler_access_requests.go

Lines 203 to 221 in f33bbbf

	return &api.AccessRequest{
	Id: req.GetName(),
	State: req.GetState().String(),
	ResolveReason: req.GetResolveReason(),
	RequestReason: req.GetRequestReason(),
	User: req.GetUser(),
	Roles: req.GetRoles(),
	Created: timestamppb.New(req.GetCreationTime()),
	Expires: timestamppb.New(req.GetAccessExpiry()),
	Reviews: reviews,
	SuggestedReviewers: req.GetSuggestedReviewers(),
	ThresholdNames: thresholdNames,
	ResourceIds: requestedResourceIDs,
	Resources: resources,
	PromotedAccessListTitle: req.GetPromotedAccessListTitle(),
	AssumeStartTime: getProtoTimestamp(req.GetAssumeStartTime()),
	MaxDuration: timestamppb.New(req.GetMaxDuration()),
	RequestTtl: timestamppb.New(req.Expiry()),
	SessionTtl: timestamppb.New(req.GetSessionTLL()),

and make sure that they are passed here:

teleport/web/packages/teleterm/src/ui/DocumentAccessRequests/useAccessRequests.tsx

Lines 87 to 106 in d339c65

	export function makeUiAccessRequest(request: TshdAccessRequest) {
	return makeAccessRequest({
	...request,
	created: Timestamp.toDate(request.created),
	expires: Timestamp.toDate(request.expires),
	maxDuration: request.maxDuration && Timestamp.toDate(request.maxDuration),
	requestTTL: request.requestTtl && Timestamp.toDate(request.requestTtl),
	sessionTTL: request.sessionTtl && Timestamp.toDate(request.sessionTtl),
	assumeStartTime:
	request.assumeStartTime && Timestamp.toDate(request.assumeStartTime),
	roles: request.roles,
	reviews: request.reviews.map(review => ({
	...review,
	created: Timestamp.toDate(review.created),
	assumeStartTime:
	review.assumeStartTime && Timestamp.toDate(review.assumeStartTime),
	})),
	suggestedReviewers: request.suggestedReviewers,
	thresholdNames: request.thresholdNames,
	resources: request.resources,

Unfortunately the type for an argument in makeAccessRequest is any so TypeScript doesn't show any errors about missing fields.

In case of any problems feel free to reach out to me.

[kopiczko]

Would you be ok with adding Teleport Connect support in a subsequent PR?

[gzdunek]

Yeah, sure.

[kopiczko]

#55092

[kopiczko]

@gzdunek PTALA

[gzdunek]

The frontend side looks good to me.

[gzdunek]

Unnecessary optional chaining (optionality can also be removed in the line 739).

[gzdunek]

Yeah, sure.

[backport-bot-workflows]

@kopiczko See the table below for backport results.

Branch	Result
branch/v17	Failed