Skip to content

Commit

Permalink
Update proxy features (#45979)
Browse files Browse the repository at this point in the history 
* Add feature watcher

* Add test

* Update godocs, fix typos, rename SupportEntitlementsCompatibility to BackfillFeatures

* Godocs; rename start and stop functions

* Use `Feature` prefix in var names instead of `License`

* Fix lint

* Fix TestGetWebConfig_LegacyFeatureLimits

* Fix TestGetWebConfig_WithEntitlements

* Fix tests and lint

* Remove sync.Once

* Add jitter

* Remove Ping call from getUserContext

* Move entitlements test to entitlements package

* Apply suggestions from code review: godoc and tests improvement.

Co-authored-by: Zac Bergquist <[email protected]>

* Improve tests

* Shadow `t` in EventuallyWithT closure to avoid mistakes

* Improve startFeatureWatcher godoc

* Log features on update

* Log features on update

* Avoid race condition on test

* Improve TODO comment

Co-authored-by: rosstimothy <[email protected]>

* Use handler config context

* Start feature watcher in NewHandler

* Improve startFeatureWatcher godocs

* Add TODO to unexport SetClusterFeatures

* Remove featureWatcherReady

* Use require in require.EventuallyWithT in cases where an error is not expected

* Use return of assert.NoError` to return early on require.EventuallyWithT

---------

Co-authored-by: Zac Bergquist <[email protected]>
Co-authored-by: rosstimothy <[email protected]>
  • Loading branch information
@mcbattirola @zmb3 @rosstimothy
3 people authored Oct 1, 2024
1 parent 5f4eaf3 commit 75bc1f2
Show file tree
Hide file tree
Showing 11 changed files with 680 additions and 410 deletions.
66 changes: 66 additions & 0 deletions entitlements/entitlements.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@

package entitlements

import "github.com/gravitational/teleport/api/client/proto"

type EntitlementKind string

// The EntitlementKind list should be 1:1 with the Features & FeatureStrings in salescenter/product/product.go,
Expand Down Expand Up @@ -57,3 +59,67 @@ var AllEntitlements = []EntitlementKind{
ExternalAuditStorage, FeatureHiding, HSM, Identity, JoinActiveSessions, K8s, MobileDeviceManagement, OIDC, OktaSCIM,
OktaUserSync, Policy, SAML, SessionLocks, UpsellAlert, UsageReporting, LicenseAutoUpdate,
}

// BackfillFeatures ensures entitlements are backwards compatible.
// If Entitlements are present, there are no changes.
// If Entitlements are not present, it sets the entitlements based on legacy field values.
// TODO(michellescripts) DELETE IN 18.0.0
func BackfillFeatures(features *proto.Features) {
if len(features.Entitlements) > 0 {
return
}

features.Entitlements = getBaseEntitlements(features.GetEntitlements())

// Entitlements: All records are {enabled: false}; update to equal legacy feature value
features.Entitlements[string(ExternalAuditStorage)] = &proto.EntitlementInfo{Enabled: features.GetExternalAuditStorage()}
features.Entitlements[string(FeatureHiding)] = &proto.EntitlementInfo{Enabled: features.GetFeatureHiding()}
features.Entitlements[string(Identity)] = &proto.EntitlementInfo{Enabled: features.GetIdentityGovernance()}
features.Entitlements[string(JoinActiveSessions)] = &proto.EntitlementInfo{Enabled: features.GetJoinActiveSessions()}
features.Entitlements[string(MobileDeviceManagement)] = &proto.EntitlementInfo{Enabled: features.GetMobileDeviceManagement()}
features.Entitlements[string(OIDC)] = &proto.EntitlementInfo{Enabled: features.GetOIDC()}
features.Entitlements[string(Policy)] = &proto.EntitlementInfo{Enabled: features.GetPolicy().GetEnabled()}
features.Entitlements[string(SAML)] = &proto.EntitlementInfo{Enabled: features.GetSAML()}
features.Entitlements[string(K8s)] = &proto.EntitlementInfo{Enabled: features.GetKubernetes()}
features.Entitlements[string(App)] = &proto.EntitlementInfo{Enabled: features.GetApp()}
features.Entitlements[string(DB)] = &proto.EntitlementInfo{Enabled: features.GetDB()}
features.Entitlements[string(Desktop)] = &proto.EntitlementInfo{Enabled: features.GetDesktop()}
features.Entitlements[string(HSM)] = &proto.EntitlementInfo{Enabled: features.GetHSM()}

// set default Identity fields to legacy feature value
features.Entitlements[string(AccessLists)] = &proto.EntitlementInfo{Enabled: true, Limit: features.GetAccessList().GetCreateLimit()}
features.Entitlements[string(AccessMonitoring)] = &proto.EntitlementInfo{Enabled: features.GetAccessMonitoring().GetEnabled(), Limit: features.GetAccessMonitoring().GetMaxReportRangeLimit()}
features.Entitlements[string(AccessRequests)] = &proto.EntitlementInfo{Enabled: features.GetAccessRequests().MonthlyRequestLimit > 0, Limit: features.GetAccessRequests().GetMonthlyRequestLimit()}
features.Entitlements[string(DeviceTrust)] = &proto.EntitlementInfo{Enabled: features.GetDeviceTrust().GetEnabled(), Limit: features.GetDeviceTrust().GetDevicesUsageLimit()}
// override Identity Package features if Identity is enabled: set true and clear limit
if features.GetIdentityGovernance() {
features.Entitlements[string(AccessLists)] = &proto.EntitlementInfo{Enabled: true}
features.Entitlements[string(AccessMonitoring)] = &proto.EntitlementInfo{Enabled: true}
features.Entitlements[string(AccessRequests)] = &proto.EntitlementInfo{Enabled: true}
features.Entitlements[string(DeviceTrust)] = &proto.EntitlementInfo{Enabled: true}
features.Entitlements[string(OktaSCIM)] = &proto.EntitlementInfo{Enabled: true}
features.Entitlements[string(OktaUserSync)] = &proto.EntitlementInfo{Enabled: true}
features.Entitlements[string(SessionLocks)] = &proto.EntitlementInfo{Enabled: true}
}
}

// getBaseEntitlements takes a cloud entitlement set and returns a modules Entitlement set
func getBaseEntitlements(protoEntitlements map[string]*proto.EntitlementInfo) map[string]*proto.EntitlementInfo {
all := AllEntitlements
result := make(map[string]*proto.EntitlementInfo, len(all))

for _, e := range all {
al, ok := protoEntitlements[string(e)]
if !ok {
result[string(e)] = &proto.EntitlementInfo{}
continue
}

result[string(e)] = &proto.EntitlementInfo{
Enabled: al.Enabled,
Limit: al.Limit,
}
}

return result
}
286 changes: 286 additions & 0 deletions entitlements/entitlements_test.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,286 @@
// Teleport
// Copyright (C) 2024 Gravitational, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.

package entitlements

import (
"testing"

"github.com/stretchr/testify/require"

"github.com/gravitational/teleport/api/client/proto"
apiutils "github.com/gravitational/teleport/api/utils"
)

func TestBackfillFeatures(t *testing.T) {
tests := []struct {
name string
features *proto.Features
expected map[string]*proto.EntitlementInfo
}{
{
name: "entitlements present; keeps entitlement values",
features: &proto.Features{
DeviceTrust: nil,
AccessRequests: nil,
AccessList: nil,
AccessMonitoring: nil,
Policy: nil,
CustomTheme: "",
ProductType: 0,
SupportType: 0,
Kubernetes: false,
App: false,
DB: false,
OIDC: false,
SAML: false,
AccessControls: false,
AdvancedAccessWorkflows: false,
Cloud: false,
HSM: false,
Desktop: false,
RecoveryCodes: false,
Plugins: false,
AutomaticUpgrades: false,
IsUsageBased: false,
Assist: false,
FeatureHiding: false,
IdentityGovernance: false,
AccessGraph: false,
Questionnaire: false,
IsStripeManaged: false,
ExternalAuditStorage: false,
JoinActiveSessions: false,
MobileDeviceManagement: false,
AccessMonitoringConfigured: false,
Entitlements: map[string]*proto.EntitlementInfo{
string(AccessLists): {Enabled: true, Limit: 111},
string(AccessMonitoring): {Enabled: true, Limit: 2113},
string(AccessRequests): {Enabled: true, Limit: 39},
string(App): {Enabled: false},
string(CloudAuditLogRetention): {Enabled: true},
string(DB): {Enabled: true},
string(Desktop): {Enabled: true},
string(DeviceTrust): {Enabled: true, Limit: 103},
string(ExternalAuditStorage): {Enabled: true},
string(FeatureHiding): {Enabled: true},
string(HSM): {Enabled: true},
string(Identity): {Enabled: true},
string(JoinActiveSessions): {Enabled: true},
string(K8s): {Enabled: true},
string(MobileDeviceManagement): {Enabled: true},
string(OIDC): {Enabled: true},
string(OktaSCIM): {Enabled: true},
string(OktaUserSync): {Enabled: true},
string(Policy): {Enabled: true},
string(SAML): {Enabled: true},
string(SessionLocks): {Enabled: true},
string(UpsellAlert): {Enabled: true},
string(UsageReporting): {Enabled: true},
string(LicenseAutoUpdate): {Enabled: true},
},
},
expected: map[string]*proto.EntitlementInfo{
string(AccessLists): {Enabled: true, Limit: 111},
string(AccessMonitoring): {Enabled: true, Limit: 2113},
string(AccessRequests): {Enabled: true, Limit: 39},
string(App): {Enabled: false},
string(CloudAuditLogRetention): {Enabled: true},
string(DB): {Enabled: true},
string(Desktop): {Enabled: true},
string(DeviceTrust): {Enabled: true, Limit: 103},
string(ExternalAuditStorage): {Enabled: true},
string(FeatureHiding): {Enabled: true},
string(HSM): {Enabled: true},
string(Identity): {Enabled: true},
string(JoinActiveSessions): {Enabled: true},
string(K8s): {Enabled: true},
string(MobileDeviceManagement): {Enabled: true},
string(OIDC): {Enabled: true},
string(OktaSCIM): {Enabled: true},
string(OktaUserSync): {Enabled: true},
string(Policy): {Enabled: true},
string(SAML): {Enabled: true},
string(SessionLocks): {Enabled: true},
string(UpsellAlert): {Enabled: true},
string(UsageReporting): {Enabled: true},
string(LicenseAutoUpdate): {Enabled: true},
},
},
{
name: "entitlements not present; identity on - sets legacy fields & drops limits",
features: &proto.Features{
DeviceTrust: &proto.DeviceTrustFeature{
Enabled: true,
DevicesUsageLimit: 33,
},
AccessRequests: &proto.AccessRequestsFeature{
MonthlyRequestLimit: 22,
},
AccessList: &proto.AccessListFeature{
CreateLimit: 44,
},
AccessMonitoring: &proto.AccessMonitoringFeature{
Enabled: true,
MaxReportRangeLimit: 55,
},
Policy: &proto.PolicyFeature{
Enabled: true,
},
CustomTheme: "",
ProductType: 0,
SupportType: 0,
Kubernetes: true,
App: true,
DB: true,
OIDC: true,
SAML: true,
AccessControls: true,
AdvancedAccessWorkflows: true,
Cloud: true,
HSM: true,
Desktop: true,
RecoveryCodes: true,
Plugins: true,
AutomaticUpgrades: true,
IsUsageBased: true,
Assist: true,
FeatureHiding: true,
IdentityGovernance: true,
AccessGraph: true,
Questionnaire: true,
IsStripeManaged: true,
ExternalAuditStorage: true,
JoinActiveSessions: true,
MobileDeviceManagement: true,
AccessMonitoringConfigured: true,
},
expected: map[string]*proto.EntitlementInfo{
string(AccessLists): {Enabled: true},
string(AccessMonitoring): {Enabled: true},
string(AccessRequests): {Enabled: true},
string(App): {Enabled: true},
string(DB): {Enabled: true},
string(Desktop): {Enabled: true},
string(DeviceTrust): {Enabled: true},
string(ExternalAuditStorage): {Enabled: true},
string(FeatureHiding): {Enabled: true},
string(HSM): {Enabled: true},
string(Identity): {Enabled: true},
string(JoinActiveSessions): {Enabled: true},
string(K8s): {Enabled: true},
string(MobileDeviceManagement): {Enabled: true},
string(OIDC): {Enabled: true},
string(OktaSCIM): {Enabled: true},
string(OktaUserSync): {Enabled: true},
string(Policy): {Enabled: true},
string(SAML): {Enabled: true},
string(SessionLocks): {Enabled: true},
// defaults, no legacy equivalent
string(UsageReporting): {Enabled: false},
string(UpsellAlert): {Enabled: false},
string(CloudAuditLogRetention): {Enabled: false},
string(LicenseAutoUpdate): {Enabled: false},
},
},
{
name: "entitlements not present; identity off - sets legacy fields",
features: &proto.Features{
DeviceTrust: &proto.DeviceTrustFeature{
Enabled: true,
DevicesUsageLimit: 33,
},
AccessRequests: &proto.AccessRequestsFeature{
MonthlyRequestLimit: 22,
},
AccessList: &proto.AccessListFeature{
CreateLimit: 44,
},
AccessMonitoring: &proto.AccessMonitoringFeature{
Enabled: true,
MaxReportRangeLimit: 55,
},
Policy: &proto.PolicyFeature{
Enabled: true,
},
CustomTheme: "",
ProductType: 0,
SupportType: 0,
Kubernetes: true,
App: true,
DB: true,
OIDC: true,
SAML: true,
AccessControls: true,
AdvancedAccessWorkflows: true,
Cloud: true,
HSM: true,
Desktop: true,
RecoveryCodes: true,
Plugins: true,
AutomaticUpgrades: true,
IsUsageBased: true,
Assist: true,
FeatureHiding: true,
IdentityGovernance: false,
AccessGraph: true,
Questionnaire: true,
IsStripeManaged: true,
ExternalAuditStorage: true,
JoinActiveSessions: true,
MobileDeviceManagement: true,
AccessMonitoringConfigured: true,
},
expected: map[string]*proto.EntitlementInfo{
string(AccessLists): {Enabled: true, Limit: 44},
string(AccessMonitoring): {Enabled: true, Limit: 55},
string(AccessRequests): {Enabled: true, Limit: 22},
string(DeviceTrust): {Enabled: true, Limit: 33},
string(App): {Enabled: true},
string(DB): {Enabled: true},
string(Desktop): {Enabled: true},
string(ExternalAuditStorage): {Enabled: true},
string(FeatureHiding): {Enabled: true},
string(HSM): {Enabled: true},
string(JoinActiveSessions): {Enabled: true},
string(K8s): {Enabled: true},
string(MobileDeviceManagement): {Enabled: true},
string(OIDC): {Enabled: true},
string(Policy): {Enabled: true},
string(SAML): {Enabled: true},

// defaults, no legacy equivalent
string(UsageReporting): {Enabled: false},
string(UpsellAlert): {Enabled: false},
string(CloudAuditLogRetention): {Enabled: false},
string(LicenseAutoUpdate): {Enabled: false},
// Identity off, fields false
string(Identity): {Enabled: false},
string(SessionLocks): {Enabled: false},
string(OktaSCIM): {Enabled: false},
string(OktaUserSync): {Enabled: false},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cloned := apiutils.CloneProtoMsg(tt.features)

BackfillFeatures(cloned)
require.Equal(t, tt.expected, cloned.Entitlements)
})
}
}
Loading

0 comments on commit 75bc1f2

Please sign in to comment.