[sec_scan][5] add secrets backend service (#43543)

* [sec_scan][5] add secrets backend service This PR implements the backend service to support storing `authorized_keys` and `private_keys` into Teleport backend. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]> * handle feedback * handle nits --------- Signed-off-by: Tiago Silva <[email protected]>
gravitational · Jul 11, 2024 · 157d0d7 · 157d0d7
1 parent 9308a47
commit 157d0d7
Show file tree

Hide file tree

Showing 8 changed files with 894 additions and 0 deletions.
diff --git a/api/types/accessgraph/authorized_key.go b/api/types/accessgraph/authorized_key.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package accessgraph
+
+import (
+	"time"
+
+	"github.com/gravitational/trace"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	accessgraphv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+const (
+	authorizedKeyDefaultKeyTTL = 8 * time.Hour
+)
+
+// NewAuthorizedKey creates a new SSH authorized key resource.
+func NewAuthorizedKey(spec *accessgraphv1pb.AuthorizedKeySpec) (*accessgraphv1pb.AuthorizedKey, error) {
+	name := authKeyHashNameKey(spec)
+	authKey := &accessgraphv1pb.AuthorizedKey{
+		Kind:    types.KindAccessGraphSecretAuthorizedKey,
+		Version: types.V1,
+		Metadata: &headerv1.Metadata{
+			Name: name,
+			Expires: timestamppb.New(
+				time.Now().Add(authorizedKeyDefaultKeyTTL),
+			),
+		},
+		Spec: spec,
+	}
+	if err := ValidateAuthorizedKey(authKey); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return authKey, nil
+}
+
+// ValidateAuthorizedKey checks that required parameters are set
+// for the specified AuthorizedKey
+func ValidateAuthorizedKey(k *accessgraphv1pb.AuthorizedKey) error {
+	if k == nil {
+		return trace.BadParameter("AuthorizedKey is nil")
+	}
+	if k.Metadata == nil {
+		return trace.BadParameter("Metadata is nil")
+	}
+	if k.Spec == nil {
+		return trace.BadParameter("Spec is nil")
+	}
+
+	if k.Spec.HostId == "" {
+		return trace.BadParameter("HostId is unset")
+	}
+	if k.Spec.HostUser == "" {
+		return trace.BadParameter("HostUser is unset")
+	}
+	if k.Spec.KeyFingerprint == "" {
+		return trace.BadParameter("KeyFingerprint is unset")
+	}
+
+	if k.Metadata.Name == "" {
+		return trace.BadParameter("Name is unset")
+	}
+	if k.Metadata.Name != authKeyHashNameKey(k.Spec) {
+		return trace.BadParameter("Name must be derived from the key fields")
+	}
+
+	return nil
+}
+
+func authKeyHashNameKey(k *accessgraphv1pb.AuthorizedKeySpec) string {
+	return hashComp(k.HostId, k.HostUser, k.KeyFingerprint)
+}
diff --git a/api/types/accessgraph/authorized_key_test.go b/api/types/accessgraph/authorized_key_test.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package accessgraph
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/testing/protocmp"
+
+	accessgraphv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1"
+)
+
+func TestAuthorizedKey(t *testing.T) {
+	tests := []struct {
+		name          string
+		spec          *accessgraphv1pb.AuthorizedKeySpec
+		errValidation require.ErrorAssertionFunc
+	}{
+		{
+			name: "valid",
+			spec: &accessgraphv1pb.AuthorizedKeySpec{
+				HostId:         uuid.New().String(),
+				KeyFingerprint: "fingerprint",
+				HostUser:       "user",
+			},
+			errValidation: require.NoError,
+		},
+		{
+			name: "missing fingerprint",
+			spec: &accessgraphv1pb.AuthorizedKeySpec{
+				HostId:         uuid.New().String(),
+				KeyFingerprint: "",
+				HostUser:       "user",
+			},
+			errValidation: func(t require.TestingT, err error, i ...any) {
+				require.ErrorContains(t, err, "KeyFingerprint is unset")
+			},
+		},
+		{
+			name: "missing user",
+			spec: &accessgraphv1pb.AuthorizedKeySpec{
+				HostId:         uuid.New().String(),
+				KeyFingerprint: "fingerprint",
+				HostUser:       "",
+			},
+			errValidation: func(t require.TestingT, err error, i ...any) {
+				require.ErrorContains(t, err, "HostUser is unset")
+			},
+		},
+		{
+			name: "missing HostID",
+			spec: &accessgraphv1pb.AuthorizedKeySpec{
+				KeyFingerprint: "fingerprint",
+				HostUser:       "user",
+			},
+			errValidation: func(t require.TestingT, err error, i ...any) {
+				require.ErrorContains(t, err, "HostId is unset")
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			privKey, err := NewAuthorizedKey(tt.spec)
+			tt.errValidation(t, err)
+			if err != nil {
+				return
+			}
+			require.NotEmpty(t, privKey.Metadata.Name)
+			require.Empty(t, cmp.Diff(tt.spec, privKey.Spec, protocmp.Transform()))
+
+		})
+	}
+}
diff --git a/api/types/accessgraph/private_key.go b/api/types/accessgraph/private_key.go
@@ -0,0 +1,108 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package accessgraph
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+
+	"github.com/gravitational/trace"
+
+	accessgraphv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1"
+	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// NewPrivateKey creates a new SSH Private key resource with a generated name based on the spec.
+func NewPrivateKey(spec *accessgraphv1pb.PrivateKeySpec) (*accessgraphv1pb.PrivateKey, error) {
+	name := privKeyHashNameKey(spec)
+	v, err := NewPrivateKeyWithName(name, spec)
+
+	return v, trace.Wrap(err)
+}
+
+// NewPrivateKeyWithName creates a new SSH Private key resource.
+func NewPrivateKeyWithName(name string, spec *accessgraphv1pb.PrivateKeySpec) (*accessgraphv1pb.PrivateKey, error) {
+	privKey := &accessgraphv1pb.PrivateKey{
+		Kind:    types.KindAccessGraphSecretPrivateKey,
+		Version: types.V1,
+		Metadata: &headerv1.Metadata{
+			Name: name,
+		},
+		Spec: spec,
+	}
+	if err := ValidatePrivateKey(privKey); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return privKey, nil
+}
+
+// ValidatePrivateKey checks that required parameters are set
+// for the specified PrivateKey
+func ValidatePrivateKey(k *accessgraphv1pb.PrivateKey) error {
+	if k == nil {
+		return trace.BadParameter("PrivateKey is nil")
+	}
+	if k.Metadata == nil {
+		return trace.BadParameter("Metadata is nil")
+	}
+	if k.Spec == nil {
+		return trace.BadParameter("Spec is nil")
+	}
+
+	if k.Kind != types.KindAccessGraphSecretPrivateKey {
+		return trace.BadParameter("Kind is invalid")
+	}
+
+	if k.Version != types.V1 {
+		return trace.BadParameter("Version is invalid")
+	}
+
+	switch k.Spec.PublicKeyMode {
+	case accessgraphv1pb.PublicKeyMode_PUBLIC_KEY_MODE_PROTECTED,
+		accessgraphv1pb.PublicKeyMode_PUBLIC_KEY_MODE_PUB_FILE,
+		accessgraphv1pb.PublicKeyMode_PUBLIC_KEY_MODE_DERIVED:
+	default:
+		return trace.BadParameter("PublicKeyMode is invalid")
+	}
+
+	if k.Spec.DeviceId == "" {
+		return trace.BadParameter("DeviceId is unset")
+	}
+	if k.Spec.PublicKeyFingerprint == "" && k.Spec.PublicKeyMode != accessgraphv1pb.PublicKeyMode_PUBLIC_KEY_MODE_PROTECTED {
+		return trace.BadParameter("PublicKeyFingerprint is unset")
+	}
+
+	if k.Metadata.Name == "" {
+		return trace.BadParameter("Name is unset")
+	}
+
+	return nil
+}
+
+func privKeyHashNameKey(k *accessgraphv1pb.PrivateKeySpec) string {
+	return hashComp(k.DeviceId, k.PublicKeyFingerprint)
+}
+
+func hashComp(values ...string) string {
+	h := sha256.New()
+	for _, value := range values {
+		h.Write([]byte(value))
+	}
+	return hex.EncodeToString(h.Sum(nil))
+}