Add the certs.user.emit event

api/types/events/events.proto

@@ -1673,6 +1673,26 @@ message WindowsDesktopSessionEnd {
     map<string, string> DesktopLabels = 8 [ (gogoproto.jsontag) = "desktop_labels" ];
 }
 
+message UserCertsEmit {
+    // Metadata is a common event metadata.
+    Metadata Metadata = 1
+        [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
+
+    // User is a common user event metadata
+    UserMetadata User = 2
+        [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
+
+    // Subject is the string form of the Subject of the X.509 certificate
+    string Subject = 3 [ (gogoproto.jsontag) = "subject,omitempty" ];
+
+    // Expires is the expiration time point of the certificates
+    google.protobuf.Timestamp Expires = 4 [
+        (gogoproto.stdtime) = true,
+        (gogoproto.nullable) = false,
+        (gogoproto.jsontag) = "expires,omitempty"
+    ];
+}
+
 // OneOf is a union of one of audit events submitted to the auth service
 message OneOf {
     // Event is one of the audit events
@@ -1744,6 +1764,7 @@ message OneOf {
         events.PostgresFunctionCall PostgresFunctionCall = 65;
         events.AccessRequestDelete AccessRequestDelete = 66;
         events.SessionConnect SessionConnect = 67;
+        events.UserCertsEmit UserCertsEmit = 68;
     }
 }
 

api/types/events/oneof.go

@@ -305,6 +305,10 @@ func ToOneOf(in AuditEvent) (*OneOf, error) {
 		out.Event = &OneOf_AccessRequestDelete{
 			AccessRequestDelete: e,
 		}
+	case *UserCertsEmit:
+		out.Event = &OneOf_UserCertsEmit{
+			UserCertsEmit: e,
+		}
 	default:
 		return nil, trace.BadParameter("event type %T is not supported", in)
 	}

lib/auth/auth.go

@@ -1012,6 +1012,22 @@ func (a *Server) generateUserCert(req certRequest) (*proto.Certs, error) {
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+
+	if a.emitter.EmitAuditEvent(a.closeCtx, &apievents.UserCertsEmit{
+		Metadata: apievents.Metadata{
+			Type: events.UserCertsEmitEvent,
+			Code: events.UserCertsEmitCode,
+		},
+		UserMetadata: apievents.UserMetadata{
+			User:         identity.Username,
+			Impersonator: identity.Impersonator,
+		},
+		Subject: subject.String(),
+		Expires: certRequest.NotAfter,
+	}); err != nil {
+		log.WithError(err).Warn("Failed to emit user certs emit event.")
+	}
+
 	return &proto.Certs{
 		SSH:        sshCert,
 		TLS:        tlsCert,

lib/events/api.go

@@ -456,6 +456,9 @@ const (
 	// WindowsDesktopSessionEndEvent is emitted when a user  disconnects
 	// from a desktop.
 	WindowsDesktopSessionEndEvent = "windows.desktop.session.end"
+
+	// UserCertsEmitEvent is emitted when a user certificate set is emitted.
+	UserCertsEmitEvent = "certs.user.emit"
 )
 
 const (

lib/events/codes.go

@@ -474,4 +474,7 @@ const (
 	LockCreatedCode = "TLK00I"
 	// LockDeletedCode is the lock deleted event code.
 	LockDeletedCode = "TLK01I"
+
+	// UserCertsEmitCode is the user certificate set emitted code.
+	UserCertsEmitCode = "TC000I"
 )

lib/events/dynamic.go

@@ -482,6 +482,12 @@ func FromEventFields(fields EventFields) (apievents.AuditEvent, error) {
 			return nil, trace.Wrap(err)
 		}
 		return &e, nil
+	case UserCertsEmitEvent:
+		var e events.UserCertsEmit
+		if err := utils.FastUnmarshal(data, &e); err != nil {
+			return nil, trace.Wrap(err)
+		}
+		return &e, nil
 	default:
 		return nil, trace.BadParameter("unknown event type: %q", eventType)
 	}