From d53beb7c44a92b8229060536a8f0b5cb5158961b Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Tue, 25 Jun 2024 11:38:16 +0100 Subject: [PATCH] [sec_scan][1] Add `teleport.access_graph.v1.SecretsScannerService` This PR introduces the `teleport.access_graph.v1.SecretsScannerService` that will be used by Teleport SSH nodes to report `authorized_keys` and by users' laptops to report secrets found on them. `ReportAuthorizedKeys` uses the node's TLS certs signed by the HostCA for authentication, while `ReportSecrets` leverages the device trust credentials (requires that the device is enrolled) to report secrets without requiring valid user credentials. handle Alan's feedback --- .../accessgraph/v1/authorized_key.pb.go | 307 +++++++++ .../teleport/accessgraph/v1/private_key.pb.go | 390 +++++++++++ .../accessgraph/v1/secrets_service.pb.go | 626 ++++++++++++++++++ .../accessgraph/v1/secrets_service_grpc.pb.go | 262 ++++++++ .../access_graph/v1/authorized_key.proto | 46 ++ .../access_graph/v1/private_key.proto | 67 ++ .../access_graph/v1/secrets_service.proto | 101 +++ buf.yaml | 1 + 8 files changed, 1800 insertions(+) create mode 100644 api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go create mode 100644 api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go create mode 100644 api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go create mode 100644 api/gen/proto/go/teleport/accessgraph/v1/secrets_service_grpc.pb.go create mode 100644 api/proto/teleport/access_graph/v1/authorized_key.proto create mode 100644 api/proto/teleport/access_graph/v1/private_key.proto create mode 100644 api/proto/teleport/access_graph/v1/secrets_service.proto diff --git a/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go new file mode 100644 index 0000000000000..4d7e460994779 --- /dev/null +++ b/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go 
@@ -0,0 +1,307 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.34.2 +// protoc (unknown) +// source: teleport/access_graph/v1/authorized_key.proto + +package accessgraphv1 + +import ( + v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// The `AuthorizedKey` message represents an authorized key entry for a specific local user. +// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node. +type AuthorizedKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // metadata is the AuthorizedKey's metadata. + Metadata *v1.Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + // kind is a resource kind. 
+ Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` + // sub_kind is an optional resource sub kind, used in some resources. + SubKind string `protobuf:"bytes,3,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"` + // version is version. + Version string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"` + // Spec is an AuthorizedKey specification. + Spec *AuthorizedKeySpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"` +} + +func (x *AuthorizedKey) Reset() { + *x = AuthorizedKey{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *AuthorizedKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AuthorizedKey) ProtoMessage() {} + +func (x *AuthorizedKey) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AuthorizedKey.ProtoReflect.Descriptor instead. 
+func (*AuthorizedKey) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP(), []int{0} +} + +func (x *AuthorizedKey) GetMetadata() *v1.Metadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *AuthorizedKey) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *AuthorizedKey) GetSubKind() string { + if x != nil { + return x.SubKind + } + return "" +} + +func (x *AuthorizedKey) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *AuthorizedKey) GetSpec() *AuthorizedKeySpec { + if x != nil { + return x.Spec + } + return nil +} + +// AuthorizedKeySpec is the authorized key spec. +type AuthorizedKeySpec struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // host_id is the node identifier and must match the credentials used. + HostId string `protobuf:"bytes,1,opt,name=host_id,json=hostId,proto3" json:"host_id,omitempty"` + // key_fingerprint is the SHA256 SSH public key fingerprint. + KeyFingerprint string `protobuf:"bytes,2,opt,name=key_fingerprint,json=keyFingerprint,proto3" json:"key_fingerprint,omitempty"` + // host_user is the user who can be accessed using the fingerprint above. 
+ HostUser string `protobuf:"bytes,3,opt,name=host_user,json=hostUser,proto3" json:"host_user,omitempty"` +} + +func (x *AuthorizedKeySpec) Reset() { + *x = AuthorizedKeySpec{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *AuthorizedKeySpec) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AuthorizedKeySpec) ProtoMessage() {} + +func (x *AuthorizedKeySpec) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AuthorizedKeySpec.ProtoReflect.Descriptor instead. +func (*AuthorizedKeySpec) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP(), []int{1} +} + +func (x *AuthorizedKeySpec) GetHostId() string { + if x != nil { + return x.HostId + } + return "" +} + +func (x *AuthorizedKeySpec) GetKeyFingerprint() string { + if x != nil { + return x.KeyFingerprint + } + return "" +} + +func (x *AuthorizedKeySpec) GetHostUser() string { + if x != nil { + return x.HostUser + } + return "" +} + +var File_teleport_access_graph_v1_authorized_key_proto protoreflect.FileDescriptor + +var file_teleport_access_graph_v1_authorized_key_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x5f, 0x67, 0x72, 0x61, 0x70, 
0x68, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd3, 0x01, 0x0a, + 0x0d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x38, + 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, + 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, + 0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x12, 0x3f, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, + 0x65, 0x63, 0x22, 0x72, 0x0a, 0x11, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, + 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64, + 0x12, 0x27, 0x0a, 0x0f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, + 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 
0x6b, 0x65, 0x79, 0x46, 0x69, + 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x68, 0x6f, 0x73, + 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, + 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, + 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, + 0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, + 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce sync.Once + file_teleport_access_graph_v1_authorized_key_proto_rawDescData = file_teleport_access_graph_v1_authorized_key_proto_rawDesc +) + +func file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP() []byte { + file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce.Do(func() { + file_teleport_access_graph_v1_authorized_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_authorized_key_proto_rawDescData) + }) + return file_teleport_access_graph_v1_authorized_key_proto_rawDescData +} + +var file_teleport_access_graph_v1_authorized_key_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_teleport_access_graph_v1_authorized_key_proto_goTypes = []any{ + (*AuthorizedKey)(nil), // 0: teleport.access_graph.v1.AuthorizedKey + (*AuthorizedKeySpec)(nil), // 1: teleport.access_graph.v1.AuthorizedKeySpec + (*v1.Metadata)(nil), // 2: teleport.header.v1.Metadata +} +var file_teleport_access_graph_v1_authorized_key_proto_depIdxs = []int32{ + 2, // 0: 
teleport.access_graph.v1.AuthorizedKey.metadata:type_name -> teleport.header.v1.Metadata + 1, // 1: teleport.access_graph.v1.AuthorizedKey.spec:type_name -> teleport.access_graph.v1.AuthorizedKeySpec + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_teleport_access_graph_v1_authorized_key_proto_init() } +func file_teleport_access_graph_v1_authorized_key_proto_init() { + if File_teleport_access_graph_v1_authorized_key_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0].Exporter = func(v any, i int) any { + switch v := v.(*AuthorizedKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1].Exporter = func(v any, i int) any { + switch v := v.(*AuthorizedKeySpec); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_access_graph_v1_authorized_key_proto_rawDesc, + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_access_graph_v1_authorized_key_proto_goTypes, + DependencyIndexes: file_teleport_access_graph_v1_authorized_key_proto_depIdxs, + MessageInfos: file_teleport_access_graph_v1_authorized_key_proto_msgTypes, + }.Build() + File_teleport_access_graph_v1_authorized_key_proto = out.File + file_teleport_access_graph_v1_authorized_key_proto_rawDesc = nil + file_teleport_access_graph_v1_authorized_key_proto_goTypes = nil + 
file_teleport_access_graph_v1_authorized_key_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go new file mode 100644 index 0000000000000..26e65b85e5eed --- /dev/null +++ b/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go 
@@ -0,0 +1,390 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.34.2 +// protoc (unknown) +// source: teleport/access_graph/v1/private_key.proto + +package accessgraphv1 + +import ( + v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// PublicKeyMode is the mode of the public key. +// The public key can be derived from the private key, stored in a separate file, or the private key was password protected +// and we could not extract the public key from it or from the file. +type PublicKeyMode int32 + +const ( + // PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state. + PublicKeyMode_PUBLIC_KEY_MODE_UNSPECIFIED PublicKeyMode = 0 + // PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key. + PublicKeyMode_PUBLIC_KEY_MODE_DERIVED PublicKeyMode = 1 + // PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key. 
+ // The private key is password protected and we could not extract the public key from it. + // This mode is used when the private key is password protected and there is a .pub file next to the private key + // that contains the public key. + PublicKeyMode_PUBLIC_KEY_MODE_PUB_FILE PublicKeyMode = 2 + // PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it + // or from the .pub file. + PublicKeyMode_PUBLIC_KEY_MODE_PROTECTED PublicKeyMode = 3 +) + +// Enum value maps for PublicKeyMode. +var ( + PublicKeyMode_name = map[int32]string{ + 0: "PUBLIC_KEY_MODE_UNSPECIFIED", + 1: "PUBLIC_KEY_MODE_DERIVED", + 2: "PUBLIC_KEY_MODE_PUB_FILE", + 3: "PUBLIC_KEY_MODE_PROTECTED", + } + PublicKeyMode_value = map[string]int32{ + "PUBLIC_KEY_MODE_UNSPECIFIED": 0, + "PUBLIC_KEY_MODE_DERIVED": 1, + "PUBLIC_KEY_MODE_PUB_FILE": 2, + "PUBLIC_KEY_MODE_PROTECTED": 3, + } +) + +func (x PublicKeyMode) Enum() *PublicKeyMode { + p := new(PublicKeyMode) + *p = x + return p +} + +func (x PublicKeyMode) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (PublicKeyMode) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_access_graph_v1_private_key_proto_enumTypes[0].Descriptor() +} + +func (PublicKeyMode) Type() protoreflect.EnumType { + return &file_teleport_access_graph_v1_private_key_proto_enumTypes[0] +} + +func (x PublicKeyMode) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use PublicKeyMode.Descriptor instead. +func (PublicKeyMode) EnumDescriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{0} +} + +// The `PrivateKey` message represents a private key entry for a specific local user. +// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself. 
+// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode. +// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport. +type PrivateKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // metadata is the PrivateKey's metadata. + Metadata *v1.Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + // kind is a resource kind. + Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` + // sub_kind is an optional resource sub kind, used in some resources. + SubKind string `protobuf:"bytes,3,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"` + // version is version. + Version string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"` + // Spec is a PrivateKey specification. + Spec *PrivateKeySpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"` +} + +func (x *PrivateKey) Reset() { + *x = PrivateKey{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PrivateKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PrivateKey) ProtoMessage() {} + +func (x *PrivateKey) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PrivateKey.ProtoReflect.Descriptor instead. 
+func (*PrivateKey) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{0} +} + +func (x *PrivateKey) GetMetadata() *v1.Metadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *PrivateKey) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *PrivateKey) GetSubKind() string { + if x != nil { + return x.SubKind + } + return "" +} + +func (x *PrivateKey) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *PrivateKey) GetSpec() *PrivateKeySpec { + if x != nil { + return x.Spec + } + return nil +} + +// PrivateKeySpec is the private key spec. +type PrivateKeySpec struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // device_id is the device trust identifier of the device that owns the key. + DeviceId string `protobuf:"bytes,1,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"` + // public_key_fingerprint is the SHA256 of the SSH public key corresponding to + // the private key. + PublicKeyFingerprint string `protobuf:"bytes,2,opt,name=public_key_fingerprint,json=publicKeyFingerprint,proto3" json:"public_key_fingerprint,omitempty"` + // public_key_mode is the public key mode. 
+ PublicKeyMode PublicKeyMode `protobuf:"varint,3,opt,name=public_key_mode,json=publicKeyMode,proto3,enum=teleport.access_graph.v1.PublicKeyMode" json:"public_key_mode,omitempty"` +} + +func (x *PrivateKeySpec) Reset() { + *x = PrivateKeySpec{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PrivateKeySpec) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PrivateKeySpec) ProtoMessage() {} + +func (x *PrivateKeySpec) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PrivateKeySpec.ProtoReflect.Descriptor instead. +func (*PrivateKeySpec) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{1} +} + +func (x *PrivateKeySpec) GetDeviceId() string { + if x != nil { + return x.DeviceId + } + return "" +} + +func (x *PrivateKeySpec) GetPublicKeyFingerprint() string { + if x != nil { + return x.PublicKeyFingerprint + } + return "" +} + +func (x *PrivateKeySpec) GetPublicKeyMode() PublicKeyMode { + if x != nil { + return x.PublicKeyMode + } + return PublicKeyMode_PUBLIC_KEY_MODE_UNSPECIFIED +} + +var File_teleport_access_graph_v1_private_key_proto protoreflect.FileDescriptor + +var file_teleport_access_graph_v1_private_key_proto_rawDesc = []byte{ + 0x0a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61, + 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 
0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, + 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcd, 0x01, 0x0a, 0x0a, 0x50, 0x72, + 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x38, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69, + 0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e, + 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x3c, 0x0a, 0x04, 0x73, + 0x70, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, + 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x53, + 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, 0xb4, 0x01, 0x0a, 0x0e, 0x50, 0x72, + 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, + 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x34, 0x0a, 0x16, 0x70, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 
0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, + 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x70, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, + 0x4f, 0x0a, 0x0f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f, + 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, + 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, + 0x65, 0x52, 0x0d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, + 0x2a, 0x8a, 0x01, 0x0a, 0x0d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, + 0x64, 0x65, 0x12, 0x1f, 0x0a, 0x1b, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, + 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, + 0x44, 0x10, 0x00, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, + 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x44, 0x45, 0x52, 0x49, 0x56, 0x45, 0x44, 0x10, 0x01, + 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, + 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1d, + 0x0a, 0x19, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, + 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x45, 0x43, 0x54, 0x45, 0x44, 0x10, 0x03, 0x42, 0x5a, 0x5a, + 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, + 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, + 
0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, +} + +var ( + file_teleport_access_graph_v1_private_key_proto_rawDescOnce sync.Once + file_teleport_access_graph_v1_private_key_proto_rawDescData = file_teleport_access_graph_v1_private_key_proto_rawDesc +) + +func file_teleport_access_graph_v1_private_key_proto_rawDescGZIP() []byte { + file_teleport_access_graph_v1_private_key_proto_rawDescOnce.Do(func() { + file_teleport_access_graph_v1_private_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_private_key_proto_rawDescData) + }) + return file_teleport_access_graph_v1_private_key_proto_rawDescData +} + +var file_teleport_access_graph_v1_private_key_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_teleport_access_graph_v1_private_key_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_teleport_access_graph_v1_private_key_proto_goTypes = []any{ + (PublicKeyMode)(0), // 0: teleport.access_graph.v1.PublicKeyMode + (*PrivateKey)(nil), // 1: teleport.access_graph.v1.PrivateKey + (*PrivateKeySpec)(nil), // 2: teleport.access_graph.v1.PrivateKeySpec + (*v1.Metadata)(nil), // 3: teleport.header.v1.Metadata +} +var file_teleport_access_graph_v1_private_key_proto_depIdxs = []int32{ + 3, // 0: teleport.access_graph.v1.PrivateKey.metadata:type_name -> teleport.header.v1.Metadata + 2, // 1: teleport.access_graph.v1.PrivateKey.spec:type_name -> teleport.access_graph.v1.PrivateKeySpec + 0, // 2: teleport.access_graph.v1.PrivateKeySpec.public_key_mode:type_name -> teleport.access_graph.v1.PublicKeyMode + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name +} + +func init() { 
file_teleport_access_graph_v1_private_key_proto_init() } +func file_teleport_access_graph_v1_private_key_proto_init() { + if File_teleport_access_graph_v1_private_key_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_teleport_access_graph_v1_private_key_proto_msgTypes[0].Exporter = func(v any, i int) any { + switch v := v.(*PrivateKey); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_access_graph_v1_private_key_proto_msgTypes[1].Exporter = func(v any, i int) any { + switch v := v.(*PrivateKeySpec); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_access_graph_v1_private_key_proto_rawDesc, + NumEnums: 1, + NumMessages: 2, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_access_graph_v1_private_key_proto_goTypes, + DependencyIndexes: file_teleport_access_graph_v1_private_key_proto_depIdxs, + EnumInfos: file_teleport_access_graph_v1_private_key_proto_enumTypes, + MessageInfos: file_teleport_access_graph_v1_private_key_proto_msgTypes, + }.Build() + File_teleport_access_graph_v1_private_key_proto = out.File + file_teleport_access_graph_v1_private_key_proto_rawDesc = nil + file_teleport_access_graph_v1_private_key_proto_goTypes = nil + file_teleport_access_graph_v1_private_key_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go new file mode 100644 index 0000000000000..0d2bd9af11f2b --- /dev/null +++ b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go 
@@ -0,0 +1,626 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.34.2 +// protoc (unknown) +// source: teleport/access_graph/v1/secrets_service.proto + +package accessgraphv1 + +import ( + v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// OperationType is an enum that indicates the operation that the client wants to perform. +type OperationType int32 + +const ( + // OPERATION_TYPE_UNSPECIFIED is an unknown operation. + OperationType_OPERATION_TYPE_UNSPECIFIED OperationType = 0 + // OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list. + OperationType_OPERATION_TYPE_ADD OperationType = 1 + // OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and + // the server can proceed with the analysis. + OperationType_OPERATION_TYPE_SYNC OperationType = 2 +) + +// Enum value maps for OperationType. 
+var ( + OperationType_name = map[int32]string{ + 0: "OPERATION_TYPE_UNSPECIFIED", + 1: "OPERATION_TYPE_ADD", + 2: "OPERATION_TYPE_SYNC", + } + OperationType_value = map[string]int32{ + "OPERATION_TYPE_UNSPECIFIED": 0, + "OPERATION_TYPE_ADD": 1, + "OPERATION_TYPE_SYNC": 2, + } +) + +func (x OperationType) Enum() *OperationType { + p := new(OperationType) + *p = x + return p +} + +func (x OperationType) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (OperationType) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_access_graph_v1_secrets_service_proto_enumTypes[0].Descriptor() +} + +func (OperationType) Type() protoreflect.EnumType { + return &file_teleport_access_graph_v1_secrets_service_proto_enumTypes[0] +} + +func (x OperationType) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use OperationType.Descriptor instead. +func (OperationType) EnumDescriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{0} +} + +// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys +// that could be used to bypass Teleport. +type ReportAuthorizedKeysRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // keys is a list of authorized keys that could be used to bypass Teleport. + Keys []*AuthorizedKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"` + // operation indicates the operation that the client wants to perform. 
+ Operation OperationType `protobuf:"varint,2,opt,name=operation,proto3,enum=teleport.access_graph.v1.OperationType" json:"operation,omitempty"` +} + +func (x *ReportAuthorizedKeysRequest) Reset() { + *x = ReportAuthorizedKeysRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ReportAuthorizedKeysRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReportAuthorizedKeysRequest) ProtoMessage() {} + +func (x *ReportAuthorizedKeysRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReportAuthorizedKeysRequest.ProtoReflect.Descriptor instead. +func (*ReportAuthorizedKeysRequest) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{0} +} + +func (x *ReportAuthorizedKeysRequest) GetKeys() []*AuthorizedKey { + if x != nil { + return x.Keys + } + return nil +} + +func (x *ReportAuthorizedKeysRequest) GetOperation() OperationType { + if x != nil { + return x.Operation + } + return OperationType_OPERATION_TYPE_UNSPECIFIED +} + +// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys +// RPC method. 
+type ReportAuthorizedKeysResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *ReportAuthorizedKeysResponse) Reset() { + *x = ReportAuthorizedKeysResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ReportAuthorizedKeysResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReportAuthorizedKeysResponse) ProtoMessage() {} + +func (x *ReportAuthorizedKeysResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReportAuthorizedKeysResponse.ProtoReflect.Descriptor instead. +func (*ReportAuthorizedKeysResponse) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{1} +} + +// ReportSecretsRequest is used by trusted devices to report secrets found on the host +// that could be used to bypass Teleport. 
+type ReportSecretsRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Payload: + // + // *ReportSecretsRequest_DeviceAssertion + // *ReportSecretsRequest_PrivateKeys + Payload isReportSecretsRequest_Payload `protobuf_oneof:"payload"` +} + +func (x *ReportSecretsRequest) Reset() { + *x = ReportSecretsRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ReportSecretsRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReportSecretsRequest) ProtoMessage() {} + +func (x *ReportSecretsRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReportSecretsRequest.ProtoReflect.Descriptor instead. 
+func (*ReportSecretsRequest) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{2} +} + +func (m *ReportSecretsRequest) GetPayload() isReportSecretsRequest_Payload { + if m != nil { + return m.Payload + } + return nil +} + +func (x *ReportSecretsRequest) GetDeviceAssertion() *v1.AssertDeviceRequest { + if x, ok := x.GetPayload().(*ReportSecretsRequest_DeviceAssertion); ok { + return x.DeviceAssertion + } + return nil +} + +func (x *ReportSecretsRequest) GetPrivateKeys() *ReportPrivateKeys { + if x, ok := x.GetPayload().(*ReportSecretsRequest_PrivateKeys); ok { + return x.PrivateKeys + } + return nil +} + +type isReportSecretsRequest_Payload interface { + isReportSecretsRequest_Payload() +} + +type ReportSecretsRequest_DeviceAssertion struct { + // The device should initiate the device assertion ceremony by sending the + // AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest] + // message for more details. + DeviceAssertion *v1.AssertDeviceRequest `protobuf:"bytes,1,opt,name=device_assertion,json=deviceAssertion,proto3,oneof"` +} + +type ReportSecretsRequest_PrivateKeys struct { + // private_keys is a list of private keys that were found on the device. + PrivateKeys *ReportPrivateKeys `protobuf:"bytes,4,opt,name=private_keys,json=privateKeys,proto3,oneof"` +} + +func (*ReportSecretsRequest_DeviceAssertion) isReportSecretsRequest_Payload() {} + +func (*ReportSecretsRequest_PrivateKeys) isReportSecretsRequest_Payload() {} + +// ReportPrivateKeys is used by trusted devices to report private keys found on the host +// that could be used to bypass Teleport. +type ReportPrivateKeys struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // keys is a list of private keys that could be used to bypass Teleport. 
+ Keys []*PrivateKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"` +} + +func (x *ReportPrivateKeys) Reset() { + *x = ReportPrivateKeys{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ReportPrivateKeys) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReportPrivateKeys) ProtoMessage() {} + +func (x *ReportPrivateKeys) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReportPrivateKeys.ProtoReflect.Descriptor instead. +func (*ReportPrivateKeys) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{3} +} + +func (x *ReportPrivateKeys) GetKeys() []*PrivateKey { + if x != nil { + return x.Keys + } + return nil +} + +// ReportSecretsResponse is the response from the ReportSecrets +// RPC method. 
+type ReportSecretsResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Payload: + // + // *ReportSecretsResponse_DeviceAssertion + Payload isReportSecretsResponse_Payload `protobuf_oneof:"payload"` +} + +func (x *ReportSecretsResponse) Reset() { + *x = ReportSecretsResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ReportSecretsResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ReportSecretsResponse) ProtoMessage() {} + +func (x *ReportSecretsResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ReportSecretsResponse.ProtoReflect.Descriptor instead. +func (*ReportSecretsResponse) Descriptor() ([]byte, []int) { + return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{4} +} + +func (m *ReportSecretsResponse) GetPayload() isReportSecretsResponse_Payload { + if m != nil { + return m.Payload + } + return nil +} + +func (x *ReportSecretsResponse) GetDeviceAssertion() *v1.AssertDeviceResponse { + if x, ok := x.GetPayload().(*ReportSecretsResponse_DeviceAssertion); ok { + return x.DeviceAssertion + } + return nil +} + +type isReportSecretsResponse_Payload interface { + isReportSecretsResponse_Payload() +} + +type ReportSecretsResponse_DeviceAssertion struct { + // device_assertion is the response from the device assertion ceremony. 
+ // Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse] + // message for more details + DeviceAssertion *v1.AssertDeviceResponse `protobuf:"bytes,1,opt,name=device_assertion,json=deviceAssertion,proto3,oneof"` +} + +func (*ReportSecretsResponse_DeviceAssertion) isReportSecretsResponse_Payload() {} + +var File_teleport_access_graph_v1_secrets_service_proto protoreflect.FileDescriptor + +var file_teleport_access_graph_v1_secrets_service_proto_rawDesc = []byte{ + 0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65, + 0x74, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, + 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, + 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f, + 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, + 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x24, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61, + 0x73, 0x73, 0x65, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa1, 0x01, 0x0a, 0x1b, + 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, + 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3b, 0x0a, 0x04, 0x6b, + 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 
0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, + 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, + 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x12, 0x45, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, + 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x54, 0x79, 0x70, 0x65, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, + 0x1e, 0x0a, 0x1c, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, + 0xce, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, + 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x59, 0x0a, 0x10, 0x64, 0x65, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x73, + 0x65, 0x72, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x48, 0x00, 0x52, 0x0f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72, 0x74, + 0x69, 0x6f, 0x6e, 0x12, 0x50, 0x0a, 0x0c, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, + 0x65, 0x79, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, + 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x69, 
0x76, 0x61, + 0x74, 0x65, 0x4b, 0x65, 0x79, 0x73, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x73, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, + 0x22, 0x4d, 0x0a, 0x11, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x38, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x50, + 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, + 0x7e, 0x0a, 0x15, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x10, 0x64, 0x65, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x73, + 0x65, 0x72, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x48, 0x00, 0x52, 0x0f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72, + 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x2a, + 0x60, 0x0a, 0x0d, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, + 0x12, 0x1e, 0x0a, 0x1a, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59, + 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, + 0x12, 0x16, 0x0a, 0x12, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59, + 0x50, 0x45, 0x5f, 0x41, 0x44, 0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x4f, 0x50, 0x45, 0x52, + 0x41, 0x54, 0x49, 0x4f, 
0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x59, 0x4e, 0x43, 0x10, + 0x02, 0x32, 0x9d, 0x02, 0x0a, 0x15, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x63, 0x61, + 0x6e, 0x6e, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x8b, 0x01, 0x0a, 0x14, + 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, + 0x4b, 0x65, 0x79, 0x73, 0x12, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, + 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, + 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x36, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, + 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x12, 0x76, 0x0a, 0x0d, 0x52, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x12, 0x2e, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, + 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2f, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, + 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, + 0x01, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 
0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b, + 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce sync.Once + file_teleport_access_graph_v1_secrets_service_proto_rawDescData = file_teleport_access_graph_v1_secrets_service_proto_rawDesc +) + +func file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP() []byte { + file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce.Do(func() { + file_teleport_access_graph_v1_secrets_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_secrets_service_proto_rawDescData) + }) + return file_teleport_access_graph_v1_secrets_service_proto_rawDescData +} + +var file_teleport_access_graph_v1_secrets_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_teleport_access_graph_v1_secrets_service_proto_msgTypes = make([]protoimpl.MessageInfo, 5) +var file_teleport_access_graph_v1_secrets_service_proto_goTypes = []any{ + (OperationType)(0), // 0: teleport.access_graph.v1.OperationType + (*ReportAuthorizedKeysRequest)(nil), // 1: teleport.access_graph.v1.ReportAuthorizedKeysRequest + (*ReportAuthorizedKeysResponse)(nil), // 2: teleport.access_graph.v1.ReportAuthorizedKeysResponse + (*ReportSecretsRequest)(nil), // 3: teleport.access_graph.v1.ReportSecretsRequest + (*ReportPrivateKeys)(nil), // 4: teleport.access_graph.v1.ReportPrivateKeys + (*ReportSecretsResponse)(nil), // 5: teleport.access_graph.v1.ReportSecretsResponse + (*AuthorizedKey)(nil), // 6: teleport.access_graph.v1.AuthorizedKey + (*v1.AssertDeviceRequest)(nil), // 7: 
teleport.devicetrust.v1.AssertDeviceRequest + (*PrivateKey)(nil), // 8: teleport.access_graph.v1.PrivateKey + (*v1.AssertDeviceResponse)(nil), // 9: teleport.devicetrust.v1.AssertDeviceResponse +} +var file_teleport_access_graph_v1_secrets_service_proto_depIdxs = []int32{ + 6, // 0: teleport.access_graph.v1.ReportAuthorizedKeysRequest.keys:type_name -> teleport.access_graph.v1.AuthorizedKey + 0, // 1: teleport.access_graph.v1.ReportAuthorizedKeysRequest.operation:type_name -> teleport.access_graph.v1.OperationType + 7, // 2: teleport.access_graph.v1.ReportSecretsRequest.device_assertion:type_name -> teleport.devicetrust.v1.AssertDeviceRequest + 4, // 3: teleport.access_graph.v1.ReportSecretsRequest.private_keys:type_name -> teleport.access_graph.v1.ReportPrivateKeys + 8, // 4: teleport.access_graph.v1.ReportPrivateKeys.keys:type_name -> teleport.access_graph.v1.PrivateKey + 9, // 5: teleport.access_graph.v1.ReportSecretsResponse.device_assertion:type_name -> teleport.devicetrust.v1.AssertDeviceResponse + 1, // 6: teleport.access_graph.v1.SecretsScannerService.ReportAuthorizedKeys:input_type -> teleport.access_graph.v1.ReportAuthorizedKeysRequest + 3, // 7: teleport.access_graph.v1.SecretsScannerService.ReportSecrets:input_type -> teleport.access_graph.v1.ReportSecretsRequest + 2, // 8: teleport.access_graph.v1.SecretsScannerService.ReportAuthorizedKeys:output_type -> teleport.access_graph.v1.ReportAuthorizedKeysResponse + 5, // 9: teleport.access_graph.v1.SecretsScannerService.ReportSecrets:output_type -> teleport.access_graph.v1.ReportSecretsResponse + 8, // [8:10] is the sub-list for method output_type + 6, // [6:8] is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name +} + +func init() { file_teleport_access_graph_v1_secrets_service_proto_init() } +func file_teleport_access_graph_v1_secrets_service_proto_init() { + if 
File_teleport_access_graph_v1_secrets_service_proto != nil { + return + } + file_teleport_access_graph_v1_authorized_key_proto_init() + file_teleport_access_graph_v1_private_key_proto_init() + if !protoimpl.UnsafeEnabled { + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0].Exporter = func(v any, i int) any { + switch v := v.(*ReportAuthorizedKeysRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1].Exporter = func(v any, i int) any { + switch v := v.(*ReportAuthorizedKeysResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2].Exporter = func(v any, i int) any { + switch v := v.(*ReportSecretsRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3].Exporter = func(v any, i int) any { + switch v := v.(*ReportPrivateKeys); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4].Exporter = func(v any, i int) any { + switch v := v.(*ReportSecretsResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2].OneofWrappers = []any{ + (*ReportSecretsRequest_DeviceAssertion)(nil), + (*ReportSecretsRequest_PrivateKeys)(nil), + } + file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4].OneofWrappers = []any{ + (*ReportSecretsResponse_DeviceAssertion)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: 
protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_access_graph_v1_secrets_service_proto_rawDesc, + NumEnums: 1, + NumMessages: 5, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_teleport_access_graph_v1_secrets_service_proto_goTypes, + DependencyIndexes: file_teleport_access_graph_v1_secrets_service_proto_depIdxs, + EnumInfos: file_teleport_access_graph_v1_secrets_service_proto_enumTypes, + MessageInfos: file_teleport_access_graph_v1_secrets_service_proto_msgTypes, + }.Build() + File_teleport_access_graph_v1_secrets_service_proto = out.File + file_teleport_access_graph_v1_secrets_service_proto_rawDesc = nil + file_teleport_access_graph_v1_secrets_service_proto_goTypes = nil + file_teleport_access_graph_v1_secrets_service_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/accessgraph/v1/secrets_service_grpc.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service_grpc.pb.go new file mode 100644 index 0000000000000..bc1e09264f36a --- /dev/null +++ b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service_grpc.pb.go 
@@ -0,0 +1,262 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.4.0 +// - protoc (unknown) +// source: teleport/access_graph/v1/secrets_service.proto + +package accessgraphv1 + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.62.0 or later. +const _ = grpc.SupportPackageIsVersion8 + +const ( + SecretsScannerService_ReportAuthorizedKeys_FullMethodName = "/teleport.access_graph.v1.SecretsScannerService/ReportAuthorizedKeys" + SecretsScannerService_ReportSecrets_FullMethodName = "/teleport.access_graph.v1.SecretsScannerService/ReportSecrets" +) + +// SecretsScannerServiceClient is the client API for SecretsScannerService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// SecretsScannerService provides methods for Access Graph Secret Scanner functionality. +type SecretsScannerServiceClient interface { + // ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys + // that could be used to bypass Teleport. 
+ // The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA. + ReportAuthorizedKeys(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportAuthorizedKeysClient, error) + // ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport. + // The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to + // the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details. + // + // Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field + // and then close the client side of the stream. + // + // -> ReportSecrets (client) [1 or more] + // -> CloseStream (client) + // <- TerminateStream (server) + // + // Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets + // reported by the client before the assertion terminates will be ignored and result in the stream being terminated. + ReportSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportSecretsClient, error) +} + +type secretsScannerServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewSecretsScannerServiceClient(cc grpc.ClientConnInterface) SecretsScannerServiceClient { + return &secretsScannerServiceClient{cc} +} + +func (c *secretsScannerServiceClient) ReportAuthorizedKeys(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportAuthorizedKeysClient, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &SecretsScannerService_ServiceDesc.Streams[0], SecretsScannerService_ReportAuthorizedKeys_FullMethodName, cOpts...) 
+ if err != nil { + return nil, err + } + x := &secretsScannerServiceReportAuthorizedKeysClient{ClientStream: stream} + return x, nil +} + +type SecretsScannerService_ReportAuthorizedKeysClient interface { + Send(*ReportAuthorizedKeysRequest) error + Recv() (*ReportAuthorizedKeysResponse, error) + grpc.ClientStream +} + +type secretsScannerServiceReportAuthorizedKeysClient struct { + grpc.ClientStream +} + +func (x *secretsScannerServiceReportAuthorizedKeysClient) Send(m *ReportAuthorizedKeysRequest) error { + return x.ClientStream.SendMsg(m) +} + +func (x *secretsScannerServiceReportAuthorizedKeysClient) Recv() (*ReportAuthorizedKeysResponse, error) { + m := new(ReportAuthorizedKeysResponse) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +func (c *secretsScannerServiceClient) ReportSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportSecretsClient, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + stream, err := c.cc.NewStream(ctx, &SecretsScannerService_ServiceDesc.Streams[1], SecretsScannerService_ReportSecrets_FullMethodName, cOpts...) + if err != nil { + return nil, err + } + x := &secretsScannerServiceReportSecretsClient{ClientStream: stream} + return x, nil +} + +type SecretsScannerService_ReportSecretsClient interface { + Send(*ReportSecretsRequest) error + Recv() (*ReportSecretsResponse, error) + grpc.ClientStream +} + +type secretsScannerServiceReportSecretsClient struct { + grpc.ClientStream +} + +func (x *secretsScannerServiceReportSecretsClient) Send(m *ReportSecretsRequest) error { + return x.ClientStream.SendMsg(m) +} + +func (x *secretsScannerServiceReportSecretsClient) Recv() (*ReportSecretsResponse, error) { + m := new(ReportSecretsResponse) + if err := x.ClientStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// SecretsScannerServiceServer is the server API for SecretsScannerService service. 
+// All implementations must embed UnimplementedSecretsScannerServiceServer +// for forward compatibility +// +// SecretsScannerService provides methods for Access Graph Secret Scanner functionality. +type SecretsScannerServiceServer interface { + // ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys + // that could be used to bypass Teleport. + // The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA. + ReportAuthorizedKeys(SecretsScannerService_ReportAuthorizedKeysServer) error + // ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport. + // The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to + // the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details. + // + // Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field + // and then close the client side of the stream. + // + // -> ReportSecrets (client) [1 or more] + // -> CloseStream (client) + // <- TerminateStream (server) + // + // Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets + // reported by the client before the assertion terminates will be ignored and result in the stream being terminated. + ReportSecrets(SecretsScannerService_ReportSecretsServer) error + mustEmbedUnimplementedSecretsScannerServiceServer() +} + +// UnimplementedSecretsScannerServiceServer must be embedded to have forward compatible implementations. 
+type UnimplementedSecretsScannerServiceServer struct { +} + +func (UnimplementedSecretsScannerServiceServer) ReportAuthorizedKeys(SecretsScannerService_ReportAuthorizedKeysServer) error { + return status.Errorf(codes.Unimplemented, "method ReportAuthorizedKeys not implemented") +} +func (UnimplementedSecretsScannerServiceServer) ReportSecrets(SecretsScannerService_ReportSecretsServer) error { + return status.Errorf(codes.Unimplemented, "method ReportSecrets not implemented") +} +func (UnimplementedSecretsScannerServiceServer) mustEmbedUnimplementedSecretsScannerServiceServer() {} + +// UnsafeSecretsScannerServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to SecretsScannerServiceServer will +// result in compilation errors. +type UnsafeSecretsScannerServiceServer interface { + mustEmbedUnimplementedSecretsScannerServiceServer() +} + +func RegisterSecretsScannerServiceServer(s grpc.ServiceRegistrar, srv SecretsScannerServiceServer) { + s.RegisterService(&SecretsScannerService_ServiceDesc, srv) +} + +func _SecretsScannerService_ReportAuthorizedKeys_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(SecretsScannerServiceServer).ReportAuthorizedKeys(&secretsScannerServiceReportAuthorizedKeysServer{ServerStream: stream}) +} + +type SecretsScannerService_ReportAuthorizedKeysServer interface { + Send(*ReportAuthorizedKeysResponse) error + Recv() (*ReportAuthorizedKeysRequest, error) + grpc.ServerStream +} + +type secretsScannerServiceReportAuthorizedKeysServer struct { + grpc.ServerStream +} + +func (x *secretsScannerServiceReportAuthorizedKeysServer) Send(m *ReportAuthorizedKeysResponse) error { + return x.ServerStream.SendMsg(m) +} + +func (x *secretsScannerServiceReportAuthorizedKeysServer) Recv() (*ReportAuthorizedKeysRequest, error) { + m := new(ReportAuthorizedKeysRequest) + if err := x.ServerStream.RecvMsg(m); err != nil { + return nil, err + } + 
return m, nil +} + +func _SecretsScannerService_ReportSecrets_Handler(srv interface{}, stream grpc.ServerStream) error { + return srv.(SecretsScannerServiceServer).ReportSecrets(&secretsScannerServiceReportSecretsServer{ServerStream: stream}) +} + +type SecretsScannerService_ReportSecretsServer interface { + Send(*ReportSecretsResponse) error + Recv() (*ReportSecretsRequest, error) + grpc.ServerStream +} + +type secretsScannerServiceReportSecretsServer struct { + grpc.ServerStream +} + +func (x *secretsScannerServiceReportSecretsServer) Send(m *ReportSecretsResponse) error { + return x.ServerStream.SendMsg(m) +} + +func (x *secretsScannerServiceReportSecretsServer) Recv() (*ReportSecretsRequest, error) { + m := new(ReportSecretsRequest) + if err := x.ServerStream.RecvMsg(m); err != nil { + return nil, err + } + return m, nil +} + +// SecretsScannerService_ServiceDesc is the grpc.ServiceDesc for SecretsScannerService service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var SecretsScannerService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "teleport.access_graph.v1.SecretsScannerService", + HandlerType: (*SecretsScannerServiceServer)(nil), + Methods: []grpc.MethodDesc{}, + Streams: []grpc.StreamDesc{ + { + StreamName: "ReportAuthorizedKeys", + Handler: _SecretsScannerService_ReportAuthorizedKeys_Handler, + ServerStreams: true, + ClientStreams: true, + }, + { + StreamName: "ReportSecrets", + Handler: _SecretsScannerService_ReportSecrets_Handler, + ServerStreams: true, + ClientStreams: true, + }, + }, + Metadata: "teleport/access_graph/v1/secrets_service.proto", +} diff --git a/api/proto/teleport/access_graph/v1/authorized_key.proto b/api/proto/teleport/access_graph/v1/authorized_key.proto new file mode 100644 index 0000000000000..15d95228b4897 --- /dev/null +++ b/api/proto/teleport/access_graph/v1/authorized_key.proto 
@@ -0,0 +1,46 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// The `AuthorizedKey` message represents an authorized key entry for a specific local user.
+// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node.
+message AuthorizedKey {
+ // metadata is the AuthorizedKey's metadata.
+ teleport.header.v1.Metadata metadata = 1;
+ // kind is a resource kind.
+ string kind = 2;
+ // sub_kind is an optional resource sub kind, used in some resources.
+ string sub_kind = 3;
+ // version is version.
+ string version = 4;
+ // Spec is an AuthorizedKey specification.
+ AuthorizedKeySpec spec = 5;
+}
+
+// AuthorizedKeySpec is the authorized key spec.
+message AuthorizedKeySpec {
+ // host_id is the node identifier and must match the credentials used.
+ string host_id = 1;
+ // key_fingerprint is the SHA256 SSH public key fingerprint.
+ string key_fingerprint = 2;
+ // host_user is the user who can be accessed using the fingerprint above.
+ string host_user = 3;
+}
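Review bot: `key_fingerprint` in AuthorizedKeySpec is described only as "the SHA256 SSH public key fingerprint", yet private_key.proto says Access Graph uses the device-reported `PrivateKeySpec.public_key_fingerprint` to decide whether a key can reach a user on the node, so the two values must be byte-comparable; if one side emits hex and the other the `SHA256:<unpadded base64>` form, they silently never match and a real bypass path goes unreported. I would pin the encoding in the field comment, e.g. `// key_fingerprint is the SHA256 fingerprint of the authorized public key in the "SHA256:<unpadded base64>" form printed by ssh-keygen -lf; it must be byte-comparable with PrivateKeySpec.public_key_fingerprint.` The `host_id` comment says it "must match the credentials used" but not what happens on mismatch; since a compromised node could otherwise plant entries for another host, state that the server rejects the request rather than silently dropping the entry, e.g. `// host_id is the node identifier; the server rejects requests whose host_id does not match the HostCA identity of the calling node.` The cross-file comparison is inferred from private_key.proto's description rather than visible code, so confirm the exact fingerprint form against the Access Graph side.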
diff --git a/api/proto/teleport/access_graph/v1/private_key.proto b/api/proto/teleport/access_graph/v1/private_key.proto
new file mode 100644
index 0000000000000..239c515d89044
--- /dev/null
+++ b/api/proto/teleport/access_graph/v1/private_key.proto
@@ -0,0 +1,67 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// The `PrivateKey` message represents a private key entry for a specific local user.
+// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself.
+// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode.
+// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport.
+message PrivateKey {
+ // metadata is the PrivateKey's metadata.
+ teleport.header.v1.Metadata metadata = 1;
+ // kind is a resource kind.
+ string kind = 2;
+ // sub_kind is an optional resource sub kind, used in some resources.
+ string sub_kind = 3;
+ // version is version.
+ string version = 4;
+ // Spec is a PrivateKey specification.
+ PrivateKeySpec spec = 5;
+}
+
+// PrivateKeySpec is the private key spec.
+message PrivateKeySpec {
+ // device_id is the device trust identifier of the device that owns the key.
+ string device_id = 1;
+ // public_key_fingerprint is the SHA256 of the SSH public key corresponding to
+ // the private key.
+ string public_key_fingerprint = 2;
+ // public_key_mode is the public key mode.
+ PublicKeyMode public_key_mode = 3;
+}
+
+// PublicKeyMode is the mode of the public key.
+// The public key can be derived from the private key, stored in a separate file, or the private key was password protected
+// and we could not extract the public key from it or from the file.
+enum PublicKeyMode {
+ // PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state.
+ PUBLIC_KEY_MODE_UNSPECIFIED = 0;
+ // PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key.
+ PUBLIC_KEY_MODE_DERIVED = 1;
+ // PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key.
+ // The private key is password protected and we could not extract the public key from it.
+ // This mode is used when the private key is password protected and there is a .pub file next to the private key
+ // that contains the public key.
+ PUBLIC_KEY_MODE_PUB_FILE = 2;
+ // PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it
+ // or from the .pub file.
+ PUBLIC_KEY_MODE_PROTECTED = 3;
+}
diff --git a/api/proto/teleport/access_graph/v1/secrets_service.proto b/api/proto/teleport/access_graph/v1/secrets_service.proto
new file mode 100644
index 0000000000000..7c2b3d49e6e76
--- /dev/null
+++ b/api/proto/teleport/access_graph/v1/secrets_service.proto
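Review bot: `PrivateKeySpec.device_id` is a client-supplied string and nothing in this file ties it to the device that completed the assertion ceremony on the ReportSecrets stream, so an enrolled device could report keys under another device's identifier and attribute bypass paths to the wrong laptop. I would document the binding and have the server enforce it: `// device_id is the device trust identifier of the device that owns the key. It must equal the device asserted on the stream; entries naming any other device are rejected.` The `PUBLIC_KEY_MODE_PUB_FILE` comment repeats its second and third sentences and omits the security-relevant caveat that a .pub file beside an encrypted key cannot be verified against it, so that fingerprint is an unverified claim taken from the filesystem; likewise the `PUBLIC_KEY_MODE_PROTECTED` comment should say that `public_key_fingerprint` is empty in that mode, which is implied but never stated. Whether the server currently checks device_id against the assertion is not visible in this change, so treat the first point as something to confirm against the implementation.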
@@ -0,0 +1,101 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/access_graph/v1/authorized_key.proto";
+import "teleport/access_graph/v1/private_key.proto";
+import "teleport/devicetrust/v1/assert.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
+service SecretsScannerService {
+ // ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
+ // that could be used to bypass Teleport.
+ // The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
+ rpc ReportAuthorizedKeys(stream ReportAuthorizedKeysRequest) returns (stream ReportAuthorizedKeysResponse) {}
+
+ // ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
+ // The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
+ // the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
+ //
+ // Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
+ // and then close the client side of the stream.
+ //
+ // -> ReportSecrets (client) [1 or more]
+ // -> CloseStream (client)
+ // <- TerminateStream (server)
+ //
+ // Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
+ // reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
+ rpc ReportSecrets(stream ReportSecretsRequest) returns (stream ReportSecretsResponse) {}
+}
+
+// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys
+// that could be used to bypass Teleport.
+message ReportAuthorizedKeysRequest {
+ // keys is a list of authorized keys that could be used to bypass Teleport.
+ repeated teleport.access_graph.v1.AuthorizedKey keys = 1;
+ // operation indicates the operation that the client wants to perform.
+ OperationType operation = 2;
+}
+
+// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys
+// RPC method.
+message ReportAuthorizedKeysResponse {}
+
+// ReportSecretsRequest is used by trusted devices to report secrets found on the host
+// that could be used to bypass Teleport.
+message ReportSecretsRequest {
+ oneof payload {
+ // The device should initiate the device assertion ceremony by sending the
+ // AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest]
+ // message for more details.
+ teleport.devicetrust.v1.AssertDeviceRequest device_assertion = 1;
+ // private_keys is a list of private keys that were found on the device.
+ ReportPrivateKeys private_keys = 4;
+ }
+}
+
+// ReportPrivateKeys is used by trusted devices to report private keys found on the host
+// that could be used to bypass Teleport.
+message ReportPrivateKeys {
+ // keys is a list of private keys that could be used to bypass Teleport.
+ repeated teleport.access_graph.v1.PrivateKey keys = 1;
+}
+
+// ReportSecretsResponse is the response from the ReportSecrets
+// RPC method.
+message ReportSecretsResponse {
+ oneof payload {
+ // device_assertion is the response from the device assertion ceremony.
+ // Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse]
+ // message for more details
+ teleport.devicetrust.v1.AssertDeviceResponse device_assertion = 1;
+ }
+}
+
+// OperationType is an enum that indicates the operation that the client wants to perform.
+enum OperationType {
+ // OPERATION_TYPE_UNSPECIFIED is an unknown operation.
+ OPERATION_TYPE_UNSPECIFIED = 0;
+ // OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list.
+ OPERATION_TYPE_ADD = 1;
+ // OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and
+ // the server can proceed with the analysis.
+ OPERATION_TYPE_SYNC = 2;
+}
diff --git a/buf.yaml b/buf.yaml
index 9ad6bb4013935..31fc097117d56 100644
--- a/buf.yaml
+++ b/buf.yaml
@@ -68,6 +68,7 @@ lint:
 - api/proto/teleport/devicetrust/v1/devicetrust_service.proto
 - api/proto/teleport/legacy/client/proto/joinservice.proto
 - api/proto/teleport/transport/v1/transport_service.proto
+ - api/proto/teleport/access_graph/v1/secrets_service.proto
 - proto/accessgraph/v1alpha/access_graph_service.proto
 - proto/teleport/lib/teleterm/v1/service.proto
 disallow_comment_ignores: true
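Review bot: the ReportAuthorizedKeys contract only says the node "should authenticate" with a HostCA-signed certificate and never states that the server must check each `keys[].spec.host_id` against that certificate's host identity; without that check any node can report authorized keys on behalf of any other node, so the service comment should make it explicit, e.g. `// The server rejects requests containing keys whose host_id does not match the caller's HostCA certificate identity.` `OPERATION_TYPE_SYNC` is also underspecified: it says the server "can proceed with the analysis" but not whether keys absent since the previous SYNC are removed from the graph, which decides whether a revoked authorized_keys entry keeps being flagged as a bypass path or a newly removed one stays visible. The `ReportSecretsRequest.payload` oneof jumps from field 1 to field 4; if 2 and 3 are intentionally held back, add `reserved 2, 3;` so they cannot later be reused with a different type by a client that still sends the old wire format. Server-side enforcement is not part of this change, so the first point is something to confirm against the implementation rather than a defect visible in the proto itself.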