From 832987fa181c0366f1f7f24fdf9e9f0fc7135ccb Mon Sep 17 00:00:00 2001 From: Tiago Silva Date: Tue, 25 Jun 2024 14:00:30 +0100 Subject: [PATCH] [sec_scan][2] expose `ssh_scan_enabled` in `AccessGraphConfig` response This PR exposes the configuration for nodes to be aware that they should report SSH Authorized keys to Teleport. Part of https://github.com/gravitational/access-graph/issues/637 Signed-off-by: Tiago Silva --- .../clusterconfig/v1/access_graph.pb.go | 130 ++++++++++++++---- .../clusterconfig/v1/access_graph.proto | 8 ++ 2 files changed, 115 insertions(+), 23 deletions(-) diff --git a/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go b/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go index 9b185767a5c5d..6a3ea8e7dddb5 100644 --- a/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go +++ b/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go @@ -50,6 +50,8 @@ type AccessGraphConfig struct { // insecure is a flag that indicates whether the access graph service should // skip verifying the server's certificate chain and host name. Insecure bool `protobuf:"varint,4,opt,name=insecure,proto3" json:"insecure,omitempty"` + // secrets_scan_config is used to configure the parameters for the secrets scanning functionality. + SecretsScanConfig *AccessGraphSecretsScanConfiguration `protobuf:"bytes,5,opt,name=secrets_scan_config,json=secretsScanConfig,proto3" json:"secrets_scan_config,omitempty"` } func (x *AccessGraphConfig) Reset() { 
@@ -112,6 +114,62 @@ func (x *AccessGraphConfig) GetInsecure() bool { return false } +func (x *AccessGraphConfig) GetSecretsScanConfig() *AccessGraphSecretsScanConfiguration { + if x != nil { + return x.SecretsScanConfig + } + return nil +} + +// AccessGraphSecretsScanConfiguration controls the secrets scanning service parameters. +type AccessGraphSecretsScanConfiguration struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // ssh_scan_enabled indicates if the SSH scan feature is enabled for the cluster. + SshScanEnabled bool `protobuf:"varint,1,opt,name=ssh_scan_enabled,json=sshScanEnabled,proto3" json:"ssh_scan_enabled,omitempty"` +} + +func (x *AccessGraphSecretsScanConfiguration) Reset() { + *x = AccessGraphSecretsScanConfiguration{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_clusterconfig_v1_access_graph_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *AccessGraphSecretsScanConfiguration) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AccessGraphSecretsScanConfiguration) ProtoMessage() {} + +func (x *AccessGraphSecretsScanConfiguration) ProtoReflect() protoreflect.Message { + mi := &file_teleport_clusterconfig_v1_access_graph_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AccessGraphSecretsScanConfiguration.ProtoReflect.Descriptor instead. 
+func (*AccessGraphSecretsScanConfiguration) Descriptor() ([]byte, []int) { + return file_teleport_clusterconfig_v1_access_graph_proto_rawDescGZIP(), []int{1} +} + +func (x *AccessGraphSecretsScanConfiguration) GetSshScanEnabled() bool { + if x != nil { + return x.SshScanEnabled + } + return false +} + var File_teleport_clusterconfig_v1_access_graph_proto protoreflect.FileDescriptor var file_teleport_clusterconfig_v1_access_graph_proto_rawDesc = []byte{ 
@@ -119,21 +177,33 @@ var file_teleport_clusterconfig_v1_access_graph_proto_rawDesc = []byte{ 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31, 0x22, 0x73, 0x0a, 0x11, 0x41, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x47, 0x72, 0x61, 0x70, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x18, - 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, - 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, - 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, - 0x73, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x63, 0x61, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x02, - 0x63, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x42, 0x5e, - 0x5a, 0x5c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, - 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x6c, - 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x63, - 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31, 0x22, 0xe3, 0x01, 0x0a, 0x11, 0x41, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x47, 0x72, 0x61, 0x70, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, + 0x18, 
0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, + 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, + 0x65, 0x73, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x63, 0x61, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, + 0x02, 0x63, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x12, + 0x6e, 0x0a, 0x13, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x5f, 0x73, 0x63, 0x61, 0x6e, 0x5f, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x47, + 0x72, 0x61, 0x70, 0x68, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x63, 0x61, 0x6e, 0x43, + 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x73, 0x65, + 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x63, 0x61, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, + 0x4f, 0x0a, 0x23, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x47, 0x72, 0x61, 0x70, 0x68, 0x53, 0x65, + 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x63, 0x61, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x28, 0x0a, 0x10, 0x73, 0x73, 0x68, 0x5f, 0x73, 0x63, + 0x61, 0x6e, 0x5f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x0e, 0x73, 0x73, 0x68, 0x53, 0x63, 0x61, 0x6e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, + 0x42, 0x5e, 0x5a, 0x5c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 
0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, + 0x3b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -148,16 +218,18 @@ func file_teleport_clusterconfig_v1_access_graph_proto_rawDescGZIP() []byte { return file_teleport_clusterconfig_v1_access_graph_proto_rawDescData } -var file_teleport_clusterconfig_v1_access_graph_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_clusterconfig_v1_access_graph_proto_msgTypes = make([]protoimpl.MessageInfo, 2) var file_teleport_clusterconfig_v1_access_graph_proto_goTypes = []any{ - (*AccessGraphConfig)(nil), // 0: teleport.clusterconfig.v1.AccessGraphConfig + (*AccessGraphConfig)(nil), // 0: teleport.clusterconfig.v1.AccessGraphConfig + (*AccessGraphSecretsScanConfiguration)(nil), // 1: teleport.clusterconfig.v1.AccessGraphSecretsScanConfiguration } var file_teleport_clusterconfig_v1_access_graph_proto_depIdxs = []int32{ - 0, // [0:0] is the sub-list for method output_type - 0, // [0:0] is the sub-list for method input_type - 0, // [0:0] is the sub-list for extension type_name - 0, // [0:0] is the sub-list for extension extendee - 0, // [0:0] is the sub-list for field type_name + 1, // 0: teleport.clusterconfig.v1.AccessGraphConfig.secrets_scan_config:type_name -> teleport.clusterconfig.v1.AccessGraphSecretsScanConfiguration + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name } func init() { file_teleport_clusterconfig_v1_access_graph_proto_init() } 
@@ -178,6 +250,18 @@ func file_teleport_clusterconfig_v1_access_graph_proto_init() { return nil } } + file_teleport_clusterconfig_v1_access_graph_proto_msgTypes[1].Exporter = func(v any, i int) any { + switch v := v.(*AccessGraphSecretsScanConfiguration); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -185,7 +269,7 @@ func file_teleport_clusterconfig_v1_access_graph_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_clusterconfig_v1_access_graph_proto_rawDesc, NumEnums: 0, - NumMessages: 1, + NumMessages: 2, NumExtensions: 0, NumServices: 0, }, diff --git a/api/proto/teleport/clusterconfig/v1/access_graph.proto b/api/proto/teleport/clusterconfig/v1/access_graph.proto index 525f88d030bac..147aa9261a07b 100644 --- a/api/proto/teleport/clusterconfig/v1/access_graph.proto +++ b/api/proto/teleport/clusterconfig/v1/access_graph.proto @@ -30,4 +30,12 @@ message AccessGraphConfig { // insecure is a flag that indicates whether the access graph service should // skip verifying the server's certificate chain and host name. bool insecure = 4; + // secrets_scan_config is used to configure the parameters for the secrets scanning functionality. + AccessGraphSecretsScanConfiguration secrets_scan_config = 5; +} + +// AccessGraphSecretsScanConfiguration controls the secrets scanning service parameters. +message AccessGraphSecretsScanConfiguration { + // ssh_scan_enabled indicates if the SSH scan feature is enabled for the cluster. + bool ssh_scan_enabled = 1; }
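Review bot: The comment on `ssh_scan_enabled` in the access_graph.proto hunk says only that "the SSH scan feature is enabled", but per the commit description the flag is what tells nodes to collect and report their SSH authorized keys to Teleport, and that is what an operator reading the schema needs to know before switching it on; suggest `// ssh_scan_enabled indicates whether nodes should scan their SSH authorized keys and report them to Teleport.`. The unset semantics of `secrets_scan_config` are also worth stating on the field: in proto3 an absent message field is nil, and the generated getters in the .pb.go hunks (`GetSecretsScanConfig` returns nil, `GetSshScanEnabled` returns false on a nil receiver) mean a control plane that omits the field yields `ssh_scan_enabled == false`, so a line such as `// When unset, secrets scanning is treated as disabled.` would make that contract explicit, assuming that is the intended behaviour. Whether the scan is additionally gated by the top-level `enabled` flag of `AccessGraphConfig` is not visible here, and the comment on `secrets_scan_config` should say so either way.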