From 7b4d31b0e312bdf68137aeed8e47f0f0e4d8fe0e Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Wed, 10 Jul 2024 16:54:13 -0300
Subject: [PATCH 1/3] Define server-side device assertion interfaces
---
 lib/devicetrust/assertserver/assert.go | 50 ++++++++++++++++++++++++++
 lib/devicetrust/assertserver/doc.go | 21 +++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 lib/devicetrust/assertserver/assert.go
 create mode 100644 lib/devicetrust/assertserver/doc.go
diff --git a/lib/devicetrust/assertserver/assert.go b/lib/devicetrust/assertserver/assert.go
new file mode 100644
index 0000000000000..46047e465f3b3
--- /dev/null
+++ b/lib/devicetrust/assertserver/assert.go
@@ -0,0 +1,50 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+package assertserver
+
+import (
+ "context"
+
+ devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
+)
+
+// AssertDeviceServerStream represents a server-side device assertion stream.
+type AssertDeviceServerStream interface {
+ Send(*devicepb.AssertDeviceResponse) error
+ Recv() (*devicepb.AssertDeviceRequest, error)
+}
+
+// Ceremony is the server-side device assertion ceremony.
+//
+// Device assertion is a light form of device authentication where the user
+// isn't considered and no side-effects (like certificate issuance) happen.
+//
+// Assertion is meant to be embedded in RPCs or streams external to the
+// DeviceTrustService itself.
+//
+// Implementations are provided by e/.
+// See e/lib/devicetrustv1.Service.CreateAssertCeremony.
+type Ceremony interface {
+ // AssertDevice runs the device assertion ceremonies.
+ //
+ // Requests and responses are consumed from the stream until the device is
+ // asserted or authentication fails.
+ //
+ // As long as any device information is acquired from the stream, a non-nil
+ // device is returned, even if the ceremony itself failed.
+ AssertDevice(ctx context.Context, stream AssertDeviceServerStream) (*devicepb.Device, error)
+}
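Review bot: The AssertDevice contract on the last lines of the hunk returns a non-nil *devicepb.Device together with a non-nil error, which inverts the usual Go rule that the value is meaningless on error, yet the comment does not say what a caller may do with that device. A caller that checks the device before the error would treat an unasserted device as asserted, so the doc comment should close that gap, e.g. `// A device returned alongside a non-nil error is NOT asserted; it must only be used for logging or auditing, and any trust decision must be gated on err == nil.` It would also help to state on AssertDeviceServerStream which error Recv returns when the client ends the stream (presumably io.EOF, as with gRPC server streams), since both the e/ implementations and the RPCs embedding the ceremony depend on that behaviour.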
diff --git a/lib/devicetrust/assertserver/doc.go b/lib/devicetrust/assertserver/doc.go
new file mode 100644
index 0000000000000..eebdb97e81933
--- /dev/null
+++ b/lib/devicetrust/assertserver/doc.go
@@ -0,0 +1,21 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+// Package assertserver provides server-side assert interfaces for device trust.
+//
+// It explicitly does not depend on devicetrust/native or other client-side
+// packages. All implementations are provided by e/.
+package assertserver
From 87da809c501d440061e119c2a9423f5a56e949a8 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Wed, 10 Jul 2024 16:58:55 -0300
Subject: [PATCH 2/3] Update proto comments
---
 api/proto/teleport/devicetrust/v1/assert.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/proto/teleport/devicetrust/v1/assert.proto b/api/proto/teleport/devicetrust/v1/assert.proto
index 79b869feb046b..5841c0a5c0519 100644
--- a/api/proto/teleport/devicetrust/v1/assert.proto
+++ b/api/proto/teleport/devicetrust/v1/assert.proto
@@ -28,8 +28,8 @@ option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport
 // either streams or multi-stage RPCs. The ceremony is resolved by a co-located
 // DeviceTrustService.
 //
-// See the lib/devicetrust/assert (client) and
-// e/lib/devicetrust/devicetrustv1/assert (server) packages.
+// See the lib/devicetrust/assert (client) and lib/devicetrust/assertserver
+// (server) packages.
 //
 // Assertion ceremony flow:
 // -> AssertDeviceInit (client)
From c791d11d24fc58a91ce65a4e6273724d80f4e76c Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Wed, 10 Jul 2024 17:06:51 -0300
Subject: [PATCH 3/3] Update generated protos
---
 api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go | 4 ++--
 gen/proto/ts/teleport/devicetrust/v1/assert_pb.ts | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go
index 05362079fe3f8..ef8f88442136d 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go
@@ -41,8 +41,8 @@ const (
 // either streams or multi-stage RPCs. The ceremony is resolved by a co-located
 // DeviceTrustService.
 //
-// See the lib/devicetrust/assert (client) and
-// e/lib/devicetrust/devicetrustv1/assert (server) packages.
+// See the lib/devicetrust/assert (client) and lib/devicetrust/assertserver
+// (server) packages.
 //
 // Assertion ceremony flow:
 // -> AssertDeviceInit (client)
diff --git a/gen/proto/ts/teleport/devicetrust/v1/assert_pb.ts b/gen/proto/ts/teleport/devicetrust/v1/assert_pb.ts
index 04371b0ae930c..ef45d1cccdcdd 100644
--- a/gen/proto/ts/teleport/devicetrust/v1/assert_pb.ts
+++ b/gen/proto/ts/teleport/devicetrust/v1/assert_pb.ts
@@ -40,8 +40,8 @@ import { AuthenticateDeviceChallengeResponse } from "./authenticate_challenge_pb
  * either streams or multi-stage RPCs. The ceremony is resolved by a co-located
  * DeviceTrustService.
  *
- * See the lib/devicetrust/assert (client) and
- * e/lib/devicetrust/devicetrustv1/assert (server) packages.
+ * See the lib/devicetrust/assert (client) and lib/devicetrust/assertserver
+ * (server) packages.
  *
  * Assertion ceremony flow:
  * -> AssertDeviceInit (client)