Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[sec_scan][15] add support for edits to AccessGraphSettings via tctl #44055

Merged
merged 1 commit into from
Jul 23, 2024

Conversation

tigrato
Copy link
Contributor

@tigrato tigrato commented Jul 11, 2024

This PR allows any cluster admin to edit access_graph_settings objects via tctl.

This PR is part of https://github.com/gravitational/access-graph/issues/637.

@tigrato tigrato added backport/branch/v14 no-changelog Indicates that a PR does not require a changelog entry backport/branch/v15 backport/branch/v16 labels Jul 11, 2024
@github-actions github-actions bot requested review from fheinecke and r0mant July 11, 2024 10:08
@github-actions github-actions bot added size/md tctl tctl - Teleport admin tool labels Jul 11, 2024
@tigrato tigrato force-pushed the tigrato/ssh-keys-impl8-8 branch from 6a75b06 to 934a0f0 Compare July 11, 2024 13:48
@tigrato tigrato force-pushed the tigrato/ssh-keys-impl8-9 branch from abcdf91 to 42abee3 Compare July 11, 2024 13:49
@tigrato tigrato force-pushed the tigrato/ssh-keys-impl8-8 branch from 934a0f0 to be5996c Compare July 12, 2024 20:33
@tigrato tigrato force-pushed the tigrato/ssh-keys-impl8-9 branch from 42abee3 to dce9fc0 Compare July 12, 2024 20:33
@tigrato tigrato force-pushed the tigrato/ssh-keys-impl8-8 branch from be5996c to 84114e8 Compare July 19, 2024 11:28
This PR allows any cluster admin to edit `access_graph_settings` objects via `tctl`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
@tigrato tigrato changed the base branch from tigrato/ssh-keys-impl8-8 to master July 19, 2024 11:36
@tigrato tigrato force-pushed the tigrato/ssh-keys-impl8-9 branch from dce9fc0 to 674e7e3 Compare July 19, 2024 11:36
@tigrato
Copy link
Contributor Author

tigrato commented Jul 19, 2024

Friendly ping @r0mant @fheinecke

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from fheinecke July 23, 2024 08:34
@tigrato tigrato added this pull request to the merge queue Jul 23, 2024
Merged via the queue into master with commit b435ed7 Jul 23, 2024
39 checks passed
@tigrato tigrato deleted the tigrato/ssh-keys-impl8-9 branch July 23, 2024 09:00
@public-teleport-github-review-bot

@tigrato See the table below for backport results.

Branch Result
branch/v14 Failed
branch/v15 Failed
branch/v16 Failed

tigrato added a commit that referenced this pull request Jul 30, 2024
…tl` (#44055)

This PR allows any cluster admin to edit `access_graph_settings` objects via `tctl`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato added a commit that referenced this pull request Jul 30, 2024
…tl` (#44055)

This PR allows any cluster admin to edit `access_graph_settings` objects via `tctl`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue bot pushed a commit that referenced this pull request Aug 13, 2024
* Add the device assertion protos (#43804)

* Add the device assertion protos

* Update generated protos

* Add a client-side API to assert devices (#43890)

* Add a client-side API to assert devices

* Add a godoc to authnStreamAdapter

* Define server-side device assertion interfaces (#44036)

* Define server-side device assertion interfaces

* Update proto comments

* Update generated protos

* [sec_scan][1] Add `teleport.access_graph.v1.SecretsScannerService` (#43462)

This PR introduces the `teleport.access_graph.v1.SecretsScannerService`that will be used by Teleport SSH nodes to report `authorized_keys` and user's laptops to report secrets found on them.

The `ReportAuthorizedKeys` uses node's TLS certs signed by HostCA for authentication while `ReportSecrets` leverages the device trust credentials (requires that the device is enrolled) to report secrets without requiring valid user credentials.

handle Alan's feedback

* [sec_scan][2] expose `ssh_scan_enabled` in `AccessGraphConfig` response (#43467)

This PR exposes the configuration for nodes to be aware that they should report SSH Authorized keys to Teleport.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][3] add `PrivateKey`, `AuthorizedKey` and `Device` to Access Graph resources (#43468)

This PR extends the Access Graph resources to be able include the newly added `teleport.access_graph.v1.PrivateKey`,
`teleport.access_graph.v1.AuthorizedKey` and existing device trust information `teleport.devicetrust.v1.Device`.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* fix: fix `nextKey` values when using multiple prefixes (#43486)

This PR makes `generic.Service` correctly implementing `List*` functions when multiple key prefixes are defined

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][5] add secrets backend service (#43543)

* [sec_scan][5] add secrets backend service

This PR implements the backend service to support storing `authorized_keys` and `private_keys` into Teleport backend.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle feedback

* handle nits

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][6] add device events (#43905)

This PR adds the ability to watch for events for `*devicepb.Device` objects.

Backend storage representation of  `devicepb.Device` is achieved using an internal representation that lives in `e/lib/devicetrust/storage` and whose logic is internal to the package.

To be able to expose the unmarshal logic necessary for events to work, this PR exposes a registration hook that `e/lib/devicetrust/storage` function must call during initialization to register the unmarshal function.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][7] add authorizedKeys and privateKeys events support (#43906)

This PR introduces the ability to watch for events related to `accessgraphsecretsv1pb.AuthorizedKey` and
`accessgraphsecretsv1pb.PrivateKey` objects.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][9] add `access_graph_settings` protobuf (#44010)

This PR adds the `clusterconfigpbv1.AccessGraphSettings` resource that will be used to control the secrets scanning definition of Teleport.

This resource will be a singleton and the only goal is to carry some settings related to access graph because on the cloud, users don't have access to fileconf.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][10] add `AccessGraphSettingsUpdate` audit event (#44011)

This PR adds the boilerplate code and proto definition for `AccessGraphSettingsUpdate` audit event.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][11] add `AccessGraphSettings` backend service (#44014)

This PR adds the backend service to be able to create, update and retrieve access graph configurations from Teleport backend.

This PR is part of gravitational/access-graph#637.

* [sec_scan][12] add cache and events support for `AccessGraphSettings` (#44016)

* [sec_scan][12] add cache and events support for `AccessGraphSettings`

This PR adds the cache and events support for the new resource `AccessGraphSettings`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* add tests

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][13] add `AccessGraphSettings` gRPC implementation (#44021)

This PR introduces the gRPC implementation for the CRUD operations related to `AccessGraphSettings`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][14] create `AccessGraphSettings` on first auth init (#44032)

* [sec_scan][14] create `AccessGraphSettings` on first auth init

This PR adds a init script that sets `AccessGraphSettings` into Teleport backend when auth first inits and there is no `AccessGraphSettings`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* remove iterations

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][15] add support for edits to `AccessGraphSettings` via `tctl` (#44055)

This PR allows any cluster admin to edit `access_graph_settings` objects via `tctl`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][16] add methods to store/retrieve device assertion functions (#44081)

This PR adds methods to store/retrieve functions defined by different teleport services.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][17] add `AssertDevice` to `FakeDeviceService` (#44159)

* [sec_scan][17] add `AssertDevice` to `FakeDeviceService`

This PR introduces a `AssertDevice` logic into `FakeDeviceService` to authenticate devices during unit tests using device trust credentials.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* simplify assert tests

* Update lib/devicetrust/assert/assert_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* [sec_scan][20] add `ReportSecrets` forwarder to proxy's gRPC insecure server (#44324)

* [sec_scan][20] add `ReportSecrets` forwarder to proxy's gRPC insecure server

This PR implements a `ReportSecrets` forwarder from Proxy server to Auth server.
The goal is to allow clients to hit the proxy insecure gRPC server (credentialless)
and proxy will forward requests to the AuthServer on behalf of the client. This is required
because the client doesn't have valid credentials and it wasn't possible for it to reach auth server
via reversetunnel when the cluster uses `separate` mode.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* add comments

* move dial to lib/client/proxy/insecure

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][19] add `tsh scan keys` implementation (#44220)

* [sec_scan][19] add `tsh scan keys` implementation

This PR introduces the required code to transverse a directory(es), finding all the SSH private keys and report them back to the cluster using the device security enclave as authentication mechanism.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle code review

* fix message

* handle code review

* fork ssh private keys

* add skip dirs support

* handle code review

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][22] add authorized keys reporter (#44523)

* [sec_scan][22] add authorized keys reporter

This PR introduces a SSH authorized keys reporter that monitors `/etc/passwd` file and all users' authorized_keys files and reports the findings back to teleport.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle comments

* handle comments

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][24] extract AuthorizedKey's comment and type (#44643)

This PR adds ability to extract the comment and key type from AuthorizedKeys files.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* fix api module

* [sec_scan][27] add support for LDAP users and macOS (#45109)

* [sec_scan][27] add support for LDAP users and macOS

This PR extends support for authorized keys report for users managed by LDAP system and macOS targets.

It leverages `getpwent` to read the system database files and retrieve the user properties.
It doesn't use the `getpwent_r` because it's not available in macOS and because it's not (yet) standerdized

>   PLEASE NOTE: the `getpwent_r' function is not (yet) standardized.
>   The interface may change in later versions of this library.  But
>   the interface is designed following the principals used for the
>   other reentrant functions so the chances are good this is what the
>   POSIX people would choose.

Part of gravitational/access-graph#637

* handle comments

* handle comments 2

* add comment

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
github-merge-queue bot pushed a commit that referenced this pull request Aug 13, 2024
* Add the device assertion protos (#43804)

* Add the device assertion protos

* Update generated protos

* Add a client-side API to assert devices (#43890)

* Add a client-side API to assert devices

* Add a godoc to authnStreamAdapter

* Define server-side device assertion interfaces (#44036)

* Define server-side device assertion interfaces

* Update proto comments

* Update generated protos

* [sec_scan][1] Add `teleport.access_graph.v1.SecretsScannerService` (#43462)

This PR introduces the `teleport.access_graph.v1.SecretsScannerService`that will be used by Teleport SSH nodes to report `authorized_keys` and user's laptops to report secrets found on them.

The `ReportAuthorizedKeys` uses node's TLS certs signed by HostCA for authentication while `ReportSecrets` leverages the device trust credentials (requires that the device is enrolled) to report secrets without requiring valid user credentials.

handle Alan's feedback

* [sec_scan][2] expose `ssh_scan_enabled` in `AccessGraphConfig` response (#43467)

This PR exposes the configuration for nodes to be aware that they should report SSH Authorized keys to Teleport.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][3] add `PrivateKey`, `AuthorizedKey` and `Device` to Access Graph resources (#43468)

This PR extends the Access Graph resources to be able include the newly added `teleport.access_graph.v1.PrivateKey`,
`teleport.access_graph.v1.AuthorizedKey` and existing device trust information `teleport.devicetrust.v1.Device`.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* fix: fix `nextKey` values when using multiple prefixes (#43486)

This PR makes `generic.Service` correctly implementing `List*` functions when multiple key prefixes are defined

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][5] add secrets backend service (#43543)

* [sec_scan][5] add secrets backend service

This PR implements the backend service to support storing `authorized_keys` and `private_keys` into Teleport backend.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle feedback

* handle nits

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][6] add device events (#43905)

This PR adds the ability to watch for events for `*devicepb.Device` objects.

Backend storage representation of  `devicepb.Device` is achieved using an internal representation that lives in `e/lib/devicetrust/storage` and whose logic is internal to the package.

To be able to expose the unmarshal logic necessary for events to work, this PR exposes a registration hook that `e/lib/devicetrust/storage` function must call during initialization to register the unmarshal function.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][7] add authorizedKeys and privateKeys events support (#43906)

This PR introduces the ability to watch for events related to `accessgraphsecretsv1pb.AuthorizedKey` and
`accessgraphsecretsv1pb.PrivateKey` objects.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][9] add `access_graph_settings` protobuf (#44010)

This PR adds the `clusterconfigpbv1.AccessGraphSettings` resource that will be used to control the secrets scanning definition of Teleport.

This resource will be a singleton and the only goal is to carry some settings related to access graph because on the cloud, users don't have access to fileconf.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][10] add `AccessGraphSettingsUpdate` audit event (#44011)

This PR adds the boilerplate code and proto definition for `AccessGraphSettingsUpdate` audit event.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][11] add `AccessGraphSettings` backend service (#44014)

This PR adds the backend service to be able to create, update and retrieve access graph configurations from Teleport backend.

This PR is part of gravitational/access-graph#637.

* [sec_scan][12] add cache and events support for `AccessGraphSettings` (#44016)

* [sec_scan][12] add cache and events support for `AccessGraphSettings`

This PR adds the cache and events support for the new resource `AccessGraphSettings`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* add tests

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][13] add `AccessGraphSettings` gRPC implementation (#44021)

This PR introduces the gRPC implementation for the CRUD operations related to `AccessGraphSettings`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][14] create `AccessGraphSettings` on first auth init (#44032)

* [sec_scan][14] create `AccessGraphSettings` on first auth init

This PR adds a init script that sets `AccessGraphSettings` into Teleport backend when auth first inits and there is no `AccessGraphSettings`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* remove iterations

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][15] add support for edits to `AccessGraphSettings` via `tctl` (#44055)

This PR allows any cluster admin to edit `access_graph_settings` objects via `tctl`.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][16] add methods to store/retrieve device assertion functions (#44081)

This PR adds methods to store/retrieve functions defined by different teleport services.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][17] add `AssertDevice` to `FakeDeviceService` (#44159)

* [sec_scan][17] add `AssertDevice` to `FakeDeviceService`

This PR introduces a `AssertDevice` logic into `FakeDeviceService` to authenticate devices during unit tests using device trust credentials.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* simplify assert tests

* Update lib/devicetrust/assert/assert_test.go

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* [sec_scan][20] add `ReportSecrets` forwarder to proxy's gRPC insecure server (#44324)

* [sec_scan][20] add `ReportSecrets` forwarder to proxy's gRPC insecure server

This PR implements a `ReportSecrets` forwarder from Proxy server to Auth server.
The goal is to allow clients to hit the proxy insecure gRPC server (credentialless)
and proxy will forward requests to the AuthServer on behalf of the client. This is required
because the client doesn't have valid credentials and it wasn't possible for it to reach auth server
via reversetunnel when the cluster uses `separate` mode.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* add comments

* move dial to lib/client/proxy/insecure

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][19] add `tsh scan keys` implementation (#44220)

* [sec_scan][19] add `tsh scan keys` implementation

This PR introduces the required code to transverse a directory(es), finding all the SSH private keys and report them back to the cluster using the device security enclave as authentication mechanism.

This PR is part of gravitational/access-graph#637.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle code review

* fix message

* handle code review

* fork ssh private keys

* add skip dirs support

* handle code review

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][22] add authorized keys reporter (#44523)

* [sec_scan][22] add authorized keys reporter

This PR introduces a SSH authorized keys reporter that monitors `/etc/passwd` file and all users' authorized_keys files and reports the findings back to teleport.

Part of gravitational/access-graph#637

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* handle comments

* handle comments

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* [sec_scan][24] extract AuthorizedKey's comment and type (#44643)

This PR adds ability to extract the comment and key type from AuthorizedKeys files.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* update gomod

* [sec_scan][27] add support for LDAP users and macOS (#45109)

* [sec_scan][27] add support for LDAP users and macOS

This PR extends support for authorized keys report for users managed by LDAP system and macOS targets.

It leverages `getpwent` to read the system database files and retrieve the user properties.
It doesn't use the `getpwent_r` because it's not available in macOS and because it's not (yet) standerdized

>   PLEASE NOTE: the `getpwent_r' function is not (yet) standardized.
>   The interface may change in later versions of this library.  But
>   the interface is designed following the principals used for the
>   other reentrant functions so the chances are good this is what the
>   POSIX people would choose.

Part of gravitational/access-graph#637

* handle comments

* handle comments 2

* add comment

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/branch/v14 backport/branch/v15 backport/branch/v16 no-changelog Indicates that a PR does not require a changelog entry size/md tctl tctl - Teleport admin tool
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants