[v16] Backport Secrets scanner #44799

tigrato · 2024-07-30T10:40:04Z

Backport #43804 to branch/v16
Backport #43890 to branch/v16
Backport #44036 to branch/v16
Backport #43462 to branch/v16
Backport #43467 to branch/v16
Backport #43468 to branch/v16
Backport #43486 to branch/v16
Backport #43543 to branch/v16
Backport #43905 to branch/v16
Backport #43906 to branch/v16
Backport #44010 to branch/v16
Backport #44011 to branch/v16
Backport #44014 to branch/v16
Backport #44016 to branch/v16
Backport #44021 to branch/v16
Backport #44032 to branch/v16
Backport #44055 to branch/v16
Backport #44081 to branch/v16
Backport #44159 to branch/v16
Backport #44324 to branch/v16
Backport #44220 to branch/v16
Backport #44523 to branch/v16
Backport #44643 to branch/v16
Backport #45109 to branch/v16

* Add the device assertion protos * Update generated protos

* Add a client-side API to assert devices * Add a godoc to authnStreamAdapter

* Define server-side device assertion interfaces * Update proto comments * Update generated protos

…43462) This PR introduces the `teleport.access_graph.v1.SecretsScannerService`that will be used by Teleport SSH nodes to report `authorized_keys` and user's laptops to report secrets found on them. The `ReportAuthorizedKeys` uses node's TLS certs signed by HostCA for authentication while `ReportSecrets` leverages the device trust credentials (requires that the device is enrolled) to report secrets without requiring valid user credentials. handle Alan's feedback

…se (#43467) This PR exposes the configuration for nodes to be aware that they should report SSH Authorized keys to Teleport. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]>

…s Graph resources (#43468) This PR extends the Access Graph resources to be able include the newly added `teleport.access_graph.v1.PrivateKey`, `teleport.access_graph.v1.AuthorizedKey` and existing device trust information `teleport.devicetrust.v1.Device`. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]>

This PR makes `generic.Service` correctly implementing `List*` functions when multiple key prefixes are defined Signed-off-by: Tiago Silva <[email protected]>

* [sec_scan][5] add secrets backend service This PR implements the backend service to support storing `authorized_keys` and `private_keys` into Teleport backend. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]> * handle feedback * handle nits --------- Signed-off-by: Tiago Silva <[email protected]>

This PR adds the ability to watch for events for `*devicepb.Device` objects. Backend storage representation of `devicepb.Device` is achieved using an internal representation that lives in `e/lib/devicetrust/storage` and whose logic is internal to the package. To be able to expose the unmarshal logic necessary for events to work, this PR exposes a registration hook that `e/lib/devicetrust/storage` function must call during initialization to register the unmarshal function. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]>

This PR introduces the ability to watch for events related to `accessgraphsecretsv1pb.AuthorizedKey` and `accessgraphsecretsv1pb.PrivateKey` objects. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]>

This PR adds the `clusterconfigpbv1.AccessGraphSettings` resource that will be used to control the secrets scanning definition of Teleport. This resource will be a singleton and the only goal is to carry some settings related to access graph because on the cloud, users don't have access to fileconf. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]>

This PR adds the boilerplate code and proto definition for `AccessGraphSettingsUpdate` audit event. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]>

This PR adds the backend service to be able to create, update and retrieve access graph configurations from Teleport backend. This PR is part of gravitational/access-graph#637.

…#44016) * [sec_scan][12] add cache and events support for `AccessGraphSettings` This PR adds the cache and events support for the new resource `AccessGraphSettings`. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]> * add tests --------- Signed-off-by: Tiago Silva <[email protected]>

This PR introduces the gRPC implementation for the CRUD operations related to `AccessGraphSettings`. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]>

* [sec_scan][14] create `AccessGraphSettings` on first auth init This PR adds a init script that sets `AccessGraphSettings` into Teleport backend when auth first inits and there is no `AccessGraphSettings`. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]> * remove iterations --------- Signed-off-by: Tiago Silva <[email protected]>

…tl` (#44055) This PR allows any cluster admin to edit `access_graph_settings` objects via `tctl`. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]>

…ns (#44081) This PR adds methods to store/retrieve functions defined by different teleport services. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]>

* [sec_scan][17] add `AssertDevice` to `FakeDeviceService` This PR introduces a `AssertDevice` logic into `FakeDeviceService` to authenticate devices during unit tests using device trust credentials. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]> * simplify assert tests * Update lib/devicetrust/assert/assert_test.go Co-authored-by: Alan Parra <[email protected]> --------- Signed-off-by: Tiago Silva <[email protected]> Co-authored-by: Alan Parra <[email protected]>

… server (#44324) * [sec_scan][20] add `ReportSecrets` forwarder to proxy's gRPC insecure server This PR implements a `ReportSecrets` forwarder from Proxy server to Auth server. The goal is to allow clients to hit the proxy insecure gRPC server (credentialless) and proxy will forward requests to the AuthServer on behalf of the client. This is required because the client doesn't have valid credentials and it wasn't possible for it to reach auth server via reversetunnel when the cluster uses `separate` mode. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]> * add comments * move dial to lib/client/proxy/insecure --------- Signed-off-by: Tiago Silva <[email protected]>

* [sec_scan][19] add `tsh scan keys` implementation This PR introduces the required code to transverse a directory(es), finding all the SSH private keys and report them back to the cluster using the device security enclave as authentication mechanism. This PR is part of gravitational/access-graph#637. Signed-off-by: Tiago Silva <[email protected]> * handle code review * fix message * handle code review * fork ssh private keys * add skip dirs support * handle code review --------- Signed-off-by: Tiago Silva <[email protected]>

* [sec_scan][22] add authorized keys reporter This PR introduces a SSH authorized keys reporter that monitors `/etc/passwd` file and all users' authorized_keys files and reports the findings back to teleport. Part of gravitational/access-graph#637 Signed-off-by: Tiago Silva <[email protected]> * handle comments * handle comments --------- Signed-off-by: Tiago Silva <[email protected]>

This PR adds ability to extract the comment and key type from AuthorizedKeys files. Signed-off-by: Tiago Silva <[email protected]>

orca-security-us

Orca Security Scan Summary

Status	Check	Issues by priority
Failed	Secrets	19 0 0 0	View in Orca