gravitational · espadolini · Jan 31, 2022 · Jan 12, 2022 · Jan 12, 2022 · Jan 24, 2022
diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/api/types/events/events.proto b/api/types/events/events.proto
@@ -49,6 +49,9 @@ message UserMetadata {
 
     // Impersonator is a user acting on behalf of another user
     string Impersonator = 3 [ (gogoproto.jsontag) = "impersonator,omitempty" ];
+
+    // AccessRequests are the IDs of access requests created by the user
+    repeated string AccessRequests = 5 [ (gogoproto.jsontag) = "access_requests,omitempty" ];
 }
 
 // Server is a server metadata
@@ -152,8 +155,10 @@ message SessionStart {
     // SessionRecording is the type of session recording.
     string SessionRecording = 10 [ (gogoproto.jsontag) = "session_recording,omitempty" ];
 
-    // AccessRequests are the IDs of access requests created by the user
-    repeated string AccessRequests = 11 [ (gogoproto.jsontag) = "access_requests,omitempty" ];
+    // AccessRequests used to be here, it is now part of UserMetadata
+    reserved "AccessRequests";
+    reserved 11;
+    // reserved jsontag "access_requests"
 }
 
 // SessionJoin emitted when another user joins a session

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -1201,18 +1201,15 @@ func (a *Server) GenerateToken(ctx context.Context, req GenerateTokenRequest) (s
 		return "", trace.Wrap(err)
 	}
 
-	user := ClientUsername(ctx)
+	userMetadata := ClientUserMetadata(ctx)
 	for _, role := range req.Roles {
 		if role == teleport.RoleTrustedCluster {
 			if err := a.emitter.EmitAuditEvent(ctx, &events.TrustedClusterTokenCreate{
 				Metadata: events.Metadata{
 					Type: events.TrustedClusterTokenCreateEvent,
 					Code: events.TrustedClusterTokenCreateCode,
 				},
-				UserMetadata: events.UserMetadata{
-					User:         user,
-					Impersonator: ClientImpersonator(ctx),
-				},
+				UserMetadata: userMetadata,
 			}); err != nil {
 				log.WithError(err).Warn("Failed to emit trusted cluster token create event.")
 			}
@@ -1810,9 +1807,7 @@ func (a *Server) upsertRole(ctx context.Context, role services.Role) error {
 			Type: events.RoleCreatedEvent,
 			Code: events.RoleCreatedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User: ClientUsername(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: role.GetName(),
 		},
@@ -1860,10 +1855,7 @@ func (a *Server) CreateAccessRequest(ctx context.Context, req services.AccessReq
 			Type: events.AccessRequestCreateEvent,
 			Code: events.AccessRequestCreateCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         req.GetUser(),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadataWithUser(ctx, req.GetUser()),
 		ResourceMetadata: events.ResourceMetadata{
 			Expires: req.GetAccessExpiry(),
 		},
@@ -1887,11 +1879,8 @@ func (a *Server) DeleteAccessRequest(ctx context.Context, name string) error {
 			Type: events.AccessRequestDeleteEvent,
 			Code: events.AccessRequestDeleteCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
-		RequestID: name,
+		UserMetadata: ClientUserMetadata(ctx),
+		RequestID:    name,
 	}); err != nil {
 		log.WithError(err).Warn("Failed to emit access request delete event.")
 	}

diff --git a/lib/auth/github.go b/lib/auth/github.go
@@ -72,10 +72,7 @@ func (a *Server) upsertGithubConnector(ctx context.Context, connector services.G
 			Type: events.GithubConnectorCreatedEvent,
 			Code: events.GithubConnectorCreatedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: connector.GetName(),
 		},
@@ -97,10 +94,7 @@ func (a *Server) deleteGithubConnector(ctx context.Context, connectorName string
 			Type: events.GithubConnectorDeletedEvent,
 			Code: events.GithubConnectorDeletedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: connectorName,
 		},

diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go
@@ -1572,9 +1572,7 @@ func (g *GRPCServer) AddMFADevice(stream proto.AuthService_AddMFADeviceServer) e
 			Code:        events.MFADeviceAddEventCode,
 			ClusterName: clusterName.GetClusterName(),
 		},
-		UserMetadata: apievents.UserMetadata{
-			User: actx.Identity.GetIdentity().Username,
-		},
+		UserMetadata:      actx.Identity.GetIdentity().GetUserMetadata(),
 		MFADeviceMetadata: mfaDeviceEventMetadata(dev),
 	}); err != nil {
 		return trail.ToGRPC(err)
@@ -1857,9 +1855,7 @@ func (g *GRPCServer) DeleteMFADevice(stream proto.AuthService_DeleteMFADeviceSer
 				Code:        events.MFADeviceDeleteEventCode,
 				ClusterName: clusterName.GetClusterName(),
 			},
-			UserMetadata: apievents.UserMetadata{
-				User: actx.Identity.GetIdentity().Username,
-			},
+			UserMetadata:      actx.Identity.GetIdentity().GetUserMetadata(),
 			MFADeviceMetadata: mfaDeviceEventMetadata(d),
 		}); err != nil {
 			return trail.ToGRPC(err)

diff --git a/lib/auth/oidc.go b/lib/auth/oidc.go
@@ -136,10 +136,7 @@ func (a *Server) UpsertOIDCConnector(ctx context.Context, connector services.OID
 			Type: events.OIDCConnectorCreatedEvent,
 			Code: events.OIDCConnectorCreatedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: connector.GetName(),
 		},
@@ -160,10 +157,7 @@ func (a *Server) DeleteOIDCConnector(ctx context.Context, connectorName string)
 			Type: events.OIDCConnectorDeletedEvent,
 			Code: events.OIDCConnectorDeletedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: connectorName,
 		},

diff --git a/lib/auth/permissions.go b/lib/auth/permissions.go
@@ -24,6 +24,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
+	apievents "github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/types/wrappers"
 	"github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/services"
@@ -662,6 +663,41 @@ func ClientImpersonator(ctx context.Context) string {
 	return identity.Impersonator
 }
 
+// ClientUserMetadata returns a UserMetadata suitable for events caused by a
+// remote client making a call. If ctx didn't pass through auth middleware or
+// did not come from an HTTP request, metadata for teleport.UserSystem is
+// returned.
+func ClientUserMetadata(ctx context.Context) apievents.UserMetadata {
+	userI := ctx.Value(ContextUser)
+	userWithIdentity, ok := userI.(IdentityGetter)
+	if !ok {
+		return apievents.UserMetadata{
+			User: teleport.UserSystem,
+		}
+	}
+	meta := userWithIdentity.GetIdentity().GetUserMetadata()
+	if meta.User == "" {
+		meta.User = teleport.UserSystem
+	}
+	return meta
+}
+
+// ClientUserMetadataWithUser returns a UserMetadata suitable for events caused
+// by a remote client making a call, with the specified username overriding the one
+// from the remote client.
+func ClientUserMetadataWithUser(ctx context.Context, user string) apievents.UserMetadata {
+	userI := ctx.Value(ContextUser)
+	userWithIdentity, ok := userI.(IdentityGetter)
+	if !ok {
+		return apievents.UserMetadata{
+			User: user,
+		}
+	}
+	meta := userWithIdentity.GetIdentity().GetUserMetadata()
+	meta.User = user
+	return meta
+}
+
 // LocalUser is a local user
 type LocalUser struct {
 	// Username is local username

diff --git a/lib/auth/resetpasswordtoken.go b/lib/auth/resetpasswordtoken.go
@@ -137,10 +137,7 @@ func (s *Server) CreateResetPasswordToken(ctx context.Context, req CreateResetPa
 			Type: events.ResetPasswordTokenCreateEvent,
 			Code: events.ResetPasswordTokenCreateCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name:    req.Name,
 			TTL:     req.TTL.String(),

diff --git a/lib/auth/saml.go b/lib/auth/saml.go
@@ -46,10 +46,7 @@ func (a *Server) UpsertSAMLConnector(ctx context.Context, connector services.SAM
 			Type: events.SAMLConnectorCreatedEvent,
 			Code: events.SAMLConnectorCreatedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: connector.GetName(),
 		},
@@ -70,10 +67,7 @@ func (a *Server) DeleteSAMLConnector(ctx context.Context, connectorName string)
 			Type: events.SAMLConnectorDeletedEvent,
 			Code: events.SAMLConnectorDeletedCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: connectorName,
 		},

diff --git a/lib/auth/trustedcluster.go b/lib/auth/trustedcluster.go
@@ -146,10 +146,7 @@ func (a *Server) UpsertTrustedCluster(ctx context.Context, trustedCluster servic
 			Type: events.TrustedClusterCreateEvent,
 			Code: events.TrustedClusterCreateCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: trustedCluster.GetName(),
 		},
@@ -220,10 +217,7 @@ func (a *Server) DeleteTrustedCluster(ctx context.Context, name string) error {
 			Type: events.TrustedClusterDeleteEvent,
 			Code: events.TrustedClusterDeleteCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: name,
 		},

diff --git a/lib/auth/user.go b/lib/auth/user.go
@@ -61,10 +61,7 @@ func (s *Server) CreateUser(ctx context.Context, user services.User) error {
 			Type: events.UserCreateEvent,
 			Code: events.UserCreateCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         user.GetCreatedBy().User.Name,
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadataWithUser(ctx, user.GetCreatedBy().User.Name),
 		ResourceMetadata: events.ResourceMetadata{
 			Name:    user.GetName(),
 			Expires: user.Expiry(),
@@ -96,10 +93,7 @@ func (s *Server) UpdateUser(ctx context.Context, user services.User) error {
 			Type: events.UserUpdatedEvent,
 			Code: events.UserUpdateCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name:    user.GetName(),
 			Expires: user.Expiry(),
@@ -174,10 +168,7 @@ func (s *Server) DeleteUser(ctx context.Context, user string) error {
 			Type: events.UserDeleteEvent,
 			Code: events.UserDeleteCode,
 		},
-		UserMetadata: events.UserMetadata{
-			User:         ClientUsername(ctx),
-			Impersonator: ClientImpersonator(ctx),
-		},
+		UserMetadata: ClientUserMetadata(ctx),
 		ResourceMetadata: events.ResourceMetadata{
 			Name: user,
 		},