[sec_scan][1] Add teleport.access_graph.v1.SecretsScannerService
(#43462)
This PR introduces the `teleport.access_graph.v1.SecretsScannerService` that will be used by Teleport SSH nodes to report `authorized_keys` and by users' laptops to report secrets found on them. `ReportAuthorizedKeys` uses the node's TLS certs signed by the HostCA for authentication, while `ReportSecrets` leverages the device trust credentials (requires that the device is enrolled) to report secrets without requiring valid user credentials. handle Alan's feedback
This commit is contained in:
parent
0040ee3f36
commit
8456e312fd
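--- a/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go
+++ b/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go
@@ -0,0 +1,307 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// protoc-gen-go v1.34.2
+// protoc (unknown)
+// source: teleport/access_graph/v1/authorized_key.proto
+
+package accessgraphv1
+
+import (
+	v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// The `AuthorizedKey` message represents an authorized key entry for a specific local user.
+// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node.
+type AuthorizedKey struct {
+	state protoimpl.MessageState
+	sizeCache protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// metadata is the AuthorizedKey's metadata.
+	Metadata *v1.Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"`
+	// kind is a resource kind.
+	Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"`
+	// sub_kind is an optional resource sub kind, used in some resources.
+	SubKind string `protobuf:"bytes,3,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"`
+	// version is version.
+	Version string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"`
+	// Spec is an AuthorizedKey specification.
+	Spec *AuthorizedKeySpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"`
+}
+
+func (x *AuthorizedKey) Reset() {
+	*x = AuthorizedKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AuthorizedKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AuthorizedKey) ProtoMessage() {}
+
+func (x *AuthorizedKey) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AuthorizedKey.ProtoReflect.Descriptor instead.
+func (*AuthorizedKey) Descriptor() ([]byte, []int) {
+	return file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *AuthorizedKey) GetMetadata() *v1.Metadata {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
+func (x *AuthorizedKey) GetKind() string {
+	if x != nil {
+		return x.Kind
+	}
+	return ""
+}
+
+func (x *AuthorizedKey) GetSubKind() string {
+	if x != nil {
+		return x.SubKind
+	}
+	return ""
+}
+
+func (x *AuthorizedKey) GetVersion() string {
+	if x != nil {
+		return x.Version
+	}
+	return ""
+}
+
+func (x *AuthorizedKey) GetSpec() *AuthorizedKeySpec {
+	if x != nil {
+		return x.Spec
+	}
+	return nil
+}
+
+// AuthorizedKeySpec is the authorized key spec.
+type AuthorizedKeySpec struct {
+	state protoimpl.MessageState
+	sizeCache protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// host_id is the node identifier and must match the credentials used.
+	HostId string `protobuf:"bytes,1,opt,name=host_id,json=hostId,proto3" json:"host_id,omitempty"`
+	// key_fingerprint is the SHA256 SSH public key fingerprint.
+	KeyFingerprint string `protobuf:"bytes,2,opt,name=key_fingerprint,json=keyFingerprint,proto3" json:"key_fingerprint,omitempty"`
+	// host_user is the user who can be accessed using the fingerprint above.
+	HostUser string `protobuf:"bytes,3,opt,name=host_user,json=hostUser,proto3" json:"host_user,omitempty"`
+}
+
+func (x *AuthorizedKeySpec) Reset() {
+	*x = AuthorizedKeySpec{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *AuthorizedKeySpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AuthorizedKeySpec) ProtoMessage() {}
+
+func (x *AuthorizedKeySpec) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AuthorizedKeySpec.ProtoReflect.Descriptor instead.
+func (*AuthorizedKeySpec) Descriptor() ([]byte, []int) {
+	return file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *AuthorizedKeySpec) GetHostId() string {
+	if x != nil {
+		return x.HostId
+	}
+	return ""
+}
+
+func (x *AuthorizedKeySpec) GetKeyFingerprint() string {
+	if x != nil {
+		return x.KeyFingerprint
+	}
+	return ""
+}
+
+func (x *AuthorizedKeySpec) GetHostUser() string {
+	if x != nil {
+		return x.HostUser
+	}
+	return ""
+}
+
+var File_teleport_access_graph_v1_authorized_key_proto protoreflect.FileDescriptor
+
+var file_teleport_access_graph_v1_authorized_key_proto_rawDesc = []byte{
+	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
+	0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
+	0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73,
+	0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70,
+	0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65,
+	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd3, 0x01, 0x0a,
+	0x0d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x38,
+	0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x1c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08,
+	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08,
+	0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
+	0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69,
+	0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f,
+	0x6e, 0x12, 0x3f, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73,
+	0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70,
+	0x65, 0x63, 0x22, 0x72, 0x0a, 0x11, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
+	0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f,
+	0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64,
+	0x12, 0x27, 0x0a, 0x0f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72,
+	0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6b, 0x65, 0x79, 0x46, 0x69,
+	0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x68, 0x6f, 0x73,
+	0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f,
+	0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70,
+	0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68,
+	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce sync.Once
+	file_teleport_access_graph_v1_authorized_key_proto_rawDescData = file_teleport_access_graph_v1_authorized_key_proto_rawDesc
+)
+
+func file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP() []byte {
+	file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce.Do(func() {
+		file_teleport_access_graph_v1_authorized_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_authorized_key_proto_rawDescData)
+	})
+	return file_teleport_access_graph_v1_authorized_key_proto_rawDescData
+}
+
+var file_teleport_access_graph_v1_authorized_key_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_teleport_access_graph_v1_authorized_key_proto_goTypes = []any{
+	(*AuthorizedKey)(nil), // 0: teleport.access_graph.v1.AuthorizedKey
+	(*AuthorizedKeySpec)(nil), // 1: teleport.access_graph.v1.AuthorizedKeySpec
+	(*v1.Metadata)(nil), // 2: teleport.header.v1.Metadata
+}
+var file_teleport_access_graph_v1_authorized_key_proto_depIdxs = []int32{
+	2, // 0: teleport.access_graph.v1.AuthorizedKey.metadata:type_name -> teleport.header.v1.Metadata
+	1, // 1: teleport.access_graph.v1.AuthorizedKey.spec:type_name -> teleport.access_graph.v1.AuthorizedKeySpec
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_teleport_access_graph_v1_authorized_key_proto_init() }
+func file_teleport_access_graph_v1_authorized_key_proto_init() {
+	if File_teleport_access_graph_v1_authorized_key_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0].Exporter = func(v any, i int) any {
+			switch v := v.(*AuthorizedKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1].Exporter = func(v any, i int) any {
+			switch v := v.(*AuthorizedKeySpec); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_teleport_access_graph_v1_authorized_key_proto_rawDesc,
+			NumEnums: 0,
+			NumMessages: 2,
+			NumExtensions: 0,
+			NumServices: 0,
+		},
+		GoTypes: file_teleport_access_graph_v1_authorized_key_proto_goTypes,
+		DependencyIndexes: file_teleport_access_graph_v1_authorized_key_proto_depIdxs,
+		MessageInfos: file_teleport_access_graph_v1_authorized_key_proto_msgTypes,
+	}.Build()
+	File_teleport_access_graph_v1_authorized_key_proto = out.File
+	file_teleport_access_graph_v1_authorized_key_proto_rawDesc = nil
+	file_teleport_access_graph_v1_authorized_key_proto_goTypes = nil
+	file_teleport_access_graph_v1_authorized_key_proto_depIdxs = nil
+}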
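--- a/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go
+++ b/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go
@@ -0,0 +1,390 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// protoc-gen-go v1.34.2
+// protoc (unknown)
+// source: teleport/access_graph/v1/private_key.proto
+
+package accessgraphv1
+
+import (
+	v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// PublicKeyMode is the mode of the public key.
+// The public key can be derived from the private key, stored in a separate file, or the private key was password protected
+// and we could not extract the public key from it or from the file.
+type PublicKeyMode int32
+
+const (
+	// PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state.
+	PublicKeyMode_PUBLIC_KEY_MODE_UNSPECIFIED PublicKeyMode = 0
+	// PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key.
+	PublicKeyMode_PUBLIC_KEY_MODE_DERIVED PublicKeyMode = 1
+	// PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key.
+	// The private key is password protected and we could not extract the public key from it.
+	// This mode is used when the private key is password protected and there is a <key>.pub file next to the private key
+	// that contains the public key.
+	PublicKeyMode_PUBLIC_KEY_MODE_PUB_FILE PublicKeyMode = 2
+	// PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it
+	// or from the .pub file.
+	PublicKeyMode_PUBLIC_KEY_MODE_PROTECTED PublicKeyMode = 3
+)
+
+// Enum value maps for PublicKeyMode.
+var (
+	PublicKeyMode_name = map[int32]string{
+		0: "PUBLIC_KEY_MODE_UNSPECIFIED",
+		1: "PUBLIC_KEY_MODE_DERIVED",
+		2: "PUBLIC_KEY_MODE_PUB_FILE",
+		3: "PUBLIC_KEY_MODE_PROTECTED",
+	}
+	PublicKeyMode_value = map[string]int32{
+		"PUBLIC_KEY_MODE_UNSPECIFIED": 0,
+		"PUBLIC_KEY_MODE_DERIVED": 1,
+		"PUBLIC_KEY_MODE_PUB_FILE": 2,
+		"PUBLIC_KEY_MODE_PROTECTED": 3,
+	}
+)
+
+func (x PublicKeyMode) Enum() *PublicKeyMode {
+	p := new(PublicKeyMode)
+	*p = x
+	return p
+}
+
+func (x PublicKeyMode) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (PublicKeyMode) Descriptor() protoreflect.EnumDescriptor {
+	return file_teleport_access_graph_v1_private_key_proto_enumTypes[0].Descriptor()
+}
+
+func (PublicKeyMode) Type() protoreflect.EnumType {
+	return &file_teleport_access_graph_v1_private_key_proto_enumTypes[0]
+}
+
+func (x PublicKeyMode) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use PublicKeyMode.Descriptor instead.
+func (PublicKeyMode) EnumDescriptor() ([]byte, []int) {
+	return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{0}
+}
+
+// The `PrivateKey` message represents a private key entry for a specific local user.
+// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself.
+// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode.
+// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport.
+type PrivateKey struct {
+	state protoimpl.MessageState
+	sizeCache protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// metadata is the PrivateKey's metadata.
+	Metadata *v1.Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"`
+	// kind is a resource kind.
+	Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"`
+	// sub_kind is an optional resource sub kind, used in some resources.
+	SubKind string `protobuf:"bytes,3,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"`
+	// version is version.
+	Version string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"`
+	// Spec is a PrivateKey specification.
+	Spec *PrivateKeySpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"`
+}
+
+func (x *PrivateKey) Reset() {
+	*x = PrivateKey{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PrivateKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PrivateKey) ProtoMessage() {}
+
+func (x *PrivateKey) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PrivateKey.ProtoReflect.Descriptor instead.
+func (*PrivateKey) Descriptor() ([]byte, []int) {
+	return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *PrivateKey) GetMetadata() *v1.Metadata {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
+func (x *PrivateKey) GetKind() string {
+	if x != nil {
+		return x.Kind
+	}
+	return ""
+}
+
+func (x *PrivateKey) GetSubKind() string {
+	if x != nil {
+		return x.SubKind
+	}
+	return ""
+}
+
+func (x *PrivateKey) GetVersion() string {
+	if x != nil {
+		return x.Version
+	}
+	return ""
+}
+
+func (x *PrivateKey) GetSpec() *PrivateKeySpec {
+	if x != nil {
+		return x.Spec
+	}
+	return nil
+}
+
+// PrivateKeySpec is the private key spec.
+type PrivateKeySpec struct {
+	state protoimpl.MessageState
+	sizeCache protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// device_id is the device trust identifier of the device that owns the key.
+	DeviceId string `protobuf:"bytes,1,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"`
+	// public_key_fingerprint is the SHA256 of the SSH public key corresponding to
+	// the private key.
+	PublicKeyFingerprint string `protobuf:"bytes,2,opt,name=public_key_fingerprint,json=publicKeyFingerprint,proto3" json:"public_key_fingerprint,omitempty"`
+	// public_key_mode is the public key mode.
+	PublicKeyMode PublicKeyMode `protobuf:"varint,3,opt,name=public_key_mode,json=publicKeyMode,proto3,enum=teleport.access_graph.v1.PublicKeyMode" json:"public_key_mode,omitempty"`
+}
+
+func (x *PrivateKeySpec) Reset() {
+	*x = PrivateKeySpec{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *PrivateKeySpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PrivateKeySpec) ProtoMessage() {}
+
+func (x *PrivateKeySpec) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PrivateKeySpec.ProtoReflect.Descriptor instead.
+func (*PrivateKeySpec) Descriptor() ([]byte, []int) {
+	return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *PrivateKeySpec) GetDeviceId() string {
+	if x != nil {
+		return x.DeviceId
+	}
+	return ""
+}
+
+func (x *PrivateKeySpec) GetPublicKeyFingerprint() string {
+	if x != nil {
+		return x.PublicKeyFingerprint
+	}
+	return ""
+}
+
+func (x *PrivateKeySpec) GetPublicKeyMode() PublicKeyMode {
+	if x != nil {
+		return x.PublicKeyMode
+	}
+	return PublicKeyMode_PUBLIC_KEY_MODE_UNSPECIFIED
+}
+
+var File_teleport_access_graph_v1_private_key_proto protoreflect.FileDescriptor
+
+var file_teleport_access_graph_v1_private_key_proto_rawDesc = []byte{
+	0x0a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
+	0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61,
+	0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72,
+	0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x64,
+	0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcd, 0x01, 0x0a, 0x0a, 0x50, 0x72,
+	0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x38, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61,
+	0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e,
+	0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61,
+	0x74, 0x61, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69,
+	0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e,
+	0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x3c, 0x0a, 0x04, 0x73,
+	0x70, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
+	0x68, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x53,
+	0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, 0xb4, 0x01, 0x0a, 0x0e, 0x50, 0x72,
+	0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09,
+	0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x34, 0x0a, 0x16, 0x70, 0x75, 0x62,
+	0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72,
+	0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x70, 0x75, 0x62, 0x6c, 0x69,
+	0x63, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12,
+	0x4f, 0x0a, 0x0f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f,
+	0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70,
+	0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68,
+	0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64,
+	0x65, 0x52, 0x0d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65,
+	0x2a, 0x8a, 0x01, 0x0a, 0x0d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f,
+	0x64, 0x65, 0x12, 0x1f, 0x0a, 0x1b, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59,
+	0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45,
+	0x44, 0x10, 0x00, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45,
+	0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x44, 0x45, 0x52, 0x49, 0x56, 0x45, 0x44, 0x10, 0x01,
+	0x12, 0x1c, 0x0a, 0x18, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4d,
+	0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1d,
+	0x0a, 0x19, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44,
+	0x45, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x45, 0x43, 0x54, 0x45, 0x44, 0x10, 0x03, 0x42, 0x5a, 0x5a,
+	0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76,
+	0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63,
+	0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65,
+	0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
+}
+
+var (
+	file_teleport_access_graph_v1_private_key_proto_rawDescOnce sync.Once
+	file_teleport_access_graph_v1_private_key_proto_rawDescData = file_teleport_access_graph_v1_private_key_proto_rawDesc
+)
+
+func file_teleport_access_graph_v1_private_key_proto_rawDescGZIP() []byte {
+	file_teleport_access_graph_v1_private_key_proto_rawDescOnce.Do(func() {
+		file_teleport_access_graph_v1_private_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_private_key_proto_rawDescData)
+	})
+	return file_teleport_access_graph_v1_private_key_proto_rawDescData
+}
+
+var file_teleport_access_graph_v1_private_key_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_teleport_access_graph_v1_private_key_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_teleport_access_graph_v1_private_key_proto_goTypes = []any{
+	(PublicKeyMode)(0), // 0: teleport.access_graph.v1.PublicKeyMode
+	(*PrivateKey)(nil), // 1: teleport.access_graph.v1.PrivateKey
+	(*PrivateKeySpec)(nil), // 2: teleport.access_graph.v1.PrivateKeySpec
+	(*v1.Metadata)(nil), // 3: teleport.header.v1.Metadata
+}
+var file_teleport_access_graph_v1_private_key_proto_depIdxs = []int32{
+	3, // 0: teleport.access_graph.v1.PrivateKey.metadata:type_name -> teleport.header.v1.Metadata
+	2, // 1: teleport.access_graph.v1.PrivateKey.spec:type_name -> teleport.access_graph.v1.PrivateKeySpec
+	0, // 2: teleport.access_graph.v1.PrivateKeySpec.public_key_mode:type_name -> teleport.access_graph.v1.PublicKeyMode
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_teleport_access_graph_v1_private_key_proto_init() }
+func file_teleport_access_graph_v1_private_key_proto_init() {
+	if File_teleport_access_graph_v1_private_key_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_teleport_access_graph_v1_private_key_proto_msgTypes[0].Exporter = func(v any, i int) any {
+			switch v := v.(*PrivateKey); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_teleport_access_graph_v1_private_key_proto_msgTypes[1].Exporter = func(v any, i int) any {
+			switch v := v.(*PrivateKeySpec); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_teleport_access_graph_v1_private_key_proto_rawDesc,
+			NumEnums: 1,
+			NumMessages: 2,
+			NumExtensions: 0,
+			NumServices: 0,
+		},
+		GoTypes: file_teleport_access_graph_v1_private_key_proto_goTypes,
+		DependencyIndexes: file_teleport_access_graph_v1_private_key_proto_depIdxs,
+		EnumInfos: file_teleport_access_graph_v1_private_key_proto_enumTypes,
+		MessageInfos: file_teleport_access_graph_v1_private_key_proto_msgTypes,
+	}.Build()
+	File_teleport_access_graph_v1_private_key_proto = out.File
+	file_teleport_access_graph_v1_private_key_proto_rawDesc = nil
+	file_teleport_access_graph_v1_private_key_proto_goTypes = nil
+	file_teleport_access_graph_v1_private_key_proto_depIdxs = nil
+}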
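--- a/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go
+++ b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go
@@ -0,0 +1,626 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// protoc-gen-go v1.34.2
+// protoc (unknown)
+// source: teleport/access_graph/v1/secrets_service.proto
+
+package accessgraphv1
+
+import (
+v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
+protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+reflect "reflect"
+sync "sync"
+)
+
+const (
+// Verify that this generated code is sufficiently up-to-date.
+_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+// Verify that runtime/protoimpl is sufficiently up-to-date.
+_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// OperationType is an enum that indicates the operation that the client wants to perform.
+type OperationType int32
+
+const (
+// OPERATION_TYPE_UNSPECIFIED is an unknown operation.
+OperationType_OPERATION_TYPE_UNSPECIFIED OperationType = 0
+// OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list.
+OperationType_OPERATION_TYPE_ADD OperationType = 1
+// OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and
+// the server can proceed with the analysis.
+OperationType_OPERATION_TYPE_SYNC OperationType = 2
+)
+
+// Enum value maps for OperationType.
+var (
+OperationType_name = map[int32]string{
+0: "OPERATION_TYPE_UNSPECIFIED",
+1: "OPERATION_TYPE_ADD",
+2: "OPERATION_TYPE_SYNC",
+}
+OperationType_value = map[string]int32{
+"OPERATION_TYPE_UNSPECIFIED": 0,
+"OPERATION_TYPE_ADD": 1,
+"OPERATION_TYPE_SYNC": 2,
+}
+)
+
+func (x OperationType) Enum() *OperationType {
+p := new(OperationType)
+*p = x
+return p
+}
+
+func (x OperationType) String() string {
+return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (OperationType) Descriptor() protoreflect.EnumDescriptor {
+return file_teleport_access_graph_v1_secrets_service_proto_enumTypes[0].Descriptor()
+}
+
+func (OperationType) Type() protoreflect.EnumType {
+return &file_teleport_access_graph_v1_secrets_service_proto_enumTypes[0]
+}
+
+func (x OperationType) Number() protoreflect.EnumNumber {
+return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use OperationType.Descriptor instead.
+func (OperationType) EnumDescriptor() ([]byte, []int) {
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{0}
+}
+
+// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys
+// that could be used to bypass Teleport.
+type ReportAuthorizedKeysRequest struct {
+state protoimpl.MessageState
+sizeCache protoimpl.SizeCache
+unknownFields protoimpl.UnknownFields
+
+// keys is a list of authorized keys that could be used to bypass Teleport.
+Keys []*AuthorizedKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
+// operation indicates the operation that the client wants to perform.
+Operation OperationType `protobuf:"varint,2,opt,name=operation,proto3,enum=teleport.access_graph.v1.OperationType" json:"operation,omitempty"`
+}
+
+func (x *ReportAuthorizedKeysRequest) Reset() {
+*x = ReportAuthorizedKeysRequest{}
+if protoimpl.UnsafeEnabled {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0]
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ms.StoreMessageInfo(mi)
+}
+}
+
+func (x *ReportAuthorizedKeysRequest) String() string {
+return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReportAuthorizedKeysRequest) ProtoMessage() {}
+
+func (x *ReportAuthorizedKeysRequest) ProtoReflect() protoreflect.Message {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0]
+if protoimpl.UnsafeEnabled && x != nil {
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+if ms.LoadMessageInfo() == nil {
+ms.StoreMessageInfo(mi)
+}
+return ms
+}
+return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReportAuthorizedKeysRequest.ProtoReflect.Descriptor instead.
+func (*ReportAuthorizedKeysRequest) Descriptor() ([]byte, []int) {
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *ReportAuthorizedKeysRequest) GetKeys() []*AuthorizedKey {
+if x != nil {
+return x.Keys
+}
+return nil
+}
+
+func (x *ReportAuthorizedKeysRequest) GetOperation() OperationType {
+if x != nil {
+return x.Operation
+}
+return OperationType_OPERATION_TYPE_UNSPECIFIED
+}
+
+// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys
+// RPC method.
+type ReportAuthorizedKeysResponse struct {
+state protoimpl.MessageState
+sizeCache protoimpl.SizeCache
+unknownFields protoimpl.UnknownFields
+}
+
+func (x *ReportAuthorizedKeysResponse) Reset() {
+*x = ReportAuthorizedKeysResponse{}
+if protoimpl.UnsafeEnabled {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1]
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ms.StoreMessageInfo(mi)
+}
+}
+
+func (x *ReportAuthorizedKeysResponse) String() string {
+return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReportAuthorizedKeysResponse) ProtoMessage() {}
+
+func (x *ReportAuthorizedKeysResponse) ProtoReflect() protoreflect.Message {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1]
+if protoimpl.UnsafeEnabled && x != nil {
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+if ms.LoadMessageInfo() == nil {
+ms.StoreMessageInfo(mi)
+}
+return ms
+}
+return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReportAuthorizedKeysResponse.ProtoReflect.Descriptor instead.
+func (*ReportAuthorizedKeysResponse) Descriptor() ([]byte, []int) {
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{1}
+}
+
+// ReportSecretsRequest is used by trusted devices to report secrets found on the host
+// that could be used to bypass Teleport.
+type ReportSecretsRequest struct {
+state protoimpl.MessageState
+sizeCache protoimpl.SizeCache
+unknownFields protoimpl.UnknownFields
+
+// Types that are assignable to Payload:
+//
+// *ReportSecretsRequest_DeviceAssertion
+// *ReportSecretsRequest_PrivateKeys
+Payload isReportSecretsRequest_Payload `protobuf_oneof:"payload"`
+}
+
+func (x *ReportSecretsRequest) Reset() {
+*x = ReportSecretsRequest{}
+if protoimpl.UnsafeEnabled {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2]
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ms.StoreMessageInfo(mi)
+}
+}
+
+func (x *ReportSecretsRequest) String() string {
+return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReportSecretsRequest) ProtoMessage() {}
+
+func (x *ReportSecretsRequest) ProtoReflect() protoreflect.Message {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2]
+if protoimpl.UnsafeEnabled && x != nil {
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+if ms.LoadMessageInfo() == nil {
+ms.StoreMessageInfo(mi)
+}
+return ms
+}
+return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReportSecretsRequest.ProtoReflect.Descriptor instead.
+func (*ReportSecretsRequest) Descriptor() ([]byte, []int) {
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{2}
+}
+
+func (m *ReportSecretsRequest) GetPayload() isReportSecretsRequest_Payload {
+if m != nil {
+return m.Payload
+}
+return nil
+}
+
+func (x *ReportSecretsRequest) GetDeviceAssertion() *v1.AssertDeviceRequest {
+if x, ok := x.GetPayload().(*ReportSecretsRequest_DeviceAssertion); ok {
+return x.DeviceAssertion
+}
+return nil
+}
+
+func (x *ReportSecretsRequest) GetPrivateKeys() *ReportPrivateKeys {
+if x, ok := x.GetPayload().(*ReportSecretsRequest_PrivateKeys); ok {
+return x.PrivateKeys
+}
+return nil
+}
+
+type isReportSecretsRequest_Payload interface {
+isReportSecretsRequest_Payload()
+}
+
+type ReportSecretsRequest_DeviceAssertion struct {
+// The device should initiate the device assertion ceremony by sending the
+// AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest]
+// message for more details.
+DeviceAssertion *v1.AssertDeviceRequest `protobuf:"bytes,1,opt,name=device_assertion,json=deviceAssertion,proto3,oneof"`
+}
+
+type ReportSecretsRequest_PrivateKeys struct {
+// private_keys is a list of private keys that were found on the device.
+PrivateKeys *ReportPrivateKeys `protobuf:"bytes,4,opt,name=private_keys,json=privateKeys,proto3,oneof"`
+}
+
+func (*ReportSecretsRequest_DeviceAssertion) isReportSecretsRequest_Payload() {}
+
+func (*ReportSecretsRequest_PrivateKeys) isReportSecretsRequest_Payload() {}
+
+// ReportPrivateKeys is used by trusted devices to report private keys found on the host
+// that could be used to bypass Teleport.
+type ReportPrivateKeys struct {
+state protoimpl.MessageState
+sizeCache protoimpl.SizeCache
+unknownFields protoimpl.UnknownFields
+
+// keys is a list of private keys that could be used to bypass Teleport.
+Keys []*PrivateKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
+}
+
+func (x *ReportPrivateKeys) Reset() {
+*x = ReportPrivateKeys{}
+if protoimpl.UnsafeEnabled {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3]
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ms.StoreMessageInfo(mi)
+}
+}
+
+func (x *ReportPrivateKeys) String() string {
+return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReportPrivateKeys) ProtoMessage() {}
+
+func (x *ReportPrivateKeys) ProtoReflect() protoreflect.Message {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3]
+if protoimpl.UnsafeEnabled && x != nil {
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+if ms.LoadMessageInfo() == nil {
+ms.StoreMessageInfo(mi)
+}
+return ms
+}
+return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReportPrivateKeys.ProtoReflect.Descriptor instead.
+func (*ReportPrivateKeys) Descriptor() ([]byte, []int) {
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *ReportPrivateKeys) GetKeys() []*PrivateKey {
+if x != nil {
+return x.Keys
+}
+return nil
+}
+
+// ReportSecretsResponse is the response from the ReportSecrets
+// RPC method.
+type ReportSecretsResponse struct {
+state protoimpl.MessageState
+sizeCache protoimpl.SizeCache
+unknownFields protoimpl.UnknownFields
+
+// Types that are assignable to Payload:
+//
+// *ReportSecretsResponse_DeviceAssertion
+Payload isReportSecretsResponse_Payload `protobuf_oneof:"payload"`
+}
+
+func (x *ReportSecretsResponse) Reset() {
+*x = ReportSecretsResponse{}
+if protoimpl.UnsafeEnabled {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4]
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ms.StoreMessageInfo(mi)
+}
+}
+
+func (x *ReportSecretsResponse) String() string {
+return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReportSecretsResponse) ProtoMessage() {}
+
+func (x *ReportSecretsResponse) ProtoReflect() protoreflect.Message {
+mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4]
+if protoimpl.UnsafeEnabled && x != nil {
+ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+if ms.LoadMessageInfo() == nil {
+ms.StoreMessageInfo(mi)
+}
+return ms
+}
+return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReportSecretsResponse.ProtoReflect.Descriptor instead.
+func (*ReportSecretsResponse) Descriptor() ([]byte, []int) {
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{4}
+}
+
+func (m *ReportSecretsResponse) GetPayload() isReportSecretsResponse_Payload {
+if m != nil {
+return m.Payload
+}
+return nil
+}
+
+func (x *ReportSecretsResponse) GetDeviceAssertion() *v1.AssertDeviceResponse {
+if x, ok := x.GetPayload().(*ReportSecretsResponse_DeviceAssertion); ok {
+return x.DeviceAssertion
+}
+return nil
+}
+
+type isReportSecretsResponse_Payload interface {
+isReportSecretsResponse_Payload()
+}
+
+type ReportSecretsResponse_DeviceAssertion struct {
+// device_assertion is the response from the device assertion ceremony.
+// Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse]
+// message for more details
+DeviceAssertion *v1.AssertDeviceResponse `protobuf:"bytes,1,opt,name=device_assertion,json=deviceAssertion,proto3,oneof"`
+}
+
+func (*ReportSecretsResponse_DeviceAssertion) isReportSecretsResponse_Payload() {}
+
+var File_teleport_access_graph_v1_secrets_service_proto protoreflect.FileDescriptor
+
+var file_teleport_access_graph_v1_secrets_service_proto_rawDesc = []byte{
+0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
+0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65,
+0x74, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73,
+0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65,
+0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
+0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f,
+0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70,
+0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68,
+0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e,
+0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x24, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f,
+0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61,
+0x73, 0x73, 0x65, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa1, 0x01, 0x0a, 0x1b,
+0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
+0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3b, 0x0a, 0x04, 0x6b,
+0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
+0x68, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b,
+0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x12, 0x45, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72,
+0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x74, 0x65,
+0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72,
+0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+0x54, 0x79, 0x70, 0x65, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22,
+0x1e, 0x0a, 0x1c, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+0xce, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
+0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x59, 0x0a, 0x10, 0x64, 0x65, 0x76, 0x69,
+0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01,
+0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65,
+0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x73,
+0x65, 0x72, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+0x48, 0x00, 0x52, 0x0f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72, 0x74,
+0x69, 0x6f, 0x6e, 0x12, 0x50, 0x0a, 0x0c, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b,
+0x65, 0x79, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
+0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x69, 0x76, 0x61,
+0x74, 0x65, 0x4b, 0x65, 0x79, 0x73, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74,
+0x65, 0x4b, 0x65, 0x79, 0x73, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
+0x22, 0x4d, 0x0a, 0x11, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74,
+0x65, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x38, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20,
+0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61,
+0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x50,
+0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22,
+0x7e, 0x0a, 0x15, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
+0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x10, 0x64, 0x65, 0x76, 0x69,
+0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01,
+0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65,
+0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x73,
+0x65, 0x72, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+0x65, 0x48, 0x00, 0x52, 0x0f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72,
+0x74, 0x69, 0x6f, 0x6e, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x2a,
+0x60, 0x0a, 0x0d, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65,
+0x12, 0x1e, 0x0a, 0x1a, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
+0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00,
+0x12, 0x16, 0x0a, 0x12, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
+0x50, 0x45, 0x5f, 0x41, 0x44, 0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x4f, 0x50, 0x45, 0x52,
+0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x59, 0x4e, 0x43, 0x10,
+0x02, 0x32, 0x9d, 0x02, 0x0a, 0x15, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x63, 0x61,
+0x6e, 0x6e, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x8b, 0x01, 0x0a, 0x14,
+0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
+0x4b, 0x65, 0x79, 0x73, 0x12, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
+0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e,
+0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
+0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x36, 0x2e, 0x74, 0x65,
+0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72,
+0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74,
+0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
+0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x12, 0x76, 0x0a, 0x0d, 0x52, 0x65, 0x70,
+0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x12, 0x2e, 0x2e, 0x74, 0x65, 0x6c,
+0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61,
+0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72,
+0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2f, 0x2e, 0x74, 0x65, 0x6c,
+0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61,
+0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72,
+0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30,
+0x01, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65,
+0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70,
+0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b,
+0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70,
+0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce sync.Once
+file_teleport_access_graph_v1_secrets_service_proto_rawDescData = file_teleport_access_graph_v1_secrets_service_proto_rawDesc
+)
+
+func file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP() []byte {
+file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce.Do(func() {
+file_teleport_access_graph_v1_secrets_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_secrets_service_proto_rawDescData)
+})
+return file_teleport_access_graph_v1_secrets_service_proto_rawDescData
+}
+
+var file_teleport_access_graph_v1_secrets_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_teleport_access_graph_v1_secrets_service_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_teleport_access_graph_v1_secrets_service_proto_goTypes = []any{
+(OperationType)(0), // 0: teleport.access_graph.v1.OperationType
+(*ReportAuthorizedKeysRequest)(nil), // 1: teleport.access_graph.v1.ReportAuthorizedKeysRequest
+(*ReportAuthorizedKeysResponse)(nil), // 2: teleport.access_graph.v1.ReportAuthorizedKeysResponse
+(*ReportSecretsRequest)(nil), // 3: teleport.access_graph.v1.ReportSecretsRequest
+(*ReportPrivateKeys)(nil), // 4: teleport.access_graph.v1.ReportPrivateKeys
+(*ReportSecretsResponse)(nil), // 5: teleport.access_graph.v1.ReportSecretsResponse
+(*AuthorizedKey)(nil), // 6: teleport.access_graph.v1.AuthorizedKey
+(*v1.AssertDeviceRequest)(nil), // 7: teleport.devicetrust.v1.AssertDeviceRequest
+(*PrivateKey)(nil), // 8: teleport.access_graph.v1.PrivateKey
+(*v1.AssertDeviceResponse)(nil), // 9: teleport.devicetrust.v1.AssertDeviceResponse
+}
+var file_teleport_access_graph_v1_secrets_service_proto_depIdxs = []int32{
+6, // 0: teleport.access_graph.v1.ReportAuthorizedKeysRequest.keys:type_name -> teleport.access_graph.v1.AuthorizedKey
+0, // 1: teleport.access_graph.v1.ReportAuthorizedKeysRequest.operation:type_name -> teleport.access_graph.v1.OperationType
+7, // 2: teleport.access_graph.v1.ReportSecretsRequest.device_assertion:type_name -> teleport.devicetrust.v1.AssertDeviceRequest
+4, // 3: teleport.access_graph.v1.ReportSecretsRequest.private_keys:type_name -> teleport.access_graph.v1.ReportPrivateKeys
+8, // 4: teleport.access_graph.v1.ReportPrivateKeys.keys:type_name -> teleport.access_graph.v1.PrivateKey
+9, // 5: teleport.access_graph.v1.ReportSecretsResponse.device_assertion:type_name -> teleport.devicetrust.v1.AssertDeviceResponse
+1, // 6: teleport.access_graph.v1.SecretsScannerService.ReportAuthorizedKeys:input_type -> teleport.access_graph.v1.ReportAuthorizedKeysRequest
+3, // 7: teleport.access_graph.v1.SecretsScannerService.ReportSecrets:input_type -> teleport.access_graph.v1.ReportSecretsRequest
+2, // 8: teleport.access_graph.v1.SecretsScannerService.ReportAuthorizedKeys:output_type -> teleport.access_graph.v1.ReportAuthorizedKeysResponse
+5, // 9: teleport.access_graph.v1.SecretsScannerService.ReportSecrets:output_type -> teleport.access_graph.v1.ReportSecretsResponse
+8, // [8:10] is the sub-list for method output_type
+6, // [6:8] is the sub-list for method input_type
+6, // [6:6] is the sub-list for extension type_name
+6, // [6:6] is the sub-list for extension extendee
+0, // [0:6] is the sub-list for field type_name
+}
+
+func init() { file_teleport_access_graph_v1_secrets_service_proto_init() }
+func file_teleport_access_graph_v1_secrets_service_proto_init() {
+if File_teleport_access_graph_v1_secrets_service_proto != nil {
+return
+}
+file_teleport_access_graph_v1_authorized_key_proto_init()
+file_teleport_access_graph_v1_private_key_proto_init()
+if !protoimpl.UnsafeEnabled {
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0].Exporter = func(v any, i int) any {
+switch v := v.(*ReportAuthorizedKeysRequest); i {
+case 0:
+return &v.state
+case 1:
+return &v.sizeCache
+case 2:
+return &v.unknownFields
+default:
+return nil
+}
+}
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1].Exporter = func(v any, i int) any {
+switch v := v.(*ReportAuthorizedKeysResponse); i {
+case 0:
+return &v.state
+case 1:
+return &v.sizeCache
+case 2:
+return &v.unknownFields
+default:
+return nil
+}
+}
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2].Exporter = func(v any, i int) any {
+switch v := v.(*ReportSecretsRequest); i {
+case 0:
+return &v.state
+case 1:
+return &v.sizeCache
+case 2:
+return &v.unknownFields
+default:
+return nil
+}
+}
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3].Exporter = func(v any, i int) any {
+switch v := v.(*ReportPrivateKeys); i {
+case 0:
+return &v.state
+case 1:
+return &v.sizeCache
+case 2:
+return &v.unknownFields
+default:
+return nil
+}
+}
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4].Exporter = func(v any, i int) any {
+switch v := v.(*ReportSecretsResponse); i {
+case 0:
+return &v.state
+case 1:
+return &v.sizeCache
+case 2:
+return &v.unknownFields
+default:
+return nil
+}
+}
+}
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2].OneofWrappers = []any{
+(*ReportSecretsRequest_DeviceAssertion)(nil),
+(*ReportSecretsRequest_PrivateKeys)(nil),
+}
+file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4].OneofWrappers = []any{
+(*ReportSecretsResponse_DeviceAssertion)(nil),
+}
+type x struct{}
+out := protoimpl.TypeBuilder{
+File: protoimpl.DescBuilder{
+GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+RawDescriptor: file_teleport_access_graph_v1_secrets_service_proto_rawDesc,
+NumEnums: 1,
+NumMessages: 5,
+NumExtensions: 0,
+NumServices: 1,
+},
+GoTypes: file_teleport_access_graph_v1_secrets_service_proto_goTypes,
+DependencyIndexes: file_teleport_access_graph_v1_secrets_service_proto_depIdxs,
+EnumInfos: file_teleport_access_graph_v1_secrets_service_proto_enumTypes,
+MessageInfos: file_teleport_access_graph_v1_secrets_service_proto_msgTypes,
+}.Build()
+File_teleport_access_graph_v1_secrets_service_proto = out.File
+file_teleport_access_graph_v1_secrets_service_proto_rawDesc = nil
+file_teleport_access_graph_v1_secrets_service_proto_goTypes = nil
+file_teleport_access_graph_v1_secrets_service_proto_depIdxs = nil
+}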
@ -0,0 +1,262 @@
|
|||
// Copyright 2024 Gravitational, Inc
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
|
||||
// versions:
|
||||
// - protoc-gen-go-grpc v1.4.0
|
||||
// - protoc (unknown)
|
||||
// source: teleport/access_graph/v1/secrets_service.proto
|
||||
|
||||
package accessgraphv1
|
||||
|
||||
import (
|
||||
context "context"
|
||||
grpc "google.golang.org/grpc"
|
||||
codes "google.golang.org/grpc/codes"
|
||||
status "google.golang.org/grpc/status"
|
||||
)
|
||||
|
||||
// This is a compile-time assertion to ensure that this generated file
|
||||
// is compatible with the grpc package it is being compiled against.
|
||||
// Requires gRPC-Go v1.62.0 or later.
|
||||
const _ = grpc.SupportPackageIsVersion8
|
||||
|
||||
const (
|
||||
SecretsScannerService_ReportAuthorizedKeys_FullMethodName = "/teleport.access_graph.v1.SecretsScannerService/ReportAuthorizedKeys"
|
||||
SecretsScannerService_ReportSecrets_FullMethodName = "/teleport.access_graph.v1.SecretsScannerService/ReportSecrets"
|
||||
)
|
||||
|
||||
// SecretsScannerServiceClient is the client API for SecretsScannerService service.
|
||||
//
|
||||
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
|
||||
//
|
||||
// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
|
||||
type SecretsScannerServiceClient interface {
|
||||
// ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
|
||||
// that could be used to bypass Teleport.
|
||||
// The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
|
||||
ReportAuthorizedKeys(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportAuthorizedKeysClient, error)
|
||||
// ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
|
||||
// The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
|
||||
// the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
|
||||
//
|
||||
// Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
|
||||
// and then close the client side of the stream.
|
||||
//
|
||||
// -> ReportSecrets (client) [1 or more]
|
||||
// -> CloseStream (client)
|
||||
// <- TerminateStream (server)
|
||||
//
|
||||
// Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
|
||||
// reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
|
||||
ReportSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportSecretsClient, error)
|
||||
}
|
||||
|
||||
type secretsScannerServiceClient struct {
|
||||
cc grpc.ClientConnInterface
|
||||
}
|
||||
|
||||
func NewSecretsScannerServiceClient(cc grpc.ClientConnInterface) SecretsScannerServiceClient {
|
||||
return &secretsScannerServiceClient{cc}
|
||||
}
|
||||
|
||||
func (c *secretsScannerServiceClient) ReportAuthorizedKeys(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportAuthorizedKeysClient, error) {
|
||||
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
||||
stream, err := c.cc.NewStream(ctx, &SecretsScannerService_ServiceDesc.Streams[0], SecretsScannerService_ReportAuthorizedKeys_FullMethodName, cOpts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
x := &secretsScannerServiceReportAuthorizedKeysClient{ClientStream: stream}
|
||||
return x, nil
|
||||
}
|
||||
|
||||
type SecretsScannerService_ReportAuthorizedKeysClient interface {
|
||||
Send(*ReportAuthorizedKeysRequest) error
|
||||
Recv() (*ReportAuthorizedKeysResponse, error)
|
||||
grpc.ClientStream
|
||||
}
|
||||
|
||||
type secretsScannerServiceReportAuthorizedKeysClient struct {
|
||||
grpc.ClientStream
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportAuthorizedKeysClient) Send(m *ReportAuthorizedKeysRequest) error {
|
||||
return x.ClientStream.SendMsg(m)
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportAuthorizedKeysClient) Recv() (*ReportAuthorizedKeysResponse, error) {
|
||||
m := new(ReportAuthorizedKeysResponse)
|
||||
if err := x.ClientStream.RecvMsg(m); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
func (c *secretsScannerServiceClient) ReportSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportSecretsClient, error) {
|
||||
cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
|
||||
stream, err := c.cc.NewStream(ctx, &SecretsScannerService_ServiceDesc.Streams[1], SecretsScannerService_ReportSecrets_FullMethodName, cOpts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
x := &secretsScannerServiceReportSecretsClient{ClientStream: stream}
|
||||
return x, nil
|
||||
}
|
||||
|
||||
type SecretsScannerService_ReportSecretsClient interface {
|
||||
Send(*ReportSecretsRequest) error
|
||||
Recv() (*ReportSecretsResponse, error)
|
||||
grpc.ClientStream
|
||||
}
|
||||
|
||||
type secretsScannerServiceReportSecretsClient struct {
|
||||
grpc.ClientStream
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportSecretsClient) Send(m *ReportSecretsRequest) error {
|
||||
return x.ClientStream.SendMsg(m)
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportSecretsClient) Recv() (*ReportSecretsResponse, error) {
|
||||
m := new(ReportSecretsResponse)
|
||||
if err := x.ClientStream.RecvMsg(m); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// SecretsScannerServiceServer is the server API for SecretsScannerService service.
|
||||
// All implementations must embed UnimplementedSecretsScannerServiceServer
|
||||
// for forward compatibility
|
||||
//
|
||||
// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
|
||||
type SecretsScannerServiceServer interface {
|
||||
// ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
|
||||
// that could be used to bypass Teleport.
|
||||
// The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
|
||||
ReportAuthorizedKeys(SecretsScannerService_ReportAuthorizedKeysServer) error
|
||||
// ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
|
||||
// The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
|
||||
// the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
|
||||
//
|
||||
// Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
|
||||
// and then close the client side of the stream.
|
||||
//
|
||||
// -> ReportSecrets (client) [1 or more]
|
||||
// -> CloseStream (client)
|
||||
// <- TerminateStream (server)
|
||||
//
|
||||
// Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
|
||||
// reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
|
||||
ReportSecrets(SecretsScannerService_ReportSecretsServer) error
|
||||
mustEmbedUnimplementedSecretsScannerServiceServer()
|
||||
}
|
||||
|
||||
// UnimplementedSecretsScannerServiceServer must be embedded to have forward compatible implementations.
|
||||
type UnimplementedSecretsScannerServiceServer struct {
|
||||
}
|
||||
|
||||
func (UnimplementedSecretsScannerServiceServer) ReportAuthorizedKeys(SecretsScannerService_ReportAuthorizedKeysServer) error {
|
||||
return status.Errorf(codes.Unimplemented, "method ReportAuthorizedKeys not implemented")
|
||||
}
|
||||
func (UnimplementedSecretsScannerServiceServer) ReportSecrets(SecretsScannerService_ReportSecretsServer) error {
|
||||
return status.Errorf(codes.Unimplemented, "method ReportSecrets not implemented")
|
||||
}
|
||||
func (UnimplementedSecretsScannerServiceServer) mustEmbedUnimplementedSecretsScannerServiceServer() {}
|
||||
|
||||
// UnsafeSecretsScannerServiceServer may be embedded to opt out of forward compatibility for this service.
|
||||
// Use of this interface is not recommended, as added methods to SecretsScannerServiceServer will
|
||||
// result in compilation errors.
|
||||
type UnsafeSecretsScannerServiceServer interface {
|
||||
mustEmbedUnimplementedSecretsScannerServiceServer()
|
||||
}
|
||||
|
||||
func RegisterSecretsScannerServiceServer(s grpc.ServiceRegistrar, srv SecretsScannerServiceServer) {
|
||||
s.RegisterService(&SecretsScannerService_ServiceDesc, srv)
|
||||
}
|
||||
|
||||
func _SecretsScannerService_ReportAuthorizedKeys_Handler(srv interface{}, stream grpc.ServerStream) error {
|
||||
return srv.(SecretsScannerServiceServer).ReportAuthorizedKeys(&secretsScannerServiceReportAuthorizedKeysServer{ServerStream: stream})
|
||||
}
|
||||
|
||||
type SecretsScannerService_ReportAuthorizedKeysServer interface {
|
||||
Send(*ReportAuthorizedKeysResponse) error
|
||||
Recv() (*ReportAuthorizedKeysRequest, error)
|
||||
grpc.ServerStream
|
||||
}
|
||||
|
||||
type secretsScannerServiceReportAuthorizedKeysServer struct {
|
||||
grpc.ServerStream
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportAuthorizedKeysServer) Send(m *ReportAuthorizedKeysResponse) error {
|
||||
return x.ServerStream.SendMsg(m)
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportAuthorizedKeysServer) Recv() (*ReportAuthorizedKeysRequest, error) {
|
||||
m := new(ReportAuthorizedKeysRequest)
|
||||
if err := x.ServerStream.RecvMsg(m); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
func _SecretsScannerService_ReportSecrets_Handler(srv interface{}, stream grpc.ServerStream) error {
|
||||
return srv.(SecretsScannerServiceServer).ReportSecrets(&secretsScannerServiceReportSecretsServer{ServerStream: stream})
|
||||
}
|
||||
|
||||
type SecretsScannerService_ReportSecretsServer interface {
|
||||
Send(*ReportSecretsResponse) error
|
||||
Recv() (*ReportSecretsRequest, error)
|
||||
grpc.ServerStream
|
||||
}
|
||||
|
||||
type secretsScannerServiceReportSecretsServer struct {
|
||||
grpc.ServerStream
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportSecretsServer) Send(m *ReportSecretsResponse) error {
|
||||
return x.ServerStream.SendMsg(m)
|
||||
}
|
||||
|
||||
func (x *secretsScannerServiceReportSecretsServer) Recv() (*ReportSecretsRequest, error) {
|
||||
m := new(ReportSecretsRequest)
|
||||
if err := x.ServerStream.RecvMsg(m); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// SecretsScannerService_ServiceDesc is the grpc.ServiceDesc for SecretsScannerService service.
|
||||
// It's only intended for direct use with grpc.RegisterService,
|
||||
// and not to be introspected or modified (even as a copy)
|
||||
var SecretsScannerService_ServiceDesc = grpc.ServiceDesc{
|
||||
ServiceName: "teleport.access_graph.v1.SecretsScannerService",
|
||||
HandlerType: (*SecretsScannerServiceServer)(nil),
|
||||
Methods: []grpc.MethodDesc{},
|
||||
Streams: []grpc.StreamDesc{
|
||||
{
|
||||
StreamName: "ReportAuthorizedKeys",
|
||||
Handler: _SecretsScannerService_ReportAuthorizedKeys_Handler,
|
||||
ServerStreams: true,
|
||||
ClientStreams: true,
|
||||
},
|
||||
{
|
||||
StreamName: "ReportSecrets",
|
||||
Handler: _SecretsScannerService_ReportSecrets_Handler,
|
||||
ServerStreams: true,
|
||||
ClientStreams: true,
|
||||
},
|
||||
},
|
||||
Metadata: "teleport/access_graph/v1/secrets_service.proto",
|
||||
}
|
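--- a/api/proto/teleport/access_graph/v1/authorized_key.proto
+++ b/api/proto/teleport/access_graph/v1/authorized_key.proto
@@ -0,0 +1,46 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// The `AuthorizedKey` message represents an authorized key entry for a specific local user.
+// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node.
+message AuthorizedKey {
+  // metadata is the AuthorizedKey's metadata.
+  teleport.header.v1.Metadata metadata = 1;
+  // kind is a resource kind.
+  string kind = 2;
+  // sub_kind is an optional resource sub kind, used in some resources.
+  string sub_kind = 3;
+  // version is version.
+  string version = 4;
+  // Spec is an AuthorizedKey specification.
+  AuthorizedKeySpec spec = 5;
+}
+
+// AuthorizedKeySpec is the authorized key spec.
+message AuthorizedKeySpec {
+  // host_id is the node identifier and must match the credentials used.
+  string host_id = 1;
+  // key_fingerprint is the SHA256 SSH public key fingerprint.
+  string key_fingerprint = 2;
+  // host_user is the user who can be accessed using the fingerprint above.
+  string host_user = 3;
+}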
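Review bot: `key_fingerprint` in AuthorizedKeySpec is documented only as "the SHA256 SSH public key fingerprint", and `public_key_fingerprint` in private_key.proto only as "the SHA256 of the SSH public key"; since the Access Graph has to match the two, both comments should pin a single encoding (for example the `SHA256:<base64>` form that ssh-keygen prints), otherwise a node and a device scanner can emit different encodings and never correlate. Proposed here: `// key_fingerprint is the SHA256 SSH public key fingerprint, in the same encoding as PrivateKeySpec.public_key_fingerprint.`, with the mirror-image sentence on the private_key.proto field. The `AuthorizedKey` description "These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node" reads as if the server creates the key; it presumably means one entry is reported per `authorized_keys` line found on the node, which is worth saying plainly.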
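--- a/api/proto/teleport/access_graph/v1/private_key.proto
+++ b/api/proto/teleport/access_graph/v1/private_key.proto
@@ -0,0 +1,67 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/header/v1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// The `PrivateKey` message represents a private key entry for a specific local user.
+// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself.
+// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode.
+// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport.
+message PrivateKey {
+  // metadata is the PrivateKey's metadata.
+  teleport.header.v1.Metadata metadata = 1;
+  // kind is a resource kind.
+  string kind = 2;
+  // sub_kind is an optional resource sub kind, used in some resources.
+  string sub_kind = 3;
+  // version is version.
+  string version = 4;
+  // Spec is a PrivateKey specification.
+  PrivateKeySpec spec = 5;
+}
+
+// PrivateKeySpec is the private key spec.
+message PrivateKeySpec {
+  // device_id is the device trust identifier of the device that owns the key.
+  string device_id = 1;
+  // public_key_fingerprint is the SHA256 of the SSH public key corresponding to
+  // the private key.
+  string public_key_fingerprint = 2;
+  // public_key_mode is the public key mode.
+  PublicKeyMode public_key_mode = 3;
+}
+
+// PublicKeyMode is the mode of the public key.
+// The public key can be derived from the private key, stored in a separate file, or the private key was password protected
+// and we could not extract the public key from it or from the file.
+enum PublicKeyMode {
+  // PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state.
+  PUBLIC_KEY_MODE_UNSPECIFIED = 0;
+  // PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key.
+  PUBLIC_KEY_MODE_DERIVED = 1;
+  // PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key.
+  // The private key is password protected and we could not extract the public key from it.
+  // This mode is used when the private key is password protected and there is a <key>.pub file next to the private key
+  // that contains the public key.
+  PUBLIC_KEY_MODE_PUB_FILE = 2;
+  // PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it
+  // or from the .pub file.
+  PUBLIC_KEY_MODE_PROTECTED = 3;
+}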
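Review bot: `device_id` in PrivateKeySpec is documented only as the identifier of the device that owns the key; unlike `host_id` in AuthorizedKeySpec ("must match the credentials used"), nothing says the value is checked against the device asserted on the ReportSecrets stream, so as written a report could attribute keys to a device other than the one that authenticated unless the server enforces the binding. Proposed: `// device_id is the device trust identifier of the device that owns the key. It must match the device asserted in the ReportSecrets stream.`. The `PUBLIC_KEY_MODE_PUB_FILE` comment repeats the "password protected and we could not extract" sentence twice; one sentence saying the public key was taken from the `<key>.pub` file because the private key could not be read is enough. If `PUBLIC_KEY_MODE_PROTECTED` entries carry no usable fingerprint, the comment should say what the server does with them, since they cannot be correlated with an authorized key.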
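--- a/api/proto/teleport/access_graph/v1/secrets_service.proto
+++ b/api/proto/teleport/access_graph/v1/secrets_service.proto
@@ -0,0 +1,101 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.access_graph.v1;
+
+import "teleport/access_graph/v1/authorized_key.proto";
+import "teleport/access_graph/v1/private_key.proto";
+import "teleport/devicetrust/v1/assert.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
+
+// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
+service SecretsScannerService {
+  // ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
+  // that could be used to bypass Teleport.
+  // The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
+  rpc ReportAuthorizedKeys(stream ReportAuthorizedKeysRequest) returns (stream ReportAuthorizedKeysResponse) {}
+
+  // ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
+  // The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
+  // the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
+  //
+  // Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
+  // and then close the client side of the stream.
+  //
+  // -> ReportSecrets (client) [1 or more]
+  // -> CloseStream (client)
+  // <- TerminateStream (server)
+  //
+  // Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
+  // reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
+  rpc ReportSecrets(stream ReportSecretsRequest) returns (stream ReportSecretsResponse) {}
+}
+
+// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys
+// that could be used to bypass Teleport.
+message ReportAuthorizedKeysRequest {
+  // keys is a list of authorized keys that could be used to bypass Teleport.
+  repeated teleport.access_graph.v1.AuthorizedKey keys = 1;
+  // operation indicates the operation that the client wants to perform.
+  OperationType operation = 2;
+}
+
+// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys
+// RPC method.
+message ReportAuthorizedKeysResponse {}
+
+// ReportSecretsRequest is used by trusted devices to report secrets found on the host
+// that could be used to bypass Teleport.
+message ReportSecretsRequest {
+  oneof payload {
+    // The device should initiate the device assertion ceremony by sending the
+    // AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest]
+    // message for more details.
+    teleport.devicetrust.v1.AssertDeviceRequest device_assertion = 1;
+    // private_keys is a list of private keys that were found on the device.
+    ReportPrivateKeys private_keys = 4;
+  }
+}
+
+// ReportPrivateKeys is used by trusted devices to report private keys found on the host
+// that could be used to bypass Teleport.
+message ReportPrivateKeys {
+  // keys is a list of private keys that could be used to bypass Teleport.
+  repeated teleport.access_graph.v1.PrivateKey keys = 1;
+}
+
+// ReportSecretsResponse is the response from the ReportSecrets
+// RPC method.
+message ReportSecretsResponse {
+  oneof payload {
+    // device_assertion is the response from the device assertion ceremony.
+    // Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse]
+    // message for more details
+    teleport.devicetrust.v1.AssertDeviceResponse device_assertion = 1;
+  }
+}
+
+// OperationType is an enum that indicates the operation that the client wants to perform.
+enum OperationType {
+  // OPERATION_TYPE_UNSPECIFIED is an unknown operation.
+  OPERATION_TYPE_UNSPECIFIED = 0;
+  // OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list.
+  OPERATION_TYPE_ADD = 1;
+  // OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and
+  // the server can proceed with the analysis.
+  OPERATION_TYPE_SYNC = 2;
+}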
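Review bot: `OPERATION_TYPE_SYNC` is documented as "the client has sent all the keys and the server can proceed with the analysis", but the contract does not say whether the set sent since the stream opened is authoritative for that `host_id`, i.e. whether entries the node did not re-send are dropped; a node that removes an `authorized_keys` line either keeps showing a bypass path or silently stops, depending on an implementation detail the proto leaves open, and the docs on `OperationType` should state which. The ReportAuthorizedKeys comment says the node authenticates with a HostCA-signed certificate, and AuthorizedKeySpec says `host_id` "must match the credentials used"; `ReportAuthorizedKeysRequest.keys` would benefit from the same sentence, e.g. `// keys is a list of authorized keys that could be used to bypass Teleport. Every entry's host_id must match the identity of the HostCA certificate used on the stream.`, so the server-side check is part of the API contract rather than implied. A point of style in `ReportSecretsRequest`: the oneof jumps from field 1 to 4; if 2 and 3 are held for future payloads, a `reserved 2, 3;` line makes that explicit and prevents them from being reused with a different type.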
1
buf.yaml
1
buf.yaml
|
@ -68,6 +68,7 @@ lint:
|
|||
- api/proto/teleport/devicetrust/v1/devicetrust_service.proto
|
||||
- api/proto/teleport/legacy/client/proto/joinservice.proto
|
||||
- api/proto/teleport/transport/v1/transport_service.proto
|
||||
- api/proto/teleport/access_graph/v1/secrets_service.proto
|
||||
- proto/accessgraph/v1alpha/access_graph_service.proto
|
||||
- proto/teleport/lib/teleterm/v1/service.proto
|
||||
disallow_comment_ignores: true
|
||||
|
|