[sec_scan][1] Add teleport.access_graph.v1.SecretsScannerService (#43462)

This PR introduces the `teleport.access_graph.v1.SecretsScannerService` that will be used by Teleport SSH nodes to report `authorized_keys` and by users' laptops to report secrets found on them.

The `ReportAuthorizedKeys` RPC uses the node's TLS certs signed by the HostCA for authentication, while `ReportSecrets` leverages the device trust credentials (requires that the device is enrolled) to report secrets without requiring valid user credentials.

handle Alan's feedback
This commit is contained in:
Tiago Silva 2024-07-09 09:56:47 +01:00 committed by GitHub
parent 0040ee3f36
commit 8456e312fd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 1800 additions and 0 deletions


@ -0,0 +1,307 @@
// Copyright 2024 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.34.2
// protoc (unknown)
// source: teleport/access_graph/v1/authorized_key.proto
package accessgraphv1
import (
v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// The `AuthorizedKey` message represents an authorized key entry for a specific local user.
// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node.
type AuthorizedKey struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// metadata is the AuthorizedKey's metadata.
Metadata *v1.Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"`
// kind is a resource kind.
Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"`
// sub_kind is an optional resource sub kind, used in some resources.
SubKind string `protobuf:"bytes,3,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"`
// version is version.
Version string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"`
// Spec is an AuthorizedKey specification.
Spec *AuthorizedKeySpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"`
}
func (x *AuthorizedKey) Reset() {
*x = AuthorizedKey{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *AuthorizedKey) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*AuthorizedKey) ProtoMessage() {}
func (x *AuthorizedKey) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use AuthorizedKey.ProtoReflect.Descriptor instead.
func (*AuthorizedKey) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP(), []int{0}
}
func (x *AuthorizedKey) GetMetadata() *v1.Metadata {
if x != nil {
return x.Metadata
}
return nil
}
func (x *AuthorizedKey) GetKind() string {
if x != nil {
return x.Kind
}
return ""
}
func (x *AuthorizedKey) GetSubKind() string {
if x != nil {
return x.SubKind
}
return ""
}
func (x *AuthorizedKey) GetVersion() string {
if x != nil {
return x.Version
}
return ""
}
func (x *AuthorizedKey) GetSpec() *AuthorizedKeySpec {
if x != nil {
return x.Spec
}
return nil
}
// AuthorizedKeySpec is the authorized key spec.
type AuthorizedKeySpec struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// host_id is the node identifier and must match the credentials used.
HostId string `protobuf:"bytes,1,opt,name=host_id,json=hostId,proto3" json:"host_id,omitempty"`
// key_fingerprint is the SHA256 SSH public key fingerprint.
KeyFingerprint string `protobuf:"bytes,2,opt,name=key_fingerprint,json=keyFingerprint,proto3" json:"key_fingerprint,omitempty"`
// host_user is the user who can be accessed using the fingerprint above.
HostUser string `protobuf:"bytes,3,opt,name=host_user,json=hostUser,proto3" json:"host_user,omitempty"`
}
func (x *AuthorizedKeySpec) Reset() {
*x = AuthorizedKeySpec{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *AuthorizedKeySpec) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*AuthorizedKeySpec) ProtoMessage() {}
func (x *AuthorizedKeySpec) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use AuthorizedKeySpec.ProtoReflect.Descriptor instead.
func (*AuthorizedKeySpec) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP(), []int{1}
}
func (x *AuthorizedKeySpec) GetHostId() string {
if x != nil {
return x.HostId
}
return ""
}
func (x *AuthorizedKeySpec) GetKeyFingerprint() string {
if x != nil {
return x.KeyFingerprint
}
return ""
}
func (x *AuthorizedKeySpec) GetHostUser() string {
if x != nil {
return x.HostUser
}
return ""
}
var File_teleport_access_graph_v1_authorized_key_proto protoreflect.FileDescriptor
var file_teleport_access_graph_v1_authorized_key_proto_rawDesc = []byte{
0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73,
0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70,
0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65,
0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd3, 0x01, 0x0a,
0x0d, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x38,
0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x1c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64,
0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08,
0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64,
0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08,
0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07,
0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69,
0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f,
0x6e, 0x12, 0x3f, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73,
0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70,
0x65, 0x63, 0x22, 0x72, 0x0a, 0x11, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f,
0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64,
0x12, 0x27, 0x0a, 0x0f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72,
0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6b, 0x65, 0x79, 0x46, 0x69,
0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x68, 0x6f, 0x73,
0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f,
0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f,
0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c,
0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70,
0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68,
0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce sync.Once
file_teleport_access_graph_v1_authorized_key_proto_rawDescData = file_teleport_access_graph_v1_authorized_key_proto_rawDesc
)
func file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP() []byte {
file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce.Do(func() {
file_teleport_access_graph_v1_authorized_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_authorized_key_proto_rawDescData)
})
return file_teleport_access_graph_v1_authorized_key_proto_rawDescData
}
var file_teleport_access_graph_v1_authorized_key_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_teleport_access_graph_v1_authorized_key_proto_goTypes = []any{
(*AuthorizedKey)(nil), // 0: teleport.access_graph.v1.AuthorizedKey
(*AuthorizedKeySpec)(nil), // 1: teleport.access_graph.v1.AuthorizedKeySpec
(*v1.Metadata)(nil), // 2: teleport.header.v1.Metadata
}
var file_teleport_access_graph_v1_authorized_key_proto_depIdxs = []int32{
2, // 0: teleport.access_graph.v1.AuthorizedKey.metadata:type_name -> teleport.header.v1.Metadata
1, // 1: teleport.access_graph.v1.AuthorizedKey.spec:type_name -> teleport.access_graph.v1.AuthorizedKeySpec
2, // [2:2] is the sub-list for method output_type
2, // [2:2] is the sub-list for method input_type
2, // [2:2] is the sub-list for extension type_name
2, // [2:2] is the sub-list for extension extendee
0, // [0:2] is the sub-list for field type_name
}
func init() { file_teleport_access_graph_v1_authorized_key_proto_init() }
func file_teleport_access_graph_v1_authorized_key_proto_init() {
if File_teleport_access_graph_v1_authorized_key_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_teleport_access_graph_v1_authorized_key_proto_msgTypes[0].Exporter = func(v any, i int) any {
switch v := v.(*AuthorizedKey); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_teleport_access_graph_v1_authorized_key_proto_msgTypes[1].Exporter = func(v any, i int) any {
switch v := v.(*AuthorizedKeySpec); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_teleport_access_graph_v1_authorized_key_proto_rawDesc,
NumEnums: 0,
NumMessages: 2,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_teleport_access_graph_v1_authorized_key_proto_goTypes,
DependencyIndexes: file_teleport_access_graph_v1_authorized_key_proto_depIdxs,
MessageInfos: file_teleport_access_graph_v1_authorized_key_proto_msgTypes,
}.Build()
File_teleport_access_graph_v1_authorized_key_proto = out.File
file_teleport_access_graph_v1_authorized_key_proto_rawDesc = nil
file_teleport_access_graph_v1_authorized_key_proto_goTypes = nil
file_teleport_access_graph_v1_authorized_key_proto_depIdxs = nil
}


@ -0,0 +1,390 @@
// Copyright 2024 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.34.2
// protoc (unknown)
// source: teleport/access_graph/v1/private_key.proto
package accessgraphv1
import (
v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// PublicKeyMode is the mode of the public key.
// The public key can be derived from the private key, stored in a separate file, or the private key was password protected
// and we could not extract the public key from it or from the file.
type PublicKeyMode int32
const (
// PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state.
PublicKeyMode_PUBLIC_KEY_MODE_UNSPECIFIED PublicKeyMode = 0
// PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key.
PublicKeyMode_PUBLIC_KEY_MODE_DERIVED PublicKeyMode = 1
// PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key.
// The private key is password protected and we could not extract the public key from it.
// This mode is used when the private key is password protected and there is a <key>.pub file next to the private key
// that contains the public key.
PublicKeyMode_PUBLIC_KEY_MODE_PUB_FILE PublicKeyMode = 2
// PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it
// or from the .pub file.
PublicKeyMode_PUBLIC_KEY_MODE_PROTECTED PublicKeyMode = 3
)
// Enum value maps for PublicKeyMode.
var (
PublicKeyMode_name = map[int32]string{
0: "PUBLIC_KEY_MODE_UNSPECIFIED",
1: "PUBLIC_KEY_MODE_DERIVED",
2: "PUBLIC_KEY_MODE_PUB_FILE",
3: "PUBLIC_KEY_MODE_PROTECTED",
}
PublicKeyMode_value = map[string]int32{
"PUBLIC_KEY_MODE_UNSPECIFIED": 0,
"PUBLIC_KEY_MODE_DERIVED": 1,
"PUBLIC_KEY_MODE_PUB_FILE": 2,
"PUBLIC_KEY_MODE_PROTECTED": 3,
}
)
func (x PublicKeyMode) Enum() *PublicKeyMode {
p := new(PublicKeyMode)
*p = x
return p
}
func (x PublicKeyMode) String() string {
return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
}
func (PublicKeyMode) Descriptor() protoreflect.EnumDescriptor {
return file_teleport_access_graph_v1_private_key_proto_enumTypes[0].Descriptor()
}
func (PublicKeyMode) Type() protoreflect.EnumType {
return &file_teleport_access_graph_v1_private_key_proto_enumTypes[0]
}
func (x PublicKeyMode) Number() protoreflect.EnumNumber {
return protoreflect.EnumNumber(x)
}
// Deprecated: Use PublicKeyMode.Descriptor instead.
func (PublicKeyMode) EnumDescriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{0}
}
// The `PrivateKey` message represents a private key entry for a specific local user.
// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself.
// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode.
// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport.
type PrivateKey struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// metadata is the PrivateKey's metadata.
Metadata *v1.Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"`
// kind is a resource kind.
Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"`
// sub_kind is an optional resource sub kind, used in some resources.
SubKind string `protobuf:"bytes,3,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"`
// version is version.
Version string `protobuf:"bytes,4,opt,name=version,proto3" json:"version,omitempty"`
// Spec is a PrivateKey specification.
Spec *PrivateKeySpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"`
}
func (x *PrivateKey) Reset() {
*x = PrivateKey{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *PrivateKey) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PrivateKey) ProtoMessage() {}
func (x *PrivateKey) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PrivateKey.ProtoReflect.Descriptor instead.
func (*PrivateKey) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{0}
}
func (x *PrivateKey) GetMetadata() *v1.Metadata {
if x != nil {
return x.Metadata
}
return nil
}
func (x *PrivateKey) GetKind() string {
if x != nil {
return x.Kind
}
return ""
}
func (x *PrivateKey) GetSubKind() string {
if x != nil {
return x.SubKind
}
return ""
}
func (x *PrivateKey) GetVersion() string {
if x != nil {
return x.Version
}
return ""
}
func (x *PrivateKey) GetSpec() *PrivateKeySpec {
if x != nil {
return x.Spec
}
return nil
}
// PrivateKeySpec is the private key spec.
type PrivateKeySpec struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// device_id is the device trust identifier of the device that owns the key.
DeviceId string `protobuf:"bytes,1,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"`
// public_key_fingerprint is the SHA256 of the SSH public key corresponding to
// the private key.
PublicKeyFingerprint string `protobuf:"bytes,2,opt,name=public_key_fingerprint,json=publicKeyFingerprint,proto3" json:"public_key_fingerprint,omitempty"`
// public_key_mode is the public key mode.
PublicKeyMode PublicKeyMode `protobuf:"varint,3,opt,name=public_key_mode,json=publicKeyMode,proto3,enum=teleport.access_graph.v1.PublicKeyMode" json:"public_key_mode,omitempty"`
}
func (x *PrivateKeySpec) Reset() {
*x = PrivateKeySpec{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *PrivateKeySpec) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*PrivateKeySpec) ProtoMessage() {}
func (x *PrivateKeySpec) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_private_key_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use PrivateKeySpec.ProtoReflect.Descriptor instead.
func (*PrivateKeySpec) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_private_key_proto_rawDescGZIP(), []int{1}
}
func (x *PrivateKeySpec) GetDeviceId() string {
if x != nil {
return x.DeviceId
}
return ""
}
func (x *PrivateKeySpec) GetPublicKeyFingerprint() string {
if x != nil {
return x.PublicKeyFingerprint
}
return ""
}
func (x *PrivateKeySpec) GetPublicKeyMode() PublicKeyMode {
if x != nil {
return x.PublicKeyMode
}
return PublicKeyMode_PUBLIC_KEY_MODE_UNSPECIFIED
}
var File_teleport_access_graph_v1_private_key_proto protoreflect.FileDescriptor
var file_teleport_access_graph_v1_private_key_proto_rawDesc = []byte{
0x0a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61,
0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65,
0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72,
0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x64,
0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcd, 0x01, 0x0a, 0x0a, 0x50, 0x72,
0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x38, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61,
0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x65, 0x6c,
0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x2e,
0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61,
0x74, 0x61, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69,
0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e,
0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01,
0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x3c, 0x0a, 0x04, 0x73,
0x70, 0x65, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65,
0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
0x68, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x53,
0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, 0xb4, 0x01, 0x0a, 0x0e, 0x50, 0x72,
0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09,
0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x34, 0x0a, 0x16, 0x70, 0x75, 0x62,
0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72,
0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x70, 0x75, 0x62, 0x6c, 0x69,
0x63, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12,
0x4f, 0x0a, 0x0f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x6d, 0x6f,
0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70,
0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68,
0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64,
0x65, 0x52, 0x0d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65,
0x2a, 0x8a, 0x01, 0x0a, 0x0d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x4d, 0x6f,
0x64, 0x65, 0x12, 0x1f, 0x0a, 0x1b, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59,
0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45,
0x44, 0x10, 0x00, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45,
0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x44, 0x45, 0x52, 0x49, 0x56, 0x45, 0x44, 0x10, 0x01,
0x12, 0x1c, 0x0a, 0x18, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4d,
0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1d,
0x0a, 0x19, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44,
0x45, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x45, 0x43, 0x54, 0x45, 0x44, 0x10, 0x03, 0x42, 0x5a, 0x5a,
0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76,
0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63,
0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65,
0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x33,
}
var (
file_teleport_access_graph_v1_private_key_proto_rawDescOnce sync.Once
file_teleport_access_graph_v1_private_key_proto_rawDescData = file_teleport_access_graph_v1_private_key_proto_rawDesc
)
func file_teleport_access_graph_v1_private_key_proto_rawDescGZIP() []byte {
file_teleport_access_graph_v1_private_key_proto_rawDescOnce.Do(func() {
file_teleport_access_graph_v1_private_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_private_key_proto_rawDescData)
})
return file_teleport_access_graph_v1_private_key_proto_rawDescData
}
var file_teleport_access_graph_v1_private_key_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_teleport_access_graph_v1_private_key_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
var file_teleport_access_graph_v1_private_key_proto_goTypes = []any{
(PublicKeyMode)(0), // 0: teleport.access_graph.v1.PublicKeyMode
(*PrivateKey)(nil), // 1: teleport.access_graph.v1.PrivateKey
(*PrivateKeySpec)(nil), // 2: teleport.access_graph.v1.PrivateKeySpec
(*v1.Metadata)(nil), // 3: teleport.header.v1.Metadata
}
var file_teleport_access_graph_v1_private_key_proto_depIdxs = []int32{
3, // 0: teleport.access_graph.v1.PrivateKey.metadata:type_name -> teleport.header.v1.Metadata
2, // 1: teleport.access_graph.v1.PrivateKey.spec:type_name -> teleport.access_graph.v1.PrivateKeySpec
0, // 2: teleport.access_graph.v1.PrivateKeySpec.public_key_mode:type_name -> teleport.access_graph.v1.PublicKeyMode
3, // [3:3] is the sub-list for method output_type
3, // [3:3] is the sub-list for method input_type
3, // [3:3] is the sub-list for extension type_name
3, // [3:3] is the sub-list for extension extendee
0, // [0:3] is the sub-list for field type_name
}
func init() { file_teleport_access_graph_v1_private_key_proto_init() }
func file_teleport_access_graph_v1_private_key_proto_init() {
if File_teleport_access_graph_v1_private_key_proto != nil {
return
}
if !protoimpl.UnsafeEnabled {
file_teleport_access_graph_v1_private_key_proto_msgTypes[0].Exporter = func(v any, i int) any {
switch v := v.(*PrivateKey); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_teleport_access_graph_v1_private_key_proto_msgTypes[1].Exporter = func(v any, i int) any {
switch v := v.(*PrivateKeySpec); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_teleport_access_graph_v1_private_key_proto_rawDesc,
NumEnums: 1,
NumMessages: 2,
NumExtensions: 0,
NumServices: 0,
},
GoTypes: file_teleport_access_graph_v1_private_key_proto_goTypes,
DependencyIndexes: file_teleport_access_graph_v1_private_key_proto_depIdxs,
EnumInfos: file_teleport_access_graph_v1_private_key_proto_enumTypes,
MessageInfos: file_teleport_access_graph_v1_private_key_proto_msgTypes,
}.Build()
File_teleport_access_graph_v1_private_key_proto = out.File
file_teleport_access_graph_v1_private_key_proto_rawDesc = nil
file_teleport_access_graph_v1_private_key_proto_goTypes = nil
file_teleport_access_graph_v1_private_key_proto_depIdxs = nil
}


@ -0,0 +1,626 @@
// Copyright 2024 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// protoc-gen-go v1.34.2
// protoc (unknown)
// source: teleport/access_graph/v1/secrets_service.proto
package accessgraphv1
import (
v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
reflect "reflect"
sync "sync"
)
const (
// Verify that this generated code is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
// Verify that runtime/protoimpl is sufficiently up-to-date.
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
// OperationType is an enum that indicates the operation that the client wants to perform.
type OperationType int32
const (
// OPERATION_TYPE_UNSPECIFIED is an unknown operation.
OperationType_OPERATION_TYPE_UNSPECIFIED OperationType = 0
// OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list.
OperationType_OPERATION_TYPE_ADD OperationType = 1
// OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and
// the server can proceed with the analysis.
OperationType_OPERATION_TYPE_SYNC OperationType = 2
)
// Enum value maps for OperationType.
var (
OperationType_name = map[int32]string{
0: "OPERATION_TYPE_UNSPECIFIED",
1: "OPERATION_TYPE_ADD",
2: "OPERATION_TYPE_SYNC",
}
OperationType_value = map[string]int32{
"OPERATION_TYPE_UNSPECIFIED": 0,
"OPERATION_TYPE_ADD": 1,
"OPERATION_TYPE_SYNC": 2,
}
)
func (x OperationType) Enum() *OperationType {
p := new(OperationType)
*p = x
return p
}
func (x OperationType) String() string {
return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
}
func (OperationType) Descriptor() protoreflect.EnumDescriptor {
return file_teleport_access_graph_v1_secrets_service_proto_enumTypes[0].Descriptor()
}
func (OperationType) Type() protoreflect.EnumType {
return &file_teleport_access_graph_v1_secrets_service_proto_enumTypes[0]
}
func (x OperationType) Number() protoreflect.EnumNumber {
return protoreflect.EnumNumber(x)
}
// Deprecated: Use OperationType.Descriptor instead.
func (OperationType) EnumDescriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{0}
}
// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys
// that could be used to bypass Teleport.
type ReportAuthorizedKeysRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// keys is a list of authorized keys that could be used to bypass Teleport.
Keys []*AuthorizedKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
// operation indicates the operation that the client wants to perform.
Operation OperationType `protobuf:"varint,2,opt,name=operation,proto3,enum=teleport.access_graph.v1.OperationType" json:"operation,omitempty"`
}
func (x *ReportAuthorizedKeysRequest) Reset() {
*x = ReportAuthorizedKeysRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ReportAuthorizedKeysRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ReportAuthorizedKeysRequest) ProtoMessage() {}
func (x *ReportAuthorizedKeysRequest) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ReportAuthorizedKeysRequest.ProtoReflect.Descriptor instead.
func (*ReportAuthorizedKeysRequest) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{0}
}
func (x *ReportAuthorizedKeysRequest) GetKeys() []*AuthorizedKey {
if x != nil {
return x.Keys
}
return nil
}
func (x *ReportAuthorizedKeysRequest) GetOperation() OperationType {
if x != nil {
return x.Operation
}
return OperationType_OPERATION_TYPE_UNSPECIFIED
}
// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys
// RPC method.
type ReportAuthorizedKeysResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
}
func (x *ReportAuthorizedKeysResponse) Reset() {
*x = ReportAuthorizedKeysResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ReportAuthorizedKeysResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ReportAuthorizedKeysResponse) ProtoMessage() {}
func (x *ReportAuthorizedKeysResponse) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ReportAuthorizedKeysResponse.ProtoReflect.Descriptor instead.
func (*ReportAuthorizedKeysResponse) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{1}
}
// ReportSecretsRequest is used by trusted devices to report secrets found on the host
// that could be used to bypass Teleport.
type ReportSecretsRequest struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// Types that are assignable to Payload:
//
// *ReportSecretsRequest_DeviceAssertion
// *ReportSecretsRequest_PrivateKeys
Payload isReportSecretsRequest_Payload `protobuf_oneof:"payload"`
}
func (x *ReportSecretsRequest) Reset() {
*x = ReportSecretsRequest{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ReportSecretsRequest) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ReportSecretsRequest) ProtoMessage() {}
func (x *ReportSecretsRequest) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ReportSecretsRequest.ProtoReflect.Descriptor instead.
func (*ReportSecretsRequest) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{2}
}
func (m *ReportSecretsRequest) GetPayload() isReportSecretsRequest_Payload {
if m != nil {
return m.Payload
}
return nil
}
func (x *ReportSecretsRequest) GetDeviceAssertion() *v1.AssertDeviceRequest {
if x, ok := x.GetPayload().(*ReportSecretsRequest_DeviceAssertion); ok {
return x.DeviceAssertion
}
return nil
}
func (x *ReportSecretsRequest) GetPrivateKeys() *ReportPrivateKeys {
if x, ok := x.GetPayload().(*ReportSecretsRequest_PrivateKeys); ok {
return x.PrivateKeys
}
return nil
}
type isReportSecretsRequest_Payload interface {
isReportSecretsRequest_Payload()
}
type ReportSecretsRequest_DeviceAssertion struct {
// The device should initiate the device assertion ceremony by sending the
// AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest]
// message for more details.
DeviceAssertion *v1.AssertDeviceRequest `protobuf:"bytes,1,opt,name=device_assertion,json=deviceAssertion,proto3,oneof"`
}
type ReportSecretsRequest_PrivateKeys struct {
// private_keys is a list of private keys that were found on the device.
PrivateKeys *ReportPrivateKeys `protobuf:"bytes,4,opt,name=private_keys,json=privateKeys,proto3,oneof"`
}
func (*ReportSecretsRequest_DeviceAssertion) isReportSecretsRequest_Payload() {}
func (*ReportSecretsRequest_PrivateKeys) isReportSecretsRequest_Payload() {}
// ReportPrivateKeys is used by trusted devices to report private keys found on the host
// that could be used to bypass Teleport.
type ReportPrivateKeys struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// keys is a list of private keys that could be used to bypass Teleport.
Keys []*PrivateKey `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
}
func (x *ReportPrivateKeys) Reset() {
*x = ReportPrivateKeys{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ReportPrivateKeys) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ReportPrivateKeys) ProtoMessage() {}
func (x *ReportPrivateKeys) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ReportPrivateKeys.ProtoReflect.Descriptor instead.
func (*ReportPrivateKeys) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{3}
}
func (x *ReportPrivateKeys) GetKeys() []*PrivateKey {
if x != nil {
return x.Keys
}
return nil
}
// ReportSecretsResponse is the response from the ReportSecrets
// RPC method.
type ReportSecretsResponse struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// Types that are assignable to Payload:
//
// *ReportSecretsResponse_DeviceAssertion
Payload isReportSecretsResponse_Payload `protobuf_oneof:"payload"`
}
func (x *ReportSecretsResponse) Reset() {
*x = ReportSecretsResponse{}
if protoimpl.UnsafeEnabled {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *ReportSecretsResponse) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ReportSecretsResponse) ProtoMessage() {}
func (x *ReportSecretsResponse) ProtoReflect() protoreflect.Message {
mi := &file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ReportSecretsResponse.ProtoReflect.Descriptor instead.
func (*ReportSecretsResponse) Descriptor() ([]byte, []int) {
return file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP(), []int{4}
}
func (m *ReportSecretsResponse) GetPayload() isReportSecretsResponse_Payload {
if m != nil {
return m.Payload
}
return nil
}
func (x *ReportSecretsResponse) GetDeviceAssertion() *v1.AssertDeviceResponse {
if x, ok := x.GetPayload().(*ReportSecretsResponse_DeviceAssertion); ok {
return x.DeviceAssertion
}
return nil
}
type isReportSecretsResponse_Payload interface {
isReportSecretsResponse_Payload()
}
type ReportSecretsResponse_DeviceAssertion struct {
// device_assertion is the response from the device assertion ceremony.
// Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse]
// message for more details
DeviceAssertion *v1.AssertDeviceResponse `protobuf:"bytes,1,opt,name=device_assertion,json=deviceAssertion,proto3,oneof"`
}
func (*ReportSecretsResponse_DeviceAssertion) isReportSecretsResponse_Payload() {}
var File_teleport_access_graph_v1_secrets_service_proto protoreflect.FileDescriptor
var file_teleport_access_graph_v1_secrets_service_proto_rawDesc = []byte{
0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65,
0x74, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73,
0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65,
0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f,
0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70,
0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68,
0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x24, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f,
0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61,
0x73, 0x73, 0x65, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa1, 0x01, 0x0a, 0x1b,
0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3b, 0x0a, 0x04, 0x6b,
0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65,
0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
0x68, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b,
0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x12, 0x45, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x74, 0x65,
0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72,
0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x54, 0x79, 0x70, 0x65, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22,
0x1e, 0x0a, 0x1c, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
0xce, 0x01, 0x0a, 0x14, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74,
0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x59, 0x0a, 0x10, 0x64, 0x65, 0x76, 0x69,
0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65,
0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x73,
0x65, 0x72, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
0x48, 0x00, 0x52, 0x0f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72, 0x74,
0x69, 0x6f, 0x6e, 0x12, 0x50, 0x0a, 0x0c, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b,
0x65, 0x79, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65,
0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70,
0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x69, 0x76, 0x61,
0x74, 0x65, 0x4b, 0x65, 0x79, 0x73, 0x48, 0x00, 0x52, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74,
0x65, 0x4b, 0x65, 0x79, 0x73, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
0x22, 0x4d, 0x0a, 0x11, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x69, 0x76, 0x61, 0x74,
0x65, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x38, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20,
0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61,
0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x50,
0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22,
0x7e, 0x0a, 0x15, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x10, 0x64, 0x65, 0x76, 0x69,
0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65,
0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x73, 0x73,
0x65, 0x72, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
0x65, 0x48, 0x00, 0x52, 0x0f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72,
0x74, 0x69, 0x6f, 0x6e, 0x42, 0x09, 0x0a, 0x07, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x2a,
0x60, 0x0a, 0x0d, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65,
0x12, 0x1e, 0x0a, 0x1a, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00,
0x12, 0x16, 0x0a, 0x12, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
0x50, 0x45, 0x5f, 0x41, 0x44, 0x44, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x4f, 0x50, 0x45, 0x52,
0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x59, 0x4e, 0x43, 0x10,
0x02, 0x32, 0x9d, 0x02, 0x0a, 0x15, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x63, 0x61,
0x6e, 0x6e, 0x65, 0x72, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x8b, 0x01, 0x0a, 0x14,
0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
0x4b, 0x65, 0x79, 0x73, 0x12, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e,
0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64,
0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x36, 0x2e, 0x74, 0x65,
0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72,
0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x41, 0x75, 0x74,
0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x12, 0x76, 0x0a, 0x0d, 0x52, 0x65, 0x70,
0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x12, 0x2e, 0x2e, 0x74, 0x65, 0x6c,
0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61,
0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72,
0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2f, 0x2e, 0x74, 0x65, 0x6c,
0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61,
0x70, 0x68, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x63, 0x72,
0x65, 0x74, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30,
0x01, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65,
0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b,
0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce sync.Once
file_teleport_access_graph_v1_secrets_service_proto_rawDescData = file_teleport_access_graph_v1_secrets_service_proto_rawDesc
)
func file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP() []byte {
file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce.Do(func() {
file_teleport_access_graph_v1_secrets_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_secrets_service_proto_rawDescData)
})
return file_teleport_access_graph_v1_secrets_service_proto_rawDescData
}
var file_teleport_access_graph_v1_secrets_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_teleport_access_graph_v1_secrets_service_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
var file_teleport_access_graph_v1_secrets_service_proto_goTypes = []any{
(OperationType)(0), // 0: teleport.access_graph.v1.OperationType
(*ReportAuthorizedKeysRequest)(nil), // 1: teleport.access_graph.v1.ReportAuthorizedKeysRequest
(*ReportAuthorizedKeysResponse)(nil), // 2: teleport.access_graph.v1.ReportAuthorizedKeysResponse
(*ReportSecretsRequest)(nil), // 3: teleport.access_graph.v1.ReportSecretsRequest
(*ReportPrivateKeys)(nil), // 4: teleport.access_graph.v1.ReportPrivateKeys
(*ReportSecretsResponse)(nil), // 5: teleport.access_graph.v1.ReportSecretsResponse
(*AuthorizedKey)(nil), // 6: teleport.access_graph.v1.AuthorizedKey
(*v1.AssertDeviceRequest)(nil), // 7: teleport.devicetrust.v1.AssertDeviceRequest
(*PrivateKey)(nil), // 8: teleport.access_graph.v1.PrivateKey
(*v1.AssertDeviceResponse)(nil), // 9: teleport.devicetrust.v1.AssertDeviceResponse
}
var file_teleport_access_graph_v1_secrets_service_proto_depIdxs = []int32{
6, // 0: teleport.access_graph.v1.ReportAuthorizedKeysRequest.keys:type_name -> teleport.access_graph.v1.AuthorizedKey
0, // 1: teleport.access_graph.v1.ReportAuthorizedKeysRequest.operation:type_name -> teleport.access_graph.v1.OperationType
7, // 2: teleport.access_graph.v1.ReportSecretsRequest.device_assertion:type_name -> teleport.devicetrust.v1.AssertDeviceRequest
4, // 3: teleport.access_graph.v1.ReportSecretsRequest.private_keys:type_name -> teleport.access_graph.v1.ReportPrivateKeys
8, // 4: teleport.access_graph.v1.ReportPrivateKeys.keys:type_name -> teleport.access_graph.v1.PrivateKey
9, // 5: teleport.access_graph.v1.ReportSecretsResponse.device_assertion:type_name -> teleport.devicetrust.v1.AssertDeviceResponse
1, // 6: teleport.access_graph.v1.SecretsScannerService.ReportAuthorizedKeys:input_type -> teleport.access_graph.v1.ReportAuthorizedKeysRequest
3, // 7: teleport.access_graph.v1.SecretsScannerService.ReportSecrets:input_type -> teleport.access_graph.v1.ReportSecretsRequest
2, // 8: teleport.access_graph.v1.SecretsScannerService.ReportAuthorizedKeys:output_type -> teleport.access_graph.v1.ReportAuthorizedKeysResponse
5, // 9: teleport.access_graph.v1.SecretsScannerService.ReportSecrets:output_type -> teleport.access_graph.v1.ReportSecretsResponse
8, // [8:10] is the sub-list for method output_type
6, // [6:8] is the sub-list for method input_type
6, // [6:6] is the sub-list for extension type_name
6, // [6:6] is the sub-list for extension extendee
0, // [0:6] is the sub-list for field type_name
}
func init() { file_teleport_access_graph_v1_secrets_service_proto_init() }
func file_teleport_access_graph_v1_secrets_service_proto_init() {
if File_teleport_access_graph_v1_secrets_service_proto != nil {
return
}
file_teleport_access_graph_v1_authorized_key_proto_init()
file_teleport_access_graph_v1_private_key_proto_init()
if !protoimpl.UnsafeEnabled {
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[0].Exporter = func(v any, i int) any {
switch v := v.(*ReportAuthorizedKeysRequest); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[1].Exporter = func(v any, i int) any {
switch v := v.(*ReportAuthorizedKeysResponse); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2].Exporter = func(v any, i int) any {
switch v := v.(*ReportSecretsRequest); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[3].Exporter = func(v any, i int) any {
switch v := v.(*ReportPrivateKeys); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4].Exporter = func(v any, i int) any {
switch v := v.(*ReportSecretsResponse); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
}
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[2].OneofWrappers = []any{
(*ReportSecretsRequest_DeviceAssertion)(nil),
(*ReportSecretsRequest_PrivateKeys)(nil),
}
file_teleport_access_graph_v1_secrets_service_proto_msgTypes[4].OneofWrappers = []any{
(*ReportSecretsResponse_DeviceAssertion)(nil),
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_teleport_access_graph_v1_secrets_service_proto_rawDesc,
NumEnums: 1,
NumMessages: 5,
NumExtensions: 0,
NumServices: 1,
},
GoTypes: file_teleport_access_graph_v1_secrets_service_proto_goTypes,
DependencyIndexes: file_teleport_access_graph_v1_secrets_service_proto_depIdxs,
EnumInfos: file_teleport_access_graph_v1_secrets_service_proto_enumTypes,
MessageInfos: file_teleport_access_graph_v1_secrets_service_proto_msgTypes,
}.Build()
File_teleport_access_graph_v1_secrets_service_proto = out.File
file_teleport_access_graph_v1_secrets_service_proto_rawDesc = nil
file_teleport_access_graph_v1_secrets_service_proto_goTypes = nil
file_teleport_access_graph_v1_secrets_service_proto_depIdxs = nil
}


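--- /dev/null
+++ b/[PATH not on page: protoc-gen-go-grpc output for teleport/access_graph/v1/secrets_service.proto]
@@ -0,0 +1,262 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.4.0
+// - protoc (unknown)
+// source: teleport/access_graph/v1/secrets_service.proto
+package accessgraphv1
+import (
+context "context"
+grpc "google.golang.org/grpc"
+codes "google.golang.org/grpc/codes"
+status "google.golang.org/grpc/status"
+)
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.62.0 or later.
+const _ = grpc.SupportPackageIsVersion8
+const (
+SecretsScannerService_ReportAuthorizedKeys_FullMethodName = "/teleport.access_graph.v1.SecretsScannerService/ReportAuthorizedKeys"
+SecretsScannerService_ReportSecrets_FullMethodName = "/teleport.access_graph.v1.SecretsScannerService/ReportSecrets"
+)
+// SecretsScannerServiceClient is the client API for SecretsScannerService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+//
+// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
+type SecretsScannerServiceClient interface {
+// ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
+// that could be used to bypass Teleport.
+// The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
+ReportAuthorizedKeys(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportAuthorizedKeysClient, error)
+// ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
+// The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
+// the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
+//
+// Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
+// and then close the client side of the stream.
+//
+// -> ReportSecrets (client) [1 or more]
+// -> CloseStream (client)
+// <- TerminateStream (server)
+//
+// Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
+// reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
+ReportSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportSecretsClient, error)
+}
+type secretsScannerServiceClient struct {
+cc grpc.ClientConnInterface
+}
+func NewSecretsScannerServiceClient(cc grpc.ClientConnInterface) SecretsScannerServiceClient {
+return &secretsScannerServiceClient{cc}
+}
+func (c *secretsScannerServiceClient) ReportAuthorizedKeys(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportAuthorizedKeysClient, error) {
+cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+stream, err := c.cc.NewStream(ctx, &SecretsScannerService_ServiceDesc.Streams[0], SecretsScannerService_ReportAuthorizedKeys_FullMethodName, cOpts...)
+if err != nil {
+return nil, err
+}
+x := &secretsScannerServiceReportAuthorizedKeysClient{ClientStream: stream}
+return x, nil
+}
+type SecretsScannerService_ReportAuthorizedKeysClient interface {
+Send(*ReportAuthorizedKeysRequest) error
+Recv() (*ReportAuthorizedKeysResponse, error)
+grpc.ClientStream
+}
+type secretsScannerServiceReportAuthorizedKeysClient struct {
+grpc.ClientStream
+}
+func (x *secretsScannerServiceReportAuthorizedKeysClient) Send(m *ReportAuthorizedKeysRequest) error {
+return x.ClientStream.SendMsg(m)
+}
+func (x *secretsScannerServiceReportAuthorizedKeysClient) Recv() (*ReportAuthorizedKeysResponse, error) {
+m := new(ReportAuthorizedKeysResponse)
+if err := x.ClientStream.RecvMsg(m); err != nil {
+return nil, err
+}
+return m, nil
+}
+func (c *secretsScannerServiceClient) ReportSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretsScannerService_ReportSecretsClient, error) {
+cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+stream, err := c.cc.NewStream(ctx, &SecretsScannerService_ServiceDesc.Streams[1], SecretsScannerService_ReportSecrets_FullMethodName, cOpts...)
+if err != nil {
+return nil, err
+}
+x := &secretsScannerServiceReportSecretsClient{ClientStream: stream}
+return x, nil
+}
+type SecretsScannerService_ReportSecretsClient interface {
+Send(*ReportSecretsRequest) error
+Recv() (*ReportSecretsResponse, error)
+grpc.ClientStream
+}
+type secretsScannerServiceReportSecretsClient struct {
+grpc.ClientStream
+}
+func (x *secretsScannerServiceReportSecretsClient) Send(m *ReportSecretsRequest) error {
+return x.ClientStream.SendMsg(m)
+}
+func (x *secretsScannerServiceReportSecretsClient) Recv() (*ReportSecretsResponse, error) {
+m := new(ReportSecretsResponse)
+if err := x.ClientStream.RecvMsg(m); err != nil {
+return nil, err
+}
+return m, nil
+}
+// SecretsScannerServiceServer is the server API for SecretsScannerService service.
+// All implementations must embed UnimplementedSecretsScannerServiceServer
+// for forward compatibility
+//
+// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
+type SecretsScannerServiceServer interface {
+// ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
+// that could be used to bypass Teleport.
+// The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
+ReportAuthorizedKeys(SecretsScannerService_ReportAuthorizedKeysServer) error
+// ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
+// The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
+// the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
+//
+// Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
+// and then close the client side of the stream.
+//
+// -> ReportSecrets (client) [1 or more]
+// -> CloseStream (client)
+// <- TerminateStream (server)
+//
+// Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
+// reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
+ReportSecrets(SecretsScannerService_ReportSecretsServer) error
+mustEmbedUnimplementedSecretsScannerServiceServer()
+}
+// UnimplementedSecretsScannerServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedSecretsScannerServiceServer struct {
+}
+func (UnimplementedSecretsScannerServiceServer) ReportAuthorizedKeys(SecretsScannerService_ReportAuthorizedKeysServer) error {
+return status.Errorf(codes.Unimplemented, "method ReportAuthorizedKeys not implemented")
+}
+func (UnimplementedSecretsScannerServiceServer) ReportSecrets(SecretsScannerService_ReportSecretsServer) error {
+return status.Errorf(codes.Unimplemented, "method ReportSecrets not implemented")
+}
+func (UnimplementedSecretsScannerServiceServer) mustEmbedUnimplementedSecretsScannerServiceServer() {}
+// UnsafeSecretsScannerServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SecretsScannerServiceServer will
+// result in compilation errors.
+type UnsafeSecretsScannerServiceServer interface {
+mustEmbedUnimplementedSecretsScannerServiceServer()
+}
+func RegisterSecretsScannerServiceServer(s grpc.ServiceRegistrar, srv SecretsScannerServiceServer) {
+s.RegisterService(&SecretsScannerService_ServiceDesc, srv)
+}
+func _SecretsScannerService_ReportAuthorizedKeys_Handler(srv interface{}, stream grpc.ServerStream) error {
+return srv.(SecretsScannerServiceServer).ReportAuthorizedKeys(&secretsScannerServiceReportAuthorizedKeysServer{ServerStream: stream})
+}
+type SecretsScannerService_ReportAuthorizedKeysServer interface {
+Send(*ReportAuthorizedKeysResponse) error
+Recv() (*ReportAuthorizedKeysRequest, error)
+grpc.ServerStream
+}
+type secretsScannerServiceReportAuthorizedKeysServer struct {
+grpc.ServerStream
+}
+func (x *secretsScannerServiceReportAuthorizedKeysServer) Send(m *ReportAuthorizedKeysResponse) error {
+return x.ServerStream.SendMsg(m)
+}
+func (x *secretsScannerServiceReportAuthorizedKeysServer) Recv() (*ReportAuthorizedKeysRequest, error) {
+m := new(ReportAuthorizedKeysRequest)
+if err := x.ServerStream.RecvMsg(m); err != nil {
+return nil, err
+}
+return m, nil
+}
+func _SecretsScannerService_ReportSecrets_Handler(srv interface{}, stream grpc.ServerStream) error {
+return srv.(SecretsScannerServiceServer).ReportSecrets(&secretsScannerServiceReportSecretsServer{ServerStream: stream})
+}
+type SecretsScannerService_ReportSecretsServer interface {
+Send(*ReportSecretsResponse) error
+Recv() (*ReportSecretsRequest, error)
+grpc.ServerStream
+}
+type secretsScannerServiceReportSecretsServer struct {
+grpc.ServerStream
+}
+func (x *secretsScannerServiceReportSecretsServer) Send(m *ReportSecretsResponse) error {
+return x.ServerStream.SendMsg(m)
+}
+func (x *secretsScannerServiceReportSecretsServer) Recv() (*ReportSecretsRequest, error) {
+m := new(ReportSecretsRequest)
+if err := x.ServerStream.RecvMsg(m); err != nil {
+return nil, err
+}
+return m, nil
+}
+// SecretsScannerService_ServiceDesc is the grpc.ServiceDesc for SecretsScannerService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SecretsScannerService_ServiceDesc = grpc.ServiceDesc{
+ServiceName: "teleport.access_graph.v1.SecretsScannerService",
+HandlerType: (*SecretsScannerServiceServer)(nil),
+Methods: []grpc.MethodDesc{},
+Streams: []grpc.StreamDesc{
+{
+StreamName: "ReportAuthorizedKeys",
+Handler: _SecretsScannerService_ReportAuthorizedKeys_Handler,
+ServerStreams: true,
+ClientStreams: true,
+},
+{
+StreamName: "ReportSecrets",
+Handler: _SecretsScannerService_ReportSecrets_Handler,
+ServerStreams: true,
+ClientStreams: true,
+},
+},
+Metadata: "teleport/access_graph/v1/secrets_service.proto",
+}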


@ -0,0 +1,46 @@
// Copyright 2024 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package teleport.access_graph.v1;
import "teleport/header/v1/metadata.proto";
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
// The `AuthorizedKey` message represents an authorized key entry for a specific local user.
// These authorized keys are generated by the server when a particular SSH AuthorizedKey is granted access to a user on the node.
message AuthorizedKey {
// metadata is the AuthorizedKey's metadata.
teleport.header.v1.Metadata metadata = 1;
// kind is a resource kind.
string kind = 2;
// sub_kind is an optional resource sub kind, used in some resources.
string sub_kind = 3;
// version is version.
string version = 4;
// Spec is an AuthorizedKey specification.
AuthorizedKeySpec spec = 5;
}
// AuthorizedKeySpec is the authorized key spec.
message AuthorizedKeySpec {
// host_id is the node identifier and must match the credentials used.
string host_id = 1;
// key_fingerprint is the SHA256 SSH public key fingerprint.
string key_fingerprint = 2;
// host_user is the user who can be accessed using the fingerprint above.
string host_user = 3;
}
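Review bot: The `key_fingerprint` comment on `AuthorizedKeySpec` says "SHA256 SSH public key fingerprint" but does not fix the encoding, and the same commit adds `PrivateKeySpec.public_key_fingerprint`, which the Access Graph presumably has to compare against this field; if the node and the device reporter pick different encodings the match silently fails. I would state the encoding once and cross-reference it: `// key_fingerprint is the SHA256 SSH public key fingerprint; it must use the same encoding as PrivateKeySpec.public_key_fingerprint so the two can be matched.` The `// version is version.` comment on `AuthorizedKey` says nothing; `// version is the resource version.` at least tells the reader what the string holds.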


@ -0,0 +1,67 @@
// Copyright 2024 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package teleport.access_graph.v1;
import "teleport/header/v1/metadata.proto";
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
// The `PrivateKey` message represents a private key entry for a specific local user.
// It serves as a reference to a private key located on a user's laptop. Note that it *NEVER* contains the private key itself.
// Instead, it stores metadata related to the key, including the fingerprint of the public key, the device trust identifier, and the public key mode.
// The Teleport Access Graph uses this metadata to assess whether a particular private key is authorized to access a user on the node without using Teleport.
message PrivateKey {
// metadata is the PrivateKey's metadata.
teleport.header.v1.Metadata metadata = 1;
// kind is a resource kind.
string kind = 2;
// sub_kind is an optional resource sub kind, used in some resources.
string sub_kind = 3;
// version is version.
string version = 4;
// Spec is a PrivateKey specification.
PrivateKeySpec spec = 5;
}
// PrivateKeySpec is the private key spec.
message PrivateKeySpec {
// device_id is the device trust identifier of the device that owns the key.
string device_id = 1;
// public_key_fingerprint is the SHA256 of the SSH public key corresponding to
// the private key.
string public_key_fingerprint = 2;
// public_key_mode is the public key mode.
PublicKeyMode public_key_mode = 3;
}
// PublicKeyMode is the mode of the public key.
// The public key can be derived from the private key, stored in a separate file, or the private key was password protected
// and we could not extract the public key from it or from the file.
enum PublicKeyMode {
// PUBLIC_KEY_MODE_UNSPECIFIED is an invalid state.
PUBLIC_KEY_MODE_UNSPECIFIED = 0;
// PUBLIC_KEY_MODE_DERIVED is the state where the public key is derived from the private key.
PUBLIC_KEY_MODE_DERIVED = 1;
// PUBLIC_KEY_MODE_PUB_FILE is a state where the public key is stored in a separate file from the private key.
// The private key is password protected and we could not extract the public key from it.
// This mode is used when the private key is password protected and there is a <key>.pub file next to the private key
// that contains the public key.
PUBLIC_KEY_MODE_PUB_FILE = 2;
// PUBLIC_KEY_MODE_PROTECTED is a state where the private key is password protected and we could not extract the public key from it
// or from the .pub file.
PUBLIC_KEY_MODE_PROTECTED = 3;
}
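Review bot: `PrivateKeySpec.device_id` is a client-supplied field with no stated binding to the authenticated caller, whereas its counterpart `AuthorizedKeySpec.host_id` in the same commit is documented as "must match the credentials used". Since `ReportSecrets` authenticates the device through the assertion ceremony, the server presumably has an asserted device identity it can check this field against, and the contract should say so: `// device_id is the device trust identifier of the device that owns the key. It must match the device asserted on the ReportSecrets stream.` Separately, the `PUBLIC_KEY_MODE_PUB_FILE` comment states the password-protected condition twice (once on its own, once in the "This mode is used when" sentence); folding them into one sentence would make the distinction from `PUBLIC_KEY_MODE_PROTECTED` (no usable .pub file) easier to read.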


@ -0,0 +1,101 @@
// Copyright 2024 Gravitational, Inc
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package teleport.access_graph.v1;
import "teleport/access_graph/v1/authorized_key.proto";
import "teleport/access_graph/v1/private_key.proto";
import "teleport/devicetrust/v1/assert.proto";
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1;accessgraphv1";
// SecretsScannerService provides methods for Access Graph Secret Scanner functionality.
service SecretsScannerService {
// ReportAuthorizedKeys is used by Teleport SSH nodes to report authorized keys
// that could be used to bypass Teleport.
// The client (Teleport SSH Node) should authenticate using the certificate-key pair signed by Teleport HostCA.
rpc ReportAuthorizedKeys(stream ReportAuthorizedKeysRequest) returns (stream ReportAuthorizedKeysResponse) {}
// ReportSecrets is used by trusted devices to report secrets found on the host that could be used to bypass Teleport.
// The client (device) should first authenticate using the [ReportSecretsRequest.device_assertion] flow. Please refer to
// the [teleport.devicetrust.v1.AssertDeviceRequest] and [teleport.devicetrust.v1.AssertDeviceResponse] messages for more details.
//
// Once the device is asserted, the client can send the secrets using the [ReportSecretsRequest.private_keys] field
// and then close the client side of the stream.
//
// -> ReportSecrets (client) [1 or more]
// -> CloseStream (client)
// <- TerminateStream (server)
//
// Any failure in the assertion ceremony will result in the stream being terminated by the server. All secrets
// reported by the client before the assertion terminates will be ignored and result in the stream being terminated.
rpc ReportSecrets(stream ReportSecretsRequest) returns (stream ReportSecretsResponse) {}
}
// ReportAuthorizedKeysRequest is used by Teleport nodes to report authorized keys
// that could be used to bypass Teleport.
message ReportAuthorizedKeysRequest {
// keys is a list of authorized keys that could be used to bypass Teleport.
repeated teleport.access_graph.v1.AuthorizedKey keys = 1;
// operation indicates the operation that the client wants to perform.
OperationType operation = 2;
}
// ReportAuthorizedKeysResponse is the response from ReportAuthorizedKeys
// RPC method.
message ReportAuthorizedKeysResponse {}
// ReportSecretsRequest is used by trusted devices to report secrets found on the host
// that could be used to bypass Teleport.
message ReportSecretsRequest {
oneof payload {
// The device should initiate the device assertion ceremony by sending the
// AssertDeviceRequest. Please refer to the [teleport.devicetrust.v1.AssertDeviceRequest]
// message for more details.
teleport.devicetrust.v1.AssertDeviceRequest device_assertion = 1;
// private_keys is a list of private keys that were found on the device.
ReportPrivateKeys private_keys = 4;
}
}
// ReportPrivateKeys is used by trusted devices to report private keys found on the host
// that could be used to bypass Teleport.
message ReportPrivateKeys {
// keys is a list of private keys that could be used to bypass Teleport.
repeated teleport.access_graph.v1.PrivateKey keys = 1;
}
// ReportSecretsResponse is the response from the ReportSecrets
// RPC method.
message ReportSecretsResponse {
oneof payload {
// device_assertion is the response from the device assertion ceremony.
// Please refer to the [teleport.devicetrust.v1.AssertDeviceResponse]
// message for more details
teleport.devicetrust.v1.AssertDeviceResponse device_assertion = 1;
}
}
// OperationType is an enum that indicates the operation that the client wants to perform.
enum OperationType {
// OPERATION_TYPE_UNSPECIFIED is an unknown operation.
OPERATION_TYPE_UNSPECIFIED = 0;
// OPERATION_TYPE_ADD is an operation that indicates that the client wants to add keys to the list.
OPERATION_TYPE_ADD = 1;
// OPERATION_TYPE_SYNC is an operation that indicates that the client has sent all the keys and
// the server can proceed with the analysis.
OPERATION_TYPE_SYNC = 2;
}
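Review bot: The `payload` oneof in `ReportSecretsRequest` jumps from `device_assertion = 1` to `private_keys = 4` with no `reserved 2, 3;`, so a future field can be assigned one of the skipped numbers and collide with any client still sending an earlier draft of the message; if 2 and 3 were used before this PR, add `reserved 2, 3;`, otherwise number `private_keys` as 2. The `ReportSecrets` comment also says secrets sent before the assertion completes "will be ignored and result in the stream being terminated", which reads as two different outcomes; stating one ("are rejected and the stream is terminated") removes the ambiguity for implementers on both sides.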


@ -68,6 +68,7 @@ lint:
- api/proto/teleport/devicetrust/v1/devicetrust_service.proto
- api/proto/teleport/legacy/client/proto/joinservice.proto
- api/proto/teleport/transport/v1/transport_service.proto
- api/proto/teleport/access_graph/v1/secrets_service.proto
- proto/accessgraph/v1alpha/access_graph_service.proto
- proto/teleport/lib/teleterm/v1/service.proto
disallow_comment_ignores: true