From b84e7db3465fb005b493bd28a2774539ed6a9a49 Mon Sep 17 00:00:00 2001
From: Forrest Marshall
Date: Mon, 23 Dec 2024 11:00:08 -0800
Subject: [PATCH] add identity generators to decision api
---
 .../decision/v1alpha1/decision_service.pb.go | 103 ++++--
 .../v1alpha1/decision_service_grpc.pb.go | 88 ++++-
 .../decision/v1alpha1/simulated.pb.go | 325 ++++++++++++++++++
 .../decision/v1alpha1/decision_service.proto | 9 +
 .../decision/v1alpha1/simulated.proto | 50 +++
 5 files changed, 537 insertions(+), 38 deletions(-)
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/simulated.pb.go
 create mode 100644 api/proto/teleport/decision/v1alpha1/simulated.proto
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
index d50f86f8a1a7f..53587c237bb69 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
@@ -44,49 +44,79 @@ var file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = []byte{ 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x1a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, - 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, - 0x68, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xa6, - 0x02, 0x0a, 0x0f, 0x44, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x11, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, - 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, - 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, + 0x6f, 0x1a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x69, + 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, 0x5f, 0x61, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xd0, 0x04, 0x0a, 0x0f, 0x44, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x92, + 0x01, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x53, 
0x69, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x54, + 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x3a, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, 0x6c, + 0x61, 0x74, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, + 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x92, 0x01, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, 0x6c, + 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, + 0x3a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, + 0x53, 0x69, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3b, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, + 0x6c, 0x61, 0x74, 0x65, 0x64, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x11, 0x45, 0x76, 0x61, + 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 
0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, - 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x16, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, - 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, - 0x12, 0x39, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, - 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, - 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, - 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x74, 0x65, - 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, - 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, - 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, - 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, - 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, - 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 
0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, + 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x16, + 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x39, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, + 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x3a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, + 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, + 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, + 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, + 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, } var file_teleport_decision_v1alpha1_decision_service_proto_goTypes = []any{ - (*EvaluateSSHAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest - (*EvaluateDatabaseAccessRequest)(nil), // 1: teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest - 
(*EvaluateSSHAccessResponse)(nil), // 2: teleport.decision.v1alpha1.EvaluateSSHAccessResponse - (*EvaluateDatabaseAccessResponse)(nil), // 3: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse + (*GetSimulatedTLSIdentityRequest)(nil), // 0: teleport.decision.v1alpha1.GetSimulatedTLSIdentityRequest + (*GetSimulatedSSHIdentityRequest)(nil), // 1: teleport.decision.v1alpha1.GetSimulatedSSHIdentityRequest + (*EvaluateSSHAccessRequest)(nil), // 2: teleport.decision.v1alpha1.EvaluateSSHAccessRequest + (*EvaluateDatabaseAccessRequest)(nil), // 3: teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + (*GetSimulatedTLSIdentityResponse)(nil), // 4: teleport.decision.v1alpha1.GetSimulatedTLSIdentityResponse + (*GetSimulatedSSHIdentityResponse)(nil), // 5: teleport.decision.v1alpha1.GetSimulatedSSHIdentityResponse + (*EvaluateSSHAccessResponse)(nil), // 6: teleport.decision.v1alpha1.EvaluateSSHAccessResponse + (*EvaluateDatabaseAccessResponse)(nil), // 7: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse } var file_teleport_decision_v1alpha1_decision_service_proto_depIdxs = []int32{ - 0, // 0: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:input_type -> teleport.decision.v1alpha1.EvaluateSSHAccessRequest - 1, // 1: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:input_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest - 2, // 2: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:output_type -> teleport.decision.v1alpha1.EvaluateSSHAccessResponse - 3, // 3: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:output_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse - 2, // [2:4] is the sub-list for method output_type - 0, // [0:2] is the sub-list for method input_type + 0, // 0: teleport.decision.v1alpha1.DecisionService.GetSimulatedTLSIdentity:input_type -> teleport.decision.v1alpha1.GetSimulatedTLSIdentityRequest + 1, // 1: 
teleport.decision.v1alpha1.DecisionService.GetSimulatedSSHIdentity:input_type -> teleport.decision.v1alpha1.GetSimulatedSSHIdentityRequest + 2, // 2: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:input_type -> teleport.decision.v1alpha1.EvaluateSSHAccessRequest + 3, // 3: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:input_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + 4, // 4: teleport.decision.v1alpha1.DecisionService.GetSimulatedTLSIdentity:output_type -> teleport.decision.v1alpha1.GetSimulatedTLSIdentityResponse + 5, // 5: teleport.decision.v1alpha1.DecisionService.GetSimulatedSSHIdentity:output_type -> teleport.decision.v1alpha1.GetSimulatedSSHIdentityResponse + 6, // 6: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:output_type -> teleport.decision.v1alpha1.EvaluateSSHAccessResponse + 7, // 7: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:output_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse + 4, // [4:8] is the sub-list for method output_type + 0, // [0:4] is the sub-list for method input_type 0, // [0:0] is the sub-list for extension type_name 0, // [0:0] is the sub-list for extension extendee 0, // [0:0] is the sub-list for field type_name @@ -98,6 +128,7 @@ func file_teleport_decision_v1alpha1_decision_service_proto_init() { return } file_teleport_decision_v1alpha1_database_access_proto_init() + file_teleport_decision_v1alpha1_simulated_proto_init() file_teleport_decision_v1alpha1_ssh_access_proto_init() type x struct{} out := protoimpl.TypeBuilder{ diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go index 620b4bf79887b..9a8cc9928f478 100644 --- a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go +++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go 
@@ -33,8 +33,10 @@ import ( const _ = grpc.SupportPackageIsVersion9 const ( - DecisionService_EvaluateSSHAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateSSHAccess" - DecisionService_EvaluateDatabaseAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateDatabaseAccess" + DecisionService_GetSimulatedTLSIdentity_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/GetSimulatedTLSIdentity" + DecisionService_GetSimulatedSSHIdentity_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/GetSimulatedSSHIdentity" + DecisionService_EvaluateSSHAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateSSHAccess" + DecisionService_EvaluateDatabaseAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateDatabaseAccess" ) // DecisionServiceClient is the client API for DecisionService service. 
@@ -52,6 +54,12 @@ const ( // decision. A successful evaluation carries a Permit, whereas a failed // evaluation carries a Denial. type DecisionServiceClient interface { + // GetSimulatedTLSIdentity gets a TLS idenitity object based on a target user. The identity objects generated + // this way are not authoratative, and are meant for use only in the context of auditing and introspection. + GetSimulatedTLSIdentity(ctx context.Context, in *GetSimulatedTLSIdentityRequest, opts ...grpc.CallOption) (*GetSimulatedTLSIdentityResponse, error) + // GetSimulatedSSHIdentity gets a SSH identity object based on a target user. The identity objects generated + // this way are not authoratative, and are meant for use only in the context of auditing and introspection. + GetSimulatedSSHIdentity(ctx context.Context, in *GetSimulatedSSHIdentityRequest, opts ...grpc.CallOption) (*GetSimulatedSSHIdentityResponse, error) // EvaluateSSHAccess evaluates an SSH access attempt. EvaluateSSHAccess(ctx context.Context, in *EvaluateSSHAccessRequest, opts ...grpc.CallOption) (*EvaluateSSHAccessResponse, error) // EvaluateDatabaseAccess evaluate a database access attempt. 
@@ -66,6 +74,26 @@ func NewDecisionServiceClient(cc grpc.ClientConnInterface) DecisionServiceClient return &decisionServiceClient{cc} } +func (c *decisionServiceClient) GetSimulatedTLSIdentity(ctx context.Context, in *GetSimulatedTLSIdentityRequest, opts ...grpc.CallOption) (*GetSimulatedTLSIdentityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetSimulatedTLSIdentityResponse) + err := c.cc.Invoke(ctx, DecisionService_GetSimulatedTLSIdentity_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *decisionServiceClient) GetSimulatedSSHIdentity(ctx context.Context, in *GetSimulatedSSHIdentityRequest, opts ...grpc.CallOption) (*GetSimulatedSSHIdentityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetSimulatedSSHIdentityResponse) + err := c.cc.Invoke(ctx, DecisionService_GetSimulatedSSHIdentity_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *decisionServiceClient) EvaluateSSHAccess(ctx context.Context, in *EvaluateSSHAccessRequest, opts ...grpc.CallOption) (*EvaluateSSHAccessResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(EvaluateSSHAccessResponse) 
@@ -101,6 +129,12 @@ func (c *decisionServiceClient) EvaluateDatabaseAccess(ctx context.Context, in * // decision. A successful evaluation carries a Permit, whereas a failed // evaluation carries a Denial. type DecisionServiceServer interface { + // GetSimulatedTLSIdentity gets a TLS idenitity object based on a target user. The identity objects generated + // this way are not authoratative, and are meant for use only in the context of auditing and introspection. + GetSimulatedTLSIdentity(context.Context, *GetSimulatedTLSIdentityRequest) (*GetSimulatedTLSIdentityResponse, error) + // GetSimulatedSSHIdentity gets a SSH identity object based on a target user. The identity objects generated + // this way are not authoratative, and are meant for use only in the context of auditing and introspection. + GetSimulatedSSHIdentity(context.Context, *GetSimulatedSSHIdentityRequest) (*GetSimulatedSSHIdentityResponse, error) // EvaluateSSHAccess evaluates an SSH access attempt. EvaluateSSHAccess(context.Context, *EvaluateSSHAccessRequest) (*EvaluateSSHAccessResponse, error) // EvaluateDatabaseAccess evaluate a database access attempt. 
@@ -115,6 +149,12 @@ type DecisionServiceServer interface { // pointer dereference when methods are called. type UnimplementedDecisionServiceServer struct{} +func (UnimplementedDecisionServiceServer) GetSimulatedTLSIdentity(context.Context, *GetSimulatedTLSIdentityRequest) (*GetSimulatedTLSIdentityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetSimulatedTLSIdentity not implemented") +} +func (UnimplementedDecisionServiceServer) GetSimulatedSSHIdentity(context.Context, *GetSimulatedSSHIdentityRequest) (*GetSimulatedSSHIdentityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetSimulatedSSHIdentity not implemented") +} func (UnimplementedDecisionServiceServer) EvaluateSSHAccess(context.Context, *EvaluateSSHAccessRequest) (*EvaluateSSHAccessResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method EvaluateSSHAccess not implemented") } 
@@ -142,6 +182,42 @@ func RegisterDecisionServiceServer(s grpc.ServiceRegistrar, srv DecisionServiceS s.RegisterService(&DecisionService_ServiceDesc, srv) } +func _DecisionService_GetSimulatedTLSIdentity_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetSimulatedTLSIdentityRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DecisionServiceServer).GetSimulatedTLSIdentity(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DecisionService_GetSimulatedTLSIdentity_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DecisionServiceServer).GetSimulatedTLSIdentity(ctx, req.(*GetSimulatedTLSIdentityRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DecisionService_GetSimulatedSSHIdentity_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetSimulatedSSHIdentityRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DecisionServiceServer).GetSimulatedSSHIdentity(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DecisionService_GetSimulatedSSHIdentity_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DecisionServiceServer).GetSimulatedSSHIdentity(ctx, req.(*GetSimulatedSSHIdentityRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _DecisionService_EvaluateSSHAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(EvaluateSSHAccessRequest) if err := dec(in); err != nil { 
@@ -185,6 +261,14 @@ var DecisionService_ServiceDesc = grpc.ServiceDesc{ ServiceName: "teleport.decision.v1alpha1.DecisionService", HandlerType: (*DecisionServiceServer)(nil), Methods: []grpc.MethodDesc{ + { + MethodName: "GetSimulatedTLSIdentity", + Handler: _DecisionService_GetSimulatedTLSIdentity_Handler, + }, + { + MethodName: "GetSimulatedSSHIdentity", + Handler: _DecisionService_GetSimulatedSSHIdentity_Handler, + }, { MethodName: "EvaluateSSHAccess", Handler: _DecisionService_EvaluateSSHAccess_Handler, diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/simulated.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/simulated.pb.go new file mode 100644 index 0000000000000..4ee68ff3108c7 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/simulated.pb.go 
@@ -0,0 +1,325 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.1 +// protoc (unknown) +// source: teleport/decision/v1alpha1/simulated.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// GetSimulatedTLSIdentityRequest is used to request a TLS identity object based on a target user. The resulting +// identity object is not authoratative, and is meant for use only in the context of auditing and introspection. +type GetSimulatedTLSIdentityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Username is the teleport username of the target user. 
+ Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetSimulatedTLSIdentityRequest) Reset() { + *x = GetSimulatedTLSIdentityRequest{} + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetSimulatedTLSIdentityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetSimulatedTLSIdentityRequest) ProtoMessage() {} + +func (x *GetSimulatedTLSIdentityRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetSimulatedTLSIdentityRequest.ProtoReflect.Descriptor instead. +func (*GetSimulatedTLSIdentityRequest) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_simulated_proto_rawDescGZIP(), []int{0} +} + +func (x *GetSimulatedTLSIdentityRequest) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +// GetSimulatedTLSIdentityResponse is used to return a TLS identity object based on a target user. The resulting +// identity object is not authoratative, and is meant for use only in the context of auditing and introspection. +type GetSimulatedTLSIdentityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // TlsIdentity is a simulated TLS identity object. 
+ TlsIdentity *TLSIdentity `protobuf:"bytes,1,opt,name=tls_identity,json=tlsIdentity,proto3" json:"tls_identity,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetSimulatedTLSIdentityResponse) Reset() { + *x = GetSimulatedTLSIdentityResponse{} + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetSimulatedTLSIdentityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetSimulatedTLSIdentityResponse) ProtoMessage() {} + +func (x *GetSimulatedTLSIdentityResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetSimulatedTLSIdentityResponse.ProtoReflect.Descriptor instead. +func (*GetSimulatedTLSIdentityResponse) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_simulated_proto_rawDescGZIP(), []int{1} +} + +func (x *GetSimulatedTLSIdentityResponse) GetTlsIdentity() *TLSIdentity { + if x != nil { + return x.TlsIdentity + } + return nil +} + +// GetSimulatedSSHIdentityRequest is used to request a SSH identity object based on a target user. The resulting +// identity object is not authoratative, and is meant for use only in the context of auditing and introspection. +type GetSimulatedSSHIdentityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Username is the teleport username of the target user. 
+ Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetSimulatedSSHIdentityRequest) Reset() { + *x = GetSimulatedSSHIdentityRequest{} + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetSimulatedSSHIdentityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetSimulatedSSHIdentityRequest) ProtoMessage() {} + +func (x *GetSimulatedSSHIdentityRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetSimulatedSSHIdentityRequest.ProtoReflect.Descriptor instead. +func (*GetSimulatedSSHIdentityRequest) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_simulated_proto_rawDescGZIP(), []int{2} +} + +func (x *GetSimulatedSSHIdentityRequest) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +// GetSimulatedSSHIdentityResponse is used to return a SSH identity object based on a target user. The resulting +// identity object is not authoratative, and is meant for use only in the context of auditing and introspection. +type GetSimulatedSSHIdentityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // SshIdentity is a simulated SSH identity object. 
+ SshIdentity *SSHIdentity `protobuf:"bytes,1,opt,name=ssh_identity,json=sshIdentity,proto3" json:"ssh_identity,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetSimulatedSSHIdentityResponse) Reset() { + *x = GetSimulatedSSHIdentityResponse{} + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetSimulatedSSHIdentityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetSimulatedSSHIdentityResponse) ProtoMessage() {} + +func (x *GetSimulatedSSHIdentityResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_simulated_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetSimulatedSSHIdentityResponse.ProtoReflect.Descriptor instead. 
+func (*GetSimulatedSSHIdentityResponse) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_simulated_proto_rawDescGZIP(), []int{3} +} + +func (x *GetSimulatedSSHIdentityResponse) GetSshIdentity() *SSHIdentity { + if x != nil { + return x.SshIdentity + } + return nil +} + +var File_teleport_decision_v1alpha1_simulated_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_simulated_proto_rawDesc = []byte{ + 0x0a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x69, 0x6d, + 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2f, 0x74, 0x6c, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x3c, 0x0a, 0x1e, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, + 0x75, 0x6c, 0x61, 0x74, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, + 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x6d, 0x0a, 0x1f, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, 0x6c, + 0x61, 0x74, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 
0x74, 0x79, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4a, 0x0a, 0x0c, 0x74, 0x6c, 0x73, 0x5f, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x4c, 0x53, 0x49, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0b, 0x74, 0x6c, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x22, 0x3c, 0x0a, 0x1e, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, 0x6c, 0x61, + 0x74, 0x65, 0x64, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, + 0x65, 0x22, 0x6d, 0x0a, 0x1f, 0x47, 0x65, 0x74, 0x53, 0x69, 0x6d, 0x75, 0x6c, 0x61, 0x74, 0x65, + 0x64, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4a, 0x0a, 0x0c, 0x73, 0x73, 0x68, 0x5f, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x52, 0x0b, 0x73, 0x73, 0x68, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 
0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_simulated_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_simulated_proto_rawDescData = file_teleport_decision_v1alpha1_simulated_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_simulated_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_simulated_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_simulated_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_simulated_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_simulated_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_simulated_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_teleport_decision_v1alpha1_simulated_proto_goTypes = []any{ + (*GetSimulatedTLSIdentityRequest)(nil), // 0: teleport.decision.v1alpha1.GetSimulatedTLSIdentityRequest + (*GetSimulatedTLSIdentityResponse)(nil), // 1: teleport.decision.v1alpha1.GetSimulatedTLSIdentityResponse + (*GetSimulatedSSHIdentityRequest)(nil), // 2: teleport.decision.v1alpha1.GetSimulatedSSHIdentityRequest + (*GetSimulatedSSHIdentityResponse)(nil), // 3: teleport.decision.v1alpha1.GetSimulatedSSHIdentityResponse + (*TLSIdentity)(nil), // 4: teleport.decision.v1alpha1.TLSIdentity + (*SSHIdentity)(nil), // 5: teleport.decision.v1alpha1.SSHIdentity +} +var file_teleport_decision_v1alpha1_simulated_proto_depIdxs = []int32{ + 4, // 0: teleport.decision.v1alpha1.GetSimulatedTLSIdentityResponse.tls_identity:type_name -> teleport.decision.v1alpha1.TLSIdentity + 5, // 1: teleport.decision.v1alpha1.GetSimulatedSSHIdentityResponse.ssh_identity:type_name -> teleport.decision.v1alpha1.SSHIdentity + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the 
sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_simulated_proto_init() } +func file_teleport_decision_v1alpha1_simulated_proto_init() { + if File_teleport_decision_v1alpha1_simulated_proto != nil { + return + } + file_teleport_decision_v1alpha1_ssh_identity_proto_init() + file_teleport_decision_v1alpha1_tls_identity_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_simulated_proto_rawDesc, + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_simulated_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_simulated_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_simulated_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_simulated_proto = out.File + file_teleport_decision_v1alpha1_simulated_proto_rawDesc = nil + file_teleport_decision_v1alpha1_simulated_proto_goTypes = nil + file_teleport_decision_v1alpha1_simulated_proto_depIdxs = nil +} diff --git a/api/proto/teleport/decision/v1alpha1/decision_service.proto b/api/proto/teleport/decision/v1alpha1/decision_service.proto index b5f98c7d5e33e..af62dd7958003 100644 --- a/api/proto/teleport/decision/v1alpha1/decision_service.proto +++ b/api/proto/teleport/decision/v1alpha1/decision_service.proto @@ -17,6 +17,7 @@ syntax = "proto3"; package teleport.decision.v1alpha1; import "teleport/decision/v1alpha1/database_access.proto"; +import "teleport/decision/v1alpha1/simulated.proto"; import "teleport/decision/v1alpha1/ssh_access.proto"; option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb"; 
@@ -32,6 +33,14 @@ option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport // decision. A successful evaluation carries a Permit, whereas a failed // evaluation carries a Denial. service DecisionService { + // GetSimulatedTLSIdentity gets a TLS idenitity object based on a target user. The identity objects generated + // this way are not authoratative, and are meant for use only in the context of auditing and introspection. + rpc GetSimulatedTLSIdentity(GetSimulatedTLSIdentityRequest) returns (GetSimulatedTLSIdentityResponse); + + // GetSimulatedSSHIdentity gets a SSH identity object based on a target user. The identity objects generated + // this way are not authoratative, and are meant for use only in the context of auditing and introspection. + rpc GetSimulatedSSHIdentity(GetSimulatedSSHIdentityRequest) returns (GetSimulatedSSHIdentityResponse); + // EvaluateSSHAccess evaluates an SSH access attempt. rpc EvaluateSSHAccess(EvaluateSSHAccessRequest) returns (EvaluateSSHAccessResponse); diff --git a/api/proto/teleport/decision/v1alpha1/simulated.proto b/api/proto/teleport/decision/v1alpha1/simulated.proto new file mode 100644 index 0000000000000..59c665f176153 --- /dev/null +++ b/api/proto/teleport/decision/v1alpha1/simulated.proto 
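Review bot: The doc comments on the two new RPCs say the result is "not authoritative" but do not say who may call them or how `username` is scoped, and since the response presumably carries the target user's effective roles and traits (via the TLSIdentity/SSHIdentity messages that simulated.proto imports), an API reader needs the expected authorization model spelled out and a statement that the object must never be treated as a credential. Suggest extending each comment with `// Callers must be authorized to read the target user; the returned identity is informational only and must not be used to authorize access or be presented as a credential.` The comments also misspell `idenitity` (identity) and `authoratative` (authoritative), and the same `authoratative` recurs in every message comment of the new simulated.proto hunk. The `service DecisionService` body continues outside the hunk.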
@@ -0,0 +1,50 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/ssh_identity.proto";
+import "teleport/decision/v1alpha1/tls_identity.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// GetSimulatedTLSIdentityRequest is used to request a TLS identity object based on a target user. The resulting
+// identity object is not authoratative, and is meant for use only in the context of auditing and introspection.
+message GetSimulatedTLSIdentityRequest {
+ // Username is the teleport username of the target user.
+ string username = 1;
+}
+
+// GetSimulatedTLSIdentityResponse is used to return a TLS identity object based on a target user. The resulting
+// identity object is not authoratative, and is meant for use only in the context of auditing and introspection.
+message GetSimulatedTLSIdentityResponse {
+ // TlsIdentity is a simulated TLS identity object.
+ TLSIdentity tls_identity = 1;
+}
+
+// GetSimulatedSSHIdentityRequest is used to request a SSH identity object based on a target user. The resulting
+// identity object is not authoratative, and is meant for use only in the context of auditing and introspection.
+message GetSimulatedSSHIdentityRequest {
+ // Username is the teleport username of the target user.
+ string username = 1;
+}
+
+// GetSimulatedSSHIdentityResponse is used to return a SSH identity object based on a target user. The resulting
+// identity object is not authoratative, and is meant for use only in the context of auditing and introspection.
+message GetSimulatedSSHIdentityResponse {
+ // SshIdentity is a simulated SSH identity object.
+ SSHIdentity ssh_identity = 1;
+}
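Review bot: `GetSimulatedTLSIdentityResponse.tls_identity` and `GetSimulatedSSHIdentityResponse.ssh_identity` reuse the plain `TLSIdentity` / `SSHIdentity` message types, so nothing at the type level distinguishes a simulated identity from an authoritative one once it leaves the response wrapper; the "not authoritative" caveat lives only in comments. If the intent is that consumers never feed these into access-evaluation paths, it would help to say so on the field itself, e.g. `// TlsIdentity is a simulated TLS identity object. It is not backed by an issued certificate and must not be passed to access-evaluation code.` (and the SSH counterpart), or, if a hard boundary is wanted, to wrap the simulated value in a distinct message so the distinction survives in Go types. It would also be worth documenting whether an empty `username` is rejected, since the request messages carry no other constraint; that behaviour is not visible from the proto.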