From bbf90354d8ac596b988324adec05a1cfd59e3a58 Mon Sep 17 00:00:00 2001 
From: Alan Parra Date: Mon, 16 Dec 2024 15:02:29 -0300 Subject: [PATCH] Add initial Decision (aka PDP) protos (#49875) * Clone protos from fspmarshall/pdp-work-02 * Use decisionpb as the Go package alias * Update DecisionService docs * Split identity protos into separate files * Update Metadata docs * Split metadata into separate files * Update Resource docs * Update database access docs and fields * Update SSH access docs and fields * Ignore breaking changes on decision protos * Update generated protos * Use teleport.trait.v1.Trait * Document mutual dependency between "ResourceID" types * nit: s/ResourceID/ResourceId * nit: Use the correct CamelCase field name in comments * Update generated protos * Add RouteToApp.target_port * Update generated protos * Update comments on TLSIdentity / tlsca.Identity * Update generated protos --- .../decision/v1alpha1/database_access.pb.go | 399 +++++++ .../decision/v1alpha1/decision_service.pb.go | 119 ++ .../v1alpha1/decision_service_grpc.pb.go | 199 ++++ .../decision/v1alpha1/denial_metadata.pb.go | 188 ++++ .../v1alpha1/enforcement_feature.pb.go | 151 +++ .../decision/v1alpha1/permit_metadata.pb.go | 176 +++ .../decision/v1alpha1/request_metadata.pb.go | 229 ++++ .../teleport/decision/v1alpha1/resource.pb.go | 176 +++ .../decision/v1alpha1/ssh_access.pb.go | 599 ++++++++++ .../decision/v1alpha1/ssh_identity.pb.go | 138 +++ .../decision/v1alpha1/tls_identity.pb.go | 1002 +++++++++++++++++ .../decision/v1alpha1/database_access.proto | 51 + .../decision/v1alpha1/decision_service.proto | 40 + .../decision/v1alpha1/denial_metadata.proto | 38 + .../v1alpha1/enforcement_feature.proto | 26 + .../decision/v1alpha1/permit_metadata.proto | 34 + .../decision/v1alpha1/request_metadata.proto | 44 + .../teleport/decision/v1alpha1/resource.proto | 37 + .../decision/v1alpha1/ssh_access.proto | 75 ++ .../decision/v1alpha1/ssh_identity.proto | 24 + .../decision/v1alpha1/tls_identity.proto | 249 ++++ api/proto/teleport/legacy/types/types.proto | 
1 + api/types/types.pb.go | 1 + buf.yaml | 3 + lib/tlsca/ca.go | 4 +- 25 files changed, 4002 insertions(+), 1 deletion(-) create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go create mode 100644 api/proto/teleport/decision/v1alpha1/database_access.proto create mode 100644 api/proto/teleport/decision/v1alpha1/decision_service.proto create mode 100644 api/proto/teleport/decision/v1alpha1/denial_metadata.proto create mode 100644 api/proto/teleport/decision/v1alpha1/enforcement_feature.proto create mode 100644 api/proto/teleport/decision/v1alpha1/permit_metadata.proto create mode 100644 api/proto/teleport/decision/v1alpha1/request_metadata.proto create mode 100644 api/proto/teleport/decision/v1alpha1/resource.proto create mode 100644 api/proto/teleport/decision/v1alpha1/ssh_access.proto create mode 100644 api/proto/teleport/decision/v1alpha1/ssh_identity.proto create mode 100644 api/proto/teleport/decision/v1alpha1/tls_identity.proto 
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
new file mode 100644
index 0000000000000..d88716d502f40
--- /dev/null
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
@@ -0,0 +1,399 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/database_access.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// EvaluateDatabaseAccessRequest describes a request to evaluate whether or not +// a given database access attempt should be permitted. 
+type EvaluateDatabaseAccessRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *RequestMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + TlsIdentity *TLSIdentity `protobuf:"bytes,2,opt,name=tls_identity,json=tlsIdentity,proto3" json:"tls_identity,omitempty"` +} + +func (x *EvaluateDatabaseAccessRequest) Reset() { + *x = EvaluateDatabaseAccessRequest{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateDatabaseAccessRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateDatabaseAccessRequest) ProtoMessage() {} + +func (x *EvaluateDatabaseAccessRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateDatabaseAccessRequest.ProtoReflect.Descriptor instead. +func (*EvaluateDatabaseAccessRequest) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{0} +} + +func (x *EvaluateDatabaseAccessRequest) GetMetadata() *RequestMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *EvaluateDatabaseAccessRequest) GetTlsIdentity() *TLSIdentity { + if x != nil { + return x.TlsIdentity + } + return nil +} + +// EvaluateDatabaseAccessResponse describes the result of a database access +// evaluation. 
+type EvaluateDatabaseAccessResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Result: + // + // *EvaluateDatabaseAccessResponse_Permit + // *EvaluateDatabaseAccessResponse_Denial + Result isEvaluateDatabaseAccessResponse_Result `protobuf_oneof:"result"` +} + +func (x *EvaluateDatabaseAccessResponse) Reset() { + *x = EvaluateDatabaseAccessResponse{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateDatabaseAccessResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateDatabaseAccessResponse) ProtoMessage() {} + +func (x *EvaluateDatabaseAccessResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateDatabaseAccessResponse.ProtoReflect.Descriptor instead. 
+func (*EvaluateDatabaseAccessResponse) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{1} +} + +func (m *EvaluateDatabaseAccessResponse) GetResult() isEvaluateDatabaseAccessResponse_Result { + if m != nil { + return m.Result + } + return nil +} + +func (x *EvaluateDatabaseAccessResponse) GetPermit() *DatabaseAccessPermit { + if x, ok := x.GetResult().(*EvaluateDatabaseAccessResponse_Permit); ok { + return x.Permit + } + return nil +} + +func (x *EvaluateDatabaseAccessResponse) GetDenial() *DatabaseAccessDenial { + if x, ok := x.GetResult().(*EvaluateDatabaseAccessResponse_Denial); ok { + return x.Denial + } + return nil +} + +type isEvaluateDatabaseAccessResponse_Result interface { + isEvaluateDatabaseAccessResponse_Result() +} + +type EvaluateDatabaseAccessResponse_Permit struct { + Permit *DatabaseAccessPermit `protobuf:"bytes,1,opt,name=permit,proto3,oneof"` +} + +type EvaluateDatabaseAccessResponse_Denial struct { + Denial *DatabaseAccessDenial `protobuf:"bytes,2,opt,name=denial,proto3,oneof"` +} + +func (*EvaluateDatabaseAccessResponse_Permit) isEvaluateDatabaseAccessResponse_Result() {} + +func (*EvaluateDatabaseAccessResponse_Denial) isEvaluateDatabaseAccessResponse_Result() {} + +// DatabaseAccessPermit describes the parameters/constraints of a permissible +// database access attempt. 
+type DatabaseAccessPermit struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *PermitMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *DatabaseAccessPermit) Reset() { + *x = DatabaseAccessPermit{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DatabaseAccessPermit) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DatabaseAccessPermit) ProtoMessage() {} + +func (x *DatabaseAccessPermit) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DatabaseAccessPermit.ProtoReflect.Descriptor instead. +func (*DatabaseAccessPermit) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{2} +} + +func (x *DatabaseAccessPermit) GetMetadata() *PermitMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +// DatabaseAccessDenial describes a database access denial. 
+type DatabaseAccessDenial struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *DenialMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *DatabaseAccessDenial) Reset() { + *x = DatabaseAccessDenial{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DatabaseAccessDenial) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DatabaseAccessDenial) ProtoMessage() {} + +func (x *DatabaseAccessDenial) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DatabaseAccessDenial.ProtoReflect.Descriptor instead. 
+func (*DatabaseAccessDenial) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{3} +} + +func (x *DatabaseAccessDenial) GetMetadata() *DenialMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +var File_teleport_decision_v1alpha1_database_access_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_database_access_proto_rawDesc = []byte{ + 0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, + 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x30, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e, 0x69, 0x61, + 0x6c, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x1a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72, + 0x6d, 0x69, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x1a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 
0x68, 0x61, + 0x31, 0x2f, 0x74, 0x6c, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb4, 0x01, 0x0a, 0x1d, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, + 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x47, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, + 0x4a, 0x0a, 0x0c, 0x74, 0x6c, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x2e, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0b, + 0x74, 0x6c, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x22, 0xc2, 0x01, 0x0a, 0x1e, + 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4a, + 0x0a, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x61, 0x74, 0x61, + 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, + 0x48, 0x00, 0x52, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x12, 0x4a, 0x0a, 0x06, 0x64, 0x65, + 0x6e, 0x69, 0x61, 0x6c, 
0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x48, 0x00, 0x52, 0x06, + 0x64, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x42, 0x08, 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x22, 0x5e, 0x0a, 0x14, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x22, 0x5e, 0x0a, 0x14, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 
0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_database_access_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_database_access_proto_rawDescData = file_teleport_decision_v1alpha1_database_access_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_database_access_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_database_access_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_database_access_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_database_access_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_database_access_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_teleport_decision_v1alpha1_database_access_proto_goTypes = []any{ + (*EvaluateDatabaseAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + (*EvaluateDatabaseAccessResponse)(nil), // 1: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse + (*DatabaseAccessPermit)(nil), // 2: teleport.decision.v1alpha1.DatabaseAccessPermit + (*DatabaseAccessDenial)(nil), // 3: teleport.decision.v1alpha1.DatabaseAccessDenial + (*RequestMetadata)(nil), // 4: teleport.decision.v1alpha1.RequestMetadata + (*TLSIdentity)(nil), // 5: teleport.decision.v1alpha1.TLSIdentity + (*PermitMetadata)(nil), // 6: teleport.decision.v1alpha1.PermitMetadata + (*DenialMetadata)(nil), // 7: teleport.decision.v1alpha1.DenialMetadata +} +var file_teleport_decision_v1alpha1_database_access_proto_depIdxs = []int32{ + 4, // 0: teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest.metadata:type_name -> teleport.decision.v1alpha1.RequestMetadata + 5, // 1: 
teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest.tls_identity:type_name -> teleport.decision.v1alpha1.TLSIdentity + 2, // 2: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse.permit:type_name -> teleport.decision.v1alpha1.DatabaseAccessPermit + 3, // 3: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse.denial:type_name -> teleport.decision.v1alpha1.DatabaseAccessDenial + 6, // 4: teleport.decision.v1alpha1.DatabaseAccessPermit.metadata:type_name -> teleport.decision.v1alpha1.PermitMetadata + 7, // 5: teleport.decision.v1alpha1.DatabaseAccessDenial.metadata:type_name -> teleport.decision.v1alpha1.DenialMetadata + 6, // [6:6] is the sub-list for method output_type + 6, // [6:6] is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_database_access_proto_init() } +func file_teleport_decision_v1alpha1_database_access_proto_init() { + if File_teleport_decision_v1alpha1_database_access_proto != nil { + return + } + file_teleport_decision_v1alpha1_denial_metadata_proto_init() + file_teleport_decision_v1alpha1_permit_metadata_proto_init() + file_teleport_decision_v1alpha1_request_metadata_proto_init() + file_teleport_decision_v1alpha1_tls_identity_proto_init() + file_teleport_decision_v1alpha1_database_access_proto_msgTypes[1].OneofWrappers = []any{ + (*EvaluateDatabaseAccessResponse_Permit)(nil), + (*EvaluateDatabaseAccessResponse_Denial)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_database_access_proto_rawDesc, + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_database_access_proto_goTypes, + DependencyIndexes: 
file_teleport_decision_v1alpha1_database_access_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_database_access_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_database_access_proto = out.File + file_teleport_decision_v1alpha1_database_access_proto_rawDesc = nil + file_teleport_decision_v1alpha1_database_access_proto_goTypes = nil + file_teleport_decision_v1alpha1_database_access_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go new file mode 100644 index 0000000000000..f5e9a7d614117 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go 
@@ -0,0 +1,119 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/decision_service.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. 
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +var File_teleport_decision_v1alpha1_decision_service_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = []byte{ + 0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, + 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, 0x61, + 0x62, 0x61, 0x73, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x1a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, + 0x68, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xa6, + 0x02, 0x0a, 0x0f, 0x44, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x11, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, + 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, + 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 
0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, + 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x16, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, + 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x12, 0x39, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, + 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, + 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var file_teleport_decision_v1alpha1_decision_service_proto_goTypes = []any{ + (*EvaluateSSHAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest + (*EvaluateDatabaseAccessRequest)(nil), // 1: 
teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + (*EvaluateSSHAccessResponse)(nil), // 2: teleport.decision.v1alpha1.EvaluateSSHAccessResponse + (*EvaluateDatabaseAccessResponse)(nil), // 3: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse +} +var file_teleport_decision_v1alpha1_decision_service_proto_depIdxs = []int32{ + 0, // 0: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:input_type -> teleport.decision.v1alpha1.EvaluateSSHAccessRequest + 1, // 1: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:input_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + 2, // 2: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:output_type -> teleport.decision.v1alpha1.EvaluateSSHAccessResponse + 3, // 3: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:output_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse + 2, // [2:4] is the sub-list for method output_type + 0, // [0:2] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_decision_service_proto_init() } +func file_teleport_decision_v1alpha1_decision_service_proto_init() { + if File_teleport_decision_v1alpha1_decision_service_proto != nil { + return + } + file_teleport_decision_v1alpha1_database_access_proto_init() + file_teleport_decision_v1alpha1_ssh_access_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_decision_service_proto_rawDesc, + NumEnums: 0, + NumMessages: 0, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_teleport_decision_v1alpha1_decision_service_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_decision_service_proto_depIdxs, + }.Build() + 
File_teleport_decision_v1alpha1_decision_service_proto = out.File + file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = nil + file_teleport_decision_v1alpha1_decision_service_proto_goTypes = nil + file_teleport_decision_v1alpha1_decision_service_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go new file mode 100644 index 0000000000000..620b4bf79887b --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go 
@@ -0,0 +1,199 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.5.1 +// - protoc (unknown) +// source: teleport/decision/v1alpha1/decision_service.proto + +package decisionpb + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + DecisionService_EvaluateSSHAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateSSHAccess" + DecisionService_EvaluateDatabaseAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateDatabaseAccess" +) + +// DecisionServiceClient is the client API for DecisionService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// DecisionService performs authorization decisions for Teleport. +// +// DecisionService acts the PDP (Policy Decision Point) for Teleport services, +// whereas the services themselves act as the PEP (Policy Enforcement Point). 
+// In other words, it calculates the outcome of an authorization request but +// does not enforce it - each Teleport service must do so. +// +// Evaluation responses carry all the data necessary for the enforcement of a +// decision. A successful evaluation carries a Permit, whereas a failed +// evaluation carries a Denial. +type DecisionServiceClient interface { + // EvaluateSSHAccess evaluates an SSH access attempt. + EvaluateSSHAccess(ctx context.Context, in *EvaluateSSHAccessRequest, opts ...grpc.CallOption) (*EvaluateSSHAccessResponse, error) + // EvaluateDatabaseAccess evaluate a database access attempt. + EvaluateDatabaseAccess(ctx context.Context, in *EvaluateDatabaseAccessRequest, opts ...grpc.CallOption) (*EvaluateDatabaseAccessResponse, error) +} + +type decisionServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewDecisionServiceClient(cc grpc.ClientConnInterface) DecisionServiceClient { + return &decisionServiceClient{cc} +} + +func (c *decisionServiceClient) EvaluateSSHAccess(ctx context.Context, in *EvaluateSSHAccessRequest, opts ...grpc.CallOption) (*EvaluateSSHAccessResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(EvaluateSSHAccessResponse) + err := c.cc.Invoke(ctx, DecisionService_EvaluateSSHAccess_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *decisionServiceClient) EvaluateDatabaseAccess(ctx context.Context, in *EvaluateDatabaseAccessRequest, opts ...grpc.CallOption) (*EvaluateDatabaseAccessResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(EvaluateDatabaseAccessResponse) + err := c.cc.Invoke(ctx, DecisionService_EvaluateDatabaseAccess_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// DecisionServiceServer is the server API for DecisionService service. 
+// All implementations must embed UnimplementedDecisionServiceServer +// for forward compatibility. +// +// DecisionService performs authorization decisions for Teleport. +// +// DecisionService acts the PDP (Policy Decision Point) for Teleport services, +// whereas the services themselves act as the PEP (Policy Enforcement Point). +// In other words, it calculates the outcome of an authorization request but +// does not enforce it - each Teleport service must do so. +// +// Evaluation responses carry all the data necessary for the enforcement of a +// decision. A successful evaluation carries a Permit, whereas a failed +// evaluation carries a Denial. +type DecisionServiceServer interface { + // EvaluateSSHAccess evaluates an SSH access attempt. + EvaluateSSHAccess(context.Context, *EvaluateSSHAccessRequest) (*EvaluateSSHAccessResponse, error) + // EvaluateDatabaseAccess evaluate a database access attempt. + EvaluateDatabaseAccess(context.Context, *EvaluateDatabaseAccessRequest) (*EvaluateDatabaseAccessResponse, error) + mustEmbedUnimplementedDecisionServiceServer() +} + +// UnimplementedDecisionServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. 
+type UnimplementedDecisionServiceServer struct{} + +func (UnimplementedDecisionServiceServer) EvaluateSSHAccess(context.Context, *EvaluateSSHAccessRequest) (*EvaluateSSHAccessResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method EvaluateSSHAccess not implemented") +} +func (UnimplementedDecisionServiceServer) EvaluateDatabaseAccess(context.Context, *EvaluateDatabaseAccessRequest) (*EvaluateDatabaseAccessResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method EvaluateDatabaseAccess not implemented") +} +func (UnimplementedDecisionServiceServer) mustEmbedUnimplementedDecisionServiceServer() {} +func (UnimplementedDecisionServiceServer) testEmbeddedByValue() {} + +// UnsafeDecisionServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to DecisionServiceServer will +// result in compilation errors. +type UnsafeDecisionServiceServer interface { + mustEmbedUnimplementedDecisionServiceServer() +} + +func RegisterDecisionServiceServer(s grpc.ServiceRegistrar, srv DecisionServiceServer) { + // If the following call pancis, it indicates UnimplementedDecisionServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. 
+ if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&DecisionService_ServiceDesc, srv) +} + +func _DecisionService_EvaluateSSHAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EvaluateSSHAccessRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DecisionServiceServer).EvaluateSSHAccess(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DecisionService_EvaluateSSHAccess_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DecisionServiceServer).EvaluateSSHAccess(ctx, req.(*EvaluateSSHAccessRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DecisionService_EvaluateDatabaseAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EvaluateDatabaseAccessRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DecisionServiceServer).EvaluateDatabaseAccess(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DecisionService_EvaluateDatabaseAccess_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DecisionServiceServer).EvaluateDatabaseAccess(ctx, req.(*EvaluateDatabaseAccessRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// DecisionService_ServiceDesc is the grpc.ServiceDesc for DecisionService service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var DecisionService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "teleport.decision.v1alpha1.DecisionService", + HandlerType: (*DecisionServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "EvaluateSSHAccess", + Handler: _DecisionService_EvaluateSSHAccess_Handler, + }, + { + MethodName: "EvaluateDatabaseAccess", + Handler: _DecisionService_EvaluateDatabaseAccess_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "teleport/decision/v1alpha1/decision_service.proto", +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go new file mode 100644 index 0000000000000..196b711084e64 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go 
@@ -0,0 +1,188 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/denial_metadata.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Metadata for access denials. +type DenialMetadata struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy + // Enforcement Point) *must* implement in order to correctly enforce the + // decision. Note that denials rarely need feature assertions since they + // typically "fail safe" anyway. 
+ FeatureAssertions []EnforcementFeature `protobuf:"varint,1,rep,packed,name=feature_assertions,json=featureAssertions,proto3,enum=teleport.decision.v1alpha1.EnforcementFeature" json:"feature_assertions,omitempty"` + // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated + // the decision request. + PdpVersion string `protobuf:"bytes,2,opt,name=pdp_version,json=pdpVersion,proto3" json:"pdp_version,omitempty"` + // UserMessage is a sanitized message safe for return to the subject identity + // of the decision request. + UserMessage string `protobuf:"bytes,3,opt,name=user_message,json=userMessage,proto3" json:"user_message,omitempty"` +} + +func (x *DenialMetadata) Reset() { + *x = DenialMetadata{} + mi := &file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DenialMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DenialMetadata) ProtoMessage() {} + +func (x *DenialMetadata) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DenialMetadata.ProtoReflect.Descriptor instead. 
+func (*DenialMetadata) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *DenialMetadata) GetFeatureAssertions() []EnforcementFeature { + if x != nil { + return x.FeatureAssertions + } + return nil +} + +func (x *DenialMetadata) GetPdpVersion() string { + if x != nil { + return x.PdpVersion + } + return "" +} + +func (x *DenialMetadata) GetUserMessage() string { + if x != nil { + return x.UserMessage + } + return "" +} + +var File_teleport_decision_v1alpha1_denial_metadata_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = []byte{ + 0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e, + 0x69, 0x61, 0x6c, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x34, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66, 0x6f, 0x72, + 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb3, 0x01, 0x0a, 0x0e, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x5d, 0x0a, 0x12, 0x66, 0x65, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 
0x6d, 0x65, 0x6e, 0x74, 0x46, 0x65, 0x61, 0x74, + 0x75, 0x72, 0x65, 0x52, 0x11, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x41, 0x73, 0x73, 0x65, + 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x64, 0x70, 0x5f, 0x76, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x64, 0x70, + 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x75, 0x73, 0x65, 0x72, 0x5f, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x75, + 0x73, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, + 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var 
file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes = []any{ + (*DenialMetadata)(nil), // 0: teleport.decision.v1alpha1.DenialMetadata + (EnforcementFeature)(0), // 1: teleport.decision.v1alpha1.EnforcementFeature +} +var file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs = []int32{ + 1, // 0: teleport.decision.v1alpha1.DenialMetadata.feature_assertions:type_name -> teleport.decision.v1alpha1.EnforcementFeature + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_denial_metadata_proto_init() } +func file_teleport_decision_v1alpha1_denial_metadata_proto_init() { + if File_teleport_decision_v1alpha1_denial_metadata_proto != nil { + return + } + file_teleport_decision_v1alpha1_enforcement_feature_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_denial_metadata_proto = out.File + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = nil + file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes = nil + file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs = nil +} 
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go new file mode 100644 index 0000000000000..c024a46f721a3 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go 
@@ -0,0 +1,151 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/enforcement_feature.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// EnforcementFeature represents PEP (Policy Enforcement Point) features. +type EnforcementFeature int32 + +const ( + // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for + // EnforcementFeature. Asserting this feature has no effect. + EnforcementFeature_ENFORCEMENT_FEATURE_UNSPECIFIED EnforcementFeature = 0 +) + +// Enum value maps for EnforcementFeature. 
+var ( + EnforcementFeature_name = map[int32]string{ + 0: "ENFORCEMENT_FEATURE_UNSPECIFIED", + } + EnforcementFeature_value = map[string]int32{ + "ENFORCEMENT_FEATURE_UNSPECIFIED": 0, + } +) + +func (x EnforcementFeature) Enum() *EnforcementFeature { + p := new(EnforcementFeature) + *p = x + return p +} + +func (x EnforcementFeature) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (EnforcementFeature) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes[0].Descriptor() +} + +func (EnforcementFeature) Type() protoreflect.EnumType { + return &file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes[0] +} + +func (x EnforcementFeature) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use EnforcementFeature.Descriptor instead. +func (EnforcementFeature) EnumDescriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescGZIP(), []int{0} +} + +var File_teleport_decision_v1alpha1_enforcement_feature_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = []byte{ + 0x0a, 0x34, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66, + 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x2a, 0x39, 0x0a, 0x12, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x23, 0x0a, 0x1f, 0x45, 0x4e, 0x46, 0x4f, + 0x52, 0x43, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x46, 0x45, 0x41, 
0x54, 0x55, 0x52, 0x45, 0x5f, + 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x42, 0x5a, 0x5a, + 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, + 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, +} + +var ( + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes = []any{ + (EnforcementFeature)(0), // 0: teleport.decision.v1alpha1.EnforcementFeature +} +var file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field 
type_name +} + +func init() { file_teleport_decision_v1alpha1_enforcement_feature_proto_init() } +func file_teleport_decision_v1alpha1_enforcement_feature_proto_init() { + if File_teleport_decision_v1alpha1_enforcement_feature_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc, + NumEnums: 1, + NumMessages: 0, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs, + EnumInfos: file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes, + }.Build() + File_teleport_decision_v1alpha1_enforcement_feature_proto = out.File + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = nil + file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes = nil + file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go new file mode 100644 index 0000000000000..48d7fb90b5b0e --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go 
@@ -0,0 +1,176 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/permit_metadata.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Metadata for access permits. +type PermitMetadata struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy + // Enforcement Point) *must* implement in order to correctly enforce the + // decision. Note that where possible new features should be structured to + // "fail safe" rather than relying on feature assertions. 
+ FeatureAssertions []EnforcementFeature `protobuf:"varint,1,rep,packed,name=feature_assertions,json=featureAssertions,proto3,enum=teleport.decision.v1alpha1.EnforcementFeature" json:"feature_assertions,omitempty"` + // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated + // the decision request. + PdpVersion string `protobuf:"bytes,2,opt,name=pdp_version,json=pdpVersion,proto3" json:"pdp_version,omitempty"` +} + +func (x *PermitMetadata) Reset() { + *x = PermitMetadata{} + mi := &file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PermitMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PermitMetadata) ProtoMessage() {} + +func (x *PermitMetadata) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PermitMetadata.ProtoReflect.Descriptor instead. 
+func (*PermitMetadata) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *PermitMetadata) GetFeatureAssertions() []EnforcementFeature { + if x != nil { + return x.FeatureAssertions + } + return nil +} + +func (x *PermitMetadata) GetPdpVersion() string { + if x != nil { + return x.PdpVersion + } + return "" +} + +var File_teleport_decision_v1alpha1_permit_metadata_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = []byte{ + 0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72, + 0x6d, 0x69, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x34, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66, 0x6f, 0x72, + 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x0e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x5d, 0x0a, 0x12, 0x66, 0x65, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x46, 0x65, 0x61, 0x74, + 0x75, 0x72, 0x65, 0x52, 0x11, 0x66, 0x65, 0x61, 0x74, 0x75, 
0x72, 0x65, 0x41, 0x73, 0x73, 0x65, + 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x64, 0x70, 0x5f, 0x76, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x64, 0x70, + 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes = []any{ + (*PermitMetadata)(nil), // 0: teleport.decision.v1alpha1.PermitMetadata + (EnforcementFeature)(0), // 1: teleport.decision.v1alpha1.EnforcementFeature +} +var file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs = []int32{ + 1, // 0: 
teleport.decision.v1alpha1.PermitMetadata.feature_assertions:type_name -> teleport.decision.v1alpha1.EnforcementFeature + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_permit_metadata_proto_init() } +func file_teleport_decision_v1alpha1_permit_metadata_proto_init() { + if File_teleport_decision_v1alpha1_permit_metadata_proto != nil { + return + } + file_teleport_decision_v1alpha1_enforcement_feature_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_permit_metadata_proto = out.File + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = nil + file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes = nil + file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go new file mode 100644 index 0000000000000..7755483709400 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go 
@@ -0,0 +1,229 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/request_metadata.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// DecisionFeature represents supported PDP (Policy Decision Point) features. +type DecisionFeature int32 + +const ( + // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for + // DecisionFeature. Asserting this feature has no effect. + DecisionFeature_DECISION_FEATURE_UNSPECIFIED DecisionFeature = 0 +) + +// Enum value maps for DecisionFeature. 
+var ( + DecisionFeature_name = map[int32]string{ + 0: "DECISION_FEATURE_UNSPECIFIED", + } + DecisionFeature_value = map[string]int32{ + "DECISION_FEATURE_UNSPECIFIED": 0, + } +) + +func (x DecisionFeature) Enum() *DecisionFeature { + p := new(DecisionFeature) + *p = x + return p +} + +func (x DecisionFeature) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (DecisionFeature) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes[0].Descriptor() +} + +func (DecisionFeature) Type() protoreflect.EnumType { + return &file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes[0] +} + +func (x DecisionFeature) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use DecisionFeature.Descriptor instead. +func (DecisionFeature) EnumDescriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP(), []int{0} +} + +// Metadata for evaluation requests. +type RequestMetadata struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // FeatureAssertions is a list of DecisionFeature that the PDP (Policy + // Decision Point) *must* implement in order to correctly evaluate the + // decision request. Note that changes that require new features in the PDP in + // order for it to understand a decision request are rare and should be + // avoided if possible. + FeatureAssertions []DecisionFeature `protobuf:"varint,1,rep,packed,name=feature_assertions,json=featureAssertions,proto3,enum=teleport.decision.v1alpha1.DecisionFeature" json:"feature_assertions,omitempty"` + // PepVersionHint is the *likely* version of the PEP that will enforce the + // decision. Not all decision requests can guarantee that the expected PEP + // (Policy Enforcement Point) version will actually be the version that ends + // up enforcing the decision. 
Hard compatibility requirements must be enforced + // via feature assertions so that PEPs can correctly reject decisions that + // they cannot enforce. + PepVersionHint string `protobuf:"bytes,2,opt,name=pep_version_hint,json=pepVersionHint,proto3" json:"pep_version_hint,omitempty"` +} + +func (x *RequestMetadata) Reset() { + *x = RequestMetadata{} + mi := &file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RequestMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RequestMetadata) ProtoMessage() {} + +func (x *RequestMetadata) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RequestMetadata.ProtoReflect.Descriptor instead. 
+func (*RequestMetadata) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *RequestMetadata) GetFeatureAssertions() []DecisionFeature { + if x != nil { + return x.FeatureAssertions + } + return nil +} + +func (x *RequestMetadata) GetPepVersionHint() string { + if x != nil { + return x.PepVersionHint + } + return "" +} + +var File_teleport_decision_v1alpha1_request_metadata_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = []byte{ + 0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, + 0x97, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x12, 0x5a, 0x0a, 0x12, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x61, + 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0e, 0x32, + 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x52, 0x11, 0x66, 0x65, + 0x61, 0x74, 0x75, 0x72, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x28, 0x0a, 0x10, 0x70, 0x65, 0x70, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x68, + 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x65, 0x70, 0x56, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x48, 0x69, 0x6e, 
0x74, 0x2a, 0x33, 0x0a, 0x0f, 0x44, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x20, 0x0a, 0x1c, + 0x44, 0x45, 0x43, 0x49, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x46, 0x45, 0x41, 0x54, 0x55, 0x52, 0x45, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x42, 0x5a, + 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, + 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_request_metadata_proto_goTypes = []any{ + (DecisionFeature)(0), // 0: teleport.decision.v1alpha1.DecisionFeature + (*RequestMetadata)(nil), // 1: 
teleport.decision.v1alpha1.RequestMetadata +} +var file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs = []int32{ + 0, // 0: teleport.decision.v1alpha1.RequestMetadata.feature_assertions:type_name -> teleport.decision.v1alpha1.DecisionFeature + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_request_metadata_proto_init() } +func file_teleport_decision_v1alpha1_request_metadata_proto_init() { + if File_teleport_decision_v1alpha1_request_metadata_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc, + NumEnums: 1, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_request_metadata_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs, + EnumInfos: file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes, + MessageInfos: file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_request_metadata_proto = out.File + file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = nil + file_teleport_decision_v1alpha1_request_metadata_proto_goTypes = nil + file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go new file mode 100644 index 0000000000000..371181ee52344 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go 
@@ -0,0 +1,176 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/resource.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Resource is the conventional reference type used to refer to the "object" of +// an action that is being considered for an authorization decision. For +// example, a call to EvaluateSSHAccess would use the Resource type to reference +// the ssh node being accessed. +type Resource struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Kind is the type of the resource. Required for requests that support + // multiple types, otherwise safe to omit. + Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"` + // SubKind is the subtype of the resource. 
Usually not required as most + // resources don't have subkinds, or their subkinds do not have an effect on + // authorization decisions. + SubKind string `protobuf:"bytes,2,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"` + // Name is the unique name of the resource. + Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"` +} + +func (x *Resource) Reset() { + *x = Resource{} + mi := &file_teleport_decision_v1alpha1_resource_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Resource) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Resource) ProtoMessage() {} + +func (x *Resource) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_resource_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Resource.ProtoReflect.Descriptor instead. 
+func (*Resource) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_resource_proto_rawDescGZIP(), []int{0} +} + +func (x *Resource) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *Resource) GetSubKind() string { + if x != nil { + return x.SubKind + } + return "" +} + +func (x *Resource) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +var File_teleport_decision_v1alpha1_resource_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_resource_proto_rawDesc = []byte{ + 0x0a, 0x29, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x4d, 0x0a, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, + 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, + 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, + 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 
0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_resource_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_resource_proto_rawDescData = file_teleport_decision_v1alpha1_resource_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_resource_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_resource_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_resource_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_resource_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_resource_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_resource_proto_goTypes = []any{ + (*Resource)(nil), // 0: teleport.decision.v1alpha1.Resource +} +var file_teleport_decision_v1alpha1_resource_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_resource_proto_init() } +func file_teleport_decision_v1alpha1_resource_proto_init() { + if File_teleport_decision_v1alpha1_resource_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_resource_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_resource_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_resource_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_resource_proto_msgTypes, + }.Build() + 
File_teleport_decision_v1alpha1_resource_proto = out.File + file_teleport_decision_v1alpha1_resource_proto_rawDesc = nil + file_teleport_decision_v1alpha1_resource_proto_goTypes = nil + file_teleport_decision_v1alpha1_resource_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go new file mode 100644 index 0000000000000..ad064dfd34b3e --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go 
@@ -0,0 +1,599 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/ssh_access.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + durationpb "google.golang.org/protobuf/types/known/durationpb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// EvaluateSSHAccessRequest describes a request to evaluate whether or not a +// given ssh access attempt should be permitted. +type EvaluateSSHAccessRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Metadata holds common authorization decision request fields. + Metadata *RequestMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + // User describes the teleport user requesting access. 
+ SshIdentity *SSHIdentity `protobuf:"bytes,2,opt,name=ssh_identity,json=sshIdentity,proto3" json:"ssh_identity,omitempty"` + // Node references the target node the user is attempting to access. + Node *Resource `protobuf:"bytes,3,opt,name=node,proto3" json:"node,omitempty"` +} + +func (x *EvaluateSSHAccessRequest) Reset() { + *x = EvaluateSSHAccessRequest{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateSSHAccessRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateSSHAccessRequest) ProtoMessage() {} + +func (x *EvaluateSSHAccessRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateSSHAccessRequest.ProtoReflect.Descriptor instead. +func (*EvaluateSSHAccessRequest) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{0} +} + +func (x *EvaluateSSHAccessRequest) GetMetadata() *RequestMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *EvaluateSSHAccessRequest) GetSshIdentity() *SSHIdentity { + if x != nil { + return x.SshIdentity + } + return nil +} + +func (x *EvaluateSSHAccessRequest) GetNode() *Resource { + if x != nil { + return x.Node + } + return nil +} + +// EvaluateSSHAccessResponse describes the result of an SSH access evaluation. 
+type EvaluateSSHAccessResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Decision: + // + // *EvaluateSSHAccessResponse_Permit + // *EvaluateSSHAccessResponse_Denial + Decision isEvaluateSSHAccessResponse_Decision `protobuf_oneof:"decision"` +} + +func (x *EvaluateSSHAccessResponse) Reset() { + *x = EvaluateSSHAccessResponse{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateSSHAccessResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateSSHAccessResponse) ProtoMessage() {} + +func (x *EvaluateSSHAccessResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateSSHAccessResponse.ProtoReflect.Descriptor instead. 
+func (*EvaluateSSHAccessResponse) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{1} +} + +func (m *EvaluateSSHAccessResponse) GetDecision() isEvaluateSSHAccessResponse_Decision { + if m != nil { + return m.Decision + } + return nil +} + +func (x *EvaluateSSHAccessResponse) GetPermit() *SSHAccessPermit { + if x, ok := x.GetDecision().(*EvaluateSSHAccessResponse_Permit); ok { + return x.Permit + } + return nil +} + +func (x *EvaluateSSHAccessResponse) GetDenial() *SSHAccessDenial { + if x, ok := x.GetDecision().(*EvaluateSSHAccessResponse_Denial); ok { + return x.Denial + } + return nil +} + +type isEvaluateSSHAccessResponse_Decision interface { + isEvaluateSSHAccessResponse_Decision() +} + +type EvaluateSSHAccessResponse_Permit struct { + Permit *SSHAccessPermit `protobuf:"bytes,1,opt,name=permit,proto3,oneof"` +} + +type EvaluateSSHAccessResponse_Denial struct { + Denial *SSHAccessDenial `protobuf:"bytes,2,opt,name=denial,proto3,oneof"` +} + +func (*EvaluateSSHAccessResponse_Permit) isEvaluateSSHAccessResponse_Decision() {} + +func (*EvaluateSSHAccessResponse_Denial) isEvaluateSSHAccessResponse_Decision() {} + +// SSHAccessPermit describes the parameters/constraints of a permissible SSH +// access attempt. 
+type SSHAccessPermit struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *PermitMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + Logins []string `protobuf:"bytes,2,rep,name=logins,proto3" json:"logins,omitempty"` + ForwardAgent bool `protobuf:"varint,3,opt,name=forward_agent,json=forwardAgent,proto3" json:"forward_agent,omitempty"` + MaxSessionTtl *durationpb.Duration `protobuf:"bytes,4,opt,name=max_session_ttl,json=maxSessionTtl,proto3" json:"max_session_ttl,omitempty"` + PortForwarding bool `protobuf:"varint,5,opt,name=port_forwarding,json=portForwarding,proto3" json:"port_forwarding,omitempty"` + ClientIdleTimeout int64 `protobuf:"varint,6,opt,name=client_idle_timeout,json=clientIdleTimeout,proto3" json:"client_idle_timeout,omitempty"` + DisconnectExpiredCert bool `protobuf:"varint,7,opt,name=disconnect_expired_cert,json=disconnectExpiredCert,proto3" json:"disconnect_expired_cert,omitempty"` + Bpf []string `protobuf:"bytes,8,rep,name=bpf,proto3" json:"bpf,omitempty"` + X11Forwarding bool `protobuf:"varint,9,opt,name=x11_forwarding,json=x11Forwarding,proto3" json:"x11_forwarding,omitempty"` + MaxConnections int64 `protobuf:"varint,10,opt,name=max_connections,json=maxConnections,proto3" json:"max_connections,omitempty"` + MaxSessions int64 `protobuf:"varint,11,opt,name=max_sessions,json=maxSessions,proto3" json:"max_sessions,omitempty"` + Lock string `protobuf:"bytes,12,opt,name=lock,proto3" json:"lock,omitempty"` + CreateHostUser bool `protobuf:"varint,13,opt,name=create_host_user,json=createHostUser,proto3" json:"create_host_user,omitempty"` + SshFileCopy bool `protobuf:"varint,14,opt,name=ssh_file_copy,json=sshFileCopy,proto3" json:"ssh_file_copy,omitempty"` + CreateHostUserMode string `protobuf:"bytes,15,opt,name=create_host_user_mode,json=createHostUserMode,proto3" json:"create_host_user_mode,omitempty"` + CreateHostUserShell string 
`protobuf:"bytes,16,opt,name=create_host_user_shell,json=createHostUserShell,proto3" json:"create_host_user_shell,omitempty"` + HostGroups []string `protobuf:"bytes,17,rep,name=host_groups,json=hostGroups,proto3" json:"host_groups,omitempty"` + HostSudoers []string `protobuf:"bytes,18,rep,name=host_sudoers,json=hostSudoers,proto3" json:"host_sudoers,omitempty"` +} + +func (x *SSHAccessPermit) Reset() { + *x = SSHAccessPermit{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SSHAccessPermit) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SSHAccessPermit) ProtoMessage() {} + +func (x *SSHAccessPermit) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SSHAccessPermit.ProtoReflect.Descriptor instead. 
+func (*SSHAccessPermit) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{2} +} + +func (x *SSHAccessPermit) GetMetadata() *PermitMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *SSHAccessPermit) GetLogins() []string { + if x != nil { + return x.Logins + } + return nil +} + +func (x *SSHAccessPermit) GetForwardAgent() bool { + if x != nil { + return x.ForwardAgent + } + return false +} + +func (x *SSHAccessPermit) GetMaxSessionTtl() *durationpb.Duration { + if x != nil { + return x.MaxSessionTtl + } + return nil +} + +func (x *SSHAccessPermit) GetPortForwarding() bool { + if x != nil { + return x.PortForwarding + } + return false +} + +func (x *SSHAccessPermit) GetClientIdleTimeout() int64 { + if x != nil { + return x.ClientIdleTimeout + } + return 0 +} + +func (x *SSHAccessPermit) GetDisconnectExpiredCert() bool { + if x != nil { + return x.DisconnectExpiredCert + } + return false +} + +func (x *SSHAccessPermit) GetBpf() []string { + if x != nil { + return x.Bpf + } + return nil +} + +func (x *SSHAccessPermit) GetX11Forwarding() bool { + if x != nil { + return x.X11Forwarding + } + return false +} + +func (x *SSHAccessPermit) GetMaxConnections() int64 { + if x != nil { + return x.MaxConnections + } + return 0 +} + +func (x *SSHAccessPermit) GetMaxSessions() int64 { + if x != nil { + return x.MaxSessions + } + return 0 +} + +func (x *SSHAccessPermit) GetLock() string { + if x != nil { + return x.Lock + } + return "" +} + +func (x *SSHAccessPermit) GetCreateHostUser() bool { + if x != nil { + return x.CreateHostUser + } + return false +} + +func (x *SSHAccessPermit) GetSshFileCopy() bool { + if x != nil { + return x.SshFileCopy + } + return false +} + +func (x *SSHAccessPermit) GetCreateHostUserMode() string { + if x != nil { + return x.CreateHostUserMode + } + return "" +} + +func (x *SSHAccessPermit) GetCreateHostUserShell() string { + if x != nil { + return 
x.CreateHostUserShell + } + return "" +} + +func (x *SSHAccessPermit) GetHostGroups() []string { + if x != nil { + return x.HostGroups + } + return nil +} + +func (x *SSHAccessPermit) GetHostSudoers() []string { + if x != nil { + return x.HostSudoers + } + return nil +} + +// SSHAccessDenial describes an SSH access denial. +type SSHAccessDenial struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *DenialMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *SSHAccessDenial) Reset() { + *x = SSHAccessDenial{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SSHAccessDenial) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SSHAccessDenial) ProtoMessage() {} + +func (x *SSHAccessDenial) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SSHAccessDenial.ProtoReflect.Descriptor instead. 
+func (*SSHAccessDenial) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{3} +} + +func (x *SSHAccessDenial) GetMetadata() *DenialMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +var File_teleport_decision_v1alpha1_ssh_access_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = []byte{ + 0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, + 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x5f, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x30, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x5f, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x31, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x1a, 0x29, 
0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, 0x5f, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe9, 0x01, 0x0a, 0x18, 0x45, + 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x47, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, + 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x12, 0x4a, 0x0a, 0x0c, 0x73, 0x73, 0x68, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, + 0x0b, 0x73, 0x73, 0x68, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x38, 0x0a, 0x04, + 0x6e, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x52, 0x04, 0x6e, 0x6f, 0x64, 0x65, 0x22, 0xb5, 
0x01, 0x0a, 0x19, 0x45, 0x76, 0x61, 0x6c, 0x75, + 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x45, 0x0a, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, + 0x74, 0x48, 0x00, 0x52, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x12, 0x45, 0x0a, 0x06, 0x64, + 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x48, 0x00, 0x52, 0x06, 0x64, 0x65, 0x6e, 0x69, + 0x61, 0x6c, 0x42, 0x0a, 0x0a, 0x08, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0xfd, + 0x05, 0x0a, 0x0f, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, + 0x69, 0x74, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x6f, + 0x67, 0x69, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x6c, 0x6f, 0x67, 0x69, + 0x6e, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x61, 0x67, + 0x65, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x66, 0x6f, 0x72, 
0x77, 0x61, + 0x72, 0x64, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x73, + 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x74, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x61, 0x78, + 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x74, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x6f, + 0x72, 0x74, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x0e, 0x70, 0x6f, 0x72, 0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, + 0x69, 0x6e, 0x67, 0x12, 0x2e, 0x0a, 0x13, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, + 0x6c, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x6c, 0x65, 0x54, 0x69, 0x6d, 0x65, + 0x6f, 0x75, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, + 0x74, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, + 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x62, + 0x70, 0x66, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x62, 0x70, 0x66, 0x12, 0x25, 0x0a, + 0x0e, 0x78, 0x31, 0x31, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x78, 0x31, 0x31, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, + 0x64, 0x69, 0x6e, 0x67, 0x12, 0x27, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, + 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x6d, + 0x61, 0x78, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x21, 0x0a, + 0x0c, 0x6d, 0x61, 0x78, 
0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0b, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x0b, 0x6d, 0x61, 0x78, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x6f, 0x63, 0x6b, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x6c, 0x6f, 0x63, 0x6b, 0x12, 0x28, 0x0a, 0x10, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x68, + 0x6f, 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, + 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x12, 0x22, + 0x0a, 0x0d, 0x73, 0x73, 0x68, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x63, 0x6f, 0x70, 0x79, 0x18, + 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x73, 0x68, 0x46, 0x69, 0x6c, 0x65, 0x43, 0x6f, + 0x70, 0x79, 0x12, 0x31, 0x0a, 0x15, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x6f, 0x73, + 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x0f, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x12, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x55, 0x73, 0x65, + 0x72, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x33, 0x0a, 0x16, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, + 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x18, + 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, + 0x74, 0x55, 0x73, 0x65, 0x72, 0x53, 0x68, 0x65, 0x6c, 0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x68, 0x6f, + 0x73, 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, + 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x68, + 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x75, 0x64, 0x6f, 0x65, 0x72, 0x73, 0x18, 0x12, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x53, 0x75, 0x64, 0x6f, 0x65, 0x72, 0x73, 0x22, 0x59, + 0x0a, 0x0f, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, + 0x6c, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 
0x61, 0x74, 0x61, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_teleport_decision_v1alpha1_ssh_access_proto_goTypes = []any{ + (*EvaluateSSHAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest + (*EvaluateSSHAccessResponse)(nil), // 1: teleport.decision.v1alpha1.EvaluateSSHAccessResponse + (*SSHAccessPermit)(nil), // 2: 
teleport.decision.v1alpha1.SSHAccessPermit + (*SSHAccessDenial)(nil), // 3: teleport.decision.v1alpha1.SSHAccessDenial + (*RequestMetadata)(nil), // 4: teleport.decision.v1alpha1.RequestMetadata + (*SSHIdentity)(nil), // 5: teleport.decision.v1alpha1.SSHIdentity + (*Resource)(nil), // 6: teleport.decision.v1alpha1.Resource + (*PermitMetadata)(nil), // 7: teleport.decision.v1alpha1.PermitMetadata + (*durationpb.Duration)(nil), // 8: google.protobuf.Duration + (*DenialMetadata)(nil), // 9: teleport.decision.v1alpha1.DenialMetadata +} +var file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs = []int32{ + 4, // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest.metadata:type_name -> teleport.decision.v1alpha1.RequestMetadata + 5, // 1: teleport.decision.v1alpha1.EvaluateSSHAccessRequest.ssh_identity:type_name -> teleport.decision.v1alpha1.SSHIdentity + 6, // 2: teleport.decision.v1alpha1.EvaluateSSHAccessRequest.node:type_name -> teleport.decision.v1alpha1.Resource + 2, // 3: teleport.decision.v1alpha1.EvaluateSSHAccessResponse.permit:type_name -> teleport.decision.v1alpha1.SSHAccessPermit + 3, // 4: teleport.decision.v1alpha1.EvaluateSSHAccessResponse.denial:type_name -> teleport.decision.v1alpha1.SSHAccessDenial + 7, // 5: teleport.decision.v1alpha1.SSHAccessPermit.metadata:type_name -> teleport.decision.v1alpha1.PermitMetadata + 8, // 6: teleport.decision.v1alpha1.SSHAccessPermit.max_session_ttl:type_name -> google.protobuf.Duration + 9, // 7: teleport.decision.v1alpha1.SSHAccessDenial.metadata:type_name -> teleport.decision.v1alpha1.DenialMetadata + 8, // [8:8] is the sub-list for method output_type + 8, // [8:8] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_ssh_access_proto_init() } +func file_teleport_decision_v1alpha1_ssh_access_proto_init() { + if 
File_teleport_decision_v1alpha1_ssh_access_proto != nil { + return + } + file_teleport_decision_v1alpha1_denial_metadata_proto_init() + file_teleport_decision_v1alpha1_permit_metadata_proto_init() + file_teleport_decision_v1alpha1_request_metadata_proto_init() + file_teleport_decision_v1alpha1_resource_proto_init() + file_teleport_decision_v1alpha1_ssh_identity_proto_init() + file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[1].OneofWrappers = []any{ + (*EvaluateSSHAccessResponse_Permit)(nil), + (*EvaluateSSHAccessResponse_Denial)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc, + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_ssh_access_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_ssh_access_proto = out.File + file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = nil + file_teleport_decision_v1alpha1_ssh_access_proto_goTypes = nil + file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go new file mode 100644 index 0000000000000..252275b905871 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go 
@@ -0,0 +1,138 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/ssh_identity.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// SSHIdentity is the identity used for SSH connections. 
+type SSHIdentity struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *SSHIdentity) Reset() { + *x = SSHIdentity{} + mi := &file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SSHIdentity) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SSHIdentity) ProtoMessage() {} + +func (x *SSHIdentity) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SSHIdentity.ProtoReflect.Descriptor instead. +func (*SSHIdentity) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP(), []int{0} +} + +var File_teleport_decision_v1alpha1_ssh_identity_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, + 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x0d, 0x0a, 0x0b, 0x53, + 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 
0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, + 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes = []any{ + (*SSHIdentity)(nil), // 0: teleport.decision.v1alpha1.SSHIdentity +} +var file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_ssh_identity_proto_init() } +func file_teleport_decision_v1alpha1_ssh_identity_proto_init() { + if File_teleport_decision_v1alpha1_ssh_identity_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 
0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_ssh_identity_proto = out.File + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = nil + file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes = nil + file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go new file mode 100644 index 0000000000000..d5b8151bddc1d --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go 
@@ -0,0 +1,1002 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/tls_identity.proto + +package decisionpb + +import ( + v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/trait/v1" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// TLSIdentity is the identity used for TLS connections. +// Must be kept in sync with tlsca.Identity. +type TLSIdentity struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Username is the name of the user (for end-users/bots) or the Host ID (for + // Teleport processes). + Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + // Impersonator is a username of a user impersonating this user. 
+ Impersonator string `protobuf:"bytes,2,opt,name=impersonator,proto3" json:"impersonator,omitempty"` + // Groups is a list of groups (Teleport roles) encoded in the identity. + Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"` + // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used in + // "multi-role" certificates. Single-role certificates encode the system role + // in `Groups` for back-compat reasons. + SystemRoles []string `protobuf:"bytes,4,rep,name=system_roles,json=systemRoles,proto3" json:"system_roles,omitempty"` + // Usage is a list of usage restrictions encoded in the identity. + Usage []string `protobuf:"bytes,5,rep,name=usage,proto3" json:"usage,omitempty"` + // Principals is a list of Unix logins allowed. + Principals []string `protobuf:"bytes,6,rep,name=principals,proto3" json:"principals,omitempty"` + // KubernetesGroups is a list of Kubernetes groups allowed. + KubernetesGroups []string `protobuf:"bytes,7,rep,name=kubernetes_groups,json=kubernetesGroups,proto3" json:"kubernetes_groups,omitempty"` + // KubernetesUsers is a list of Kubernetes users allowed. + KubernetesUsers []string `protobuf:"bytes,8,rep,name=kubernetes_users,json=kubernetesUsers,proto3" json:"kubernetes_users,omitempty"` + // Expires specifies whenever the session will expire. + Expires *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=expires,proto3" json:"expires,omitempty"` + // RouteToCluster specifies the target cluster. + RouteToCluster string `protobuf:"bytes,10,opt,name=route_to_cluster,json=routeToCluster,proto3" json:"route_to_cluster,omitempty"` + // KubernetesCluster specifies the target kubernetes cluster for TLS + // identities. This can be empty on older Teleport clients. + KubernetesCluster string `protobuf:"bytes,11,opt,name=kubernetes_cluster,json=kubernetesCluster,proto3" json:"kubernetes_cluster,omitempty"` + // Traits hold claim data used to populate a role at runtime. 
+ Traits []*v1.Trait `protobuf:"bytes,12,rep,name=traits,proto3" json:"traits,omitempty"` + // RouteToApp holds routing information for applications. Routing metadata + // allows Teleport web proxy to route HTTP requests to the appropriate cluster + // and Teleport application proxy within the cluster. + RouteToApp *RouteToApp `protobuf:"bytes,13,opt,name=route_to_app,json=routeToApp,proto3" json:"route_to_app,omitempty"` + // TeleportCluster is the name of the teleport cluster that this identity + // originated from. For TLS certs this may not be the same as cert issuer, in + // case of multi-hop requests that originate from a remote cluster. + TeleportCluster string `protobuf:"bytes,14,opt,name=teleport_cluster,json=teleportCluster,proto3" json:"teleport_cluster,omitempty"` + // RouteToDatabase contains routing information for databases. + RouteToDatabase *RouteToDatabase `protobuf:"bytes,15,opt,name=route_to_database,json=routeToDatabase,proto3" json:"route_to_database,omitempty"` + // DatabaseNames is a list of allowed database names. + DatabaseNames []string `protobuf:"bytes,16,rep,name=database_names,json=databaseNames,proto3" json:"database_names,omitempty"` + // DatabaseUsers is a list of allowed database users. + DatabaseUsers []string `protobuf:"bytes,17,rep,name=database_users,json=databaseUsers,proto3" json:"database_users,omitempty"` + // MfaVerified is the UUID of an MFA device when this Identity was + // confirmed immediately after an MFA check. + MfaVerified string `protobuf:"bytes,18,opt,name=mfa_verified,json=mfaVerified,proto3" json:"mfa_verified,omitempty"` + // PreviousIdentityExpires is the expiry time of the identity/cert that this + // identity/cert was derived from. It is used to determine a session's hard + // deadline in cases where both require_session_mfa and + // disconnect_expired_cert are enabled. + // See https://github.com/gravitational/teleport/issues/18544. 
+ PreviousIdentityExpires *timestamppb.Timestamp `protobuf:"bytes,19,opt,name=previous_identity_expires,json=previousIdentityExpires,proto3" json:"previous_identity_expires,omitempty"` + // LoginIp is an observed IP of the client that this Identity represents. + LoginIp string `protobuf:"bytes,20,opt,name=login_ip,json=loginIp,proto3" json:"login_ip,omitempty"` + // PinnedIp is an IP the certificate is pinned to. + PinnedIp string `protobuf:"bytes,21,opt,name=pinned_ip,json=pinnedIp,proto3" json:"pinned_ip,omitempty"` + // AwsRoleArns is a list of allowed AWS role ARNs user can assume. + AwsRoleArns []string `protobuf:"bytes,22,rep,name=aws_role_arns,json=awsRoleArns,proto3" json:"aws_role_arns,omitempty"` + // AzureIdentities is a list of allowed Azure identities user can assume. + AzureIdentities []string `protobuf:"bytes,23,rep,name=azure_identities,json=azureIdentities,proto3" json:"azure_identities,omitempty"` + // GcpServiceAccounts is a list of allowed GCP service accounts that the user + // can assume. + GcpServiceAccounts []string `protobuf:"bytes,24,rep,name=gcp_service_accounts,json=gcpServiceAccounts,proto3" json:"gcp_service_accounts,omitempty"` + // ActiveRequests is a list of UUIDs of active requests for this Identity. + ActiveRequests []string `protobuf:"bytes,25,rep,name=active_requests,json=activeRequests,proto3" json:"active_requests,omitempty"` + // DisallowReissue is a flag that, if set, instructs the auth server to deny + // any attempts to reissue new certificates while authenticated with this + // certificate. + DisallowReissue bool `protobuf:"varint,26,opt,name=disallow_reissue,json=disallowReissue,proto3" json:"disallow_reissue,omitempty"` + // Renewable indicates that this identity is allowed to renew it's own + // credentials. This is only enabled for certificate renewal bots. 
+ Renewable bool `protobuf:"varint,27,opt,name=renewable,proto3" json:"renewable,omitempty"` + // Generation counts the number of times this certificate has been renewed. + Generation uint64 `protobuf:"varint,28,opt,name=generation,proto3" json:"generation,omitempty"` + // BotName indicates the name of the Machine ID bot this identity was issued + // to, if any. + BotName string `protobuf:"bytes,29,opt,name=bot_name,json=botName,proto3" json:"bot_name,omitempty"` + // BotInstanceId is a unique identifier for Machine ID bots that is persisted + // through renewals. + BotInstanceId string `protobuf:"bytes,30,opt,name=bot_instance_id,json=botInstanceId,proto3" json:"bot_instance_id,omitempty"` + // AllowedResourceIds lists the resources the identity should be allowed to + // access. + AllowedResourceIds []*ResourceId `protobuf:"bytes,31,rep,name=allowed_resource_ids,json=allowedResourceIds,proto3" json:"allowed_resource_ids,omitempty"` + // PrivateKeyPolicy is the private key policy supported by this identity. + PrivateKeyPolicy string `protobuf:"bytes,32,opt,name=private_key_policy,json=privateKeyPolicy,proto3" json:"private_key_policy,omitempty"` + // ConnectionDiagnosticId is used to add connection diagnostic messages when + // Testing a Connection. + ConnectionDiagnosticId string `protobuf:"bytes,33,opt,name=connection_diagnostic_id,json=connectionDiagnosticId,proto3" json:"connection_diagnostic_id,omitempty"` + // DeviceExtensions holds device-aware extensions for the identity. + DeviceExtensions *DeviceExtensions `protobuf:"bytes,34,opt,name=device_extensions,json=deviceExtensions,proto3" json:"device_extensions,omitempty"` + // UserType indicates if the User was created by an SSO Provider or locally. 
+ UserType string `protobuf:"bytes,35,opt,name=user_type,json=userType,proto3" json:"user_type,omitempty"` +} + +func (x *TLSIdentity) Reset() { + *x = TLSIdentity{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TLSIdentity) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TLSIdentity) ProtoMessage() {} + +func (x *TLSIdentity) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TLSIdentity.ProtoReflect.Descriptor instead. +func (*TLSIdentity) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{0} +} + +func (x *TLSIdentity) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *TLSIdentity) GetImpersonator() string { + if x != nil { + return x.Impersonator + } + return "" +} + +func (x *TLSIdentity) GetGroups() []string { + if x != nil { + return x.Groups + } + return nil +} + +func (x *TLSIdentity) GetSystemRoles() []string { + if x != nil { + return x.SystemRoles + } + return nil +} + +func (x *TLSIdentity) GetUsage() []string { + if x != nil { + return x.Usage + } + return nil +} + +func (x *TLSIdentity) GetPrincipals() []string { + if x != nil { + return x.Principals + } + return nil +} + +func (x *TLSIdentity) GetKubernetesGroups() []string { + if x != nil { + return x.KubernetesGroups + } + return nil +} + +func (x *TLSIdentity) GetKubernetesUsers() []string { + if x != nil { + return x.KubernetesUsers + } + return nil +} + +func (x *TLSIdentity) GetExpires() *timestamppb.Timestamp { + if x != nil { + return x.Expires + } + return nil +} + +func (x *TLSIdentity) 
GetRouteToCluster() string { + if x != nil { + return x.RouteToCluster + } + return "" +} + +func (x *TLSIdentity) GetKubernetesCluster() string { + if x != nil { + return x.KubernetesCluster + } + return "" +} + +func (x *TLSIdentity) GetTraits() []*v1.Trait { + if x != nil { + return x.Traits + } + return nil +} + +func (x *TLSIdentity) GetRouteToApp() *RouteToApp { + if x != nil { + return x.RouteToApp + } + return nil +} + +func (x *TLSIdentity) GetTeleportCluster() string { + if x != nil { + return x.TeleportCluster + } + return "" +} + +func (x *TLSIdentity) GetRouteToDatabase() *RouteToDatabase { + if x != nil { + return x.RouteToDatabase + } + return nil +} + +func (x *TLSIdentity) GetDatabaseNames() []string { + if x != nil { + return x.DatabaseNames + } + return nil +} + +func (x *TLSIdentity) GetDatabaseUsers() []string { + if x != nil { + return x.DatabaseUsers + } + return nil +} + +func (x *TLSIdentity) GetMfaVerified() string { + if x != nil { + return x.MfaVerified + } + return "" +} + +func (x *TLSIdentity) GetPreviousIdentityExpires() *timestamppb.Timestamp { + if x != nil { + return x.PreviousIdentityExpires + } + return nil +} + +func (x *TLSIdentity) GetLoginIp() string { + if x != nil { + return x.LoginIp + } + return "" +} + +func (x *TLSIdentity) GetPinnedIp() string { + if x != nil { + return x.PinnedIp + } + return "" +} + +func (x *TLSIdentity) GetAwsRoleArns() []string { + if x != nil { + return x.AwsRoleArns + } + return nil +} + +func (x *TLSIdentity) GetAzureIdentities() []string { + if x != nil { + return x.AzureIdentities + } + return nil +} + +func (x *TLSIdentity) GetGcpServiceAccounts() []string { + if x != nil { + return x.GcpServiceAccounts + } + return nil +} + +func (x *TLSIdentity) GetActiveRequests() []string { + if x != nil { + return x.ActiveRequests + } + return nil +} + +func (x *TLSIdentity) GetDisallowReissue() bool { + if x != nil { + return x.DisallowReissue + } + return false +} + +func (x *TLSIdentity) 
GetRenewable() bool { + if x != nil { + return x.Renewable + } + return false +} + +func (x *TLSIdentity) GetGeneration() uint64 { + if x != nil { + return x.Generation + } + return 0 +} + +func (x *TLSIdentity) GetBotName() string { + if x != nil { + return x.BotName + } + return "" +} + +func (x *TLSIdentity) GetBotInstanceId() string { + if x != nil { + return x.BotInstanceId + } + return "" +} + +func (x *TLSIdentity) GetAllowedResourceIds() []*ResourceId { + if x != nil { + return x.AllowedResourceIds + } + return nil +} + +func (x *TLSIdentity) GetPrivateKeyPolicy() string { + if x != nil { + return x.PrivateKeyPolicy + } + return "" +} + +func (x *TLSIdentity) GetConnectionDiagnosticId() string { + if x != nil { + return x.ConnectionDiagnosticId + } + return "" +} + +func (x *TLSIdentity) GetDeviceExtensions() *DeviceExtensions { + if x != nil { + return x.DeviceExtensions + } + return nil +} + +func (x *TLSIdentity) GetUserType() string { + if x != nil { + return x.UserType + } + return "" +} + +// RouteToApp holds routing information for applications. +type RouteToApp struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // SessionId is an ID used to identify application sessions created by this + // certificate. + SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"` + // PublicAddr (and ClusterName) are used to route requests issued with this + // certificate to the appropriate application proxy/cluster. + PublicAddr string `protobuf:"bytes,2,opt,name=public_addr,json=publicAddr,proto3" json:"public_addr,omitempty"` + // ClusterName (and PublicAddr) are used to route requests issued with this + // certificate to the appropriate application proxy/cluster. + ClusterName string `protobuf:"bytes,3,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` + // Name is the app name. 
+ Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"` + // AwsRoleArn is the AWS role to assume when accessing AWS console. + AwsRoleArn string `protobuf:"bytes,5,opt,name=aws_role_arn,json=awsRoleArn,proto3" json:"aws_role_arn,omitempty"` + // AzureIdentity is the Azure identity to assume when accessing Azure API. + AzureIdentity string `protobuf:"bytes,6,opt,name=azure_identity,json=azureIdentity,proto3" json:"azure_identity,omitempty"` + // GcpServiceAccount is the GCP service account to assume when accessing GCP + // API. + GcpServiceAccount string `protobuf:"bytes,7,opt,name=gcp_service_account,json=gcpServiceAccount,proto3" json:"gcp_service_account,omitempty"` + // Uri is the URI of the app. This is the internal endpoint where the + // application is running and isn't user-facing. + Uri string `protobuf:"bytes,8,opt,name=uri,proto3" json:"uri,omitempty"` + // TargetPort is the port to which connections should be routed to. Used only + // for multi-port TCP apps. It is appended to the hostname from the URI in the + // app spec, since the URI from RouteToApp is not used as the source of truth + // for routing. + TargetPort int32 `protobuf:"varint,9,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"` +} + +func (x *RouteToApp) Reset() { + *x = RouteToApp{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RouteToApp) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RouteToApp) ProtoMessage() {} + +func (x *RouteToApp) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RouteToApp.ProtoReflect.Descriptor instead. 
+func (*RouteToApp) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{1} +} + +func (x *RouteToApp) GetSessionId() string { + if x != nil { + return x.SessionId + } + return "" +} + +func (x *RouteToApp) GetPublicAddr() string { + if x != nil { + return x.PublicAddr + } + return "" +} + +func (x *RouteToApp) GetClusterName() string { + if x != nil { + return x.ClusterName + } + return "" +} + +func (x *RouteToApp) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *RouteToApp) GetAwsRoleArn() string { + if x != nil { + return x.AwsRoleArn + } + return "" +} + +func (x *RouteToApp) GetAzureIdentity() string { + if x != nil { + return x.AzureIdentity + } + return "" +} + +func (x *RouteToApp) GetGcpServiceAccount() string { + if x != nil { + return x.GcpServiceAccount + } + return "" +} + +func (x *RouteToApp) GetUri() string { + if x != nil { + return x.Uri + } + return "" +} + +func (x *RouteToApp) GetTargetPort() int32 { + if x != nil { + return x.TargetPort + } + return 0 +} + +// RouteToDatabase contains routing information for databases. +type RouteToDatabase struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // ServiceName is the name of the Teleport database proxy service to route + // requests to. + ServiceName string `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"` + // Protocol is the database protocol. + // + // It is embedded in identity so clients can understand what type of database + // this is without contacting server. + Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"` + // Username is an optional database username to serve as a default username to + // connect as. 
+ Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"` + // Database is an optional database name to serve as a default database to + // connect to. + Database string `protobuf:"bytes,4,opt,name=database,proto3" json:"database,omitempty"` + // Roles is an optional list of database roles to use for a database session. + // This list should be a subset of allowed database roles. If not specified, + // Database Service will use all allowed database roles for this database. + Roles []string `protobuf:"bytes,5,rep,name=roles,proto3" json:"roles,omitempty"` +} + +func (x *RouteToDatabase) Reset() { + *x = RouteToDatabase{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RouteToDatabase) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RouteToDatabase) ProtoMessage() {} + +func (x *RouteToDatabase) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RouteToDatabase.ProtoReflect.Descriptor instead. 
+func (*RouteToDatabase) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{2} +} + +func (x *RouteToDatabase) GetServiceName() string { + if x != nil { + return x.ServiceName + } + return "" +} + +func (x *RouteToDatabase) GetProtocol() string { + if x != nil { + return x.Protocol + } + return "" +} + +func (x *RouteToDatabase) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *RouteToDatabase) GetDatabase() string { + if x != nil { + return x.Database + } + return "" +} + +func (x *RouteToDatabase) GetRoles() []string { + if x != nil { + return x.Roles + } + return nil +} + +// ResourceId is a unique identifier for a teleport resource. +// Must be kept in sync with types.ResourceID. +type ResourceId struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // ClusterName is the name of the cluster the resource is in. + ClusterName string `protobuf:"bytes,1,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` + // Kind is the resource kind. + Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` + // Name is the name of the specific resource. + Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"` + // SubResourceName is the resource belonging to resource identified by "Name" + // that the user is allowed to access to. When granting access to a + // subresource, access to other resources is limited. Currently it just + // supports resources of Kind=pod and the format is the following + // "/". 
+ SubResourceName string `protobuf:"bytes,4,opt,name=sub_resource_name,json=subResourceName,proto3" json:"sub_resource_name,omitempty"` +} + +func (x *ResourceId) Reset() { + *x = ResourceId{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ResourceId) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ResourceId) ProtoMessage() {} + +func (x *ResourceId) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ResourceId.ProtoReflect.Descriptor instead. +func (*ResourceId) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{3} +} + +func (x *ResourceId) GetClusterName() string { + if x != nil { + return x.ClusterName + } + return "" +} + +func (x *ResourceId) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *ResourceId) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *ResourceId) GetSubResourceName() string { + if x != nil { + return x.SubResourceName + } + return "" +} + +// DeviceExtensions holds device-aware extensions for the identity. +type DeviceExtensions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // DeviceId is the trusted device identifier. + DeviceId string `protobuf:"bytes,1,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"` + // AssetTag is the device inventory identifier. 
+ AssetTag string `protobuf:"bytes,2,opt,name=asset_tag,json=assetTag,proto3" json:"asset_tag,omitempty"` + // CredentialId is the identifier for the credential used by the device to + // authenticate itself. + CredentialId string `protobuf:"bytes,3,opt,name=credential_id,json=credentialId,proto3" json:"credential_id,omitempty"` +} + +func (x *DeviceExtensions) Reset() { + *x = DeviceExtensions{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DeviceExtensions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeviceExtensions) ProtoMessage() {} + +func (x *DeviceExtensions) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeviceExtensions.ProtoReflect.Descriptor instead. 
+func (*DeviceExtensions) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{4} +} + +func (x *DeviceExtensions) GetDeviceId() string { + if x != nil { + return x.DeviceId + } + return "" +} + +func (x *DeviceExtensions) GetAssetTag() string { + if x != nil { + return x.AssetTag + } + return "" +} + +func (x *DeviceExtensions) GetCredentialId() string { + if x != nil { + return x.CredentialId + } + return "" +} + +var File_teleport_decision_v1alpha1_tls_identity_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x74, 0x6c, 0x73, + 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2f, 0x76, 0x31, 0x2f, + 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb6, 0x0c, 0x0a, 0x0b, + 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x75, + 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, + 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x6d, 0x70, 0x65, 0x72, + 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, + 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 
0x06, 0x67, + 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, 0x6f, + 0x75, 0x70, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x72, 0x6f, + 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x79, 0x73, 0x74, 0x65, + 0x6d, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x18, + 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1e, 0x0a, 0x0a, + 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x2b, 0x0a, 0x11, + 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, + 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x65, 0x73, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x6b, 0x75, 0x62, + 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x08, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x0f, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x55, + 0x73, 0x65, 0x72, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, + 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x72, 0x6f, + 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0a, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x43, 0x6c, 0x75, + 0x73, 0x74, 0x65, 0x72, 0x12, 0x2d, 0x0a, 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, + 0x65, 0x73, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x11, 0x6b, 0x75, 
0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x0c, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, + 0x72, 0x61, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, + 0x72, 0x61, 0x69, 0x74, 0x73, 0x12, 0x48, 0x0a, 0x0c, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, + 0x6f, 0x5f, 0x61, 0x70, 0x70, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, + 0x41, 0x70, 0x70, 0x52, 0x0a, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x12, + 0x29, 0x0a, 0x10, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x63, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x57, 0x0a, 0x11, 0x72, 0x6f, + 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x18, + 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, + 0x73, 0x65, 0x52, 0x0f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, + 0x61, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x10, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x74, + 0x61, 0x62, 0x61, 0x73, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x61, + 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x75, 0x73, 0x65, 
0x72, 0x73, 0x18, 0x11, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x55, 0x73, 0x65, 0x72, + 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x6d, 0x66, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, + 0x64, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6d, 0x66, 0x61, 0x56, 0x65, 0x72, 0x69, + 0x66, 0x69, 0x65, 0x64, 0x12, 0x56, 0x0a, 0x19, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, + 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, + 0x73, 0x18, 0x13, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x52, 0x17, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x49, 0x64, 0x65, + 0x6e, 0x74, 0x69, 0x74, 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, + 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x5f, 0x69, 0x70, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x49, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x69, 0x6e, 0x6e, 0x65, + 0x64, 0x5f, 0x69, 0x70, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x69, 0x6e, 0x6e, + 0x65, 0x64, 0x49, 0x70, 0x12, 0x22, 0x0a, 0x0d, 0x61, 0x77, 0x73, 0x5f, 0x72, 0x6f, 0x6c, 0x65, + 0x5f, 0x61, 0x72, 0x6e, 0x73, 0x18, 0x16, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x77, 0x73, + 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x61, 0x7a, 0x75, 0x72, + 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x17, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0f, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x69, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x14, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x18, 0x18, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x12, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, + 
0x6f, 0x75, 0x6e, 0x74, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, + 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x19, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, + 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x29, + 0x0a, 0x10, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x69, 0x73, 0x73, + 0x75, 0x65, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, + 0x6f, 0x77, 0x52, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x6e, + 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x72, 0x65, + 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0a, 0x67, 0x65, 0x6e, + 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x1d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, + 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x1e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, + 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x58, 0x0a, 0x14, 0x61, 0x6c, + 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, + 0x64, 0x73, 0x18, 0x1f, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, + 0x52, 0x12, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x49, 0x64, 0x73, 0x12, 0x2c, 0x0a, 0x12, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, + 0x6b, 0x65, 0x79, 0x5f, 0x70, 0x6f, 
0x6c, 0x69, 0x63, 0x79, 0x18, 0x20, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x10, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x12, 0x38, 0x0a, 0x18, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x5f, 0x64, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x21, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x44, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63, 0x49, 0x64, 0x12, 0x59, 0x0a, 0x11, + 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, + 0x73, 0x18, 0x22, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, + 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x10, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, + 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, + 0x74, 0x79, 0x70, 0x65, 0x18, 0x23, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, + 0x54, 0x79, 0x70, 0x65, 0x22, 0xaf, 0x02, 0x0a, 0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, + 0x41, 0x70, 0x70, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x61, 0x64, 0x64, + 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x41, + 0x64, 0x64, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, + 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 
0x6d, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0c, 0x61, 0x77, + 0x73, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0a, 0x61, 0x77, 0x73, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x12, 0x25, 0x0a, 0x0e, + 0x61, 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x12, 0x2e, 0x0a, 0x13, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x11, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, + 0x70, 0x6f, 0x72, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, + 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x52, 0x6f, 0x75, 0x74, 0x65, + 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, + 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, + 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, + 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, + 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, + 0x65, 0x12, 
0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x22, 0x83, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, + 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, + 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, + 0x62, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x71, 0x0a, + 0x10, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1b, + 0x0a, 0x09, 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x08, 0x61, 0x73, 0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x23, 0x0a, 0x0d, 0x63, + 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, + 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 
0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 5) +var file_teleport_decision_v1alpha1_tls_identity_proto_goTypes = []any{ + (*TLSIdentity)(nil), // 0: teleport.decision.v1alpha1.TLSIdentity + (*RouteToApp)(nil), // 1: teleport.decision.v1alpha1.RouteToApp + (*RouteToDatabase)(nil), // 2: teleport.decision.v1alpha1.RouteToDatabase + (*ResourceId)(nil), // 3: teleport.decision.v1alpha1.ResourceId + (*DeviceExtensions)(nil), // 4: teleport.decision.v1alpha1.DeviceExtensions + (*timestamppb.Timestamp)(nil), // 5: google.protobuf.Timestamp + (*v1.Trait)(nil), // 6: teleport.trait.v1.Trait +} +var file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs = []int32{ + 5, // 0: teleport.decision.v1alpha1.TLSIdentity.expires:type_name -> google.protobuf.Timestamp + 6, // 1: teleport.decision.v1alpha1.TLSIdentity.traits:type_name -> teleport.trait.v1.Trait + 1, // 2: teleport.decision.v1alpha1.TLSIdentity.route_to_app:type_name -> teleport.decision.v1alpha1.RouteToApp + 2, // 3: teleport.decision.v1alpha1.TLSIdentity.route_to_database:type_name -> 
teleport.decision.v1alpha1.RouteToDatabase + 5, // 4: teleport.decision.v1alpha1.TLSIdentity.previous_identity_expires:type_name -> google.protobuf.Timestamp + 3, // 5: teleport.decision.v1alpha1.TLSIdentity.allowed_resource_ids:type_name -> teleport.decision.v1alpha1.ResourceId + 4, // 6: teleport.decision.v1alpha1.TLSIdentity.device_extensions:type_name -> teleport.decision.v1alpha1.DeviceExtensions + 7, // [7:7] is the sub-list for method output_type + 7, // [7:7] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_tls_identity_proto_init() } +func file_teleport_decision_v1alpha1_tls_identity_proto_init() { + if File_teleport_decision_v1alpha1_tls_identity_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc, + NumEnums: 0, + NumMessages: 5, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_tls_identity_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_tls_identity_proto = out.File + file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = nil + file_teleport_decision_v1alpha1_tls_identity_proto_goTypes = nil + file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs = nil +} diff --git a/api/proto/teleport/decision/v1alpha1/database_access.proto b/api/proto/teleport/decision/v1alpha1/database_access.proto new file mode 100644 index 0000000000000..652df267ef33c --- /dev/null +++ b/api/proto/teleport/decision/v1alpha1/database_access.proto 
@@ -0,0 +1,51 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
+import "teleport/decision/v1alpha1/tls_identity.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EvaluateDatabaseAccessRequest describes a request to evaluate whether or not
+// a given database access attempt should be permitted.
+message EvaluateDatabaseAccessRequest {
+ RequestMetadata metadata = 1;
+ TLSIdentity tls_identity = 2;
+}
+
+// EvaluateDatabaseAccessResponse describes the result of a database access
+// evaluation.
+message EvaluateDatabaseAccessResponse {
+ oneof result {
+ DatabaseAccessPermit permit = 1;
+ DatabaseAccessDenial denial = 2;
+ }
+}
+
+// DatabaseAccessPermit describes the parameters/constraints of a permissible
+// database access attempt.
+message DatabaseAccessPermit {
+ PermitMetadata metadata = 1;
+}
+
+// DatabaseAccessDenial describes a database access denial.
+message DatabaseAccessDenial {
+ DenialMetadata metadata = 1;
+}
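Review bot: EvaluateDatabaseAccessRequest carries only `metadata` and `tls_identity` and, unlike EvaluateSSHAccessRequest in ssh_access.proto, no Resource field naming the database being accessed, so the PDP cannot tell which database the decision is about from the request alone; if that is intended for this first cut, say so in the message comment, otherwise add `Resource database = 3;`. Both request fields are also undocumented while the SSH request documents each of its fields; `// Metadata holds common authorization decision request fields.` and `// TlsIdentity describes the identity of the subject requesting access.` would match. The response oneof is named `result` here but `decision` in EvaluateSSHAccessResponse; the two services should agree on one name so generated accessors look alike.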
diff --git a/api/proto/teleport/decision/v1alpha1/decision_service.proto b/api/proto/teleport/decision/v1alpha1/decision_service.proto
new file mode 100644
index 0000000000000..b5f98c7d5e33e
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/decision_service.proto
@@ -0,0 +1,40 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/database_access.proto";
+import "teleport/decision/v1alpha1/ssh_access.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// DecisionService performs authorization decisions for Teleport.
+//
+// DecisionService acts the PDP (Policy Decision Point) for Teleport services,
+// whereas the services themselves act as the PEP (Policy Enforcement Point).
+// In other words, it calculates the outcome of an authorization request but
+// does not enforce it - each Teleport service must do so.
+//
+// Evaluation responses carry all the data necessary for the enforcement of a
+// decision. A successful evaluation carries a Permit, whereas a failed
+// evaluation carries a Denial.
+service DecisionService {
+ // EvaluateSSHAccess evaluates an SSH access attempt.
+ rpc EvaluateSSHAccess(EvaluateSSHAccessRequest) returns (EvaluateSSHAccessResponse);
+
+ // EvaluateDatabaseAccess evaluate a database access attempt.
+ rpc EvaluateDatabaseAccess(EvaluateDatabaseAccessRequest) returns (EvaluateDatabaseAccessResponse);
+}
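Review bot: The rpc comment `// EvaluateDatabaseAccess evaluate a database access attempt.` drops the verb ending; make it `// EvaluateDatabaseAccess evaluates a database access attempt.` so it reads like the EvaluateSSHAccess comment above it. The service comment `// DecisionService acts the PDP (Policy Decision Point) for Teleport services,` is missing "as" after "acts". These comments are what the generated Go and gRPC docs will carry, so they are worth getting right before the API is published.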
diff --git a/api/proto/teleport/decision/v1alpha1/denial_metadata.proto b/api/proto/teleport/decision/v1alpha1/denial_metadata.proto
new file mode 100644
index 0000000000000..6c30f1fba49b5
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/denial_metadata.proto
@@ -0,0 +1,38 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/enforcement_feature.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for access denials.
+message DenialMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that denials rarely need feature assertions since they
+ // typically "fail safe" anyway.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
+ string pdp_version = 2;
+
+ // UserMessage is a sanitized message safe for return to the subject identity
+ // of the decision request.
+ string user_message = 3;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/enforcement_feature.proto b/api/proto/teleport/decision/v1alpha1/enforcement_feature.proto
new file mode 100644
index 0000000000000..599a516a1ab92
--- /dev/null
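Review bot: `// UserMessage is a sanitized message safe for return to the subject identity` does not say which side does the sanitizing, and a PEP that assumes the PDP already did may forward internal policy details to the requester, while a PDP that assumes the PEP filters may not sanitize at all. Since DenialMetadata is produced by the PDP, pin the responsibility on the producer with a line such as `// The PDP is responsible for sanitization; PEPs may return this message to the subject verbatim.` A one-line note on what belongs here (a reason the subject is allowed to see, never role names or internal errors) would also help implementers populate it consistently.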
+++ b/api/proto/teleport/decision/v1alpha1/enforcement_feature.proto
@@ -0,0 +1,26 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EnforcementFeature represents PEP (Policy Enforcement Point) features.
+enum EnforcementFeature {
+ // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // EnforcementFeature. Asserting this feature has no effect.
+ ENFORCEMENT_FEATURE_UNSPECIFIED = 0;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/permit_metadata.proto b/api/proto/teleport/decision/v1alpha1/permit_metadata.proto
new file mode 100644
index 0000000000000..ba7f607a4c62d
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/permit_metadata.proto
@@ -0,0 +1,34 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/enforcement_feature.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for access permits.
+message PermitMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that where possible new features should be structured to
+ // "fail safe" rather than relying on feature assertions.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
+ string pdp_version = 2;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/request_metadata.proto b/api/proto/teleport/decision/v1alpha1/request_metadata.proto
new file mode 100644
index 0000000000000..2059bd59d3407
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/request_metadata.proto
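Review bot: The FeatureAssertions comment says the PEP *must* implement every listed feature but never says what a PEP does with a permit that asserts a feature it does not recognize, which is the case that actually matters for safety: a PEP that ignores the unknown value and enforces the rest of the permit grants access under constraints it cannot apply. The request_metadata.proto comment already relies on "PEPs correctly reject decisions that they cannot enforce", so state the rule on the permit side where it binds: `// A PEP that does not recognize an asserted feature must treat the permit as a denial.` Since EnforcementFeature is a proto3 enum, an unknown value arrives as an out-of-range integer rather than an error, so PEP code has to check for this explicitly; the comment should say that too.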
@@ -0,0 +1,44 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for evaluation requests.
+message RequestMetadata {
+ // FeatureAssertions is a list of DecisionFeature that the PDP (Policy
+ // Decision Point) *must* implement in order to correctly evaluate the
+ // decision request. Note that changes that require new features in the PDP in
+ // order for it to understand a decision request are rare and should be
+ // avoided if possible.
+ repeated DecisionFeature feature_assertions = 1;
+
+ // PepVersionHint is the *likely* version of the PEP that will enforce the
+ // decision. Not all decision requests can guarantee that the expected PEP
+ // (Policy Enforcement Point) version will actually be the version that ends
+ // up enforcing the decision. Hard compatibility requirements must be enforced
+ // via feature assertions so that PEPs can correctly reject decisions that
+ // they cannot enforce.
+ string pep_version_hint = 2;
+}
+
+// DecisionFeature represents supported PDP (Policy Decision Point) features.
+enum DecisionFeature {
+ // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // DecisionFeature. Asserting this feature has no effect.
+ DECISION_FEATURE_UNSPECIFIED = 0;
+}
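Review bot: `string pep_version_hint = 2;` has no stated format, so a PDP that wants to compare it cannot know whether to expect a Teleport semver string, a bare major version or something else, and the field is free-form on the wire. If it is meant to hold the same version string the PEP reports elsewhere, say so in the comment, e.g. `// Formatted as a Teleport version string; an empty value means unknown.` The paragraph already warns that the hint is not authoritative, which is good; a format sentence completes it.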
diff --git a/api/proto/teleport/decision/v1alpha1/resource.proto b/api/proto/teleport/decision/v1alpha1/resource.proto
new file mode 100644
index 0000000000000..25b1e970ae114
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/resource.proto
@@ -0,0 +1,37 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Resource is the conventional reference type used to refer to the "object" of
+// an action that is being considered for an authorization decision. For
+// example, a call to EvaluateSSHAccess would use the Resource type to reference
+// the ssh node being accessed.
+message Resource {
+ // Kind is the type of the resource. Required for requests that support
+ // multiple types, otherwise safe to omit.
+ string kind = 1;
+
+ // SubKind is the subtype of the resource. Usually not required as most
+ // resources don't have subkinds, or their subkinds do not have an effect on
+ // authorization decisions.
+ string sub_kind = 2;
+
+ // Name is the unique name of the resource.
+ string name = 3;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
new file mode 100644
index 0000000000000..df2685c529db5
--- /dev/null
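Review bot: `// Name is the unique name of the resource.` does not say within which scope the name is unique, and Resource carries no cluster name while ResourceId in tls_identity.proto does, presumably because names only identify a resource together with a kind and a cluster. The PDP will be matching this name against allowed_resource_ids and role rules, so an ambiguous scope is an authorization question rather than a wording one; state it, e.g. `// Name is the name of the resource, unique within its kind in the cluster evaluating the decision.` If the omission of cluster_name is deliberate because decisions are always evaluated in the resource's own cluster, the message comment is the place to say so.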
+++ b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
@@ -0,0 +1,75 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/duration.proto";
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
+import "teleport/decision/v1alpha1/resource.proto";
+import "teleport/decision/v1alpha1/ssh_identity.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EvaluateSSHAccessRequest describes a request to evaluate whether or not a
+// given ssh access attempt should be permitted.
+message EvaluateSSHAccessRequest {
+ // Metadata holds common authorization decision request fields.
+ RequestMetadata metadata = 1;
+
+ // User describes the teleport user requesting access.
+ SSHIdentity ssh_identity = 2;
+
+ // Node references the target node the user is attempting to access.
+ Resource node = 3;
+}
+
+// EvaluateSSHAccessResponse describes the result of an SSH access evaluation.
+message EvaluateSSHAccessResponse {
+ oneof decision {
+ SSHAccessPermit permit = 1;
+ SSHAccessDenial denial = 2;
+ }
+}
+
+// SSHAccessPermit describes the parameters/constraints of a permissible SSH
+// access attempt.
+message SSHAccessPermit {
+ PermitMetadata metadata = 1;
+ repeated string logins = 2;
+ bool forward_agent = 3;
+ google.protobuf.Duration max_session_ttl = 4;
+ bool port_forwarding = 5;
+ int64 client_idle_timeout = 6;
+ bool disconnect_expired_cert = 7;
+ repeated string bpf = 8;
+ bool x11_forwarding = 9;
+ int64 max_connections = 10;
+ int64 max_sessions = 11;
+ string lock = 12;
+ bool create_host_user = 13;
+ bool ssh_file_copy = 14;
+ string create_host_user_mode = 15;
+ string create_host_user_shell = 16;
+ repeated string host_groups = 17;
+ repeated string host_sudoers = 18;
+}
+
+// SSHAccessDenial describes an SSH access denial.
+message SSHAccessDenial {
+ DenialMetadata metadata = 1;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
new file mode 100644
index 0000000000000..01f4ea2af2d58
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -0,0 +1,24 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// SSHIdentity is the identity used for SSH connections.
+message SSHIdentity {
+ // TBD
+}
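Review bot: SSHAccessPermit's eighteen fields carry no comments at all, while every field of TLSIdentity in tls_identity.proto is documented; a PEP author reading `lock`, `bpf` or `create_host_user_mode` cannot tell from this file what values are legal or what enforcing them means, and these are exactly the values the node will apply as session constraints, so each field needs at least a one-line comment. `int64 client_idle_timeout = 6;` sits next to `google.protobuf.Duration max_session_ttl = 4;` with no unit stated for the integer; unless a unit is documented, use Duration for both so a PEP cannot misread nanoseconds as seconds. In EvaluateSSHAccessRequest the comment `// User describes the teleport user requesting access.` names a field that does not exist; `// SshIdentity describes the identity of the user requesting access.` matches the field name that follows it.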
diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
new file mode 100644
index 0000000000000..4e36f3c8d380a
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
@@ -0,0 +1,249 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/timestamp.proto";
+import "teleport/trait/v1/trait.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// TLSIdentity is the identity used for TLS connections.
+// Must be kept in sync with tlsca.Identity.
+message TLSIdentity {
+ // Username is the name of the user (for end-users/bots) or the Host ID (for
+ // Teleport processes).
+ string username = 1;
+
+ // Impersonator is a username of a user impersonating this user.
+ string impersonator = 2;
+
+ // Groups is a list of groups (Teleport roles) encoded in the identity.
+ repeated string groups = 3;
+
+ // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used in
+ // "multi-role" certificates. Single-role certificates encode the system role
+ // in `Groups` for back-compat reasons.
+ repeated string system_roles = 4;
+
+ // Usage is a list of usage restrictions encoded in the identity.
+ repeated string usage = 5;
+
+ // Principals is a list of Unix logins allowed.
+ repeated string principals = 6;
+
+ // KubernetesGroups is a list of Kubernetes groups allowed.
+ repeated string kubernetes_groups = 7;
+
+ // KubernetesUsers is a list of Kubernetes users allowed.
+ repeated string kubernetes_users = 8;
+
+ // Expires specifies whenever the session will expire.
+ google.protobuf.Timestamp expires = 9;
+
+ // RouteToCluster specifies the target cluster.
+ string route_to_cluster = 10;
+
+ // KubernetesCluster specifies the target kubernetes cluster for TLS
+ // identities. This can be empty on older Teleport clients.
+ string kubernetes_cluster = 11;
+
+ // Traits hold claim data used to populate a role at runtime.
+ repeated teleport.trait.v1.Trait traits = 12;
+
+ // RouteToApp holds routing information for applications. Routing metadata
+ // allows Teleport web proxy to route HTTP requests to the appropriate cluster
+ // and Teleport application proxy within the cluster.
+ RouteToApp route_to_app = 13;
+
+ // TeleportCluster is the name of the teleport cluster that this identity
+ // originated from. For TLS certs this may not be the same as cert issuer, in
+ // case of multi-hop requests that originate from a remote cluster.
+ string teleport_cluster = 14;
+
+ // RouteToDatabase contains routing information for databases.
+ RouteToDatabase route_to_database = 15;
+
+ // DatabaseNames is a list of allowed database names.
+ repeated string database_names = 16;
+
+ // DatabaseUsers is a list of allowed database users.
+ repeated string database_users = 17;
+
+ // MfaVerified is the UUID of an MFA device when this Identity was
+ // confirmed immediately after an MFA check.
+ string mfa_verified = 18;
+
+ // PreviousIdentityExpires is the expiry time of the identity/cert that this
+ // identity/cert was derived from. It is used to determine a session's hard
+ // deadline in cases where both require_session_mfa and
+ // disconnect_expired_cert are enabled.
+ // See https://github.com/gravitational/teleport/issues/18544.
+ google.protobuf.Timestamp previous_identity_expires = 19;
+
+ // LoginIp is an observed IP of the client that this Identity represents.
+ string login_ip = 20;
+
+ // PinnedIp is an IP the certificate is pinned to.
+ string pinned_ip = 21;
+
+ // AwsRoleArns is a list of allowed AWS role ARNs user can assume.
+ repeated string aws_role_arns = 22;
+
+ // AzureIdentities is a list of allowed Azure identities user can assume.
+ repeated string azure_identities = 23;
+
+ // GcpServiceAccounts is a list of allowed GCP service accounts that the user
+ // can assume.
+ repeated string gcp_service_accounts = 24;
+
+ // ActiveRequests is a list of UUIDs of active requests for this Identity.
+ repeated string active_requests = 25;
+
+ // DisallowReissue is a flag that, if set, instructs the auth server to deny
+ // any attempts to reissue new certificates while authenticated with this
+ // certificate.
+ bool disallow_reissue = 26;
+
+ // Renewable indicates that this identity is allowed to renew it's own
+ // credentials. This is only enabled for certificate renewal bots.
+ bool renewable = 27;
+
+ // Generation counts the number of times this certificate has been renewed.
+ uint64 generation = 28;
+
+ // BotName indicates the name of the Machine ID bot this identity was issued
+ // to, if any.
+ string bot_name = 29;
+
+ // BotInstanceId is a unique identifier for Machine ID bots that is persisted
+ // through renewals.
+ string bot_instance_id = 30;
+
+ // AllowedResourceIds lists the resources the identity should be allowed to
+ // access.
+ repeated ResourceId allowed_resource_ids = 31;
+
+ // PrivateKeyPolicy is the private key policy supported by this identity.
+ string private_key_policy = 32;
+
+ // ConnectionDiagnosticId is used to add connection diagnostic messages when
+ // Testing a Connection.
+ string connection_diagnostic_id = 33;
+
+ // DeviceExtensions holds device-aware extensions for the identity.
+ DeviceExtensions device_extensions = 34;
+
+ // UserType indicates if the User was created by an SSO Provider or locally.
+ string user_type = 35;
+}
+
+// RouteToApp holds routing information for applications.
+message RouteToApp {
+ // SessionId is an ID used to identify application sessions created by this
+ // certificate.
+ string session_id = 1;
+
+ // PublicAddr (and ClusterName) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string public_addr = 2;
+
+ // ClusterName (and PublicAddr) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string cluster_name = 3;
+
+ // Name is the app name.
+ string name = 4;
+
+ // AwsRoleArn is the AWS role to assume when accessing AWS console.
+ string aws_role_arn = 5;
+
+ // AzureIdentity is the Azure identity to assume when accessing Azure API.
+ string azure_identity = 6;
+
+ // GcpServiceAccount is the GCP service account to assume when accessing GCP
+ // API.
+ string gcp_service_account = 7;
+
+ // Uri is the URI of the app. This is the internal endpoint where the
+ // application is running and isn't user-facing.
+ string uri = 8;
+
+ // TargetPort is the port to which connections should be routed to. Used only
+ // for multi-port TCP apps. It is appended to the hostname from the URI in the
+ // app spec, since the URI from RouteToApp is not used as the source of truth
+ // for routing.
+ int32 target_port = 9;
+}
+
+// RouteToDatabase contains routing information for databases.
+message RouteToDatabase {
+ // ServiceName is the name of the Teleport database proxy service to route
+ // requests to.
+ string service_name = 1;
+
+ // Protocol is the database protocol.
+ //
+ // It is embedded in identity so clients can understand what type of database
+ // this is without contacting server.
+ string protocol = 2;
+
+ // Username is an optional database username to serve as a default username to
+ // connect as.
+ string username = 3;
+
+ // Database is an optional database name to serve as a default database to
+ // connect to.
+ string database = 4;
+
+ // Roles is an optional list of database roles to use for a database session.
+ // This list should be a subset of allowed database roles. If not specified,
+ // Database Service will use all allowed database roles for this database.
+ repeated string roles = 5;
+}
+
+// ResourceId is a unique identifier for a teleport resource.
+// Must be kept in sync with types.ResourceID.
+message ResourceId {
+ // ClusterName is the name of the cluster the resource is in.
+ string cluster_name = 1;
+
+ // Kind is the resource kind.
+ string kind = 2;
+
+ // Name is the name of the specific resource.
+ string name = 3;
+
+ // SubResourceName is the resource belonging to resource identified by "Name"
+ // that the user is allowed to access to. When granting access to a
+ // subresource, access to other resources is limited. Currently it just
+ // supports resources of Kind=pod and the format is the following
+ // "/".
+ string sub_resource_name = 4;
+}
+
+// DeviceExtensions holds device-aware extensions for the identity.
+message DeviceExtensions {
+ // DeviceId is the trusted device identifier.
+ string device_id = 1;
+
+ // AssetTag is the device inventory identifier.
+ string asset_tag = 2;
+
+ // CredentialId is the identifier for the credential used by the device to
+ // authenticate itself.
+ string credential_id = 3;
+}
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 42b6852923223..f89b6aca16cf7 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
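Review bot: The SubResourceName comment ends with `// "/".` as the example format, which carries no information as written; the surrounding sentence refers to Kind=pod sub-resources, so the two placeholder names around the slash were most likely lost somewhere between the source and this listing, and if the committed file really reads this way the placeholders should be spelled out in words (namespace and name) so they survive any angle-bracket stripping. Two wording fixes in TLSIdentity: `// Renewable indicates that this identity is allowed to renew it's own` should read "its own", and `// Expires specifies whenever the session will expire.` should read "when the session will expire". The `PrivateKeyPolicy`, `UserType` and `Usage` fields are free-form strings whose legal values are defined by tlsca.Identity elsewhere; a pointer in each comment to where those values are enumerated would save PEP implementers from guessing.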
@@ -2820,6 +2820,7 @@ message RequestKubernetesResource { } // ResourceID is a unique identifier for a teleport resource. +// Must be kept in sync with teleport.decision.v1alpha1.ResourceId. message ResourceID { // ClusterName is the name of the cluster the resource is in. string ClusterName = 1 [(gogoproto.jsontag) = "cluster"]; diff --git a/api/types/types.pb.go b/api/types/types.pb.go index 5a5743a778c11..bede358a5c6e9 100644 --- a/api/types/types.pb.go +++ b/api/types/types.pb.go @@ -7831,6 +7831,7 @@ func (m *RequestKubernetesResource) XXX_DiscardUnknown() { var xxx_messageInfo_RequestKubernetesResource proto.InternalMessageInfo // ResourceID is a unique identifier for a teleport resource. +// Must be kept in sync with teleport.decision.v1alpha1.ResourceId. type ResourceID struct { // ClusterName is the name of the cluster the resource is in. ClusterName string `protobuf:"bytes,1,opt,name=ClusterName,proto3" json:"cluster"` diff --git a/buf.yaml b/buf.yaml index bd4efff817af3..8f01bbe2dea21 100644 --- a/buf.yaml +++ b/buf.yaml @@ -81,6 +81,9 @@ breaking: - WIRE_JSON except: - FIELD_SAME_DEFAULT + ignore: + # TODO(codingllama): Remove ignore once the PDP API is stable. + - api/proto/teleport/decision/v1alpha1 ignore_only: RESERVED_ENUM_NO_DELETE: - api/proto/teleport/legacy/types/types.proto diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go index 1ad08b5d1d64e..de002163584ea 100644 --- a/lib/tlsca/ca.go +++ b/lib/tlsca/ca.go @@ -110,8 +110,10 @@ type CertAuthority struct { } // Identity is an identity of the user or service, e.g. Proxy or Node +// Must be kept in sync with teleport.decision.v1alpha1.TLSIdentity. type Identity struct { - // Username is a username or name of the node connection + // Username is the name of the user (for end-users/bots) or the Host ID (for + // Teleport processes). Username string // Impersonator is a username of a user impersonating this user Impersonator string
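Review bot: The added `// Must be kept in sync with teleport.decision.v1alpha1.TLSIdentity.` on tlsca.Identity documents a requirement nothing enforces; tlsca.Identity is presumably what gets encoded into certificates, so a field added there but not to TLSIdentity means the PDP decides on an identity with that attribute silently missing, which is the kind of drift a comment will not catch. A small test that compares the exported field names of tlsca.Identity and decisionpb.TLSIdentity via reflection, with an explicit allow-list for the few intentional differences, would turn the comment into a check; the same applies to the types.ResourceID and ResourceId pair annotated in this commit. The Identity struct continues outside the hunk, so I cannot see whether any field already lacks a counterpart.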