From f8662035aadff9131f88b600b5d85e6aaa8dbe84 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 5 Dec 2024 16:27:44 -0300
Subject: [PATCH 01/20] Clone protos from fspmarshall/pdp-work-02
---
 .../decision/v1alpha1/database_access.proto | 54 ++++
 .../decision/v1alpha1/decision_service.proto | 39 +++
 .../teleport/decision/v1alpha1/identity.proto | 249 ++++++++++++++++++
 .../teleport/decision/v1alpha1/metadata.proto | 70 +++++
 .../teleport/decision/v1alpha1/resource.proto | 36 +++
 .../decision/v1alpha1/ssh_access.proto | 94 +++++++
 6 files changed, 542 insertions(+)
 create mode 100644 api/proto/teleport/decision/v1alpha1/database_access.proto
 create mode 100644 api/proto/teleport/decision/v1alpha1/decision_service.proto
 create mode 100644 api/proto/teleport/decision/v1alpha1/identity.proto
 create mode 100644 api/proto/teleport/decision/v1alpha1/metadata.proto
 create mode 100644 api/proto/teleport/decision/v1alpha1/resource.proto
 create mode 100644 api/proto/teleport/decision/v1alpha1/ssh_access.proto
diff --git a/api/proto/teleport/decision/v1alpha1/database_access.proto b/api/proto/teleport/decision/v1alpha1/database_access.proto
new file mode 100644
index 0000000000000..47e2ac271a6a5
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/database_access.proto
@@ -0,0 +1,54 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/identity.proto";
+import "teleport/decision/v1alpha1/metadata.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+
+// EvaluateDatabaseAccessRequest describes a request to evaluate wether or not a given
+// database access attempt should be permitted.
+message EvaluateDatabaseAccessRequest {
+ RequestMetadata metadata = 1;
+
+ Identity identity = 2;
+
+ // TODO
+}
+
+// EvaluateDatabaseAccessResponse describes the result of a database access evaluation.
+message EvaluateDatabaseAccessResponse {
+ oneof result {
+ DatabaseAccessPermit permit = 1;
+ DatabaseAccessDenial denial = 2;
+ }
+}
+
+// DatabaseAccessPermit describes the parameters/constraints of a permissible database access attempt.
+message DatabaseAccessPermit {
+ PermitMetadata metadata = 1;
+
+ // TODO
+}
+
+// DatabaseAccessDenial describes the details of a database access denial.
+message DatabaseAccessDenial {
+ DenialMetadata metadata = 1;
+
+ // TODO
+}
diff --git a/api/proto/teleport/decision/v1alpha1/decision_service.proto b/api/proto/teleport/decision/v1alpha1/decision_service.proto
new file mode 100644
index 0000000000000..905f46a3ce45c
--- /dev/null
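Review bot: `EvaluateDatabaseAccessResponse` names its oneof `result` while `EvaluateSSHAccessResponse` in ssh_access.proto from the same commit names the equivalent oneof `decision`, so the generated accessors (`GetResult()` vs `GetDecision()`) differ between the two evaluate RPCs for no reason; pick one name for both, e.g. `oneof decision {`, while the package is still v1alpha1. The `metadata` and `identity` fields of `EvaluateDatabaseAccessRequest` also carry no leading comments, unlike their counterparts in `EvaluateSSHAccessRequest`; suggest `// Metadata holds common authorization decision request fields.` and `// Identity describes the teleport user requesting database access.` The message comment's `wether` should read `whether`.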
+++ b/api/proto/teleport/decision/v1alpha1/decision_service.proto
@@ -0,0 +1,39 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/database_access.proto";
+import "teleport/decision/v1alpha1/ssh_access.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+
+// DecisionService performs authorization decisions for Teleport.
+//
+// DecisionService acts the PDP (Policy Decision Point) for Teleport
+// services, whereas the services themselves act as the PEP (Policy Enforcement
+// Point). In other words, it calculates the outcome of an authorization request
+// but does not enforce it - each Teleport service must do so.
+//
+// Decision responses carry all the data necessary for the enforcement of a
+// decision.
+service DecisionService {
+ // EvaluateSSHAccess decides wether or not to permit an SSH access attempt.
+ rpc EvaluateSSHAccess(EvaluateSSHAccessRequest) returns (EvaluateSSHAccessResponse);
+
+ // EvaluateDatabaseAccess decides wether or not to permit a database access attempt.
+ rpc EvaluateDatabaseAccess(EvaluateDatabaseAccessRequest) returns (EvaluateDatabaseAccessResponse);
+}
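Review bot: The `DecisionService` comment says responses carry everything needed to enforce a decision but is silent on what a PEP does when no response arrives (transport error, `Unimplemented`, PDP unavailable); for an authorization service that is the fail-closed boundary, so if that is the intended contract a sentence such as `// PEPs must treat any failure to obtain a response as a denial.` belongs in this comment rather than in each caller. Minor wording: `acts the PDP` should read `acts as the PDP`, and `wether` in both RPC comments should be `whether`.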
diff --git a/api/proto/teleport/decision/v1alpha1/identity.proto b/api/proto/teleport/decision/v1alpha1/identity.proto
new file mode 100644
index 0000000000000..293c507c657a1
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/identity.proto
@@ -0,0 +1,249 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+
+// Trait encodes a single key-values pair from a user's traits.
+message Trait {
+ // name is the "key" of the trait.
+ string name = 1;
+ // values is the list of values the trait name maps to.
+ repeated string values = 2;
+}
+
+// RouteToApp holds routing information for applications.
+message RouteToApp {
+ // SessionID is an ID used to identify application sessions created by
+ // this certificate.
+ string session_id = 1;
+
+ // PublicAddr (and ClusterName) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string public_addr = 2;
+
+ // ClusterName (and PublicAddr) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string cluster_name = 3;
+
+ // Name is the app name.
+ string name = 4;
+
+ // AWSRoleARN is the AWS role to assume when accessing AWS console.
+ string aws_role_arn = 5;
+
+ // AzureIdentity is the Azure identity to assume when accessing Azure API.
+ string azure_identity = 6;
+
+ // GCPServiceAccount is the GCP service account to assume when accessing GCP API.
+ string gcp_service_account = 7;
+
+ // URI is the URI of the app. This is the internal endpoint where the application is running and isn't user-facing.
+ string uri = 8;
+}
+
+// RouteToDatabase contains routing information for databases.
+message RouteToDatabase {
+ // ServiceName is the name of the Teleport database proxy service
+ // to route requests to.
+ string service_name = 1;
+
+ // Protocol is the database protocol.
+ //
+ // It is embedded in identity so clients can understand what type
+ // of database this is without contacting server.
+ string protocol = 2;
+
+ // Username is an optional database username to serve as a default
+ // username to connect as.
+ string username = 3;
+
+ // Database is an optional database name to serve as a default
+ // database to connect to.
+ string database = 4;
+
+ // Roles is an optional list of database roles to use for a database
+ // session.
+ // This list should be a subset of allowed database roles. If not
+ // specified, Database Service will use all allowed database roles for this
+ // database.
+ repeated string roles = 5;
+}
+
+// ResourceID is a unique identifier for a teleport resource.
+message ResourceID {
+ // ClusterName is the name of the cluster the resource is in.
+ string cluster_name = 1;
+
+ // Kind is the resource kind.
+ string kind = 2;
+
+ // Name is the name of the specific resource.
+ string name = 3;
+
+ // SubResourceName is the resource belonging to resource identified by "Name"
+ // that the user is allowed to access to.
+ // When granting access to a subresource, access to other resources is limited.
+ // Currently it just supports resources of Kind=pod and the format is the following
+ // "/".
+ string sub_resource_name = 4;
+}
+
+// DeviceExtensions holds device-aware extensions for the identity.
+message DeviceExtensions {
+ // DeviceID is the trusted device identifier.
+ string device_id = 1;
+
+ // AssetTag is the device inventory identifier.
+ string asset_tag = 2;
+
+ // CredentialID is the identifier for the credential used by the device to
+ // authenticate itself.
+ string credential_id = 3;
+}
+
+// Identity is an identity of the user or service, e.g. Proxy or Node
+message Identity {
+ // Username is a username or name of the node connection
+ string username = 1;
+
+ // Impersonator is a username of a user impersonating this user
+ string impersonator = 2;
+
+ // Groups is a list of groups (Teleport roles) encoded in the identity
+ repeated string groups = 3;
+
+ // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
+ // in "multi-role" certificates. Single-role certificates encode the system role
+ // in `Groups` for back-compat reasons.
+ repeated string system_roles = 4;
+
+ // Usage is a list of usage restrictions encoded in the identity
+ repeated string usage = 5;
+
+ // Principals is a list of Unix logins allowed.
+ repeated string principals = 6;
+
+ // KubernetesGroups is a list of Kubernetes groups allowed
+ repeated string kubernetes_groups = 7;
+
+ // KubernetesUsers is a list of Kubernetes users allowed
+ repeated string kubernetes_users = 8;
+
+ // Expires specifies whenever the session will expire
+ google.protobuf.Timestamp expires = 9;
+
+ // RouteToCluster specifies the target cluster
+ string route_to_cluster = 10;
+
+ // KubernetesCluster specifies the target kubernetes cluster for TLS
+ // identities. This can be empty on older Teleport clients.
+ string kubernetes_cluster = 11;
+
+ // Traits hold claim data used to populate a role at runtime.
+ repeated Trait traits = 12;
+
+ // RouteToApp holds routing information for applications. Routing metadata
+ // allows Teleport web proxy to route HTTP requests to the appropriate
+ // cluster and Teleport application proxy within the cluster.
+ RouteToApp route_to_app = 13;
+
+ // TeleportCluster is the name of the teleport cluster that this identity
+ // originated from. For TLS certs this may not be the same as cert issuer,
+ // in case of multi-hop requests that originate from a remote cluster.
+ string teleport_cluster = 14;
+
+ // RouteToDatabase contains routing information for databases.
+ RouteToDatabase route_to_database = 15;
+
+ // DatabaseNames is a list of allowed database names.
+ repeated string database_names = 16;
+
+ // DatabaseUsers is a list of allowed database users.
+ repeated string database_users = 17;
+
+ // MFAVerified is the UUID of an MFA device when this Identity was
+ // confirmed immediately after an MFA check.
+ string mfa_verified = 18;
+
+ // PreviousIdentityExpires is the expiry time of the identity/cert that this
+ // identity/cert was derived from. It is used to determine a session's hard
+ // deadline in cases where both require_session_mfa and disconnect_expired_cert
+ // are enabled. See https://github.com/gravitational/teleport/issues/18544.
+ google.protobuf.Timestamp previous_identity_expires = 19;
+
+ // LoginIP is an observed IP of the client that this Identity represents.
+ string login_ip = 20;
+
+ // PinnedIP is an IP the certificate is pinned to.
+ string pinned_ip = 21;
+
+ // AWSRoleARNs is a list of allowed AWS role ARNs user can assume.
+ repeated string aws_role_arns = 22;
+
+ // AzureIdentities is a list of allowed Azure identities user can assume.
+ repeated string azure_identities = 23;
+
+ // GCPServiceAccounts is a list of allowed GCP service accounts that the user can assume.
+ repeated string gcp_service_accounts = 24;
+
+ // ActiveRequests is a list of UUIDs of active requests for this Identity.
+ repeated string active_requests = 25;
+
+ // DisallowReissue is a flag that, if set, instructs the auth server to
+ // deny any attempts to reissue new certificates while authenticated with
+ // this certificate.
+ bool disallow_reissue = 26;
+
+ // Renewable indicates that this identity is allowed to renew it's
+ // own credentials. This is only enabled for certificate renewal bots.
+ bool renewable = 27;
+
+ // Generation counts the number of times this certificate has been renewed.
+ uint64 generation = 28;
+
+ // BotName indicates the name of the Machine ID bot this identity was issued
+ // to, if any.
+ string bot_name = 29;
+
+ // BotInstanceID is a unique identifier for Machine ID bots that is
+ // persisted through renewals.
+ string bot_instance_id = 30;
+
+ // AllowedResourceIDs lists the resources the identity should be allowed to
+ // access.
+ repeated ResourceID allowed_resource_ids = 31;
+
+ // PrivateKeyPolicy is the private key policy supported by this identity.
+ string private_key_policy = 32;
+
+ // ConnectionDiagnosticID is used to add connection diagnostic messages when Testing a Connection.
+ string connection_diagnostic_id = 33;
+
+ // DeviceExtensions holds device-aware extensions for the identity.
+ DeviceExtensions device_extensions = 34;
+
+ // UserType indicates if the User was created by an SSO Provider or locally.
+ string user_type = 35;
+}
+
+// SSHIdentity is the identity used for SSH connections.
+message SSHIdentity {
+ // TODO
+}
diff --git a/api/proto/teleport/decision/v1alpha1/metadata.proto b/api/proto/teleport/decision/v1alpha1/metadata.proto
new file mode 100644
index 0000000000000..1576d8a8cc209
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/metadata.proto
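Review bot: The `sub_resource_name` comment in `ResourceID` ends with the format `"/"`, which reads as if angle-bracketed placeholders were lost when the text was copied; the comment should spell out the two components (namespace and pod name) so the format is recoverable from this file alone. Throughout the file the leading comments use Go-style names (`SessionID`, `PublicAddr`, `MFAVerified`) rather than the proto field names (`session_id`, `public_addr`, `mfa_verified`) that protoc attaches them to and that non-Go generated code will show; `Trait` already follows the proto convention (`// name is the "key" of the trait.`) and the rest of the file should match it. While touching the comments: `renew it's own credentials` → `renew its own credentials`, and `Expires specifies whenever the session will expire` → `Expires specifies when the session will expire`.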
@@ -0,0 +1,70 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+
+// Metadata common for authorization decision request operations.
+message RequestMetadata {
+ // FeatureAssertions is a list of DecisionFeature that the PDP *must* implement in order to correctly
+ // evaluate the decision request. Note that changes that require new features in the PDP in order for
+ // it to understand a decision request are rare and should be avoided if possible.
+ repeated DecisionFeature feature_assertions = 1;
+
+ // PepVersionHint is the *likely* version of the PEP that will enforce the decision. Not all decision
+ // requests can guarantee that the expected PEP version will actually be the version that ends up enforcing
+ // the decision. Hard compatibility requirements must be enforced via feature assertions so that PEPs can
+ // correctly reject decisions that they cannot enforce.
+ string pep_version_hint = 2;
+}
+
+// Metadata common for access permits.
+message PermitMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP *must* implement in order to correctly
+ // enforce the decision. Note that where possible new features should be structured to "fail safe" rather
+ // than relying on feature assertions.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP that evaluated the decision request.
+ string pdp_version = 2;
+}
+
+// Metadata common for access denials.
+message DenialMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP *must* implement in order to correctly
+ // enforce the decision. Note that denials rarely need feature assertions since they typically "fail safe"
+ // anyway.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP that evaluated the decision request.
+ string pdp_version = 2;
+
+ // UserMessage is a sanitized message safe for return to the subject identity of the decision request.
+ string user_message = 3;
+}
+
+// DecisionFeature is an enum representing PDP features.
+enum DecisionFeature {
+ // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for DecisionFeature. Asserting this feature has no effect.
+ DECISION_FEATURE_UNSPECIFIED = 0;
+}
+
+// EnforcementFeature is the enum representing PEP features.
+enum EnforcementFeature {
+ // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for EnforcementFeature. Asserting this feature has no effect.
+ ENFORCEMENT_FEATURE_UNSPECIFIED = 0;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/resource.proto b/api/proto/teleport/decision/v1alpha1/resource.proto
new file mode 100644
index 0000000000000..e420bd7d0f711
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/resource.proto
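Review bot: `PermitMetadata.feature_assertions` depends on the PEP rejecting permits it cannot enforce, but proto3 preserves unrecognized enum values as raw integers, so a PEP built against an older `EnforcementFeature` will receive a value it has no name for and nothing here says what it must do with it; the comment should make the handling explicit, e.g. `// A PEP that does not recognize every asserted value MUST refuse to enforce the permit.` The same gap exists on `DenialMetadata.feature_assertions` and, for the PDP side, on `RequestMetadata.feature_assertions`. `DenialMetadata.user_message` is declared sanitized without saying who sanitizes it; stating that the PDP is responsible for keeping policy internals out of it, and that a PEP may relay it verbatim but must not append its own detail, would pin that contract to the field.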
@@ -0,0 +1,36 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+
+// Resource is the conventional reference type used to refer to the "object" of an action that is
+// being considered for an authorization decision. For example, a call to EvaluateSSHAccess
+// would use the Resource type to reference the ssh node being accessed.
+message Resource {
+ // Kind is the type of the resource. Wether or not this field is required depends on
+ // wether the request is for a method that supports multiple types. Typically safe to omit.
+ string kind = 1;
+
+ // SubKind is the subtype of the resource. This is usually not required as most resource
+ // types either don't have subkinds, or their subkinds do not have an effect on authorization
+ // decisions.
+ string sub_kind = 2;
+
+ // Name is the unique name of the resource. This is usually required.
+ string name = 3;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
new file mode 100644
index 0000000000000..096a472463013
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
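Review bot: `Wether`/`wether` in the `kind` comment should be `Whether`/`whether`. Unlike `ResourceID` in identity.proto from this same commit, `Resource` carries no `cluster_name`, so `name` is unqualified when a request crosses a trusted-cluster boundary; if that is deliberate because the evaluating PDP is always the one owning the resource, a sentence saying so in the `Resource` comment would stop the two reference types from drifting apart later.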
@@ -0,0 +1,94 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "google/protobuf/duration.proto";
+import "teleport/decision/v1alpha1/identity.proto";
+import "teleport/decision/v1alpha1/metadata.proto";
+import "teleport/decision/v1alpha1/resource.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+
+// EvaluateSSHAccessRequest describes a request to evaluate wether or not a given
+// ssh access attempt should be permitted.
+message EvaluateSSHAccessRequest {
+ // Metadata holds common authorization decision request fields.
+ RequestMetadata metadata = 1;
+
+ // User describes the teleport user requesting access.
+ SSHIdentity user = 2;
+
+ // Node references the target node the user is attempting to access.
+ Resource node = 3;
+
+ // Login is the host login associated with the access attempt.
+ string login = 4;
+}
+
+// EvaluateSSHAccessResponse describes the result of an SSH access evaluation.
+message EvaluateSSHAccessResponse {
+ oneof decision {
+ SSHAccessPermit permit = 1;
+ SSHAccessDenial denial = 2;
+ }
+}
+
+// SSHAccessPermit describes the parameters/constraints of a permissible SSH access attempt.
+message SSHAccessPermit {
+ PermitMetadata metadata = 1;
+
+ repeated string logins = 2;
+
+ bool forward_agent = 3;
+
+ google.protobuf.Duration max_session_ttl = 4;
+
+ bool port_forwarding = 5;
+
+ int64 client_idle_timeout = 6;
+
+ bool disconnect_expired_cert = 7;
+
+ repeated string bpf = 8;
+
+ bool x11_forwarding = 9;
+
+ int64 max_connections = 10;
+
+ int64 max_sessions = 11;
+
+ string lock = 12;
+
+ bool create_host_user = 13;
+
+ bool ssh_file_copy = 14;
+
+ string create_host_user_mode = 15;
+
+ string create_host_user_shell = 16;
+
+ repeated string host_groups = 17;
+
+ repeated string host_sudoers = 18;
+
+ // TODO(fspmarshall) more stuff here...
+}
+
+// SSHAccessDenial describes the details of an SSH access denial.
+message SSHAccessDenial {
+ DenialMetadata metadata = 1;
+}
From 5c5ef3e0119ffb281a1d9031290ff59a3c04952d Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 5 Dec 2024 17:13:16 -0300
Subject: [PATCH 02/20] Use decisionpb as the Go package alias
---
 api/proto/teleport/decision/v1alpha1/database_access.proto | 2 +-
 api/proto/teleport/decision/v1alpha1/decision_service.proto | 2 +-
 api/proto/teleport/decision/v1alpha1/identity.proto | 2 +-
 api/proto/teleport/decision/v1alpha1/metadata.proto | 2 +-
 api/proto/teleport/decision/v1alpha1/resource.proto | 2 +-
 api/proto/teleport/decision/v1alpha1/ssh_access.proto | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/api/proto/teleport/decision/v1alpha1/database_access.proto b/api/proto/teleport/decision/v1alpha1/database_access.proto
index 47e2ac271a6a5..55d22a886de79 100644
--- a/api/proto/teleport/decision/v1alpha1/database_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/database_access.proto
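Review bot: `SSHAccessPermit` is the contract the node enforces, yet fields 2 through 18 carry no comments, and `int64 client_idle_timeout = 6;` states no unit while the neighbouring `max_session_ttl` is a `google.protobuf.Duration`; duration.proto is already imported, so `google.protobuf.Duration client_idle_timeout = 6;` removes the ambiguity (if the integer must stay, put the unit in the name). `lock` and `create_host_user_mode` are free-form `string` fields whose accepted values appear nowhere in this file, so each needs a comment listing them and stating that an unrecognized value is treated as the most restrictive option. `logins` in the permit is a list while the request carries a single `login`; the comment should say whether the PEP must check the requested login against this list or whether the list is informational.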
@@ -19,7 +19,7 @@ package teleport.decision.v1alpha1;
 import "teleport/decision/v1alpha1/identity.proto";
 import "teleport/decision/v1alpha1/metadata.proto";
 
-option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // EvaluateDatabaseAccessRequest describes a request to evaluate wether or not a given
 // database access attempt should be permitted.
diff --git a/api/proto/teleport/decision/v1alpha1/decision_service.proto b/api/proto/teleport/decision/v1alpha1/decision_service.proto
index 905f46a3ce45c..026a9864a0f80 100644
--- a/api/proto/teleport/decision/v1alpha1/decision_service.proto
+++ b/api/proto/teleport/decision/v1alpha1/decision_service.proto
@@ -19,7 +19,7 @@ package teleport.decision.v1alpha1;
 import "teleport/decision/v1alpha1/database_access.proto";
 import "teleport/decision/v1alpha1/ssh_access.proto";
 
-option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // DecisionService performs authorization decisions for Teleport.
 //
diff --git a/api/proto/teleport/decision/v1alpha1/identity.proto b/api/proto/teleport/decision/v1alpha1/identity.proto
index 293c507c657a1..36501b6a45fd7 100644
--- a/api/proto/teleport/decision/v1alpha1/identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/identity.proto
@@ -18,7 +18,7 @@ package teleport.decision.v1alpha1;
 
 import "google/protobuf/timestamp.proto";
 
-option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // Trait encodes a single key-values pair from a user's traits.
 message Trait {
diff --git a/api/proto/teleport/decision/v1alpha1/metadata.proto b/api/proto/teleport/decision/v1alpha1/metadata.proto
index 1576d8a8cc209..0a5f568997222 100644
--- a/api/proto/teleport/decision/v1alpha1/metadata.proto
+++ b/api/proto/teleport/decision/v1alpha1/metadata.proto
@@ -16,7 +16,7 @@ syntax = "proto3";
 
 package teleport.decision.v1alpha1;
 
-option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // Metadata common for authorization decision request operations.
 message RequestMetadata {
diff --git a/api/proto/teleport/decision/v1alpha1/resource.proto b/api/proto/teleport/decision/v1alpha1/resource.proto
index e420bd7d0f711..a54dd154bbce6 100644
--- a/api/proto/teleport/decision/v1alpha1/resource.proto
+++ b/api/proto/teleport/decision/v1alpha1/resource.proto
@@ -16,7 +16,7 @@ syntax = "proto3";
 
 package teleport.decision.v1alpha1;
 
-option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // Resource is the conventional reference type used to refer to the "object" of an action that is
 // being considered for an authorization decision. For example, a call to EvaluateSSHAccess
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
index 096a472463013..f23bd09fe9eba 100644
--- a/api/proto/teleport/decision/v1alpha1/ssh_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
@@ -21,7 +21,7 @@ import "teleport/decision/v1alpha1/identity.proto";
 import "teleport/decision/v1alpha1/metadata.proto";
 import "teleport/decision/v1alpha1/resource.proto";
 
-option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionv1alpha1";
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // EvaluateSSHAccessRequest describes a request to evaluate wether or not a given
 // ssh access attempt should be permitted.
From ad5ce159545b926f2f505885e96c11fed0cf960a Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 5 Dec 2024 17:25:14 -0300
Subject: [PATCH 03/20] Update DecisionService docs
---
 .../decision/v1alpha1/decision_service.proto | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/api/proto/teleport/decision/v1alpha1/decision_service.proto b/api/proto/teleport/decision/v1alpha1/decision_service.proto
index 026a9864a0f80..b5f98c7d5e33e 100644
--- a/api/proto/teleport/decision/v1alpha1/decision_service.proto
+++ b/api/proto/teleport/decision/v1alpha1/decision_service.proto
@@ -23,17 +23,18 @@ option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport
 // DecisionService performs authorization decisions for Teleport.
 //
-// DecisionService acts the PDP (Policy Decision Point) for Teleport
-// services, whereas the services themselves act as the PEP (Policy Enforcement
-// Point). In other words, it calculates the outcome of an authorization request
-// but does not enforce it - each Teleport service must do so.
+// DecisionService acts the PDP (Policy Decision Point) for Teleport services,
+// whereas the services themselves act as the PEP (Policy Enforcement Point).
+// In other words, it calculates the outcome of an authorization request but
+// does not enforce it - each Teleport service must do so.
 //
-// Decision responses carry all the data necessary for the enforcement of a
-// decision.
+// Evaluation responses carry all the data necessary for the enforcement of a
+// decision. A successful evaluation carries a Permit, whereas a failed
+// evaluation carries a Denial.
 service DecisionService {
- // EvaluateSSHAccess decides wether or not to permit an SSH access attempt.
+ // EvaluateSSHAccess evaluates an SSH access attempt.
  rpc EvaluateSSHAccess(EvaluateSSHAccessRequest) returns (EvaluateSSHAccessResponse);
 
- // EvaluateDatabaseAccess decides wether or not to permit a database access attempt.
+ // EvaluateDatabaseAccess evaluate a database access attempt.
  rpc EvaluateDatabaseAccess(EvaluateDatabaseAccessRequest) returns (EvaluateDatabaseAccessResponse);
 }
From a8559459d71a21c6835cbeea97c90d054fc7cf9a Mon Sep 17 00:00:00 2001
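Review bot: `// EvaluateDatabaseAccess evaluate a database access attempt.` loses verb agreement; it should read `// EvaluateDatabaseAccess evaluates a database access attempt.` `acts the PDP` is carried over from the old text and still needs `as`: `// DecisionService acts as the PDP (Policy Decision Point) for Teleport services,`. `a failed evaluation carries a Denial` blurs a policy denial with an evaluation that could not complete; `an evaluation that denies access carries a Denial` keeps the two apart, which matters once PEPs have to decide how to treat RPC-level errors.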
From: Alan Parra
Date: Thu, 5 Dec 2024 17:38:55 -0300
Subject: [PATCH 04/20] Split identity protos into separate files
---
 .../decision/v1alpha1/database_access.proto | 4 +-
 .../decision/v1alpha1/ssh_access.proto | 4 +-
 .../decision/v1alpha1/ssh_identity.proto | 22 ++
 .../{identity.proto => tls_identity.proto} | 254 +++++++++---------
 4 files changed, 152 insertions(+), 132 deletions(-)
 create mode 100644 api/proto/teleport/decision/v1alpha1/ssh_identity.proto
 rename api/proto/teleport/decision/v1alpha1/{identity.proto => tls_identity.proto} (80%)
diff --git a/api/proto/teleport/decision/v1alpha1/database_access.proto b/api/proto/teleport/decision/v1alpha1/database_access.proto
index 55d22a886de79..3d7fa7a1a9ecb 100644
--- a/api/proto/teleport/decision/v1alpha1/database_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/database_access.proto
@@ -16,8 +16,8 @@ syntax = "proto3";
 
 package teleport.decision.v1alpha1;
 
-import "teleport/decision/v1alpha1/identity.proto";
 import "teleport/decision/v1alpha1/metadata.proto";
+import "teleport/decision/v1alpha1/tls_identity.proto";
 
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
@@ -26,7 +26,7 @@ option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport
 message EvaluateDatabaseAccessRequest {
  RequestMetadata metadata = 1;
 
- Identity identity = 2;
+ TLSIdentity identity = 2;
 
  // TODO
 }
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
index f23bd09fe9eba..da57dc3d81dc0 100644
--- a/api/proto/teleport/decision/v1alpha1/ssh_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
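Review bot: The second hunk changes the type to `TLSIdentity` but keeps the field name `identity`, while the ssh_access.proto hunk in this same commit renames the analogous field from `user` to `ssh_identity`; `TLSIdentity tls_identity = 2;` would match, and with the package still at v1alpha1 and no released consumers the rename is free now but source-breaking once the Go accessors are in use. The field is also still the only one in `EvaluateDatabaseAccessRequest` without a leading comment; `// TLSIdentity describes the teleport user requesting database access.`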
@@ -17,9 +17,9 @@ syntax = "proto3";
package teleport.decision.v1alpha1;
import "google/protobuf/duration.proto";
-import "teleport/decision/v1alpha1/identity.proto";
import "teleport/decision/v1alpha1/metadata.proto";
import "teleport/decision/v1alpha1/resource.proto";
+import "teleport/decision/v1alpha1/ssh_identity.proto";
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
@@ -30,7 +30,7 @@ message EvaluateSSHAccessRequest {
RequestMetadata metadata = 1;
// User describes the teleport user requesting access.
- SSHIdentity user = 2;
+ SSHIdentity ssh_identity = 2;
// Node references the target node the user is attempting to access.
Resource node = 3;
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto new file mode 100644
index 0000000000000..bca6fe31086e6
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -0,0 +1,22 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// SSHIdentity is the identity used for SSH connections.
+message SSHIdentity {}
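Review bot: The field in EvaluateSSHAccessRequest is renamed from `user` to `ssh_identity`, but the leading comment the hunk keeps as context still says `// User describes the teleport user requesting access.`, so protoc now attaches a comment naming a field that no longer exists. Change it in the same hunk to `// SSHIdentity describes the teleport user requesting access.` so the generated docs match the declared name. EvaluateSSHAccessRequest continues past the end of this hunk.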
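Review bot: `message SSHIdentity {}` in the new ssh_identity.proto is added with no fields and no placeholder marker, whereas the definition it replaces in identity.proto carried a `// TODO` inside the braces; a reader of the generated package cannot tell a deliberately empty type from a stub. Keeping a marker such as `// TODO: SSH-specific identity fields.` inside the message, or one sentence in the leading comment saying the fields are still to be defined, makes the intent explicit until the type is filled in.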
diff --git a/api/proto/teleport/decision/v1alpha1/identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto similarity index 80% rename from api/proto/teleport/decision/v1alpha1/identity.proto rename to api/proto/teleport/decision/v1alpha1/tls_identity.proto
index 36501b6a45fd7..2854c6d6c4aed 100644
--- a/api/proto/teleport/decision/v1alpha1/identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
@@ -20,136 +20,38 @@ import "google/protobuf/timestamp.proto";
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
-// Trait encodes a single key-values pair from a user's traits.
-message Trait {
- // name is the "key" of the trait.
- string name = 1;
- // values is the list of values the trait name maps to.
- repeated string values = 2;
-}
-
-// RouteToApp holds routing information for applications.
-message RouteToApp {
- // SessionID is an ID used to identify application sessions created by
- // this certificate.
- string session_id = 1;
-
- // PublicAddr (and ClusterName) are used to route requests issued with this
- // certificate to the appropriate application proxy/cluster.
- string public_addr = 2;
-
- // ClusterName (and PublicAddr) are used to route requests issued with this
- // certificate to the appropriate application proxy/cluster.
- string cluster_name = 3;
-
- // Name is the app name.
- string name = 4;
-
- // AWSRoleARN is the AWS role to assume when accessing AWS console.
- string aws_role_arn = 5;
-
- // AzureIdentity is the Azure identity to assume when accessing Azure API.
- string azure_identity = 6;
-
- // GCPServiceAccount is the GCP service account to assume when accessing GCP API.
- string gcp_service_account = 7;
-
- // URI is the URI of the app. This is the internal endpoint where the application is running and isn't user-facing.
- string uri = 8;
-}
-
-// RouteToDatabase contains routing information for databases.
-message RouteToDatabase {
- // ServiceName is the name of the Teleport database proxy service
- // to route requests to.
- string service_name = 1;
-
- // Protocol is the database protocol.
- //
- // It is embedded in identity so clients can understand what type
- // of database this is without contacting server.
- string protocol = 2;
-
- // Username is an optional database username to serve as a default
- // username to connect as.
- string username = 3;
-
- // Database is an optional database name to serve as a default
- // database to connect to.
- string database = 4;
-
- // Roles is an optional list of database roles to use for a database
- // session.
- // This list should be a subset of allowed database roles. If not
- // specified, Database Service will use all allowed database roles for this
- // database.
- repeated string roles = 5;
-}
-
-// ResourceID is a unique identifier for a teleport resource.
-message ResourceID {
- // ClusterName is the name of the cluster the resource is in.
- string cluster_name = 1;
-
- // Kind is the resource kind.
- string kind = 2;
-
- // Name is the name of the specific resource.
- string name = 3;
-
- // SubResourceName is the resource belonging to resource identified by "Name"
- // that the user is allowed to access to.
- // When granting access to a subresource, access to other resources is limited.
- // Currently it just supports resources of Kind=pod and the format is the following
- // "/".
- string sub_resource_name = 4;
-}
-
-// DeviceExtensions holds device-aware extensions for the identity.
-message DeviceExtensions {
- // DeviceID is the trusted device identifier.
- string device_id = 1;
-
- // AssetTag is the device inventory identifier.
- string asset_tag = 2;
-
- // CredentialID is the identifier for the credential used by the device to
- // authenticate itself.
- string credential_id = 3;
-}
-
-// Identity is an identity of the user or service, e.g. Proxy or Node
-message Identity {
- // Username is a username or name of the node connection
+// TLSIdentity is the identity used for TLS connections.
+message TLSIdentity {
+ // Username is a username or name of the node connection.
string username = 1;
- // Impersonator is a username of a user impersonating this user
+ // Impersonator is a username of a user impersonating this user.
 string impersonator = 2;
- // Groups is a list of groups (Teleport roles) encoded in the identity
+ // Groups is a list of groups (Teleport roles) encoded in the identity.
repeated string groups = 3;
- // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used
- // in "multi-role" certificates. Single-role certificates encode the system role
+ // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used in
+ // "multi-role" certificates. Single-role certificates encode the system role
// in `Groups` for back-compat reasons.
repeated string system_roles = 4;
- // Usage is a list of usage restrictions encoded in the identity
+ // Usage is a list of usage restrictions encoded in the identity.
repeated string usage = 5;
// Principals is a list of Unix logins allowed.
repeated string principals = 6;
- // KubernetesGroups is a list of Kubernetes groups allowed
+ // KubernetesGroups is a list of Kubernetes groups allowed.
repeated string kubernetes_groups = 7;
- // KubernetesUsers is a list of Kubernetes users allowed
+ // KubernetesUsers is a list of Kubernetes users allowed.
repeated string kubernetes_users = 8;
- // Expires specifies whenever the session will expire
+ // Expires specifies whenever the session will expire.
google.protobuf.Timestamp expires = 9;
- // RouteToCluster specifies the target cluster
+ // RouteToCluster specifies the target cluster.
string route_to_cluster = 10;
// KubernetesCluster specifies the target kubernetes cluster for TLS
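Review bot: The rewritten field comments in TLSIdentity name each field in Go PascalCase (`Username`, `Impersonator`, `SystemRoles`, `Expires`) while the declared proto names are snake_case; protoc attaches these leading comments to the field and doc generators render them verbatim, so naming the field as declared (`// username is a username or name of the node connection.`) keeps the generated docs consistent with the schema and matches the form the Trait message in the last hunk of this file already uses. While touching the Expires line, `// Expires specifies whenever the session will expire.` should say `when`, not `whenever`, since the field is a single instant. The same naming point applies to the later hunks of this file; TLSIdentity continues past the end of this hunk.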
@@ -160,13 +62,13 @@ message Identity {
repeated Trait traits = 12;
// RouteToApp holds routing information for applications. Routing metadata
- // allows Teleport web proxy to route HTTP requests to the appropriate
- // cluster and Teleport application proxy within the cluster.
+ // allows Teleport web proxy to route HTTP requests to the appropriate cluster
+ // and Teleport application proxy within the cluster.
RouteToApp route_to_app = 13;
// TeleportCluster is the name of the teleport cluster that this identity
- // originated from. For TLS certs this may not be the same as cert issuer,
- // in case of multi-hop requests that originate from a remote cluster.
+ // originated from. For TLS certs this may not be the same as cert issuer, in
+ // case of multi-hop requests that originate from a remote cluster.
string teleport_cluster = 14;
// RouteToDatabase contains routing information for databases.
@@ -184,8 +86,9 @@ message Identity {
// PreviousIdentityExpires is the expiry time of the identity/cert that this
// identity/cert was derived from. It is used to determine a session's hard
- // deadline in cases where both require_session_mfa and disconnect_expired_cert
- // are enabled. See https://github.com/gravitational/teleport/issues/18544.
+ // deadline in cases where both require_session_mfa and
+ // disconnect_expired_cert are enabled.
+ // See https://github.com/gravitational/teleport/issues/18544.
google.protobuf.Timestamp previous_identity_expires = 19;
// LoginIP is an observed IP of the client that this Identity represents.
@@ -200,19 +103,20 @@ message Identity {
// AzureIdentities is a list of allowed Azure identities user can assume.
repeated string azure_identities = 23;
- // GCPServiceAccounts is a list of allowed GCP service accounts that the user can assume.
+ // GCPServiceAccounts is a list of allowed GCP service accounts that the user
+ // can assume.
repeated string gcp_service_accounts = 24;
// ActiveRequests is a list of UUIDs of active requests for this Identity.
repeated string active_requests = 25;
- // DisallowReissue is a flag that, if set, instructs the auth server to
- // deny any attempts to reissue new certificates while authenticated with
- // this certificate.
+ // DisallowReissue is a flag that, if set, instructs the auth server to deny
+ // any attempts to reissue new certificates while authenticated with this
+ // certificate.
bool disallow_reissue = 26;
- // Renewable indicates that this identity is allowed to renew it's
- // own credentials. This is only enabled for certificate renewal bots.
+ // Renewable indicates that this identity is allowed to renew it's own
+ // credentials. This is only enabled for certificate renewal bots.
bool renewable = 27;
// Generation counts the number of times this certificate has been renewed.
@@ -222,8 +126,8 @@ message Identity {
// to, if any.
string bot_name = 29;
- // BotInstanceID is a unique identifier for Machine ID bots that is
- // persisted through renewals.
+ // BotInstanceID is a unique identifier for Machine ID bots that is persisted
+ // through renewals.
string bot_instance_id = 30;
// AllowedResourceIDs lists the resources the identity should be allowed to
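Review bot: The rewrapped Renewable comment carries over the contraction `it's`, which is wrong in this position; the added line should read `// Renewable indicates that this identity is allowed to renew its own`. Since the line is already being rewritten by this hunk, fixing it here avoids a follow-up doc-only change. TLSIdentity continues outside this hunk.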
@@ -233,7 +137,8 @@ message Identity {
// PrivateKeyPolicy is the private key policy supported by this identity.
string private_key_policy = 32;
- // ConnectionDiagnosticID is used to add connection diagnostic messages when Testing a Connection.
+ // ConnectionDiagnosticID is used to add connection diagnostic messages when
+ // Testing a Connection.
string connection_diagnostic_id = 33;
// DeviceExtensions holds device-aware extensions for the identity.
@@ -243,7 +148,100 @@ message Identity {
string user_type = 35;
}
-// SSHIdentity is the identity used for SSH connections.
-message SSHIdentity {
- // TODO
+// Trait encodes a single key-values pair from a user's traits.
+message Trait {
+ // name is the "key" of the trait.
+ string name = 1;
+ // values is the list of values the trait name maps to.
+ repeated string values = 2;
+}
+
+// RouteToApp holds routing information for applications.
+message RouteToApp {
+ // SessionID is an ID used to identify application sessions created by this
+ // certificate.
+ string session_id = 1;
+
+ // PublicAddr (and ClusterName) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string public_addr = 2;
+
+ // ClusterName (and PublicAddr) are used to route requests issued with this
+ // certificate to the appropriate application proxy/cluster.
+ string cluster_name = 3;
+
+ // Name is the app name.
+ string name = 4;
+
+ // AWSRoleARN is the AWS role to assume when accessing AWS console.
+ string aws_role_arn = 5;
+
+ // AzureIdentity is the Azure identity to assume when accessing Azure API.
+ string azure_identity = 6;
+
+ // GCPServiceAccount is the GCP service account to assume when accessing GCP
+ // API.
+ string gcp_service_account = 7;
+
+ // URI is the URI of the app. This is the internal endpoint where the
+ // application is running and isn't user-facing.
+ string uri = 8;
+}
+
+// RouteToDatabase contains routing information for databases.
+message RouteToDatabase {
+ // ServiceName is the name of the Teleport database proxy service to route
+ // requests to.
+ string service_name = 1;
+
+ // Protocol is the database protocol.
+ //
+ // It is embedded in identity so clients can understand what type of database
+ // this is without contacting server.
+ string protocol = 2;
+
+ // Username is an optional database username to serve as a default username to
+ // connect as.
+ string username = 3;
+
+ // Database is an optional database name to serve as a default database to
+ // connect to.
+ string database = 4;
+
+ // Roles is an optional list of database roles to use for a database session.
+ // This list should be a subset of allowed database roles. If not specified,
+ // Database Service will use all allowed database roles for this database.
+ repeated string roles = 5;
+}
+
+// ResourceID is a unique identifier for a teleport resource.
+message ResourceID {
+ // ClusterName is the name of the cluster the resource is in.
+ string cluster_name = 1;
+
+ // Kind is the resource kind.
+ string kind = 2;
+
+ // Name is the name of the specific resource.
+ string name = 3;
+
+ // SubResourceName is the resource belonging to resource identified by "Name"
+ // that the user is allowed to access to. When granting access to a
+ // subresource, access to other resources is limited. Currently it just
+ // supports resources of Kind=pod and the format is the following
+ // "/".
+ string sub_resource_name = 4;
+}
+
+// DeviceExtensions holds device-aware extensions for the identity.
+message DeviceExtensions {
+ // DeviceID is the trusted device identifier.
+ string device_id = 1;
+
+ // AssetTag is the device inventory identifier.
+ string asset_tag = 2;
+
+ // CredentialID is the identifier for the credential used by the device to
+ // authenticate itself.
+ string credential_id = 3;
}
From 464ea4026fb57510ab4666c5a59d0d96257152bd Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Thu, 5 Dec 2024 17:45:17 -0300 Subject: [PATCH 05/20] Update Metadata docs --- .../teleport/decision/v1alpha1/metadata.proto | 57 +++++++++++-------- 1 file changed, 34 insertions(+), 23 deletions(-)
diff --git a/api/proto/teleport/decision/v1alpha1/metadata.proto b/api/proto/teleport/decision/v1alpha1/metadata.proto
index 0a5f568997222..b0b71c8da1236 100644
--- a/api/proto/teleport/decision/v1alpha1/metadata.proto
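Review bot: The moved SubResourceName comment in ResourceID ends with `the format is the following "/"`, which no longer states a format — the two placeholders around the slash appear to have been lost (angle-bracket tokens are commonly stripped by renderers), and the rewrap keeps the broken text. Spell the placeholders without brackets, e.g. `// "{namespace}/{pod}"` if namespace and pod name are what is meant for Kind=pod, so the constraint survives rendering. Because sub_resource_name narrows a grant to one sub-resource, the comment should also say which side validates the format, so that the PEP cannot interpret a malformed value more broadly than the PDP intended. The rest of the hunk moves Trait, RouteToApp, RouteToDatabase and DeviceExtensions below TLSIdentity with only rewrapping.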
+++ b/api/proto/teleport/decision/v1alpha1/metadata.proto 
@@ -18,53 +18,64 @@ package teleport.decision.v1alpha1;
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
-// Metadata common for authorization decision request operations.
+// Metadata for evaluation requests.
message RequestMetadata {
- // FeatureAssertions is a list of DecisionFeature that the PDP *must* implement in order to correctly
- // evaluate the decision request. Note that changes that require new features in the PDP in order for
- // it to understand a decision request are rare and should be avoided if possible.
+ // FeatureAssertions is a list of DecisionFeature that the PDP (Policy
+ // Decision Point) *must* implement in order to correctly evaluate the
+ // decision request. Note that changes that require new features in the PDP in
+ // order for it to understand a decision request are rare and should be
+ // avoided if possible.
repeated DecisionFeature feature_assertions = 1;
- // PepVersionHint is the *likely* version of the PEP that will enforce the decision. Not all decision
- // requests can guarantee that the expected PEP version will actually be the version that ends up enforcing
- // the decision. Hard compatibility requirements must be enforced via feature assertions so that PEPs can
- // correctly reject decisions that they cannot enforce.
+ // PepVersionHint is the *likely* version of the PEP that will enforce the
+ // decision. Not all decision requests can guarantee that the expected PEP
+ // (Policy Enforcement Point) version will actually be the version that ends
+ // up enforcing the decision. Hard compatibility requirements must be enforced
+ // via feature assertions so that PEPs can correctly reject decisions that
+ // they cannot enforce.
string pep_version_hint = 2;
}
-// Metadata common for access permits.
+// Metadata for access permits.
message PermitMetadata {
- // FeatureAssertions is a list of EnforcementFeature that the PEP *must* implement in order to correctly
- // enforce the decision. Note that where possible new features should be structured to "fail safe" rather
- // than relying on feature assertions.
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that where possible new features should be structured to
+ // "fail safe" rather than relying on feature assertions.
repeated EnforcementFeature feature_assertions = 1;
- // PdpVersion is the version of the PDP that evaluated the decision request.
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
string pdp_version = 2;
}
-// Metadata common for access denials.
+// Metadata for access denials.
message DenialMetadata {
- // FeatureAssertions is a list of EnforcementFeature that the PEP *must* implement in order to correctly
- // enforce the decision. Note that denials rarely need feature assertions since they typically "fail safe"
- // anyway.
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that denials rarely need feature assertions since they
+ // typically "fail safe" anyway.
repeated EnforcementFeature feature_assertions = 1;
- // PdpVersion is the version of the PDP that evaluated the decision request.
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
string pdp_version = 2;
- // UserMessage is a sanitized message safe for return to the subject identity of the decision request.
+ // UserMessage is a sanitized message safe for return to the subject identity
+ // of the decision request.
string user_message = 3;
}
-// DecisionFeature is an enum representing PDP features.
+// DecisionFeature represents supported PDP (Policy Decision Point) features.
enum DecisionFeature {
- // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for DecisionFeature. Asserting this feature has no effect.
+ // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // DecisionFeature. Asserting this feature has no effect.
DECISION_FEATURE_UNSPECIFIED = 0;
}
-// EnforcementFeature is the enum representing PEP features.
+// EnforcementFeature represents PEP (Policy Enforcement Point) features.
enum EnforcementFeature {
- // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for EnforcementFeature. Asserting this feature has no effect.
+ // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // EnforcementFeature. Asserting this feature has no effect.
ENFORCEMENT_FEATURE_UNSPECIFIED = 0;
}
From a7d6d41d2781b93ca912586a50af16c6d8a4b6e8 Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Thu, 5 Dec 2024 17:49:18 -0300 Subject: [PATCH 06/20] Split metadata into separate files --- .../decision/v1alpha1/database_access.proto | 4 +- .../decision/v1alpha1/denial_metadata.proto | 38 +++++++++++++++++++ .../v1alpha1/enforcement_feature.proto | 26 +++++++++++++ .../decision/v1alpha1/permit_metadata.proto | 34 +++++++++++++++++ ...{metadata.proto => request_metadata.proto} | 37 ------------------ .../decision/v1alpha1/ssh_access.proto | 4 +- 6 files changed, 104 insertions(+), 39 deletions(-) create mode 100644 api/proto/teleport/decision/v1alpha1/denial_metadata.proto create mode 100644 api/proto/teleport/decision/v1alpha1/enforcement_feature.proto create mode 100644 api/proto/teleport/decision/v1alpha1/permit_metadata.proto rename api/proto/teleport/decision/v1alpha1/{metadata.proto => request_metadata.proto} (56%)
diff --git a/api/proto/teleport/decision/v1alpha1/database_access.proto b/api/proto/teleport/decision/v1alpha1/database_access.proto
index 3d7fa7a1a9ecb..f6bd8f73f95fe 100644
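Review bot: The rewritten UserMessage comment in DenialMetadata states that the message is "sanitized" and "safe for return to the subject identity" but not who guarantees that, and this field is the one part of a denial that travels from the PDP through the PEP to the requesting user. The comment should fix the responsibility on the PDP and tell PEPs to relay it as-is, e.g. append `// The PDP is responsible for sanitization; PEPs must return it unchanged and must not append internal error details.`, so that enforcement points do not leak policy internals by decorating it. The same wording applies to the copy of DenialMetadata that the next patch moves into denial_metadata.proto.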
--- a/api/proto/teleport/decision/v1alpha1/database_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/database_access.proto
@@ -16,7 +16,9 @@ syntax = "proto3";
package teleport.decision.v1alpha1;
-import "teleport/decision/v1alpha1/metadata.proto";
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
import "teleport/decision/v1alpha1/tls_identity.proto";
option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
diff --git a/api/proto/teleport/decision/v1alpha1/denial_metadata.proto b/api/proto/teleport/decision/v1alpha1/denial_metadata.proto new file mode 100644
index 0000000000000..6c30f1fba49b5
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/denial_metadata.proto
@@ -0,0 +1,38 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/enforcement_feature.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for access denials.
+message DenialMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that denials rarely need feature assertions since they
+ // typically "fail safe" anyway.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
+ string pdp_version = 2;
+
+ // UserMessage is a sanitized message safe for return to the subject identity
+ // of the decision request.
+ string user_message = 3;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/enforcement_feature.proto b/api/proto/teleport/decision/v1alpha1/enforcement_feature.proto new file mode 100644
index 0000000000000..599a516a1ab92
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/enforcement_feature.proto
@@ -0,0 +1,26 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// EnforcementFeature represents PEP (Policy Enforcement Point) features.
+enum EnforcementFeature {
+ // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for
+ // EnforcementFeature. Asserting this feature has no effect.
+ ENFORCEMENT_FEATURE_UNSPECIFIED = 0;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/permit_metadata.proto b/api/proto/teleport/decision/v1alpha1/permit_metadata.proto new file mode 100644
index 0000000000000..ba7f607a4c62d
--- /dev/null
+++ b/api/proto/teleport/decision/v1alpha1/permit_metadata.proto
@@ -0,0 +1,34 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.decision.v1alpha1;
+
+import "teleport/decision/v1alpha1/enforcement_feature.proto";
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
+
+// Metadata for access permits.
+message PermitMetadata {
+ // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
+ // Enforcement Point) *must* implement in order to correctly enforce the
+ // decision. Note that where possible new features should be structured to
+ // "fail safe" rather than relying on feature assertions.
+ repeated EnforcementFeature feature_assertions = 1;
+
+ // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
+ // the decision request.
+ string pdp_version = 2;
+}
diff --git a/api/proto/teleport/decision/v1alpha1/metadata.proto b/api/proto/teleport/decision/v1alpha1/request_metadata.proto similarity index 56% rename from api/proto/teleport/decision/v1alpha1/metadata.proto rename to api/proto/teleport/decision/v1alpha1/request_metadata.proto
index b0b71c8da1236..2059bd59d3407 100644
--- a/api/proto/teleport/decision/v1alpha1/metadata.proto
+++ b/api/proto/teleport/decision/v1alpha1/request_metadata.proto
@@ -36,46 +36,9 @@ message RequestMetadata {
string pep_version_hint = 2;
}
-// Metadata for access permits.
-message PermitMetadata {
- // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
- // Enforcement Point) *must* implement in order to correctly enforce the
- // decision. Note that where possible new features should be structured to
- // "fail safe" rather than relying on feature assertions.
- repeated EnforcementFeature feature_assertions = 1;
-
- // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
- // the decision request.
- string pdp_version = 2;
-}
-
-// Metadata for access denials.
-message DenialMetadata {
- // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy
- // Enforcement Point) *must* implement in order to correctly enforce the
- // decision. Note that denials rarely need feature assertions since they
- // typically "fail safe" anyway.
- repeated EnforcementFeature feature_assertions = 1;
-
- // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated
- // the decision request.
- string pdp_version = 2;
-
- // UserMessage is a sanitized message safe for return to the subject identity
- // of the decision request.
- string user_message = 3;
-}
-
// DecisionFeature represents supported PDP (Policy Decision Point) features.
enum DecisionFeature {
// DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for
// DecisionFeature. Asserting this feature has no effect.
DECISION_FEATURE_UNSPECIFIED = 0;
}
-
-// EnforcementFeature represents PEP (Policy Enforcement Point) features.
-enum EnforcementFeature {
- // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for
- // EnforcementFeature. Asserting this feature has no effect.
- ENFORCEMENT_FEATURE_UNSPECIFIED = 0;
-}
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
index da57dc3d81dc0..c4ba44facc682 100644
--- a/api/proto/teleport/decision/v1alpha1/ssh_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
@@ -17,7 +17,9 @@ syntax = "proto3";
package teleport.decision.v1alpha1;
import "google/protobuf/duration.proto";
-import "teleport/decision/v1alpha1/metadata.proto";
+import "teleport/decision/v1alpha1/denial_metadata.proto";
+import "teleport/decision/v1alpha1/permit_metadata.proto";
+import "teleport/decision/v1alpha1/request_metadata.proto";
import "teleport/decision/v1alpha1/resource.proto";
import "teleport/decision/v1alpha1/ssh_identity.proto";
From b0188b4f03a61468dc13f669aadd0cdf94088016 Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Thu, 5 Dec 2024 17:41:07 -0300 Subject: [PATCH 07/20] Update Resource docs --- .../teleport/decision/v1alpha1/resource.proto | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/api/proto/teleport/decision/v1alpha1/resource.proto b/api/proto/teleport/decision/v1alpha1/resource.proto
index a54dd154bbce6..25b1e970ae114 100644
--- a/api/proto/teleport/decision/v1alpha1/resource.proto
+++ b/api/proto/teleport/decision/v1alpha1/resource.proto
@@ -18,19 +18,20 @@ package teleport.decision.v1alpha1;
 
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
-// Resource is the conventional reference type used to refer to the "object" of an action that is
-// being considered for an authorization decision. For example, a call to EvaluateSSHAccess
-// would use the Resource type to reference the ssh node being accessed.
+// Resource is the conventional reference type used to refer to the "object" of
+// an action that is being considered for an authorization decision. For
+// example, a call to EvaluateSSHAccess would use the Resource type to reference
+// the ssh node being accessed.
 message Resource {
-  // Kind is the type of the resource. Wether or not this field is required depends on
-  // wether the request is for a method that supports multiple types. Typically safe to omit.
+  // Kind is the type of the resource. Required for requests that support
+  // multiple types, otherwise safe to omit.
   string kind = 1;
 
-  // SubKind is the subtype of the resource. This is usually not required as most resource
-  // types either don't have subkinds, or their subkinds do not have an effect on authorization
-  // decisions.
+  // SubKind is the subtype of the resource. Usually not required as most
+  // resources don't have subkinds, or their subkinds do not have an effect on
+  // authorization decisions.
   string sub_kind = 2;
 
-  // Name is the unique name of the resource. This is usually required.
+  // Name is the unique name of the resource.
   string name = 3;
 }
From 91654f0fe40483eb11c0341cf15f56cee605fac4 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 11:27:51 -0300
Subject: [PATCH 08/20] Update database access docs and fields
---
 .../decision/v1alpha1/database_access.proto | 21 +++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)
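Review bot: The new `// Name is the unique name of the resource.` drops the earlier statement that the name is usually required, so the message no longer says which of its three fields a caller must set; with proto3 implicit presence an unset `name` arrives as an empty string, so how the PDP treats an empty name is worth stating here rather than leaving callers to guess. If the intent is unchanged, `// Name is the unique name of the resource. Required.` restores it in the same terse style as the new Kind comment. The Kind comment now reads "Required for requests that support multiple types, otherwise safe to omit", which still leaves open whether a kind that does not match the method is rejected or ignored; a short clause settling that would close the gap.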
diff --git a/api/proto/teleport/decision/v1alpha1/database_access.proto b/api/proto/teleport/decision/v1alpha1/database_access.proto
index f6bd8f73f95fe..652df267ef33c 100644
--- a/api/proto/teleport/decision/v1alpha1/database_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/database_access.proto
@@ -23,17 +23,15 @@ import "teleport/decision/v1alpha1/tls_identity.proto";
 
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
-// EvaluateDatabaseAccessRequest describes a request to evaluate wether or not a given
-// database access attempt should be permitted.
+// EvaluateDatabaseAccessRequest describes a request to evaluate whether or not
+// a given database access attempt should be permitted.
 message EvaluateDatabaseAccessRequest {
   RequestMetadata metadata = 1;
-
-  TLSIdentity identity = 2;
-
-  // TODO
+  TLSIdentity tls_identity = 2;
 }
 
-// EvaluateDatabaseAccessResponse describes the result of a database access evaluation.
+// EvaluateDatabaseAccessResponse describes the result of a database access
+// evaluation.
 message EvaluateDatabaseAccessResponse {
   oneof result {
     DatabaseAccessPermit permit = 1;
@@ -41,16 +39,13 @@ message EvaluateDatabaseAccessResponse {
   }
 }
 
-// DatabaseAccessPermit describes the parameters/constraints of a permissible database access attempt.
+// DatabaseAccessPermit describes the parameters/constraints of a permissible
+// database access attempt.
 message DatabaseAccessPermit {
   PermitMetadata metadata = 1;
-
-  // TODO
 }
 
-// DatabaseAccessDenial describes the details of a database access denial.
+// DatabaseAccessDenial describes a database access denial.
 message DatabaseAccessDenial {
   DenialMetadata metadata = 1;
-
-  // TODO
 }
From 22dbc5b79e0d6027a0af1d1714ed70b516c688e9 Mon Sep 17 00:00:00 2001
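Review bot: The fields of EvaluateDatabaseAccessRequest (`RequestMetadata metadata = 1;`, `TLSIdentity tls_identity = 2;`) have no leading comments, whereas the parallel EvaluateSSHAccessRequest documents each field (`// Metadata holds common authorization decision request fields.`), and with the `// TODO` placeholders removed in both hunks the messages now read as finished. Adding `// Metadata holds common authorization decision request fields.` above field 1 and `// TlsIdentity is the TLS identity of the subject attempting database access.` above field 2 keeps the two request types consistent. The request also carries no field naming the database being accessed, unlike `Resource node` on the SSH request; if that is still to come, a TODO on the message (and on DatabaseAccessPermit, whose only field is now `metadata`) would preserve that intent instead of dropping it with the placeholders.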
From: Alan Parra
Date: Thu, 5 Dec 2024 17:51:35 -0300
Subject: [PATCH 09/20] Update SSH access docs and fields
---
 .../decision/v1alpha1/ssh_access.proto | 31 +++---------------
 .../decision/v1alpha1/ssh_identity.proto | 4 ++-
 2 files changed, 8 insertions(+), 27 deletions(-)
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_access.proto b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
index c4ba44facc682..df2685c529db5 100644
--- a/api/proto/teleport/decision/v1alpha1/ssh_access.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_access.proto
@@ -25,8 +25,8 @@ import "teleport/decision/v1alpha1/ssh_identity.proto";
 
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
-// EvaluateSSHAccessRequest describes a request to evaluate wether or not a given
-// ssh access attempt should be permitted.
+// EvaluateSSHAccessRequest describes a request to evaluate whether or not a
+// given ssh access attempt should be permitted.
 message EvaluateSSHAccessRequest {
   // Metadata holds common authorization decision request fields.
   RequestMetadata metadata = 1;
@@ -36,9 +36,6 @@ message EvaluateSSHAccessRequest {
 
   // Node references the target node the user is attempting to access.
   Resource node = 3;
-
-  // Login is the host login associated with the access attempt.
-  string login = 4;
 }
 
 // EvaluateSSHAccessResponse describes the result of an SSH access evaluation.
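Review bot: `string login = 4;` is deleted from EvaluateSSHAccessRequest without reserving its tag or name, so the next field added to this message could silently take number 4, and a client built against the earlier schema that still sends a login string would have it decoded into that new field. Adding `reserved 4; reserved "login";` inside the message closes that; the same applies to the `@@ -49,48 +46,30 @@` hunk of this commit, where SSHAccessPermit fields 2 through 18 are dropped and `reserved 2 to 18;` would be the matching guard. The buf.yaml change later in this series excludes this directory from breaking checks, so buf will not catch a reuse of these numbers.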
@@ -49,48 +46,30 @@ message EvaluateSSHAccessResponse {
   }
 }
 
-// SSHAccessPermit describes the parameters/constraints of a permissible SSH access attempt.
+// SSHAccessPermit describes the parameters/constraints of a permissible SSH
+// access attempt.
 message SSHAccessPermit {
   PermitMetadata metadata = 1;
-  repeated string logins = 2;
-  bool forward_agent = 3;
-  google.protobuf.Duration max_session_ttl = 4;
-  bool port_forwarding = 5;
-  int64 client_idle_timeout = 6;
-  bool disconnect_expired_cert = 7;
-  repeated string bpf = 8;
-  bool x11_forwarding = 9;
-  int64 max_connections = 10;
-  int64 max_sessions = 11;
-  string lock = 12;
-  bool create_host_user = 13;
-  bool ssh_file_copy = 14;
-  string create_host_user_mode = 15;
-  string create_host_user_shell = 16;
-  repeated string host_groups = 17;
-  repeated string host_sudoers = 18;
-
-  // TODO(fspmarshall) more stuff here...
 }
 
-// SSHAccessDenial describes the details of an SSH access denial.
+// SSHAccessDenial describes an SSH access denial.
 message SSHAccessDenial {
   DenialMetadata metadata = 1;
 }
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
index bca6fe31086e6..01f4ea2af2d58 100644
--- a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -19,4 +19,6 @@ package teleport.decision.v1alpha1;
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // SSHIdentity is the identity used for SSH connections.
-message SSHIdentity {}
+message SSHIdentity {
+  // TBD
+}
From 6578b4b95807071ba0fedf53dea7d1fd731d035d Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 11:31:59 -0300
Subject: [PATCH 10/20] Ignore breaking changes on decision protos
---
 buf.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/buf.yaml b/buf.yaml
index bd4efff817af3..8f01bbe2dea21 100644
--- a/buf.yaml
+++ b/buf.yaml
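Review bot: After this hunk SSHAccessPermit carries only `PermitMetadata metadata = 1;`, so a permit no longer states which host logins, session TTL or forwarding options the PEP may grant, and a PEP cannot tell a constrained permit from an unconstrained one. The `// TODO(fspmarshall) more stuff here...` marker that flagged the message as incomplete is removed together with the fields, while the SSHIdentity hunk in the same commit keeps a `// TBD` marker. A comment such as `// TODO: permit constraints (logins, session TTL, forwarding) are not yet defined.` on SSHAccessPermit would keep the two consistent and stop the metadata-only message from reading as final.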
@@ -81,6 +81,9 @@ breaking:
     - WIRE_JSON
   except:
     - FIELD_SAME_DEFAULT
+  ignore:
+    # TODO(codingllama): Remove ignore once the PDP API is stable.
+    - api/proto/teleport/decision/v1alpha1
   ignore_only:
     RESERVED_ENUM_NO_DELETE:
       - api/proto/teleport/legacy/types/types.proto
From 44aa5e56dcf9ad03bcfa8ac2a61104ca08a88a54 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 11:35:07 -0300
Subject: [PATCH 11/20] Update generated protos
---
 .../decision/v1alpha1/database_access.pb.go | 399 +++++++
 .../decision/v1alpha1/decision_service.pb.go | 119 ++
 .../v1alpha1/decision_service_grpc.pb.go | 199 ++++
 .../decision/v1alpha1/denial_metadata.pb.go | 188 +++
 .../v1alpha1/enforcement_feature.pb.go | 151 +++
 .../decision/v1alpha1/permit_metadata.pb.go | 176 +++
 .../decision/v1alpha1/request_metadata.pb.go | 229 ++++
 .../teleport/decision/v1alpha1/resource.pb.go | 176 +++
 .../decision/v1alpha1/ssh_access.pb.go | 599 ++++++++++
 .../decision/v1alpha1/ssh_identity.pb.go | 138 +++
 .../decision/v1alpha1/tls_identity.pb.go | 1042 +++++++++++++++++
 11 files changed, 3416 insertions(+)
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go
 create mode 100644 api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
new file mode 100644
index 0000000000000..d88716d502f40
--- /dev/null
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
@@ -0,0 +1,399 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/database_access.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// EvaluateDatabaseAccessRequest describes a request to evaluate whether or not +// a given database access attempt should be permitted. 
+type EvaluateDatabaseAccessRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *RequestMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + TlsIdentity *TLSIdentity `protobuf:"bytes,2,opt,name=tls_identity,json=tlsIdentity,proto3" json:"tls_identity,omitempty"` +} + +func (x *EvaluateDatabaseAccessRequest) Reset() { + *x = EvaluateDatabaseAccessRequest{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateDatabaseAccessRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateDatabaseAccessRequest) ProtoMessage() {} + +func (x *EvaluateDatabaseAccessRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateDatabaseAccessRequest.ProtoReflect.Descriptor instead. +func (*EvaluateDatabaseAccessRequest) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{0} +} + +func (x *EvaluateDatabaseAccessRequest) GetMetadata() *RequestMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *EvaluateDatabaseAccessRequest) GetTlsIdentity() *TLSIdentity { + if x != nil { + return x.TlsIdentity + } + return nil +} + +// EvaluateDatabaseAccessResponse describes the result of a database access +// evaluation. 
+type EvaluateDatabaseAccessResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Result: + // + // *EvaluateDatabaseAccessResponse_Permit + // *EvaluateDatabaseAccessResponse_Denial + Result isEvaluateDatabaseAccessResponse_Result `protobuf_oneof:"result"` +} + +func (x *EvaluateDatabaseAccessResponse) Reset() { + *x = EvaluateDatabaseAccessResponse{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateDatabaseAccessResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateDatabaseAccessResponse) ProtoMessage() {} + +func (x *EvaluateDatabaseAccessResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateDatabaseAccessResponse.ProtoReflect.Descriptor instead. 
+func (*EvaluateDatabaseAccessResponse) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{1} +} + +func (m *EvaluateDatabaseAccessResponse) GetResult() isEvaluateDatabaseAccessResponse_Result { + if m != nil { + return m.Result + } + return nil +} + +func (x *EvaluateDatabaseAccessResponse) GetPermit() *DatabaseAccessPermit { + if x, ok := x.GetResult().(*EvaluateDatabaseAccessResponse_Permit); ok { + return x.Permit + } + return nil +} + +func (x *EvaluateDatabaseAccessResponse) GetDenial() *DatabaseAccessDenial { + if x, ok := x.GetResult().(*EvaluateDatabaseAccessResponse_Denial); ok { + return x.Denial + } + return nil +} + +type isEvaluateDatabaseAccessResponse_Result interface { + isEvaluateDatabaseAccessResponse_Result() +} + +type EvaluateDatabaseAccessResponse_Permit struct { + Permit *DatabaseAccessPermit `protobuf:"bytes,1,opt,name=permit,proto3,oneof"` +} + +type EvaluateDatabaseAccessResponse_Denial struct { + Denial *DatabaseAccessDenial `protobuf:"bytes,2,opt,name=denial,proto3,oneof"` +} + +func (*EvaluateDatabaseAccessResponse_Permit) isEvaluateDatabaseAccessResponse_Result() {} + +func (*EvaluateDatabaseAccessResponse_Denial) isEvaluateDatabaseAccessResponse_Result() {} + +// DatabaseAccessPermit describes the parameters/constraints of a permissible +// database access attempt. 
+type DatabaseAccessPermit struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *PermitMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *DatabaseAccessPermit) Reset() { + *x = DatabaseAccessPermit{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DatabaseAccessPermit) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DatabaseAccessPermit) ProtoMessage() {} + +func (x *DatabaseAccessPermit) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DatabaseAccessPermit.ProtoReflect.Descriptor instead. +func (*DatabaseAccessPermit) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{2} +} + +func (x *DatabaseAccessPermit) GetMetadata() *PermitMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +// DatabaseAccessDenial describes a database access denial. 
+type DatabaseAccessDenial struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *DenialMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *DatabaseAccessDenial) Reset() { + *x = DatabaseAccessDenial{} + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DatabaseAccessDenial) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DatabaseAccessDenial) ProtoMessage() {} + +func (x *DatabaseAccessDenial) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_database_access_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DatabaseAccessDenial.ProtoReflect.Descriptor instead. 
+func (*DatabaseAccessDenial) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP(), []int{3} +} + +func (x *DatabaseAccessDenial) GetMetadata() *DenialMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +var File_teleport_decision_v1alpha1_database_access_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_database_access_proto_rawDesc = []byte{ + 0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, + 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x30, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e, 0x69, 0x61, + 0x6c, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x1a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72, + 0x6d, 0x69, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x1a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 
0x68, 0x61, + 0x31, 0x2f, 0x74, 0x6c, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb4, 0x01, 0x0a, 0x1d, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, + 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x47, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, + 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, + 0x4a, 0x0a, 0x0c, 0x74, 0x6c, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x2e, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0b, + 0x74, 0x6c, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x22, 0xc2, 0x01, 0x0a, 0x1e, + 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4a, + 0x0a, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x61, 0x74, 0x61, + 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, + 0x48, 0x00, 0x52, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x12, 0x4a, 0x0a, 0x06, 0x64, 0x65, + 0x6e, 0x69, 0x61, 0x6c, 
0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x48, 0x00, 0x52, 0x06, + 0x64, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x42, 0x08, 0x0a, 0x06, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, + 0x22, 0x5e, 0x0a, 0x14, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x22, 0x5e, 0x0a, 0x14, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, + 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 
0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_database_access_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_database_access_proto_rawDescData = file_teleport_decision_v1alpha1_database_access_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_database_access_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_database_access_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_database_access_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_database_access_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_database_access_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_teleport_decision_v1alpha1_database_access_proto_goTypes = []any{ + (*EvaluateDatabaseAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + (*EvaluateDatabaseAccessResponse)(nil), // 1: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse + (*DatabaseAccessPermit)(nil), // 2: teleport.decision.v1alpha1.DatabaseAccessPermit + (*DatabaseAccessDenial)(nil), // 3: teleport.decision.v1alpha1.DatabaseAccessDenial + (*RequestMetadata)(nil), // 4: teleport.decision.v1alpha1.RequestMetadata + (*TLSIdentity)(nil), // 5: teleport.decision.v1alpha1.TLSIdentity + (*PermitMetadata)(nil), // 6: teleport.decision.v1alpha1.PermitMetadata + (*DenialMetadata)(nil), // 7: teleport.decision.v1alpha1.DenialMetadata +} +var file_teleport_decision_v1alpha1_database_access_proto_depIdxs = []int32{ + 4, // 0: teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest.metadata:type_name -> teleport.decision.v1alpha1.RequestMetadata + 5, // 1: 
teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest.tls_identity:type_name -> teleport.decision.v1alpha1.TLSIdentity + 2, // 2: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse.permit:type_name -> teleport.decision.v1alpha1.DatabaseAccessPermit + 3, // 3: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse.denial:type_name -> teleport.decision.v1alpha1.DatabaseAccessDenial + 6, // 4: teleport.decision.v1alpha1.DatabaseAccessPermit.metadata:type_name -> teleport.decision.v1alpha1.PermitMetadata + 7, // 5: teleport.decision.v1alpha1.DatabaseAccessDenial.metadata:type_name -> teleport.decision.v1alpha1.DenialMetadata + 6, // [6:6] is the sub-list for method output_type + 6, // [6:6] is the sub-list for method input_type + 6, // [6:6] is the sub-list for extension type_name + 6, // [6:6] is the sub-list for extension extendee + 0, // [0:6] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_database_access_proto_init() } +func file_teleport_decision_v1alpha1_database_access_proto_init() { + if File_teleport_decision_v1alpha1_database_access_proto != nil { + return + } + file_teleport_decision_v1alpha1_denial_metadata_proto_init() + file_teleport_decision_v1alpha1_permit_metadata_proto_init() + file_teleport_decision_v1alpha1_request_metadata_proto_init() + file_teleport_decision_v1alpha1_tls_identity_proto_init() + file_teleport_decision_v1alpha1_database_access_proto_msgTypes[1].OneofWrappers = []any{ + (*EvaluateDatabaseAccessResponse_Permit)(nil), + (*EvaluateDatabaseAccessResponse_Denial)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_database_access_proto_rawDesc, + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_database_access_proto_goTypes, + DependencyIndexes: 
file_teleport_decision_v1alpha1_database_access_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_database_access_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_database_access_proto = out.File + file_teleport_decision_v1alpha1_database_access_proto_rawDesc = nil + file_teleport_decision_v1alpha1_database_access_proto_goTypes = nil + file_teleport_decision_v1alpha1_database_access_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go new file mode 100644 index 0000000000000..f5e9a7d614117 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go 
@@ -0,0 +1,119 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/decision_service.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. 
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +var File_teleport_decision_v1alpha1_decision_service_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = []byte{ + 0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, + 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74, 0x61, + 0x62, 0x61, 0x73, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x1a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, + 0x68, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xa6, + 0x02, 0x0a, 0x0f, 0x44, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x11, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, + 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, + 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 
0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, + 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x8f, 0x01, 0x0a, 0x16, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, + 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x12, 0x39, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, + 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, + 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, + 0x65, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var file_teleport_decision_v1alpha1_decision_service_proto_goTypes = []any{ + (*EvaluateSSHAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest + (*EvaluateDatabaseAccessRequest)(nil), // 1: 
teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + (*EvaluateSSHAccessResponse)(nil), // 2: teleport.decision.v1alpha1.EvaluateSSHAccessResponse + (*EvaluateDatabaseAccessResponse)(nil), // 3: teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse +} +var file_teleport_decision_v1alpha1_decision_service_proto_depIdxs = []int32{ + 0, // 0: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:input_type -> teleport.decision.v1alpha1.EvaluateSSHAccessRequest + 1, // 1: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:input_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessRequest + 2, // 2: teleport.decision.v1alpha1.DecisionService.EvaluateSSHAccess:output_type -> teleport.decision.v1alpha1.EvaluateSSHAccessResponse + 3, // 3: teleport.decision.v1alpha1.DecisionService.EvaluateDatabaseAccess:output_type -> teleport.decision.v1alpha1.EvaluateDatabaseAccessResponse + 2, // [2:4] is the sub-list for method output_type + 0, // [0:2] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_decision_service_proto_init() } +func file_teleport_decision_v1alpha1_decision_service_proto_init() { + if File_teleport_decision_v1alpha1_decision_service_proto != nil { + return + } + file_teleport_decision_v1alpha1_database_access_proto_init() + file_teleport_decision_v1alpha1_ssh_access_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_decision_service_proto_rawDesc, + NumEnums: 0, + NumMessages: 0, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_teleport_decision_v1alpha1_decision_service_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_decision_service_proto_depIdxs, + }.Build() + 
File_teleport_decision_v1alpha1_decision_service_proto = out.File + file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = nil + file_teleport_decision_v1alpha1_decision_service_proto_goTypes = nil + file_teleport_decision_v1alpha1_decision_service_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go new file mode 100644 index 0000000000000..620b4bf79887b --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service_grpc.pb.go 
@@ -0,0 +1,199 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. +// versions: +// - protoc-gen-go-grpc v1.5.1 +// - protoc (unknown) +// source: teleport/decision/v1alpha1/decision_service.proto + +package decisionpb + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.64.0 or later. +const _ = grpc.SupportPackageIsVersion9 + +const ( + DecisionService_EvaluateSSHAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateSSHAccess" + DecisionService_EvaluateDatabaseAccess_FullMethodName = "/teleport.decision.v1alpha1.DecisionService/EvaluateDatabaseAccess" +) + +// DecisionServiceClient is the client API for DecisionService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +// +// DecisionService performs authorization decisions for Teleport. +// +// DecisionService acts the PDP (Policy Decision Point) for Teleport services, +// whereas the services themselves act as the PEP (Policy Enforcement Point). 
+// In other words, it calculates the outcome of an authorization request but +// does not enforce it - each Teleport service must do so. +// +// Evaluation responses carry all the data necessary for the enforcement of a +// decision. A successful evaluation carries a Permit, whereas a failed +// evaluation carries a Denial. +type DecisionServiceClient interface { + // EvaluateSSHAccess evaluates an SSH access attempt. + EvaluateSSHAccess(ctx context.Context, in *EvaluateSSHAccessRequest, opts ...grpc.CallOption) (*EvaluateSSHAccessResponse, error) + // EvaluateDatabaseAccess evaluate a database access attempt. + EvaluateDatabaseAccess(ctx context.Context, in *EvaluateDatabaseAccessRequest, opts ...grpc.CallOption) (*EvaluateDatabaseAccessResponse, error) +} + +type decisionServiceClient struct { + cc grpc.ClientConnInterface +} + +func NewDecisionServiceClient(cc grpc.ClientConnInterface) DecisionServiceClient { + return &decisionServiceClient{cc} +} + +func (c *decisionServiceClient) EvaluateSSHAccess(ctx context.Context, in *EvaluateSSHAccessRequest, opts ...grpc.CallOption) (*EvaluateSSHAccessResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(EvaluateSSHAccessResponse) + err := c.cc.Invoke(ctx, DecisionService_EvaluateSSHAccess_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *decisionServiceClient) EvaluateDatabaseAccess(ctx context.Context, in *EvaluateDatabaseAccessRequest, opts ...grpc.CallOption) (*EvaluateDatabaseAccessResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(EvaluateDatabaseAccessResponse) + err := c.cc.Invoke(ctx, DecisionService_EvaluateDatabaseAccess_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +// DecisionServiceServer is the server API for DecisionService service. 
+// All implementations must embed UnimplementedDecisionServiceServer +// for forward compatibility. +// +// DecisionService performs authorization decisions for Teleport. +// +// DecisionService acts the PDP (Policy Decision Point) for Teleport services, +// whereas the services themselves act as the PEP (Policy Enforcement Point). +// In other words, it calculates the outcome of an authorization request but +// does not enforce it - each Teleport service must do so. +// +// Evaluation responses carry all the data necessary for the enforcement of a +// decision. A successful evaluation carries a Permit, whereas a failed +// evaluation carries a Denial. +type DecisionServiceServer interface { + // EvaluateSSHAccess evaluates an SSH access attempt. + EvaluateSSHAccess(context.Context, *EvaluateSSHAccessRequest) (*EvaluateSSHAccessResponse, error) + // EvaluateDatabaseAccess evaluate a database access attempt. + EvaluateDatabaseAccess(context.Context, *EvaluateDatabaseAccessRequest) (*EvaluateDatabaseAccessResponse, error) + mustEmbedUnimplementedDecisionServiceServer() +} + +// UnimplementedDecisionServiceServer must be embedded to have +// forward compatible implementations. +// +// NOTE: this should be embedded by value instead of pointer to avoid a nil +// pointer dereference when methods are called. 
+type UnimplementedDecisionServiceServer struct{} + +func (UnimplementedDecisionServiceServer) EvaluateSSHAccess(context.Context, *EvaluateSSHAccessRequest) (*EvaluateSSHAccessResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method EvaluateSSHAccess not implemented") +} +func (UnimplementedDecisionServiceServer) EvaluateDatabaseAccess(context.Context, *EvaluateDatabaseAccessRequest) (*EvaluateDatabaseAccessResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method EvaluateDatabaseAccess not implemented") +} +func (UnimplementedDecisionServiceServer) mustEmbedUnimplementedDecisionServiceServer() {} +func (UnimplementedDecisionServiceServer) testEmbeddedByValue() {} + +// UnsafeDecisionServiceServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to DecisionServiceServer will +// result in compilation errors. +type UnsafeDecisionServiceServer interface { + mustEmbedUnimplementedDecisionServiceServer() +} + +func RegisterDecisionServiceServer(s grpc.ServiceRegistrar, srv DecisionServiceServer) { + // If the following call pancis, it indicates UnimplementedDecisionServiceServer was + // embedded by pointer and is nil. This will cause panics if an + // unimplemented method is ever invoked, so we test this at initialization + // time to prevent it from happening at runtime later due to I/O. 
+ if t, ok := srv.(interface{ testEmbeddedByValue() }); ok { + t.testEmbeddedByValue() + } + s.RegisterService(&DecisionService_ServiceDesc, srv) +} + +func _DecisionService_EvaluateSSHAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EvaluateSSHAccessRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DecisionServiceServer).EvaluateSSHAccess(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DecisionService_EvaluateSSHAccess_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DecisionServiceServer).EvaluateSSHAccess(ctx, req.(*EvaluateSSHAccessRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _DecisionService_EvaluateDatabaseAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EvaluateDatabaseAccessRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(DecisionServiceServer).EvaluateDatabaseAccess(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: DecisionService_EvaluateDatabaseAccess_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(DecisionServiceServer).EvaluateDatabaseAccess(ctx, req.(*EvaluateDatabaseAccessRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// DecisionService_ServiceDesc is the grpc.ServiceDesc for DecisionService service. 
+// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var DecisionService_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "teleport.decision.v1alpha1.DecisionService", + HandlerType: (*DecisionServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "EvaluateSSHAccess", + Handler: _DecisionService_EvaluateSSHAccess_Handler, + }, + { + MethodName: "EvaluateDatabaseAccess", + Handler: _DecisionService_EvaluateDatabaseAccess_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "teleport/decision/v1alpha1/decision_service.proto", +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go new file mode 100644 index 0000000000000..196b711084e64 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go 
@@ -0,0 +1,188 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/denial_metadata.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Metadata for access denials. +type DenialMetadata struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy + // Enforcement Point) *must* implement in order to correctly enforce the + // decision. Note that denials rarely need feature assertions since they + // typically "fail safe" anyway. 
+ FeatureAssertions []EnforcementFeature `protobuf:"varint,1,rep,packed,name=feature_assertions,json=featureAssertions,proto3,enum=teleport.decision.v1alpha1.EnforcementFeature" json:"feature_assertions,omitempty"` + // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated + // the decision request. + PdpVersion string `protobuf:"bytes,2,opt,name=pdp_version,json=pdpVersion,proto3" json:"pdp_version,omitempty"` + // UserMessage is a sanitized message safe for return to the subject identity + // of the decision request. + UserMessage string `protobuf:"bytes,3,opt,name=user_message,json=userMessage,proto3" json:"user_message,omitempty"` +} + +func (x *DenialMetadata) Reset() { + *x = DenialMetadata{} + mi := &file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DenialMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DenialMetadata) ProtoMessage() {} + +func (x *DenialMetadata) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DenialMetadata.ProtoReflect.Descriptor instead. 
+func (*DenialMetadata) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *DenialMetadata) GetFeatureAssertions() []EnforcementFeature { + if x != nil { + return x.FeatureAssertions + } + return nil +} + +func (x *DenialMetadata) GetPdpVersion() string { + if x != nil { + return x.PdpVersion + } + return "" +} + +func (x *DenialMetadata) GetUserMessage() string { + if x != nil { + return x.UserMessage + } + return "" +} + +var File_teleport_decision_v1alpha1_denial_metadata_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = []byte{ + 0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e, + 0x69, 0x61, 0x6c, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x34, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66, 0x6f, 0x72, + 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb3, 0x01, 0x0a, 0x0e, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x5d, 0x0a, 0x12, 0x66, 0x65, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 
0x6d, 0x65, 0x6e, 0x74, 0x46, 0x65, 0x61, 0x74, + 0x75, 0x72, 0x65, 0x52, 0x11, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x41, 0x73, 0x73, 0x65, + 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x64, 0x70, 0x5f, 0x76, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x64, 0x70, + 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x21, 0x0a, 0x0c, 0x75, 0x73, 0x65, 0x72, 0x5f, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x75, + 0x73, 0x65, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, + 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var 
file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes = []any{ + (*DenialMetadata)(nil), // 0: teleport.decision.v1alpha1.DenialMetadata + (EnforcementFeature)(0), // 1: teleport.decision.v1alpha1.EnforcementFeature +} +var file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs = []int32{ + 1, // 0: teleport.decision.v1alpha1.DenialMetadata.feature_assertions:type_name -> teleport.decision.v1alpha1.EnforcementFeature + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_denial_metadata_proto_init() } +func file_teleport_decision_v1alpha1_denial_metadata_proto_init() { + if File_teleport_decision_v1alpha1_denial_metadata_proto != nil { + return + } + file_teleport_decision_v1alpha1_enforcement_feature_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_denial_metadata_proto = out.File + file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = nil + file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes = nil + file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs = nil +} 
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go
new file mode 100644
index 0000000000000..c024a46f721a3
--- /dev/null
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go
@@ -0,0 +1,151 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/enforcement_feature.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// EnforcementFeature represents PEP (Policy Enforcement Point) features. +type EnforcementFeature int32 + +const ( + // ENFORCEMENT_FEATURE_UNSPECIFIED is the default/unspecified value for + // EnforcementFeature. Asserting this feature has no effect. + EnforcementFeature_ENFORCEMENT_FEATURE_UNSPECIFIED EnforcementFeature = 0 +) + +// Enum value maps for EnforcementFeature. 
+var ( + EnforcementFeature_name = map[int32]string{ + 0: "ENFORCEMENT_FEATURE_UNSPECIFIED", + } + EnforcementFeature_value = map[string]int32{ + "ENFORCEMENT_FEATURE_UNSPECIFIED": 0, + } +) + +func (x EnforcementFeature) Enum() *EnforcementFeature { + p := new(EnforcementFeature) + *p = x + return p +} + +func (x EnforcementFeature) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (EnforcementFeature) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes[0].Descriptor() +} + +func (EnforcementFeature) Type() protoreflect.EnumType { + return &file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes[0] +} + +func (x EnforcementFeature) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use EnforcementFeature.Descriptor instead. +func (EnforcementFeature) EnumDescriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescGZIP(), []int{0} +} + +var File_teleport_decision_v1alpha1_enforcement_feature_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = []byte{ + 0x0a, 0x34, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66, + 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x2a, 0x39, 0x0a, 0x12, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, + 0x74, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x23, 0x0a, 0x1f, 0x45, 0x4e, 0x46, 0x4f, + 0x52, 0x43, 0x45, 0x4d, 0x45, 0x4e, 0x54, 0x5f, 0x46, 0x45, 0x41, 
0x54, 0x55, 0x52, 0x45, 0x5f, + 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x42, 0x5a, 0x5a, + 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, + 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, +} + +var ( + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes = []any{ + (EnforcementFeature)(0), // 0: teleport.decision.v1alpha1.EnforcementFeature +} +var file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field 
type_name +} + +func init() { file_teleport_decision_v1alpha1_enforcement_feature_proto_init() } +func file_teleport_decision_v1alpha1_enforcement_feature_proto_init() { + if File_teleport_decision_v1alpha1_enforcement_feature_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc, + NumEnums: 1, + NumMessages: 0, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs, + EnumInfos: file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes, + }.Build() + File_teleport_decision_v1alpha1_enforcement_feature_proto = out.File + file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = nil + file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes = nil + file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go new file mode 100644 index 0000000000000..48d7fb90b5b0e --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go 
@@ -0,0 +1,176 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/permit_metadata.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Metadata for access permits. +type PermitMetadata struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // FeatureAssertions is a list of EnforcementFeature that the PEP (Policy + // Enforcement Point) *must* implement in order to correctly enforce the + // decision. Note that where possible new features should be structured to + // "fail safe" rather than relying on feature assertions. 
+ FeatureAssertions []EnforcementFeature `protobuf:"varint,1,rep,packed,name=feature_assertions,json=featureAssertions,proto3,enum=teleport.decision.v1alpha1.EnforcementFeature" json:"feature_assertions,omitempty"` + // PdpVersion is the version of the PDP (Policy Decision Point) that evaluated + // the decision request. + PdpVersion string `protobuf:"bytes,2,opt,name=pdp_version,json=pdpVersion,proto3" json:"pdp_version,omitempty"` +} + +func (x *PermitMetadata) Reset() { + *x = PermitMetadata{} + mi := &file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PermitMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PermitMetadata) ProtoMessage() {} + +func (x *PermitMetadata) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PermitMetadata.ProtoReflect.Descriptor instead. 
+func (*PermitMetadata) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *PermitMetadata) GetFeatureAssertions() []EnforcementFeature { + if x != nil { + return x.FeatureAssertions + } + return nil +} + +func (x *PermitMetadata) GetPdpVersion() string { + if x != nil { + return x.PdpVersion + } + return "" +} + +var File_teleport_decision_v1alpha1_permit_metadata_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = []byte{ + 0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72, + 0x6d, 0x69, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x34, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66, 0x6f, 0x72, + 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x90, 0x01, 0x0a, 0x0e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x5d, 0x0a, 0x12, 0x66, 0x65, 0x61, 0x74, 0x75, + 0x72, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x0e, 0x32, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x45, 0x6e, 0x66, 0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x46, 0x65, 0x61, 0x74, + 0x75, 0x72, 0x65, 0x52, 0x11, 0x66, 0x65, 0x61, 0x74, 0x75, 
0x72, 0x65, 0x41, 0x73, 0x73, 0x65, + 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x64, 0x70, 0x5f, 0x76, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x64, 0x70, + 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes = []any{ + (*PermitMetadata)(nil), // 0: teleport.decision.v1alpha1.PermitMetadata + (EnforcementFeature)(0), // 1: teleport.decision.v1alpha1.EnforcementFeature +} +var file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs = []int32{ + 1, // 0: 
teleport.decision.v1alpha1.PermitMetadata.feature_assertions:type_name -> teleport.decision.v1alpha1.EnforcementFeature + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_permit_metadata_proto_init() } +func file_teleport_decision_v1alpha1_permit_metadata_proto_init() { + if File_teleport_decision_v1alpha1_permit_metadata_proto != nil { + return + } + file_teleport_decision_v1alpha1_enforcement_feature_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_permit_metadata_proto = out.File + file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = nil + file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes = nil + file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go new file mode 100644 index 0000000000000..7755483709400 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go 
@@ -0,0 +1,229 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/request_metadata.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// DecisionFeature represents supported PDP (Policy Decision Point) features. +type DecisionFeature int32 + +const ( + // DECISION_FEATURE_UNSPECIFIED is the default/unspecified value for + // DecisionFeature. Asserting this feature has no effect. + DecisionFeature_DECISION_FEATURE_UNSPECIFIED DecisionFeature = 0 +) + +// Enum value maps for DecisionFeature. 
+var ( + DecisionFeature_name = map[int32]string{ + 0: "DECISION_FEATURE_UNSPECIFIED", + } + DecisionFeature_value = map[string]int32{ + "DECISION_FEATURE_UNSPECIFIED": 0, + } +) + +func (x DecisionFeature) Enum() *DecisionFeature { + p := new(DecisionFeature) + *p = x + return p +} + +func (x DecisionFeature) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (DecisionFeature) Descriptor() protoreflect.EnumDescriptor { + return file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes[0].Descriptor() +} + +func (DecisionFeature) Type() protoreflect.EnumType { + return &file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes[0] +} + +func (x DecisionFeature) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use DecisionFeature.Descriptor instead. +func (DecisionFeature) EnumDescriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP(), []int{0} +} + +// Metadata for evaluation requests. +type RequestMetadata struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // FeatureAssertions is a list of DecisionFeature that the PDP (Policy + // Decision Point) *must* implement in order to correctly evaluate the + // decision request. Note that changes that require new features in the PDP in + // order for it to understand a decision request are rare and should be + // avoided if possible. + FeatureAssertions []DecisionFeature `protobuf:"varint,1,rep,packed,name=feature_assertions,json=featureAssertions,proto3,enum=teleport.decision.v1alpha1.DecisionFeature" json:"feature_assertions,omitempty"` + // PepVersionHint is the *likely* version of the PEP that will enforce the + // decision. Not all decision requests can guarantee that the expected PEP + // (Policy Enforcement Point) version will actually be the version that ends + // up enforcing the decision. 
Hard compatibility requirements must be enforced + // via feature assertions so that PEPs can correctly reject decisions that + // they cannot enforce. + PepVersionHint string `protobuf:"bytes,2,opt,name=pep_version_hint,json=pepVersionHint,proto3" json:"pep_version_hint,omitempty"` +} + +func (x *RequestMetadata) Reset() { + *x = RequestMetadata{} + mi := &file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RequestMetadata) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RequestMetadata) ProtoMessage() {} + +func (x *RequestMetadata) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RequestMetadata.ProtoReflect.Descriptor instead. 
+func (*RequestMetadata) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP(), []int{0} +} + +func (x *RequestMetadata) GetFeatureAssertions() []DecisionFeature { + if x != nil { + return x.FeatureAssertions + } + return nil +} + +func (x *RequestMetadata) GetPepVersionHint() string { + if x != nil { + return x.PepVersionHint + } + return "" +} + +var File_teleport_decision_v1alpha1_request_metadata_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = []byte{ + 0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, + 0x97, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x12, 0x5a, 0x0a, 0x12, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x61, + 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0e, 0x32, + 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x52, 0x11, 0x66, 0x65, + 0x61, 0x74, 0x75, 0x72, 0x65, 0x41, 0x73, 0x73, 0x65, 0x72, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x28, 0x0a, 0x10, 0x70, 0x65, 0x70, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x68, + 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x65, 0x70, 0x56, 0x65, + 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x48, 0x69, 0x6e, 
0x74, 0x2a, 0x33, 0x0a, 0x0f, 0x44, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x46, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x20, 0x0a, 0x1c, + 0x44, 0x45, 0x43, 0x49, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x46, 0x45, 0x41, 0x54, 0x55, 0x52, 0x45, + 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x42, 0x5a, + 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, + 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_request_metadata_proto_goTypes = []any{ + (DecisionFeature)(0), // 0: teleport.decision.v1alpha1.DecisionFeature + (*RequestMetadata)(nil), // 1: 
teleport.decision.v1alpha1.RequestMetadata +} +var file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs = []int32{ + 0, // 0: teleport.decision.v1alpha1.RequestMetadata.feature_assertions:type_name -> teleport.decision.v1alpha1.DecisionFeature + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_request_metadata_proto_init() } +func file_teleport_decision_v1alpha1_request_metadata_proto_init() { + if File_teleport_decision_v1alpha1_request_metadata_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc, + NumEnums: 1, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_request_metadata_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs, + EnumInfos: file_teleport_decision_v1alpha1_request_metadata_proto_enumTypes, + MessageInfos: file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_request_metadata_proto = out.File + file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = nil + file_teleport_decision_v1alpha1_request_metadata_proto_goTypes = nil + file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go new file mode 100644 index 0000000000000..371181ee52344 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go 
@@ -0,0 +1,176 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/resource.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// Resource is the conventional reference type used to refer to the "object" of +// an action that is being considered for an authorization decision. For +// example, a call to EvaluateSSHAccess would use the Resource type to reference +// the ssh node being accessed. +type Resource struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Kind is the type of the resource. Required for requests that support + // multiple types, otherwise safe to omit. + Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"` + // SubKind is the subtype of the resource. 
Usually not required as most + // resources don't have subkinds, or their subkinds do not have an effect on + // authorization decisions. + SubKind string `protobuf:"bytes,2,opt,name=sub_kind,json=subKind,proto3" json:"sub_kind,omitempty"` + // Name is the unique name of the resource. + Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"` +} + +func (x *Resource) Reset() { + *x = Resource{} + mi := &file_teleport_decision_v1alpha1_resource_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Resource) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Resource) ProtoMessage() {} + +func (x *Resource) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_resource_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Resource.ProtoReflect.Descriptor instead. 
+func (*Resource) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_resource_proto_rawDescGZIP(), []int{0} +} + +func (x *Resource) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *Resource) GetSubKind() string { + if x != nil { + return x.SubKind + } + return "" +} + +func (x *Resource) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +var File_teleport_decision_v1alpha1_resource_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_resource_proto_rawDesc = []byte{ + 0x0a, 0x29, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x4d, 0x0a, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, + 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, + 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, + 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 
0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_resource_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_resource_proto_rawDescData = file_teleport_decision_v1alpha1_resource_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_resource_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_resource_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_resource_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_resource_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_resource_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_resource_proto_goTypes = []any{ + (*Resource)(nil), // 0: teleport.decision.v1alpha1.Resource +} +var file_teleport_decision_v1alpha1_resource_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_resource_proto_init() } +func file_teleport_decision_v1alpha1_resource_proto_init() { + if File_teleport_decision_v1alpha1_resource_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_resource_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_resource_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_resource_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_resource_proto_msgTypes, + }.Build() + 
File_teleport_decision_v1alpha1_resource_proto = out.File + file_teleport_decision_v1alpha1_resource_proto_rawDesc = nil + file_teleport_decision_v1alpha1_resource_proto_goTypes = nil + file_teleport_decision_v1alpha1_resource_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go new file mode 100644 index 0000000000000..ad064dfd34b3e --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go 
@@ -0,0 +1,599 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/ssh_access.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + durationpb "google.golang.org/protobuf/types/known/durationpb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// EvaluateSSHAccessRequest describes a request to evaluate whether or not a +// given ssh access attempt should be permitted. +type EvaluateSSHAccessRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Metadata holds common authorization decision request fields. + Metadata *RequestMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + // User describes the teleport user requesting access. 
+ SshIdentity *SSHIdentity `protobuf:"bytes,2,opt,name=ssh_identity,json=sshIdentity,proto3" json:"ssh_identity,omitempty"` + // Node references the target node the user is attempting to access. + Node *Resource `protobuf:"bytes,3,opt,name=node,proto3" json:"node,omitempty"` +} + +func (x *EvaluateSSHAccessRequest) Reset() { + *x = EvaluateSSHAccessRequest{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateSSHAccessRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateSSHAccessRequest) ProtoMessage() {} + +func (x *EvaluateSSHAccessRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateSSHAccessRequest.ProtoReflect.Descriptor instead. +func (*EvaluateSSHAccessRequest) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{0} +} + +func (x *EvaluateSSHAccessRequest) GetMetadata() *RequestMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *EvaluateSSHAccessRequest) GetSshIdentity() *SSHIdentity { + if x != nil { + return x.SshIdentity + } + return nil +} + +func (x *EvaluateSSHAccessRequest) GetNode() *Resource { + if x != nil { + return x.Node + } + return nil +} + +// EvaluateSSHAccessResponse describes the result of an SSH access evaluation. 
+type EvaluateSSHAccessResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Decision: + // + // *EvaluateSSHAccessResponse_Permit + // *EvaluateSSHAccessResponse_Denial + Decision isEvaluateSSHAccessResponse_Decision `protobuf_oneof:"decision"` +} + +func (x *EvaluateSSHAccessResponse) Reset() { + *x = EvaluateSSHAccessResponse{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *EvaluateSSHAccessResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*EvaluateSSHAccessResponse) ProtoMessage() {} + +func (x *EvaluateSSHAccessResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use EvaluateSSHAccessResponse.ProtoReflect.Descriptor instead. 
+func (*EvaluateSSHAccessResponse) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{1} +} + +func (m *EvaluateSSHAccessResponse) GetDecision() isEvaluateSSHAccessResponse_Decision { + if m != nil { + return m.Decision + } + return nil +} + +func (x *EvaluateSSHAccessResponse) GetPermit() *SSHAccessPermit { + if x, ok := x.GetDecision().(*EvaluateSSHAccessResponse_Permit); ok { + return x.Permit + } + return nil +} + +func (x *EvaluateSSHAccessResponse) GetDenial() *SSHAccessDenial { + if x, ok := x.GetDecision().(*EvaluateSSHAccessResponse_Denial); ok { + return x.Denial + } + return nil +} + +type isEvaluateSSHAccessResponse_Decision interface { + isEvaluateSSHAccessResponse_Decision() +} + +type EvaluateSSHAccessResponse_Permit struct { + Permit *SSHAccessPermit `protobuf:"bytes,1,opt,name=permit,proto3,oneof"` +} + +type EvaluateSSHAccessResponse_Denial struct { + Denial *SSHAccessDenial `protobuf:"bytes,2,opt,name=denial,proto3,oneof"` +} + +func (*EvaluateSSHAccessResponse_Permit) isEvaluateSSHAccessResponse_Decision() {} + +func (*EvaluateSSHAccessResponse_Denial) isEvaluateSSHAccessResponse_Decision() {} + +// SSHAccessPermit describes the parameters/constraints of a permissible SSH +// access attempt. 
+type SSHAccessPermit struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *PermitMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` + Logins []string `protobuf:"bytes,2,rep,name=logins,proto3" json:"logins,omitempty"` + ForwardAgent bool `protobuf:"varint,3,opt,name=forward_agent,json=forwardAgent,proto3" json:"forward_agent,omitempty"` + MaxSessionTtl *durationpb.Duration `protobuf:"bytes,4,opt,name=max_session_ttl,json=maxSessionTtl,proto3" json:"max_session_ttl,omitempty"` + PortForwarding bool `protobuf:"varint,5,opt,name=port_forwarding,json=portForwarding,proto3" json:"port_forwarding,omitempty"` + ClientIdleTimeout int64 `protobuf:"varint,6,opt,name=client_idle_timeout,json=clientIdleTimeout,proto3" json:"client_idle_timeout,omitempty"` + DisconnectExpiredCert bool `protobuf:"varint,7,opt,name=disconnect_expired_cert,json=disconnectExpiredCert,proto3" json:"disconnect_expired_cert,omitempty"` + Bpf []string `protobuf:"bytes,8,rep,name=bpf,proto3" json:"bpf,omitempty"` + X11Forwarding bool `protobuf:"varint,9,opt,name=x11_forwarding,json=x11Forwarding,proto3" json:"x11_forwarding,omitempty"` + MaxConnections int64 `protobuf:"varint,10,opt,name=max_connections,json=maxConnections,proto3" json:"max_connections,omitempty"` + MaxSessions int64 `protobuf:"varint,11,opt,name=max_sessions,json=maxSessions,proto3" json:"max_sessions,omitempty"` + Lock string `protobuf:"bytes,12,opt,name=lock,proto3" json:"lock,omitempty"` + CreateHostUser bool `protobuf:"varint,13,opt,name=create_host_user,json=createHostUser,proto3" json:"create_host_user,omitempty"` + SshFileCopy bool `protobuf:"varint,14,opt,name=ssh_file_copy,json=sshFileCopy,proto3" json:"ssh_file_copy,omitempty"` + CreateHostUserMode string `protobuf:"bytes,15,opt,name=create_host_user_mode,json=createHostUserMode,proto3" json:"create_host_user_mode,omitempty"` + CreateHostUserShell string 
`protobuf:"bytes,16,opt,name=create_host_user_shell,json=createHostUserShell,proto3" json:"create_host_user_shell,omitempty"` + HostGroups []string `protobuf:"bytes,17,rep,name=host_groups,json=hostGroups,proto3" json:"host_groups,omitempty"` + HostSudoers []string `protobuf:"bytes,18,rep,name=host_sudoers,json=hostSudoers,proto3" json:"host_sudoers,omitempty"` +} + +func (x *SSHAccessPermit) Reset() { + *x = SSHAccessPermit{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SSHAccessPermit) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SSHAccessPermit) ProtoMessage() {} + +func (x *SSHAccessPermit) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SSHAccessPermit.ProtoReflect.Descriptor instead. 
+func (*SSHAccessPermit) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{2} +} + +func (x *SSHAccessPermit) GetMetadata() *PermitMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +func (x *SSHAccessPermit) GetLogins() []string { + if x != nil { + return x.Logins + } + return nil +} + +func (x *SSHAccessPermit) GetForwardAgent() bool { + if x != nil { + return x.ForwardAgent + } + return false +} + +func (x *SSHAccessPermit) GetMaxSessionTtl() *durationpb.Duration { + if x != nil { + return x.MaxSessionTtl + } + return nil +} + +func (x *SSHAccessPermit) GetPortForwarding() bool { + if x != nil { + return x.PortForwarding + } + return false +} + +func (x *SSHAccessPermit) GetClientIdleTimeout() int64 { + if x != nil { + return x.ClientIdleTimeout + } + return 0 +} + +func (x *SSHAccessPermit) GetDisconnectExpiredCert() bool { + if x != nil { + return x.DisconnectExpiredCert + } + return false +} + +func (x *SSHAccessPermit) GetBpf() []string { + if x != nil { + return x.Bpf + } + return nil +} + +func (x *SSHAccessPermit) GetX11Forwarding() bool { + if x != nil { + return x.X11Forwarding + } + return false +} + +func (x *SSHAccessPermit) GetMaxConnections() int64 { + if x != nil { + return x.MaxConnections + } + return 0 +} + +func (x *SSHAccessPermit) GetMaxSessions() int64 { + if x != nil { + return x.MaxSessions + } + return 0 +} + +func (x *SSHAccessPermit) GetLock() string { + if x != nil { + return x.Lock + } + return "" +} + +func (x *SSHAccessPermit) GetCreateHostUser() bool { + if x != nil { + return x.CreateHostUser + } + return false +} + +func (x *SSHAccessPermit) GetSshFileCopy() bool { + if x != nil { + return x.SshFileCopy + } + return false +} + +func (x *SSHAccessPermit) GetCreateHostUserMode() string { + if x != nil { + return x.CreateHostUserMode + } + return "" +} + +func (x *SSHAccessPermit) GetCreateHostUserShell() string { + if x != nil { + return 
x.CreateHostUserShell + } + return "" +} + +func (x *SSHAccessPermit) GetHostGroups() []string { + if x != nil { + return x.HostGroups + } + return nil +} + +func (x *SSHAccessPermit) GetHostSudoers() []string { + if x != nil { + return x.HostSudoers + } + return nil +} + +// SSHAccessDenial describes an SSH access denial. +type SSHAccessDenial struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Metadata *DenialMetadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` +} + +func (x *SSHAccessDenial) Reset() { + *x = SSHAccessDenial{} + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SSHAccessDenial) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SSHAccessDenial) ProtoMessage() {} + +func (x *SSHAccessDenial) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SSHAccessDenial.ProtoReflect.Descriptor instead. 
+func (*SSHAccessDenial) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP(), []int{3} +} + +func (x *SSHAccessDenial) GetMetadata() *DenialMetadata { + if x != nil { + return x.Metadata + } + return nil +} + +var File_teleport_decision_v1alpha1_ssh_access_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = []byte{ + 0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, + 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x5f, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x30, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x5f, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x31, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, + 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x1a, 0x29, 
0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, 0x5f, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe9, 0x01, 0x0a, 0x18, 0x45, + 0x76, 0x61, 0x6c, 0x75, 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x47, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, + 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, + 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x4d, 0x65, + 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x12, 0x4a, 0x0a, 0x0c, 0x73, 0x73, 0x68, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x53, 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, + 0x0b, 0x73, 0x73, 0x68, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x38, 0x0a, 0x04, + 0x6e, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x52, 0x04, 0x6e, 0x6f, 0x64, 0x65, 0x22, 0xb5, 
0x01, 0x0a, 0x19, 0x45, 0x76, 0x61, 0x6c, 0x75, + 0x61, 0x74, 0x65, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x45, 0x0a, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, + 0x74, 0x48, 0x00, 0x52, 0x06, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x12, 0x45, 0x0a, 0x06, 0x64, + 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, + 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x48, 0x00, 0x52, 0x06, 0x64, 0x65, 0x6e, 0x69, + 0x61, 0x6c, 0x42, 0x0a, 0x0a, 0x08, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0xfd, + 0x05, 0x0a, 0x0f, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, + 0x69, 0x74, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, + 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x6f, + 0x67, 0x69, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x6c, 0x6f, 0x67, 0x69, + 0x6e, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x61, 0x67, + 0x65, 0x6e, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x66, 0x6f, 0x72, 
0x77, 0x61, + 0x72, 0x64, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x73, + 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x74, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x61, 0x78, + 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x74, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x6f, + 0x72, 0x74, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x0e, 0x70, 0x6f, 0x72, 0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, + 0x69, 0x6e, 0x67, 0x12, 0x2e, 0x0a, 0x13, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, + 0x6c, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x11, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x6c, 0x65, 0x54, 0x69, 0x6d, 0x65, + 0x6f, 0x75, 0x74, 0x12, 0x36, 0x0a, 0x17, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, + 0x74, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, + 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x62, + 0x70, 0x66, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x62, 0x70, 0x66, 0x12, 0x25, 0x0a, + 0x0e, 0x78, 0x31, 0x31, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x78, 0x31, 0x31, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, + 0x64, 0x69, 0x6e, 0x67, 0x12, 0x27, 0x0a, 0x0f, 0x6d, 0x61, 0x78, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, + 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x6d, + 0x61, 0x78, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x21, 0x0a, + 0x0c, 0x6d, 0x61, 0x78, 
0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0b, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x0b, 0x6d, 0x61, 0x78, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x6f, 0x63, 0x6b, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x6c, 0x6f, 0x63, 0x6b, 0x12, 0x28, 0x0a, 0x10, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x68, + 0x6f, 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, + 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x55, 0x73, 0x65, 0x72, 0x12, 0x22, + 0x0a, 0x0d, 0x73, 0x73, 0x68, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x63, 0x6f, 0x70, 0x79, 0x18, + 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x73, 0x68, 0x46, 0x69, 0x6c, 0x65, 0x43, 0x6f, + 0x70, 0x79, 0x12, 0x31, 0x0a, 0x15, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x6f, 0x73, + 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x0f, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x12, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x55, 0x73, 0x65, + 0x72, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x33, 0x0a, 0x16, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, + 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x18, + 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, + 0x74, 0x55, 0x73, 0x65, 0x72, 0x53, 0x68, 0x65, 0x6c, 0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x68, 0x6f, + 0x73, 0x74, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, + 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x68, + 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x75, 0x64, 0x6f, 0x65, 0x72, 0x73, 0x18, 0x12, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x53, 0x75, 0x64, 0x6f, 0x65, 0x72, 0x73, 0x22, 0x59, + 0x0a, 0x0f, 0x53, 0x53, 0x48, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x44, 0x65, 0x6e, 0x69, 0x61, + 0x6c, 0x12, 0x46, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 
0x61, 0x74, 0x61, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x44, 0x65, 0x6e, 0x69, 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, + 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_teleport_decision_v1alpha1_ssh_access_proto_goTypes = []any{ + (*EvaluateSSHAccessRequest)(nil), // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest + (*EvaluateSSHAccessResponse)(nil), // 1: teleport.decision.v1alpha1.EvaluateSSHAccessResponse + (*SSHAccessPermit)(nil), // 2: 
teleport.decision.v1alpha1.SSHAccessPermit + (*SSHAccessDenial)(nil), // 3: teleport.decision.v1alpha1.SSHAccessDenial + (*RequestMetadata)(nil), // 4: teleport.decision.v1alpha1.RequestMetadata + (*SSHIdentity)(nil), // 5: teleport.decision.v1alpha1.SSHIdentity + (*Resource)(nil), // 6: teleport.decision.v1alpha1.Resource + (*PermitMetadata)(nil), // 7: teleport.decision.v1alpha1.PermitMetadata + (*durationpb.Duration)(nil), // 8: google.protobuf.Duration + (*DenialMetadata)(nil), // 9: teleport.decision.v1alpha1.DenialMetadata +} +var file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs = []int32{ + 4, // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest.metadata:type_name -> teleport.decision.v1alpha1.RequestMetadata + 5, // 1: teleport.decision.v1alpha1.EvaluateSSHAccessRequest.ssh_identity:type_name -> teleport.decision.v1alpha1.SSHIdentity + 6, // 2: teleport.decision.v1alpha1.EvaluateSSHAccessRequest.node:type_name -> teleport.decision.v1alpha1.Resource + 2, // 3: teleport.decision.v1alpha1.EvaluateSSHAccessResponse.permit:type_name -> teleport.decision.v1alpha1.SSHAccessPermit + 3, // 4: teleport.decision.v1alpha1.EvaluateSSHAccessResponse.denial:type_name -> teleport.decision.v1alpha1.SSHAccessDenial + 7, // 5: teleport.decision.v1alpha1.SSHAccessPermit.metadata:type_name -> teleport.decision.v1alpha1.PermitMetadata + 8, // 6: teleport.decision.v1alpha1.SSHAccessPermit.max_session_ttl:type_name -> google.protobuf.Duration + 9, // 7: teleport.decision.v1alpha1.SSHAccessDenial.metadata:type_name -> teleport.decision.v1alpha1.DenialMetadata + 8, // [8:8] is the sub-list for method output_type + 8, // [8:8] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_ssh_access_proto_init() } +func file_teleport_decision_v1alpha1_ssh_access_proto_init() { + if 
File_teleport_decision_v1alpha1_ssh_access_proto != nil { + return + } + file_teleport_decision_v1alpha1_denial_metadata_proto_init() + file_teleport_decision_v1alpha1_permit_metadata_proto_init() + file_teleport_decision_v1alpha1_request_metadata_proto_init() + file_teleport_decision_v1alpha1_resource_proto_init() + file_teleport_decision_v1alpha1_ssh_identity_proto_init() + file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes[1].OneofWrappers = []any{ + (*EvaluateSSHAccessResponse_Permit)(nil), + (*EvaluateSSHAccessResponse_Denial)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc, + NumEnums: 0, + NumMessages: 4, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_ssh_access_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_ssh_access_proto = out.File + file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = nil + file_teleport_decision_v1alpha1_ssh_access_proto_goTypes = nil + file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go new file mode 100644 index 0000000000000..252275b905871 --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go 
@@ -0,0 +1,138 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/ssh_identity.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// SSHIdentity is the identity used for SSH connections. 
+type SSHIdentity struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *SSHIdentity) Reset() { + *x = SSHIdentity{} + mi := &file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *SSHIdentity) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SSHIdentity) ProtoMessage() {} + +func (x *SSHIdentity) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SSHIdentity.ProtoReflect.Descriptor instead. +func (*SSHIdentity) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP(), []int{0} +} + +var File_teleport_decision_v1alpha1_ssh_identity_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68, + 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x0d, 0x0a, 0x0b, 0x53, + 0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 
0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, + 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, + 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes = []any{ + (*SSHIdentity)(nil), // 0: teleport.decision.v1alpha1.SSHIdentity +} +var file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_ssh_identity_proto_init() } +func file_teleport_decision_v1alpha1_ssh_identity_proto_init() { + if File_teleport_decision_v1alpha1_ssh_identity_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 
0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_ssh_identity_proto = out.File + file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = nil + file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes = nil + file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs = nil +} diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go new file mode 100644 index 0000000000000..fa21d5b6498ee --- /dev/null +++ b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go 
@@ -0,0 +1,1042 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.35.2 +// protoc (unknown) +// source: teleport/decision/v1alpha1/tls_identity.proto + +package decisionpb + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// TLSIdentity is the identity used for TLS connections. +type TLSIdentity struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Username is a username or name of the node connection. + Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` + // Impersonator is a username of a user impersonating this user. + Impersonator string `protobuf:"bytes,2,opt,name=impersonator,proto3" json:"impersonator,omitempty"` + // Groups is a list of groups (Teleport roles) encoded in the identity. 
+ Groups []string `protobuf:"bytes,3,rep,name=groups,proto3" json:"groups,omitempty"` + // SystemRoles is a list of system roles (e.g. auth, proxy, node, etc) used in + // "multi-role" certificates. Single-role certificates encode the system role + // in `Groups` for back-compat reasons. + SystemRoles []string `protobuf:"bytes,4,rep,name=system_roles,json=systemRoles,proto3" json:"system_roles,omitempty"` + // Usage is a list of usage restrictions encoded in the identity. + Usage []string `protobuf:"bytes,5,rep,name=usage,proto3" json:"usage,omitempty"` + // Principals is a list of Unix logins allowed. + Principals []string `protobuf:"bytes,6,rep,name=principals,proto3" json:"principals,omitempty"` + // KubernetesGroups is a list of Kubernetes groups allowed. + KubernetesGroups []string `protobuf:"bytes,7,rep,name=kubernetes_groups,json=kubernetesGroups,proto3" json:"kubernetes_groups,omitempty"` + // KubernetesUsers is a list of Kubernetes users allowed. + KubernetesUsers []string `protobuf:"bytes,8,rep,name=kubernetes_users,json=kubernetesUsers,proto3" json:"kubernetes_users,omitempty"` + // Expires specifies whenever the session will expire. + Expires *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=expires,proto3" json:"expires,omitempty"` + // RouteToCluster specifies the target cluster. + RouteToCluster string `protobuf:"bytes,10,opt,name=route_to_cluster,json=routeToCluster,proto3" json:"route_to_cluster,omitempty"` + // KubernetesCluster specifies the target kubernetes cluster for TLS + // identities. This can be empty on older Teleport clients. + KubernetesCluster string `protobuf:"bytes,11,opt,name=kubernetes_cluster,json=kubernetesCluster,proto3" json:"kubernetes_cluster,omitempty"` + // Traits hold claim data used to populate a role at runtime. + Traits []*Trait `protobuf:"bytes,12,rep,name=traits,proto3" json:"traits,omitempty"` + // RouteToApp holds routing information for applications. 
Routing metadata + // allows Teleport web proxy to route HTTP requests to the appropriate cluster + // and Teleport application proxy within the cluster. + RouteToApp *RouteToApp `protobuf:"bytes,13,opt,name=route_to_app,json=routeToApp,proto3" json:"route_to_app,omitempty"` + // TeleportCluster is the name of the teleport cluster that this identity + // originated from. For TLS certs this may not be the same as cert issuer, in + // case of multi-hop requests that originate from a remote cluster. + TeleportCluster string `protobuf:"bytes,14,opt,name=teleport_cluster,json=teleportCluster,proto3" json:"teleport_cluster,omitempty"` + // RouteToDatabase contains routing information for databases. + RouteToDatabase *RouteToDatabase `protobuf:"bytes,15,opt,name=route_to_database,json=routeToDatabase,proto3" json:"route_to_database,omitempty"` + // DatabaseNames is a list of allowed database names. + DatabaseNames []string `protobuf:"bytes,16,rep,name=database_names,json=databaseNames,proto3" json:"database_names,omitempty"` + // DatabaseUsers is a list of allowed database users. + DatabaseUsers []string `protobuf:"bytes,17,rep,name=database_users,json=databaseUsers,proto3" json:"database_users,omitempty"` + // MFAVerified is the UUID of an MFA device when this Identity was + // confirmed immediately after an MFA check. + MfaVerified string `protobuf:"bytes,18,opt,name=mfa_verified,json=mfaVerified,proto3" json:"mfa_verified,omitempty"` + // PreviousIdentityExpires is the expiry time of the identity/cert that this + // identity/cert was derived from. It is used to determine a session's hard + // deadline in cases where both require_session_mfa and + // disconnect_expired_cert are enabled. + // See https://github.com/gravitational/teleport/issues/18544. 
+ PreviousIdentityExpires *timestamppb.Timestamp `protobuf:"bytes,19,opt,name=previous_identity_expires,json=previousIdentityExpires,proto3" json:"previous_identity_expires,omitempty"` + // LoginIP is an observed IP of the client that this Identity represents. + LoginIp string `protobuf:"bytes,20,opt,name=login_ip,json=loginIp,proto3" json:"login_ip,omitempty"` + // PinnedIP is an IP the certificate is pinned to. + PinnedIp string `protobuf:"bytes,21,opt,name=pinned_ip,json=pinnedIp,proto3" json:"pinned_ip,omitempty"` + // AWSRoleARNs is a list of allowed AWS role ARNs user can assume. + AwsRoleArns []string `protobuf:"bytes,22,rep,name=aws_role_arns,json=awsRoleArns,proto3" json:"aws_role_arns,omitempty"` + // AzureIdentities is a list of allowed Azure identities user can assume. + AzureIdentities []string `protobuf:"bytes,23,rep,name=azure_identities,json=azureIdentities,proto3" json:"azure_identities,omitempty"` + // GCPServiceAccounts is a list of allowed GCP service accounts that the user + // can assume. + GcpServiceAccounts []string `protobuf:"bytes,24,rep,name=gcp_service_accounts,json=gcpServiceAccounts,proto3" json:"gcp_service_accounts,omitempty"` + // ActiveRequests is a list of UUIDs of active requests for this Identity. + ActiveRequests []string `protobuf:"bytes,25,rep,name=active_requests,json=activeRequests,proto3" json:"active_requests,omitempty"` + // DisallowReissue is a flag that, if set, instructs the auth server to deny + // any attempts to reissue new certificates while authenticated with this + // certificate. + DisallowReissue bool `protobuf:"varint,26,opt,name=disallow_reissue,json=disallowReissue,proto3" json:"disallow_reissue,omitempty"` + // Renewable indicates that this identity is allowed to renew it's own + // credentials. This is only enabled for certificate renewal bots. 
+ Renewable bool `protobuf:"varint,27,opt,name=renewable,proto3" json:"renewable,omitempty"` + // Generation counts the number of times this certificate has been renewed. + Generation uint64 `protobuf:"varint,28,opt,name=generation,proto3" json:"generation,omitempty"` + // BotName indicates the name of the Machine ID bot this identity was issued + // to, if any. + BotName string `protobuf:"bytes,29,opt,name=bot_name,json=botName,proto3" json:"bot_name,omitempty"` + // BotInstanceID is a unique identifier for Machine ID bots that is persisted + // through renewals. + BotInstanceId string `protobuf:"bytes,30,opt,name=bot_instance_id,json=botInstanceId,proto3" json:"bot_instance_id,omitempty"` + // AllowedResourceIDs lists the resources the identity should be allowed to + // access. + AllowedResourceIds []*ResourceID `protobuf:"bytes,31,rep,name=allowed_resource_ids,json=allowedResourceIds,proto3" json:"allowed_resource_ids,omitempty"` + // PrivateKeyPolicy is the private key policy supported by this identity. + PrivateKeyPolicy string `protobuf:"bytes,32,opt,name=private_key_policy,json=privateKeyPolicy,proto3" json:"private_key_policy,omitempty"` + // ConnectionDiagnosticID is used to add connection diagnostic messages when + // Testing a Connection. + ConnectionDiagnosticId string `protobuf:"bytes,33,opt,name=connection_diagnostic_id,json=connectionDiagnosticId,proto3" json:"connection_diagnostic_id,omitempty"` + // DeviceExtensions holds device-aware extensions for the identity. + DeviceExtensions *DeviceExtensions `protobuf:"bytes,34,opt,name=device_extensions,json=deviceExtensions,proto3" json:"device_extensions,omitempty"` + // UserType indicates if the User was created by an SSO Provider or locally. 
+ UserType string `protobuf:"bytes,35,opt,name=user_type,json=userType,proto3" json:"user_type,omitempty"` +} + +func (x *TLSIdentity) Reset() { + *x = TLSIdentity{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TLSIdentity) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TLSIdentity) ProtoMessage() {} + +func (x *TLSIdentity) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TLSIdentity.ProtoReflect.Descriptor instead. +func (*TLSIdentity) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{0} +} + +func (x *TLSIdentity) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *TLSIdentity) GetImpersonator() string { + if x != nil { + return x.Impersonator + } + return "" +} + +func (x *TLSIdentity) GetGroups() []string { + if x != nil { + return x.Groups + } + return nil +} + +func (x *TLSIdentity) GetSystemRoles() []string { + if x != nil { + return x.SystemRoles + } + return nil +} + +func (x *TLSIdentity) GetUsage() []string { + if x != nil { + return x.Usage + } + return nil +} + +func (x *TLSIdentity) GetPrincipals() []string { + if x != nil { + return x.Principals + } + return nil +} + +func (x *TLSIdentity) GetKubernetesGroups() []string { + if x != nil { + return x.KubernetesGroups + } + return nil +} + +func (x *TLSIdentity) GetKubernetesUsers() []string { + if x != nil { + return x.KubernetesUsers + } + return nil +} + +func (x *TLSIdentity) GetExpires() *timestamppb.Timestamp { + if x != nil { + return x.Expires + } + return nil +} + +func (x *TLSIdentity) 
GetRouteToCluster() string { + if x != nil { + return x.RouteToCluster + } + return "" +} + +func (x *TLSIdentity) GetKubernetesCluster() string { + if x != nil { + return x.KubernetesCluster + } + return "" +} + +func (x *TLSIdentity) GetTraits() []*Trait { + if x != nil { + return x.Traits + } + return nil +} + +func (x *TLSIdentity) GetRouteToApp() *RouteToApp { + if x != nil { + return x.RouteToApp + } + return nil +} + +func (x *TLSIdentity) GetTeleportCluster() string { + if x != nil { + return x.TeleportCluster + } + return "" +} + +func (x *TLSIdentity) GetRouteToDatabase() *RouteToDatabase { + if x != nil { + return x.RouteToDatabase + } + return nil +} + +func (x *TLSIdentity) GetDatabaseNames() []string { + if x != nil { + return x.DatabaseNames + } + return nil +} + +func (x *TLSIdentity) GetDatabaseUsers() []string { + if x != nil { + return x.DatabaseUsers + } + return nil +} + +func (x *TLSIdentity) GetMfaVerified() string { + if x != nil { + return x.MfaVerified + } + return "" +} + +func (x *TLSIdentity) GetPreviousIdentityExpires() *timestamppb.Timestamp { + if x != nil { + return x.PreviousIdentityExpires + } + return nil +} + +func (x *TLSIdentity) GetLoginIp() string { + if x != nil { + return x.LoginIp + } + return "" +} + +func (x *TLSIdentity) GetPinnedIp() string { + if x != nil { + return x.PinnedIp + } + return "" +} + +func (x *TLSIdentity) GetAwsRoleArns() []string { + if x != nil { + return x.AwsRoleArns + } + return nil +} + +func (x *TLSIdentity) GetAzureIdentities() []string { + if x != nil { + return x.AzureIdentities + } + return nil +} + +func (x *TLSIdentity) GetGcpServiceAccounts() []string { + if x != nil { + return x.GcpServiceAccounts + } + return nil +} + +func (x *TLSIdentity) GetActiveRequests() []string { + if x != nil { + return x.ActiveRequests + } + return nil +} + +func (x *TLSIdentity) GetDisallowReissue() bool { + if x != nil { + return x.DisallowReissue + } + return false +} + +func (x *TLSIdentity) GetRenewable() 
bool { + if x != nil { + return x.Renewable + } + return false +} + +func (x *TLSIdentity) GetGeneration() uint64 { + if x != nil { + return x.Generation + } + return 0 +} + +func (x *TLSIdentity) GetBotName() string { + if x != nil { + return x.BotName + } + return "" +} + +func (x *TLSIdentity) GetBotInstanceId() string { + if x != nil { + return x.BotInstanceId + } + return "" +} + +func (x *TLSIdentity) GetAllowedResourceIds() []*ResourceID { + if x != nil { + return x.AllowedResourceIds + } + return nil +} + +func (x *TLSIdentity) GetPrivateKeyPolicy() string { + if x != nil { + return x.PrivateKeyPolicy + } + return "" +} + +func (x *TLSIdentity) GetConnectionDiagnosticId() string { + if x != nil { + return x.ConnectionDiagnosticId + } + return "" +} + +func (x *TLSIdentity) GetDeviceExtensions() *DeviceExtensions { + if x != nil { + return x.DeviceExtensions + } + return nil +} + +func (x *TLSIdentity) GetUserType() string { + if x != nil { + return x.UserType + } + return "" +} + +// Trait encodes a single key-values pair from a user's traits. +type Trait struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // name is the "key" of the trait. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // values is the list of values the trait name maps to. 
+ Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` +} + +func (x *Trait) Reset() { + *x = Trait{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *Trait) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Trait) ProtoMessage() {} + +func (x *Trait) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Trait.ProtoReflect.Descriptor instead. +func (*Trait) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{1} +} + +func (x *Trait) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *Trait) GetValues() []string { + if x != nil { + return x.Values + } + return nil +} + +// RouteToApp holds routing information for applications. +type RouteToApp struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // SessionID is an ID used to identify application sessions created by this + // certificate. + SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"` + // PublicAddr (and ClusterName) are used to route requests issued with this + // certificate to the appropriate application proxy/cluster. + PublicAddr string `protobuf:"bytes,2,opt,name=public_addr,json=publicAddr,proto3" json:"public_addr,omitempty"` + // ClusterName (and PublicAddr) are used to route requests issued with this + // certificate to the appropriate application proxy/cluster. 
+ ClusterName string `protobuf:"bytes,3,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` + // Name is the app name. + Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"` + // AWSRoleARN is the AWS role to assume when accessing AWS console. + AwsRoleArn string `protobuf:"bytes,5,opt,name=aws_role_arn,json=awsRoleArn,proto3" json:"aws_role_arn,omitempty"` + // AzureIdentity is the Azure identity to assume when accessing Azure API. + AzureIdentity string `protobuf:"bytes,6,opt,name=azure_identity,json=azureIdentity,proto3" json:"azure_identity,omitempty"` + // GCPServiceAccount is the GCP service account to assume when accessing GCP + // API. + GcpServiceAccount string `protobuf:"bytes,7,opt,name=gcp_service_account,json=gcpServiceAccount,proto3" json:"gcp_service_account,omitempty"` + // URI is the URI of the app. This is the internal endpoint where the + // application is running and isn't user-facing. + Uri string `protobuf:"bytes,8,opt,name=uri,proto3" json:"uri,omitempty"` +} + +func (x *RouteToApp) Reset() { + *x = RouteToApp{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RouteToApp) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RouteToApp) ProtoMessage() {} + +func (x *RouteToApp) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RouteToApp.ProtoReflect.Descriptor instead. 
+func (*RouteToApp) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{2} +} + +func (x *RouteToApp) GetSessionId() string { + if x != nil { + return x.SessionId + } + return "" +} + +func (x *RouteToApp) GetPublicAddr() string { + if x != nil { + return x.PublicAddr + } + return "" +} + +func (x *RouteToApp) GetClusterName() string { + if x != nil { + return x.ClusterName + } + return "" +} + +func (x *RouteToApp) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *RouteToApp) GetAwsRoleArn() string { + if x != nil { + return x.AwsRoleArn + } + return "" +} + +func (x *RouteToApp) GetAzureIdentity() string { + if x != nil { + return x.AzureIdentity + } + return "" +} + +func (x *RouteToApp) GetGcpServiceAccount() string { + if x != nil { + return x.GcpServiceAccount + } + return "" +} + +func (x *RouteToApp) GetUri() string { + if x != nil { + return x.Uri + } + return "" +} + +// RouteToDatabase contains routing information for databases. +type RouteToDatabase struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // ServiceName is the name of the Teleport database proxy service to route + // requests to. + ServiceName string `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"` + // Protocol is the database protocol. + // + // It is embedded in identity so clients can understand what type of database + // this is without contacting server. + Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"` + // Username is an optional database username to serve as a default username to + // connect as. + Username string `protobuf:"bytes,3,opt,name=username,proto3" json:"username,omitempty"` + // Database is an optional database name to serve as a default database to + // connect to. 
+ Database string `protobuf:"bytes,4,opt,name=database,proto3" json:"database,omitempty"` + // Roles is an optional list of database roles to use for a database session. + // This list should be a subset of allowed database roles. If not specified, + // Database Service will use all allowed database roles for this database. + Roles []string `protobuf:"bytes,5,rep,name=roles,proto3" json:"roles,omitempty"` +} + +func (x *RouteToDatabase) Reset() { + *x = RouteToDatabase{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RouteToDatabase) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RouteToDatabase) ProtoMessage() {} + +func (x *RouteToDatabase) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RouteToDatabase.ProtoReflect.Descriptor instead. +func (*RouteToDatabase) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{3} +} + +func (x *RouteToDatabase) GetServiceName() string { + if x != nil { + return x.ServiceName + } + return "" +} + +func (x *RouteToDatabase) GetProtocol() string { + if x != nil { + return x.Protocol + } + return "" +} + +func (x *RouteToDatabase) GetUsername() string { + if x != nil { + return x.Username + } + return "" +} + +func (x *RouteToDatabase) GetDatabase() string { + if x != nil { + return x.Database + } + return "" +} + +func (x *RouteToDatabase) GetRoles() []string { + if x != nil { + return x.Roles + } + return nil +} + +// ResourceID is a unique identifier for a teleport resource. 
+type ResourceID struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // ClusterName is the name of the cluster the resource is in. + ClusterName string `protobuf:"bytes,1,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` + // Kind is the resource kind. + Kind string `protobuf:"bytes,2,opt,name=kind,proto3" json:"kind,omitempty"` + // Name is the name of the specific resource. + Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"` + // SubResourceName is the resource belonging to resource identified by "Name" + // that the user is allowed to access to. When granting access to a + // subresource, access to other resources is limited. Currently it just + // supports resources of Kind=pod and the format is the following + // "/". + SubResourceName string `protobuf:"bytes,4,opt,name=sub_resource_name,json=subResourceName,proto3" json:"sub_resource_name,omitempty"` +} + +func (x *ResourceID) Reset() { + *x = ResourceID{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ResourceID) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ResourceID) ProtoMessage() {} + +func (x *ResourceID) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ResourceID.ProtoReflect.Descriptor instead. 
+func (*ResourceID) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{4} +} + +func (x *ResourceID) GetClusterName() string { + if x != nil { + return x.ClusterName + } + return "" +} + +func (x *ResourceID) GetKind() string { + if x != nil { + return x.Kind + } + return "" +} + +func (x *ResourceID) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *ResourceID) GetSubResourceName() string { + if x != nil { + return x.SubResourceName + } + return "" +} + +// DeviceExtensions holds device-aware extensions for the identity. +type DeviceExtensions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // DeviceID is the trusted device identifier. + DeviceId string `protobuf:"bytes,1,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"` + // AssetTag is the device inventory identifier. + AssetTag string `protobuf:"bytes,2,opt,name=asset_tag,json=assetTag,proto3" json:"asset_tag,omitempty"` + // CredentialID is the identifier for the credential used by the device to + // authenticate itself. 
+ CredentialId string `protobuf:"bytes,3,opt,name=credential_id,json=credentialId,proto3" json:"credential_id,omitempty"` +} + +func (x *DeviceExtensions) Reset() { + *x = DeviceExtensions{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *DeviceExtensions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DeviceExtensions) ProtoMessage() {} + +func (x *DeviceExtensions) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DeviceExtensions.ProtoReflect.Descriptor instead. +func (*DeviceExtensions) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{5} +} + +func (x *DeviceExtensions) GetDeviceId() string { + if x != nil { + return x.DeviceId + } + return "" +} + +func (x *DeviceExtensions) GetAssetTag() string { + if x != nil { + return x.AssetTag + } + return "" +} + +func (x *DeviceExtensions) GetCredentialId() string { + if x != nil { + return x.CredentialId + } + return "" +} + +var File_teleport_decision_v1alpha1_tls_identity_proto protoreflect.FileDescriptor + +var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x74, 0x6c, 0x73, + 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1f, 0x67, 
0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbf, 0x0c, 0x0a, + 0x0b, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x08, + 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, + 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x6d, 0x70, 0x65, + 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, + 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x06, + 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, + 0x6f, 0x75, 0x70, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x72, + 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x79, 0x73, 0x74, + 0x65, 0x6d, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, + 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1e, 0x0a, + 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x2b, 0x0a, + 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x67, 0x72, 0x6f, 0x75, + 0x70, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, + 0x65, 0x74, 0x65, 0x73, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x6b, 0x75, + 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x08, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, + 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, + 0x18, 0x09, 0x20, 0x01, 
0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x72, + 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, + 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x43, 0x6c, + 0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x2d, 0x0a, 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6c, 0x75, + 0x73, 0x74, 0x65, 0x72, 0x12, 0x39, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x0c, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x12, + 0x48, 0x0a, 0x0c, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x61, 0x70, 0x70, 0x18, + 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x52, 0x0a, 0x72, + 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x12, 0x29, 0x0a, 0x10, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0e, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x43, 0x6c, 0x75, + 0x73, 0x74, 0x65, 0x72, 0x12, 0x57, 0x0a, 0x11, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, + 0x5f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x18, 
0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, + 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x52, 0x0f, 0x72, 0x6f, + 0x75, 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x25, 0x0a, + 0x0e, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, + 0x10, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x4e, + 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, + 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x6d, + 0x66, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x18, 0x12, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0b, 0x6d, 0x66, 0x61, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x12, 0x56, + 0x0a, 0x19, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x13, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x17, 0x70, + 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x45, + 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x5f, + 0x69, 0x70, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x49, + 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x18, 0x15, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x49, 0x70, 0x12, 0x22, + 
0x0a, 0x0d, 0x61, 0x77, 0x73, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x73, 0x18, + 0x16, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x77, 0x73, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, + 0x6e, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x17, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x61, 0x7a, + 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x30, 0x0a, + 0x14, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x18, 0x18, 0x20, 0x03, 0x28, 0x09, 0x52, 0x12, 0x67, 0x63, 0x70, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x12, + 0x27, 0x0a, 0x0f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x73, 0x18, 0x19, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x64, 0x69, 0x73, 0x61, + 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65, 0x18, 0x1a, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x69, 0x73, + 0x73, 0x75, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, + 0x18, 0x1b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, + 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, + 0x1c, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1d, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, + 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, + 0x1e, 0x20, 0x01, 0x28, 0x09, 0x52, 
0x0d, 0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x49, 0x64, 0x12, 0x58, 0x0a, 0x14, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, + 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x1f, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, + 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x44, 0x52, 0x12, 0x61, 0x6c, 0x6c, 0x6f, + 0x77, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x73, 0x12, 0x2c, + 0x0a, 0x12, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x70, 0x6f, + 0x6c, 0x69, 0x63, 0x79, 0x18, 0x20, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x70, 0x72, 0x69, 0x76, + 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x38, 0x0a, 0x18, + 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x69, 0x61, 0x67, 0x6e, + 0x6f, 0x73, 0x74, 0x69, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x21, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, + 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x69, 0x61, 0x67, 0x6e, 0x6f, + 0x73, 0x74, 0x69, 0x63, 0x49, 0x64, 0x12, 0x59, 0x0a, 0x11, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, + 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x22, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, + 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, + 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, + 0x10, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x23, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x54, 0x79, 
0x70, 0x65, 0x22, 0x33, + 0x0a, 0x05, 0x54, 0x72, 0x61, 0x69, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x73, 0x22, 0x8e, 0x02, 0x0a, 0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, + 0x70, 0x70, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, + 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x61, 0x64, 0x64, 0x72, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x41, 0x64, + 0x64, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6e, 0x61, + 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, + 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0c, 0x61, 0x77, 0x73, + 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0a, 0x61, 0x77, 0x73, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x61, + 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x06, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x79, 0x12, 0x2e, 0x0a, 0x13, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x11, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, + 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x75, 
0x72, 0x69, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, + 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, + 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, + 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, + 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x22, 0x83, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x49, 0x44, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, + 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x52, + 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x71, 0x0a, 0x10, 0x44, + 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 
0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, + 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x61, 0x73, 0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x72, 0x65, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0c, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, 0x42, 0x5a, + 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, + 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, + 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} + +var ( + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescOnce sync.Once + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc +) + +func file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP() []byte { + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescOnce.Do(func() { + file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData) + }) + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData +} + +var file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_teleport_decision_v1alpha1_tls_identity_proto_goTypes = []any{ + (*TLSIdentity)(nil), // 0: teleport.decision.v1alpha1.TLSIdentity + 
(*Trait)(nil), // 1: teleport.decision.v1alpha1.Trait + (*RouteToApp)(nil), // 2: teleport.decision.v1alpha1.RouteToApp + (*RouteToDatabase)(nil), // 3: teleport.decision.v1alpha1.RouteToDatabase + (*ResourceID)(nil), // 4: teleport.decision.v1alpha1.ResourceID + (*DeviceExtensions)(nil), // 5: teleport.decision.v1alpha1.DeviceExtensions + (*timestamppb.Timestamp)(nil), // 6: google.protobuf.Timestamp +} +var file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs = []int32{ + 6, // 0: teleport.decision.v1alpha1.TLSIdentity.expires:type_name -> google.protobuf.Timestamp + 1, // 1: teleport.decision.v1alpha1.TLSIdentity.traits:type_name -> teleport.decision.v1alpha1.Trait + 2, // 2: teleport.decision.v1alpha1.TLSIdentity.route_to_app:type_name -> teleport.decision.v1alpha1.RouteToApp + 3, // 3: teleport.decision.v1alpha1.TLSIdentity.route_to_database:type_name -> teleport.decision.v1alpha1.RouteToDatabase + 6, // 4: teleport.decision.v1alpha1.TLSIdentity.previous_identity_expires:type_name -> google.protobuf.Timestamp + 4, // 5: teleport.decision.v1alpha1.TLSIdentity.allowed_resource_ids:type_name -> teleport.decision.v1alpha1.ResourceID + 5, // 6: teleport.decision.v1alpha1.TLSIdentity.device_extensions:type_name -> teleport.decision.v1alpha1.DeviceExtensions + 7, // [7:7] is the sub-list for method output_type + 7, // [7:7] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name +} + +func init() { file_teleport_decision_v1alpha1_tls_identity_proto_init() } +func file_teleport_decision_v1alpha1_tls_identity_proto_init() { + if File_teleport_decision_v1alpha1_tls_identity_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc, + NumEnums: 0, + 
NumMessages: 6, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_decision_v1alpha1_tls_identity_proto_goTypes, + DependencyIndexes: file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs, + MessageInfos: file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes, + }.Build() + File_teleport_decision_v1alpha1_tls_identity_proto = out.File + file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = nil + file_teleport_decision_v1alpha1_tls_identity_proto_goTypes = nil + file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs = nil +} From c64fe7cab9599c58f7a75e818951eb89b096f82b Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Fri, 6 Dec 2024 12:44:05 -0300 Subject: [PATCH 12/20] Use teleport.trait.v1.Trait --- .../teleport/decision/v1alpha1/tls_identity.proto | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto index 2854c6d6c4aed..ad8361b798023 100644 --- a/api/proto/teleport/decision/v1alpha1/tls_identity.proto +++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto @@ -17,6 +17,7 @@ syntax = "proto3"; package teleport.decision.v1alpha1; import "google/protobuf/timestamp.proto"; +import "teleport/trait/v1/trait.proto"; option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb"; @@ -59,7 +60,7 @@ message TLSIdentity { string kubernetes_cluster = 11; // Traits hold claim data used to populate a role at runtime. - repeated Trait traits = 12; + repeated teleport.trait.v1.Trait traits = 12; // RouteToApp holds routing information for applications. Routing metadata // allows Teleport web proxy to route HTTP requests to the appropriate cluster 
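Review bot: Re-typing field 12 from the local `Trait` to `teleport.trait.v1.Trait` is only wire-compatible if that message keeps the layout of the one being removed (a `string` at 1, `repeated string` at 2), and even then the JSON/text encoding of a `TLSIdentity` changes if the imported message names field 1 differently (presumably `key` rather than `name`); since the comment above the field says traits populate a role at runtime, a silent decode mismatch would change the access an identity receives, so a round-trip test between the old and new encoding is worth adding. The diffstat for this patch lists only `tls_identity.proto`, while the generated `tls_identity.pb.go` earlier in the series still defines a `Trait` type and refers to `ResourceID` (renamed to `ResourceId` in patch 14); presumably the generated Go code is refreshed in a later patch of the series, but that should be confirmed before merge.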
@@ -148,14 +149,6 @@ message TLSIdentity {
 string user_type = 35;
 }
-// Trait encodes a single key-values pair from a user's traits.
-message Trait {
- // name is the "key" of the trait.
- string name = 1;
- // values is the list of values the trait name maps to.
- repeated string values = 2;
-}
-
 // RouteToApp holds routing information for applications.
 message RouteToApp {
 // SessionID is an ID used to identify application sessions created by this

From c19bdee407f9f029ef6e9ab5cf2a5ff65ab351ad Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 12:47:53 -0300
Subject: [PATCH 13/20] Document mutual dependency between "ResourceID" types

---
 api/proto/teleport/decision/v1alpha1/tls_identity.proto | 1 +
 api/proto/teleport/legacy/types/types.proto | 1 +
 2 files changed, 2 insertions(+)

diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
index ad8361b798023..828d2b40be97e 100644
--- a/api/proto/teleport/decision/v1alpha1/tls_identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
@@ -208,6 +208,7 @@ message RouteToDatabase {
 }
 // ResourceID is a unique identifier for a teleport resource.
+// Must be kept in sync with types.ResourceID.
 message ResourceID {
 // ClusterName is the name of the cluster the resource is in.
 string cluster_name = 1;
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 530d8315a4bdf..327eb1e7e117d 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -2818,6 +2818,7 @@ message RequestKubernetesResource {
 }
 // ResourceID is a unique identifier for a teleport resource.
+// Must be kept in sync with teleport.decision.v1alpha1.ResourceID.
 message ResourceID {
 // ClusterName is the name of the cluster the resource is in.
 string ClusterName = 1 [(gogoproto.jsontag) = "cluster"];
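Review bot: The two "Must be kept in sync" comments added at @@ -208,6 +208,7 @@ and @@ -2818,6 +2818,7 @@ do not say what has to stay in sync, and the context lines already show the messages diverging in naming and JSON form (`string cluster_name = 1;` versus `string ClusterName = 1 [(gogoproto.jsontag) = "cluster"];`), so a reader cannot tell whether that difference is acceptable. Spell the contract out in both places, e.g. `// Must be kept in sync with types.ResourceID (same fields, numbers and meaning; field names and JSON tags differ).` with the mirrored wording in types.proto. A comment cannot catch drift on its own; if a conversion between the two types exists in the repository, a round-trip test over it would make the constraint enforceable.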
From b6accd034d1f75cc7f1bdb6bed29e74636095de1 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 12:49:05 -0300
Subject: [PATCH 14/20] nit: s/ResourceID/ResourceId

---
 api/proto/teleport/decision/v1alpha1/tls_identity.proto | 6 +++---
 api/proto/teleport/legacy/types/types.proto | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
index 828d2b40be97e..a2c921ac8088d 100644
--- a/api/proto/teleport/decision/v1alpha1/tls_identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
@@ -133,7 +133,7 @@ message TLSIdentity {
 // AllowedResourceIDs lists the resources the identity should be allowed to
 // access.
- repeated ResourceID allowed_resource_ids = 31;
+ repeated ResourceId allowed_resource_ids = 31;
 // PrivateKeyPolicy is the private key policy supported by this identity.
 string private_key_policy = 32;
@@ -207,9 +207,9 @@ message RouteToDatabase {
 repeated string roles = 5;
 }
-// ResourceID is a unique identifier for a teleport resource.
+// ResourceId is a unique identifier for a teleport resource.
 // Must be kept in sync with types.ResourceID.
-message ResourceID {
+message ResourceId {
 // ClusterName is the name of the cluster the resource is in.
 string cluster_name = 1;
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 327eb1e7e117d..8031a772739be 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -2818,7 +2818,7 @@ message RequestKubernetesResource {
 }
 // ResourceID is a unique identifier for a teleport resource.
-// Must be kept in sync with teleport.decision.v1alpha1.ResourceID.
+// Must be kept in sync with teleport.decision.v1alpha1.ResourceId.
 message ResourceID {
 // ClusterName is the name of the cluster the resource is in.
 string ClusterName = 1 [(gogoproto.jsontag) = "cluster"];
From a230b7aa349f8501bf67c049e4eb6023ee9b1af0 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 12:52:01 -0300
Subject: [PATCH 15/20] nit: Use the correct CamelCase field name in comments

---
 .../decision/v1alpha1/tls_identity.proto | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
index a2c921ac8088d..2f3cea2be12ab 100644
--- a/api/proto/teleport/decision/v1alpha1/tls_identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto
@@ -81,7 +81,7 @@ message TLSIdentity {
 // DatabaseUsers is a list of allowed database users.
 repeated string database_users = 17;
- // MFAVerified is the UUID of an MFA device when this Identity was
+ // MfaVerified is the UUID of an MFA device when this Identity was
 // confirmed immediately after an MFA check.
 string mfa_verified = 18;
@@ -92,19 +92,19 @@ message TLSIdentity {
 // See https://github.com/gravitational/teleport/issues/18544.
 google.protobuf.Timestamp previous_identity_expires = 19;
- // LoginIP is an observed IP of the client that this Identity represents.
+ // LoginIp is an observed IP of the client that this Identity represents.
 string login_ip = 20;
- // PinnedIP is an IP the certificate is pinned to.
+ // PinnedIp is an IP the certificate is pinned to.
 string pinned_ip = 21;
- // AWSRoleARNs is a list of allowed AWS role ARNs user can assume.
+ // AwsRoleArns is a list of allowed AWS role ARNs user can assume.
 repeated string aws_role_arns = 22;
 // AzureIdentities is a list of allowed Azure identities user can assume.
 repeated string azure_identities = 23;
- // GCPServiceAccounts is a list of allowed GCP service accounts that the user
+ // GcpServiceAccounts is a list of allowed GCP service accounts that the user
 // can assume.
 repeated string gcp_service_accounts = 24;
@@ -127,18 +127,18 @@ message TLSIdentity {
 // to, if any.
 string bot_name = 29;
- // BotInstanceID is a unique identifier for Machine ID bots that is persisted
+ // BotInstanceId is a unique identifier for Machine ID bots that is persisted
 // through renewals.
 string bot_instance_id = 30;
- // AllowedResourceIDs lists the resources the identity should be allowed to
+ // AllowedResourceIds lists the resources the identity should be allowed to
 // access.
 repeated ResourceId allowed_resource_ids = 31;
 // PrivateKeyPolicy is the private key policy supported by this identity.
 string private_key_policy = 32;
- // ConnectionDiagnosticID is used to add connection diagnostic messages when
+ // ConnectionDiagnosticId is used to add connection diagnostic messages when
 // Testing a Connection.
 string connection_diagnostic_id = 33;
@@ -151,7 +151,7 @@ message TLSIdentity {
 // RouteToApp holds routing information for applications.
 message RouteToApp {
- // SessionID is an ID used to identify application sessions created by this
+ // SessionId is an ID used to identify application sessions created by this
 // certificate.
 string session_id = 1;
@@ -166,17 +166,17 @@ message RouteToApp {
 // Name is the app name.
 string name = 4;
- // AWSRoleARN is the AWS role to assume when accessing AWS console.
+ // AwsRoleArn is the AWS role to assume when accessing AWS console.
 string aws_role_arn = 5;
 // AzureIdentity is the Azure identity to assume when accessing Azure API.
 string azure_identity = 6;
- // GCPServiceAccount is the GCP service account to assume when accessing GCP
+ // GcpServiceAccount is the GCP service account to assume when accessing GCP
 // API.
 string gcp_service_account = 7;
- // URI is the URI of the app. This is the internal endpoint where the
+ // Uri is the URI of the app. This is the internal endpoint where the
 // application is running and isn't user-facing.
 string uri = 8;
 }
@@ -229,13 +229,13 @@ message ResourceId {
 // DeviceExtensions holds device-aware extensions for the identity.
 message DeviceExtensions {
- // DeviceID is the trusted device identifier.
+ // DeviceId is the trusted device identifier.
 string device_id = 1;
 // AssetTag is the device inventory identifier.
 string asset_tag = 2;
- // CredentialID is the identifier for the credential used by the device to
+ // CredentialId is the identifier for the credential used by the device to
 // authenticate itself.
 string credential_id = 3;
 }

From e9e277210e877f4fc385516e48e2fe186006bdc2 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 12:53:29 -0300
Subject: [PATCH 16/20] Update generated protos

---
 .../decision/v1alpha1/tls_identity.pb.go | 478 ++++++++----------
 api/types/types.pb.go | 1 +
 2 files changed, 212 insertions(+), 267 deletions(-)

diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
index fa21d5b6498ee..80da924fea9d7 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
@@ -21,6 +21,7 @@ package decisionpb
 import (
+ v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/trait/v1"
 protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 timestamppb "google.golang.org/protobuf/types/known/timestamppb"
@@ -67,7 +68,7 @@ type TLSIdentity struct { // identities. This can be empty on older Teleport clients. KubernetesCluster string `protobuf:"bytes,11,opt,name=kubernetes_cluster,json=kubernetesCluster,proto3" json:"kubernetes_cluster,omitempty"` // Traits hold claim data used to populate a role at runtime. - Traits []*Trait `protobuf:"bytes,12,rep,name=traits,proto3" json:"traits,omitempty"` + Traits []*v1.Trait `protobuf:"bytes,12,rep,name=traits,proto3" json:"traits,omitempty"` // RouteToApp holds routing information for applications. Routing metadata // allows Teleport web proxy to route HTTP requests to the appropriate cluster // and Teleport application proxy within the cluster. @@ -82,7 +83,7 @@ type TLSIdentity struct { DatabaseNames []string `protobuf:"bytes,16,rep,name=database_names,json=databaseNames,proto3" json:"database_names,omitempty"` // DatabaseUsers is a list of allowed database users. DatabaseUsers []string `protobuf:"bytes,17,rep,name=database_users,json=databaseUsers,proto3" json:"database_users,omitempty"` - // MFAVerified is the UUID of an MFA device when this Identity was + // MfaVerified is the UUID of an MFA device when this Identity was // confirmed immediately after an MFA check. MfaVerified string `protobuf:"bytes,18,opt,name=mfa_verified,json=mfaVerified,proto3" json:"mfa_verified,omitempty"` // PreviousIdentityExpires is the expiry time of the identity/cert that this 
@@ -91,15 +92,15 @@ type TLSIdentity struct { // disconnect_expired_cert are enabled. // See https://github.com/gravitational/teleport/issues/18544. PreviousIdentityExpires *timestamppb.Timestamp `protobuf:"bytes,19,opt,name=previous_identity_expires,json=previousIdentityExpires,proto3" json:"previous_identity_expires,omitempty"` - // LoginIP is an observed IP of the client that this Identity represents. + // LoginIp is an observed IP of the client that this Identity represents. LoginIp string `protobuf:"bytes,20,opt,name=login_ip,json=loginIp,proto3" json:"login_ip,omitempty"` - // PinnedIP is an IP the certificate is pinned to. + // PinnedIp is an IP the certificate is pinned to. PinnedIp string `protobuf:"bytes,21,opt,name=pinned_ip,json=pinnedIp,proto3" json:"pinned_ip,omitempty"` - // AWSRoleARNs is a list of allowed AWS role ARNs user can assume. + // AwsRoleArns is a list of allowed AWS role ARNs user can assume. AwsRoleArns []string `protobuf:"bytes,22,rep,name=aws_role_arns,json=awsRoleArns,proto3" json:"aws_role_arns,omitempty"` // AzureIdentities is a list of allowed Azure identities user can assume. AzureIdentities []string `protobuf:"bytes,23,rep,name=azure_identities,json=azureIdentities,proto3" json:"azure_identities,omitempty"` - // GCPServiceAccounts is a list of allowed GCP service accounts that the user + // GcpServiceAccounts is a list of allowed GCP service accounts that the user // can assume. GcpServiceAccounts []string `protobuf:"bytes,24,rep,name=gcp_service_accounts,json=gcpServiceAccounts,proto3" json:"gcp_service_accounts,omitempty"` // ActiveRequests is a list of UUIDs of active requests for this Identity. 
@@ -116,15 +117,15 @@ type TLSIdentity struct { // BotName indicates the name of the Machine ID bot this identity was issued // to, if any. BotName string `protobuf:"bytes,29,opt,name=bot_name,json=botName,proto3" json:"bot_name,omitempty"` - // BotInstanceID is a unique identifier for Machine ID bots that is persisted + // BotInstanceId is a unique identifier for Machine ID bots that is persisted // through renewals. BotInstanceId string `protobuf:"bytes,30,opt,name=bot_instance_id,json=botInstanceId,proto3" json:"bot_instance_id,omitempty"` - // AllowedResourceIDs lists the resources the identity should be allowed to + // AllowedResourceIds lists the resources the identity should be allowed to // access. - AllowedResourceIds []*ResourceID `protobuf:"bytes,31,rep,name=allowed_resource_ids,json=allowedResourceIds,proto3" json:"allowed_resource_ids,omitempty"` + AllowedResourceIds []*ResourceId `protobuf:"bytes,31,rep,name=allowed_resource_ids,json=allowedResourceIds,proto3" json:"allowed_resource_ids,omitempty"` // PrivateKeyPolicy is the private key policy supported by this identity. PrivateKeyPolicy string `protobuf:"bytes,32,opt,name=private_key_policy,json=privateKeyPolicy,proto3" json:"private_key_policy,omitempty"` - // ConnectionDiagnosticID is used to add connection diagnostic messages when + // ConnectionDiagnosticId is used to add connection diagnostic messages when // Testing a Connection. ConnectionDiagnosticId string `protobuf:"bytes,33,opt,name=connection_diagnostic_id,json=connectionDiagnosticId,proto3" json:"connection_diagnostic_id,omitempty"` // DeviceExtensions holds device-aware extensions for the identity. @@ -240,7 +241,7 @@ func (x *TLSIdentity) GetKubernetesCluster() string { return "" } -func (x *TLSIdentity) GetTraits() []*Trait { +func (x *TLSIdentity) GetTraits() []*v1.Trait { if x != nil { return x.Traits } 
@@ -373,7 +374,7 @@ func (x *TLSIdentity) GetBotInstanceId() string { return "" } -func (x *TLSIdentity) GetAllowedResourceIds() []*ResourceID { +func (x *TLSIdentity) GetAllowedResourceIds() []*ResourceId { if x != nil { return x.AllowedResourceIds } 
@@ -408,69 +409,13 @@ func (x *TLSIdentity) GetUserType() string { return "" } -// Trait encodes a single key-values pair from a user's traits. -type Trait struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // name is the "key" of the trait. - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - // values is the list of values the trait name maps to. - Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` -} - -func (x *Trait) Reset() { - *x = Trait{} - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) -} - -func (x *Trait) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Trait) ProtoMessage() {} - -func (x *Trait) ProtoReflect() protoreflect.Message { - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] - if x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Trait.ProtoReflect.Descriptor instead. -func (*Trait) Descriptor() ([]byte, []int) { - return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{1} -} - -func (x *Trait) GetName() string { - if x != nil { - return x.Name - } - return "" -} - -func (x *Trait) GetValues() []string { - if x != nil { - return x.Values - } - return nil -} - // RouteToApp holds routing information for applications. type RouteToApp struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // SessionID is an ID used to identify application sessions created by this + // SessionId is an ID used to identify application sessions created by this // certificate. 
SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"` // PublicAddr (and ClusterName) are used to route requests issued with this @@ -481,21 +426,21 @@ type RouteToApp struct { ClusterName string `protobuf:"bytes,3,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"` // Name is the app name. Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"` - // AWSRoleARN is the AWS role to assume when accessing AWS console. + // AwsRoleArn is the AWS role to assume when accessing AWS console. AwsRoleArn string `protobuf:"bytes,5,opt,name=aws_role_arn,json=awsRoleArn,proto3" json:"aws_role_arn,omitempty"` // AzureIdentity is the Azure identity to assume when accessing Azure API. AzureIdentity string `protobuf:"bytes,6,opt,name=azure_identity,json=azureIdentity,proto3" json:"azure_identity,omitempty"` - // GCPServiceAccount is the GCP service account to assume when accessing GCP + // GcpServiceAccount is the GCP service account to assume when accessing GCP // API. GcpServiceAccount string `protobuf:"bytes,7,opt,name=gcp_service_account,json=gcpServiceAccount,proto3" json:"gcp_service_account,omitempty"` - // URI is the URI of the app. This is the internal endpoint where the + // Uri is the URI of the app. This is the internal endpoint where the // application is running and isn't user-facing. Uri string `protobuf:"bytes,8,opt,name=uri,proto3" json:"uri,omitempty"` } func (x *RouteToApp) Reset() { *x = RouteToApp{} - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -507,7 +452,7 @@ func (x *RouteToApp) String() string { func (*RouteToApp) ProtoMessage() {} func (x *RouteToApp) ProtoReflect() protoreflect.Message { - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[1] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -520,7 +465,7 @@ func (x *RouteToApp) ProtoReflect() protoreflect.Message { // Deprecated: Use RouteToApp.ProtoReflect.Descriptor instead. func (*RouteToApp) Descriptor() ([]byte, []int) { - return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{2} + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{1} } func (x *RouteToApp) GetSessionId() string { @@ -607,7 +552,7 @@ type RouteToDatabase struct { func (x *RouteToDatabase) Reset() { *x = RouteToDatabase{} - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -619,7 +564,7 @@ func (x *RouteToDatabase) String() string { func (*RouteToDatabase) ProtoMessage() {} func (x *RouteToDatabase) ProtoReflect() protoreflect.Message { - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[2] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -632,7 +577,7 @@ func (x *RouteToDatabase) ProtoReflect() protoreflect.Message { // Deprecated: Use RouteToDatabase.ProtoReflect.Descriptor instead. func (*RouteToDatabase) Descriptor() ([]byte, []int) { - return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{3} + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{2} } func (x *RouteToDatabase) GetServiceName() string { 
@@ -670,8 +615,9 @@ func (x *RouteToDatabase) GetRoles() []string { return nil } -// ResourceID is a unique identifier for a teleport resource. -type ResourceID struct { +// ResourceId is a unique identifier for a teleport resource. +// Must be kept in sync with types.ResourceID. +type ResourceId struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields @@ -690,21 +636,21 @@ type ResourceID struct { SubResourceName string `protobuf:"bytes,4,opt,name=sub_resource_name,json=subResourceName,proto3" json:"sub_resource_name,omitempty"` } -func (x *ResourceID) Reset() { - *x = ResourceID{} - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] +func (x *ResourceId) Reset() { + *x = ResourceId{} + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } -func (x *ResourceID) String() string { +func (x *ResourceId) String() string { return protoimpl.X.MessageStringOf(x) } -func (*ResourceID) ProtoMessage() {} +func (*ResourceId) ProtoMessage() {} -func (x *ResourceID) ProtoReflect() protoreflect.Message { - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] +func (x *ResourceId) ProtoReflect() protoreflect.Message { + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[3] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -715,33 +661,33 @@ func (x *ResourceID) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use ResourceID.ProtoReflect.Descriptor instead. -func (*ResourceID) Descriptor() ([]byte, []int) { - return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{4} +// Deprecated: Use ResourceId.ProtoReflect.Descriptor instead. +func (*ResourceId) Descriptor() ([]byte, []int) { + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{3} } -func (x *ResourceID) GetClusterName() string { +func (x *ResourceId) GetClusterName() string { if x != nil { return x.ClusterName } return "" } -func (x *ResourceID) GetKind() string { +func (x *ResourceId) GetKind() string { if x != nil { return x.Kind } return "" } -func (x *ResourceID) GetName() string { +func (x *ResourceId) GetName() string { if x != nil { return x.Name } return "" } -func (x *ResourceID) GetSubResourceName() string { +func (x *ResourceId) GetSubResourceName() string { if x != nil { return x.SubResourceName } 
@@ -754,18 +700,18 @@ type DeviceExtensions struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // DeviceID is the trusted device identifier. + // DeviceId is the trusted device identifier. DeviceId string `protobuf:"bytes,1,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"` // AssetTag is the device inventory identifier. AssetTag string `protobuf:"bytes,2,opt,name=asset_tag,json=assetTag,proto3" json:"asset_tag,omitempty"` - // CredentialID is the identifier for the credential used by the device to + // CredentialId is the identifier for the credential used by the device to // authenticate itself. CredentialId string `protobuf:"bytes,3,opt,name=credential_id,json=credentialId,proto3" json:"credential_id,omitempty"` } func (x *DeviceExtensions) Reset() { *x = DeviceExtensions{} - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[5] + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -777,7 +723,7 @@ func (x *DeviceExtensions) String() string { func (*DeviceExtensions) ProtoMessage() {} func (x *DeviceExtensions) ProtoReflect() protoreflect.Message { - mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[5] + mi := &file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -790,7 +736,7 @@ func (x *DeviceExtensions) ProtoReflect() protoreflect.Message { // Deprecated: Use DeviceExtensions.ProtoReflect.Descriptor instead. func (*DeviceExtensions) Descriptor() ([]byte, []int) { - return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{5} + return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP(), []int{4} } func (x *DeviceExtensions) GetDeviceId() string { 
@@ -823,160 +769,158 @@ var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{ 0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, - 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbf, 0x0c, 0x0a, - 0x0b, 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x08, - 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x6d, 0x70, 0x65, - 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, - 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x06, - 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, - 0x6f, 0x75, 0x70, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x72, - 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x79, 0x73, 0x74, - 0x65, 0x6d, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, - 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1e, 0x0a, - 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, - 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x2b, 0x0a, - 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x67, 0x72, 0x6f, 0x75, - 0x70, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, - 0x65, 0x74, 0x65, 0x73, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x6b, 0x75, - 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 
0x73, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x08, - 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, - 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, - 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, - 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x72, - 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, - 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x43, 0x6c, - 0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x2d, 0x0a, 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, - 0x74, 0x65, 0x73, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6c, 0x75, - 0x73, 0x74, 0x65, 0x72, 0x12, 0x39, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x0c, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, - 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x12, - 0x48, 0x0a, 0x0c, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x61, 0x70, 0x70, 0x18, - 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2f, 0x76, 0x31, 0x2f, + 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xb6, 0x0c, 0x0a, 0x0b, + 0x54, 0x4c, 0x53, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1a, 
0x0a, 0x08, 0x75, + 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, + 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x6d, 0x70, 0x65, 0x72, + 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, + 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x67, + 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, 0x6f, + 0x75, 0x70, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x72, 0x6f, + 0x6c, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x79, 0x73, 0x74, 0x65, + 0x6d, 0x52, 0x6f, 0x6c, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x18, + 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x75, 0x73, 0x61, 0x67, 0x65, 0x12, 0x1e, 0x0a, 0x0a, + 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x2b, 0x0a, 0x11, + 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, + 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x65, 0x73, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x6b, 0x75, 0x62, + 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x08, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x0f, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x55, + 0x73, 0x65, 0x72, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, + 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, + 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x72, 0x6f, + 0x75, 0x74, 0x65, 
0x5f, 0x74, 0x6f, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0a, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x43, 0x6c, 0x75, + 0x73, 0x74, 0x65, 0x72, 0x12, 0x2d, 0x0a, 0x12, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, + 0x65, 0x73, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x11, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x0c, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, + 0x72, 0x61, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, + 0x72, 0x61, 0x69, 0x74, 0x73, 0x12, 0x48, 0x0a, 0x0c, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, + 0x6f, 0x5f, 0x61, 0x70, 0x70, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, + 0x41, 0x70, 0x70, 0x52, 0x0a, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x12, + 0x29, 0x0a, 0x10, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x63, 0x6c, 0x75, 0x73, + 0x74, 0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x57, 0x0a, 0x11, 0x72, 0x6f, + 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x18, + 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x52, 0x0a, 0x72, - 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x12, 
0x29, 0x0a, 0x10, 0x74, 0x65, 0x6c, - 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0e, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x43, 0x6c, 0x75, - 0x73, 0x74, 0x65, 0x72, 0x12, 0x57, 0x0a, 0x11, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x74, 0x6f, - 0x5f, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, - 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, - 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x52, 0x0f, 0x72, 0x6f, - 0x75, 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x25, 0x0a, - 0x0e, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, - 0x10, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x4e, - 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, - 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, - 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x6d, - 0x66, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x18, 0x12, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0b, 0x6d, 0x66, 0x61, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x12, 0x56, - 0x0a, 0x19, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x13, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x17, 0x70, - 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x45, - 
0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x5f, - 0x69, 0x70, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x49, - 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x18, 0x15, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x49, 0x70, 0x12, 0x22, - 0x0a, 0x0d, 0x61, 0x77, 0x73, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x73, 0x18, - 0x16, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x77, 0x73, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, - 0x6e, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x17, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x61, 0x7a, - 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x30, 0x0a, - 0x14, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, - 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x18, 0x18, 0x20, 0x03, 0x28, 0x09, 0x52, 0x12, 0x67, 0x63, 0x70, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x12, - 0x27, 0x0a, 0x0f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x73, 0x18, 0x19, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x64, 0x69, 0x73, 0x61, - 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65, 0x18, 0x1a, 0x20, 0x01, - 0x28, 0x08, 0x52, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x65, 0x69, 0x73, - 0x73, 0x75, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, - 0x18, 0x1b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, - 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, - 0x1c, 0x20, 0x01, 0x28, 0x04, 0x52, 
0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x1d, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, - 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, - 0x1e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, - 0x63, 0x65, 0x49, 0x64, 0x12, 0x58, 0x0a, 0x14, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, - 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x1f, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, - 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x44, 0x52, 0x12, 0x61, 0x6c, 0x6c, 0x6f, - 0x77, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x73, 0x12, 0x2c, - 0x0a, 0x12, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x70, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0x18, 0x20, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x70, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x38, 0x0a, 0x18, - 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x69, 0x61, 0x67, 0x6e, - 0x6f, 0x73, 0x74, 0x69, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x21, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, - 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x69, 0x61, 0x67, 0x6e, 0x6f, - 0x73, 0x74, 0x69, 0x63, 0x49, 0x64, 0x12, 0x59, 0x0a, 0x11, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, - 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x22, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, - 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 
0x61, 0x31, 0x2e, 0x44, - 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, - 0x10, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x23, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x22, 0x33, - 0x0a, 0x05, 0x54, 0x72, 0x61, 0x69, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x73, 0x22, 0x8e, 0x02, 0x0a, 0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, - 0x70, 0x70, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, - 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x61, 0x64, 0x64, 0x72, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x41, 0x64, - 0x64, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, - 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0c, 0x61, 0x77, 0x73, - 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0a, 0x61, 0x77, 0x73, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x61, - 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x06, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 
0x12, 0x2e, 0x0a, 0x13, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, - 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x11, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, - 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x03, 0x75, 0x72, 0x69, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, - 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, - 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, - 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, - 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, - 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, - 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, - 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x22, 0x83, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x49, 0x44, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, - 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, - 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, - 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x5f, 0x72, 
0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, - 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x52, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x71, 0x0a, 0x10, 0x44, - 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, - 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, - 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x08, 0x61, 0x73, 0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x72, 0x65, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0c, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, 0x42, 0x5a, - 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, - 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, - 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, - 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x61, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, + 0x73, 0x65, 0x52, 0x0f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, + 0x61, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x10, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x74, + 0x61, 0x62, 0x61, 0x73, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x25, 
0x0a, 0x0e, 0x64, 0x61, + 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x11, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x55, 0x73, 0x65, 0x72, + 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x6d, 0x66, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, + 0x64, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6d, 0x66, 0x61, 0x56, 0x65, 0x72, 0x69, + 0x66, 0x69, 0x65, 0x64, 0x12, 0x56, 0x0a, 0x19, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, + 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, + 0x73, 0x18, 0x13, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x52, 0x17, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x49, 0x64, 0x65, + 0x6e, 0x74, 0x69, 0x74, 0x79, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, + 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x5f, 0x69, 0x70, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x49, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x69, 0x6e, 0x6e, 0x65, + 0x64, 0x5f, 0x69, 0x70, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x69, 0x6e, 0x6e, + 0x65, 0x64, 0x49, 0x70, 0x12, 0x22, 0x0a, 0x0d, 0x61, 0x77, 0x73, 0x5f, 0x72, 0x6f, 0x6c, 0x65, + 0x5f, 0x61, 0x72, 0x6e, 0x73, 0x18, 0x16, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x77, 0x73, + 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x61, 0x7a, 0x75, 0x72, + 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x17, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0f, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x69, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x14, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x18, 0x18, 0x20, 0x03, 0x28, + 0x09, 0x52, 
0x12, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, + 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x19, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, + 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x29, + 0x0a, 0x10, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x69, 0x73, 0x73, + 0x75, 0x65, 0x18, 0x1a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, + 0x6f, 0x77, 0x52, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x6e, + 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x72, 0x65, + 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0a, 0x67, 0x65, 0x6e, + 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x1d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, + 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x1e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, + 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x58, 0x0a, 0x14, 0x61, 0x6c, + 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, + 0x64, 0x73, 0x18, 0x1f, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, + 0x52, 0x12, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x49, 0x64, 0x73, 0x12, 0x2c, 0x0a, 0x12, 
0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, + 0x6b, 0x65, 0x79, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x20, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x10, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x50, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x12, 0x38, 0x0a, 0x18, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x5f, 0x64, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x21, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x44, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63, 0x49, 0x64, 0x12, 0x59, 0x0a, 0x11, + 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, + 0x73, 0x18, 0x22, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, + 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x10, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, + 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, + 0x74, 0x79, 0x70, 0x65, 0x18, 0x23, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, + 0x54, 0x79, 0x70, 0x65, 0x22, 0x8e, 0x02, 0x0a, 0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, + 0x41, 0x70, 0x70, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x61, 0x64, 0x64, + 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x41, + 0x64, 0x64, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 
0x73, 0x74, + 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x20, 0x0a, 0x0c, 0x61, 0x77, + 0x73, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x5f, 0x61, 0x72, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0a, 0x61, 0x77, 0x73, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x72, 0x6e, 0x12, 0x25, 0x0a, 0x0e, + 0x61, 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x12, 0x2e, 0x0a, 0x13, 0x67, 0x63, 0x70, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, + 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x11, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x75, 0x72, 0x69, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, + 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, + 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, + 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, + 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, + 0x05, 0x72, 0x6f, 0x6c, 
0x65, 0x73, 0x22, 0x83, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, + 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, + 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, + 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x71, 0x0a, 0x10, + 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, + 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1b, 0x0a, + 0x09, 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x08, 0x61, 0x73, 0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x72, + 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, 0x42, + 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, + 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, + 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 
0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( 
@@ -991,24 +935,24 @@ func file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP() []byte { return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData } -var file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_teleport_decision_v1alpha1_tls_identity_proto_goTypes = []any{ (*TLSIdentity)(nil), // 0: teleport.decision.v1alpha1.TLSIdentity - (*Trait)(nil), // 1: teleport.decision.v1alpha1.Trait - (*RouteToApp)(nil), // 2: teleport.decision.v1alpha1.RouteToApp - (*RouteToDatabase)(nil), // 3: teleport.decision.v1alpha1.RouteToDatabase - (*ResourceID)(nil), // 4: teleport.decision.v1alpha1.ResourceID - (*DeviceExtensions)(nil), // 5: teleport.decision.v1alpha1.DeviceExtensions - (*timestamppb.Timestamp)(nil), // 6: google.protobuf.Timestamp + (*RouteToApp)(nil), // 1: teleport.decision.v1alpha1.RouteToApp + (*RouteToDatabase)(nil), // 2: teleport.decision.v1alpha1.RouteToDatabase + (*ResourceId)(nil), // 3: teleport.decision.v1alpha1.ResourceId + (*DeviceExtensions)(nil), // 4: teleport.decision.v1alpha1.DeviceExtensions + (*timestamppb.Timestamp)(nil), // 5: google.protobuf.Timestamp + (*v1.Trait)(nil), // 6: teleport.trait.v1.Trait } var file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs = []int32{ - 6, // 0: teleport.decision.v1alpha1.TLSIdentity.expires:type_name -> google.protobuf.Timestamp - 1, // 1: teleport.decision.v1alpha1.TLSIdentity.traits:type_name -> teleport.decision.v1alpha1.Trait - 2, // 2: teleport.decision.v1alpha1.TLSIdentity.route_to_app:type_name -> teleport.decision.v1alpha1.RouteToApp - 3, // 3: teleport.decision.v1alpha1.TLSIdentity.route_to_database:type_name -> teleport.decision.v1alpha1.RouteToDatabase - 6, // 4: teleport.decision.v1alpha1.TLSIdentity.previous_identity_expires:type_name -> google.protobuf.Timestamp - 4, // 5: 
teleport.decision.v1alpha1.TLSIdentity.allowed_resource_ids:type_name -> teleport.decision.v1alpha1.ResourceID - 5, // 6: teleport.decision.v1alpha1.TLSIdentity.device_extensions:type_name -> teleport.decision.v1alpha1.DeviceExtensions + 5, // 0: teleport.decision.v1alpha1.TLSIdentity.expires:type_name -> google.protobuf.Timestamp + 6, // 1: teleport.decision.v1alpha1.TLSIdentity.traits:type_name -> teleport.trait.v1.Trait + 1, // 2: teleport.decision.v1alpha1.TLSIdentity.route_to_app:type_name -> teleport.decision.v1alpha1.RouteToApp + 2, // 3: teleport.decision.v1alpha1.TLSIdentity.route_to_database:type_name -> teleport.decision.v1alpha1.RouteToDatabase + 5, // 4: teleport.decision.v1alpha1.TLSIdentity.previous_identity_expires:type_name -> google.protobuf.Timestamp + 3, // 5: teleport.decision.v1alpha1.TLSIdentity.allowed_resource_ids:type_name -> teleport.decision.v1alpha1.ResourceId + 4, // 6: teleport.decision.v1alpha1.TLSIdentity.device_extensions:type_name -> teleport.decision.v1alpha1.DeviceExtensions 7, // [7:7] is the sub-list for method output_type 7, // [7:7] is the sub-list for method input_type 7, // [7:7] is the sub-list for extension type_name @@ -1027,7 +971,7 @@ func file_teleport_decision_v1alpha1_tls_identity_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc, NumEnums: 0, - NumMessages: 6, + NumMessages: 5, NumExtensions: 0, NumServices: 0, }, diff --git a/api/types/types.pb.go b/api/types/types.pb.go index 6a74944d3b486..3cfb4f6a637ad 100644 --- a/api/types/types.pb.go +++ b/api/types/types.pb.go 
@@ -7832,6 +7832,7 @@ func (m *RequestKubernetesResource) XXX_DiscardUnknown() { var xxx_messageInfo_RequestKubernetesResource proto.InternalMessageInfo // ResourceID is a unique identifier for a teleport resource. +// Must be kept in sync with teleport.decision.v1alpha1.ResourceId. type ResourceID struct { // ClusterName is the name of the cluster the resource is in. ClusterName string `protobuf:"bytes,1,opt,name=ClusterName,proto3" json:"cluster"` From 929f1c2d7faa8a3592ba6c71b96781cafc860b9c Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Fri, 6 Dec 2024 12:59:51 -0300 Subject: [PATCH 17/20] Add RouteToApp.target_port --- api/proto/teleport/decision/v1alpha1/tls_identity.proto | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto index 2f3cea2be12ab..846ef622ed105 100644 --- a/api/proto/teleport/decision/v1alpha1/tls_identity.proto +++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto @@ -179,6 +179,12 @@ message RouteToApp { // Uri is the URI of the app. This is the internal endpoint where the // application is running and isn't user-facing. string uri = 8; + + // TargetPort is the port to which connections should be routed to. Used only + // for multi-port TCP apps. It is appended to the hostname from the URI in the + // app spec, since the URI from RouteToApp is not used as the source of truth + // for routing. + int32 target_port = 9; } // RouteToDatabase contains routing information for databases. From 2744b1180c534b5f000ec3d2d9fd56a07857d118 Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Fri, 6 Dec 2024 13:01:40 -0300 Subject: [PATCH 18/20] Update generated protos --- .../decision/v1alpha1/tls_identity.pb.go | 82 +++++++++++-------- 1 file changed, 48 insertions(+), 34 deletions(-) 
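Review bot: `int32 target_port = 9;` in the tls_identity.proto hunk admits negative values and values above 65535 that cannot be routed; since the field is new in v1alpha1, `uint32 target_port = 9;` is still free to choose, and the comment should state the range and the sentinel, e.g. `// TargetPort is the port connections are routed to (1-65535); 0 means no target port was set.` With proto3 implicit presence, 0 is indistinguishable from unset, so that zero value is also how "used only for multi-port TCP apps" will be detected, and consumers should reject anything outside 1-65535 before appending it to the hostname from the app spec URI. The existing comment also reads `the port to which connections should be routed to`; the trailing `to` should be dropped. The enclosing `message RouteToApp` starts outside the hunk.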
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go index 80da924fea9d7..4cdc57d505e71 100644 --- a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go +++ b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go @@ -436,6 +436,11 @@ type RouteToApp struct { // Uri is the URI of the app. This is the internal endpoint where the // application is running and isn't user-facing. Uri string `protobuf:"bytes,8,opt,name=uri,proto3" json:"uri,omitempty"` + // TargetPort is the port to which connections should be routed to. Used only + // for multi-port TCP apps. It is appended to the hostname from the URI in the + // app spec, since the URI from RouteToApp is not used as the source of truth + // for routing. + TargetPort int32 `protobuf:"varint,9,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"` } func (x *RouteToApp) Reset() { @@ -524,6 +529,13 @@ func (x *RouteToApp) GetUri() string { return "" } +func (x *RouteToApp) GetTargetPort() int32 { + if x != nil { + return x.TargetPort + } + return 0 +} + // RouteToDatabase contains routing information for databases. type RouteToDatabase struct { state protoimpl.MessageState 
@@ -871,7 +883,7 @@ var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{ 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x10, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x23, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, - 0x54, 0x79, 0x70, 0x65, 0x22, 0x8e, 0x02, 0x0a, 0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, + 0x54, 0x79, 0x70, 0x65, 0x22, 0xaf, 0x02, 0x0a, 0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x41, 0x70, 0x70, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x61, 0x64, 0x64, 
@@ -888,39 +900,41 @@ var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{ 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x67, 0x63, 0x70, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x75, 0x72, 0x69, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x54, - 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, - 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, - 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, - 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x22, 0x83, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, - 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, - 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 
0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, - 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x71, 0x0a, 0x10, - 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, - 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1b, 0x0a, - 0x09, 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x08, 0x61, 0x73, 0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x72, - 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, 0x42, - 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, - 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, - 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, - 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, + 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, + 0x70, 0x6f, 0x72, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, + 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x9e, 0x01, 0x0a, 0x0f, 0x52, 0x6f, 0x75, 0x74, 0x65, + 0x54, 0x6f, 0x44, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0b, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, + 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, + 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, + 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, + 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x61, 0x74, 0x61, 0x62, 0x61, 0x73, + 0x65, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x22, 0x83, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, + 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, + 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, + 0x62, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x71, 0x0a, + 0x10, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1b, + 0x0a, 0x09, 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, + 
0x09, 0x52, 0x08, 0x61, 0x73, 0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x23, 0x0a, 0x0d, 0x63, + 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, + 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, + 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( From 4060fa4df2ba12f4e6424c930d8ce3ff5a87c7b5 Mon Sep 17 00:00:00 2001 From: Alan Parra Date: Fri, 6 Dec 2024 13:07:53 -0300 Subject: [PATCH 19/20] Update comments on TLSIdentity / tlsca.Identity --- api/proto/teleport/decision/v1alpha1/tls_identity.proto | 4 +++- lib/tlsca/ca.go | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/api/proto/teleport/decision/v1alpha1/tls_identity.proto b/api/proto/teleport/decision/v1alpha1/tls_identity.proto index 846ef622ed105..4e36f3c8d380a 100644 --- a/api/proto/teleport/decision/v1alpha1/tls_identity.proto +++ b/api/proto/teleport/decision/v1alpha1/tls_identity.proto 
@@ -22,8 +22,10 @@ import "teleport/trait/v1/trait.proto";
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 // TLSIdentity is the identity used for TLS connections.
+// Must be kept in sync with tlsca.Identity.
 message TLSIdentity {
- // Username is a username or name of the node connection.
+ // Username is the name of the user (for end-users/bots) or the Host ID (for
+ // Teleport processes).
 string username = 1;
 // Impersonator is a username of a user impersonating this user.
diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go
index 1ad08b5d1d64e..de002163584ea 100644
--- a/lib/tlsca/ca.go
+++ b/lib/tlsca/ca.go
@@ -110,8 +110,10 @@ type CertAuthority struct {
 }
 // Identity is an identity of the user or service, e.g. Proxy or Node
+// Must be kept in sync with teleport.decision.v1alpha1.TLSIdentity.
 type Identity struct {
- // Username is a username or name of the node connection
+ // Username is the name of the user (for end-users/bots) or the Host ID (for
+ // Teleport processes).
 Username string
 // Impersonator is a username of a user impersonating this user
 Impersonator string
From 2759f5eddf8a30714dc6a5b93b5600b55ab70b4a Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 6 Dec 2024 13:09:04 -0300
Subject: [PATCH 20/20] Update generated protos
---
 .../proto/go/teleport/decision/v1alpha1/tls_identity.pb.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
index 4cdc57d505e71..d5b8151bddc1d 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
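Review bot: The added `// Must be kept in sync with tlsca.Identity.` line on `message TLSIdentity` is the only thing holding the two definitions together; nothing in this patch makes a field added to tlsca.Identity but missing from the proto fail a build or a test, and an identity attribute that silently never reaches the decision-service side is exactly the drift that weakens an authorization decision. If the series already contains a tlsca.Identity to TLSIdentity conversion (not visible in this hunk), a round-trip test that populates every Identity field (reflection makes this cheap) and asserts the converted-back struct is equal would turn the comment into an enforced invariant; a lighter alternative is a test that compares the reflect-derived field names of tlsca.Identity with the proto descriptor's field names and fails on any unmatched name. The comment should then name whichever test enforces it, e.g. `// Must be kept in sync with tlsca.Identity; enforced by the round-trip test in lib/tlsca.` The message body continues outside the hunk.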
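Review bot: The sentence `// Identity is an identity of the user or service, e.g. Proxy or Node` now runs straight into the added `// Must be kept in sync with teleport.decision.v1alpha1.TLSIdentity.` line with no terminal punctuation, so godoc renders the two as one sentence; end the first with a period. The rewritten `Username` comment says the field holds either a user name or a Host ID but not how a consumer tells the two apart, and since a string such as `proxy` can be a legitimate end-user name, anything that branches on this field should key off whatever the struct uses to mark host identities (presumably a system-roles field, not visible in this hunk) rather than the value's shape. A sentence making that explicit, e.g. `// Callers must not infer user vs. host from the value itself; use the identity's system roles as the discriminator.`, would prevent that misuse. The struct body continues outside the hunk.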
@@ -37,12 +37,14 @@ const ( ) // TLSIdentity is the identity used for TLS connections. +// Must be kept in sync with tlsca.Identity. type TLSIdentity struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Username is a username or name of the node connection. + // Username is the name of the user (for end-users/bots) or the Host ID (for + // Teleport processes). Username string `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"` // Impersonator is a username of a user impersonating this user. Impersonator string `protobuf:"bytes,2,opt,name=impersonator,proto3" json:"impersonator,omitempty"`