Add bot field to certificates and various usage events #35881

Merged 18 commits on Jan 4, 2024.
Changes from 7 of the 18 commits are shown below.

Commits:
2d46160  Add bot field to certificates and various usage events (timothyb89, Dec 19, 2023)
4409436  Merge remote-tracking branch 'origin/master' into timothyb89/bot-flag… (timothyb89, Dec 19, 2023)
8889b64  Small bot flag plumbing fixes (timothyb89, Dec 22, 2023)
ded03c0  Merge remote-tracking branch 'origin/master' into timothyb89/bot-flag… (timothyb89, Dec 27, 2023)
7cb5a0e  Convert bot flag to BotName and UserKind enum (timothyb89, Dec 27, 2023)
113a6fb  Add a quick unit test for bot cert extensions (timothyb89, Dec 28, 2023)
5738078  Fix outdated grpc (timothyb89, Dec 28, 2023)
cc783fe  Include bot flag on initial certs (timothyb89, Dec 29, 2023)
de0cc17  Log a warning and override user kind for usage records if they differ (timothyb89, Dec 29, 2023)
c32f158  Fix several unit tests; add a bot metadata test case (timothyb89, Dec 29, 2023)
3558b50  Merge remote-tracking branch 'origin/master' into timothyb89/bot-flag… (timothyb89, Dec 29, 2023)
4012947  Merge remote-tracking branch 'origin/master' into timothyb89/bot-flag… (timothyb89, Dec 30, 2023)
ee77d9c  Fix unit tests with UserKind zero value (timothyb89, Dec 30, 2023)
ba60a89  Rename SSH cert extension to use standard format (timothyb89, Jan 2, 2024)
73dc21e  Attempt to improve unspecified userkind aggregating logic (timothyb89, Jan 2, 2024)
9d7b12d  Merge remote-tracking branch 'origin/master' into timothyb89/bot-flag… (timothyb89, Jan 4, 2024)
764c8c4  Merge branch 'master' into timothyb89/bot-flag-usage-events (timothyb89, Jan 4, 2024)
4e33a32  Merge branch 'master' into timothyb89/bot-flag-usage-events (timothyb89, Jan 4, 2024)
22 changes: 22 additions & 0 deletions api/proto/teleport/legacy/types/events/events.proto
Expand Up @@ -63,6 +63,21 @@ message SessionMetadata {
string PrivateKeyPolicy = 3 [(gogoproto.jsontag) = "private_key_policy,omitempty"];
}

// The kind of user a given username refers to. Usernames should always refer to
// a valid cluster user (even if temporary, e.g. SSO), but may be Machine ID
// bot users.
enum UserKind {
// Indicates a legacy cluster emitting events without a defined user kind.
USER_KIND_UNSPECIFIED = 0;

// Indicates the user associated with this event is human, either created
// locally or via SSO.
USER_KIND_HUMAN = 1;

// Indicates the user associated with this event is a Machine ID bot user.
USER_KIND_BOT = 2;
}

// UserMetadata is a common user event metadata
message UserMetadata {
// User is teleport user name
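Review bot: the doc comment on USER_KIND_UNSPECIFIED (the zero value) attributes it only to "a legacy cluster emitting events without a defined user kind", but any emitter that never sets UserMetadata.UserKind produces exactly the same value, so a consumer cannot tell a legacy cluster from a new emitter that forgot to populate the field. Suggest widening the comment to "the emitter did not set a user kind (e.g. a legacy cluster)" and stating explicitly that aggregation must treat this value as unknown rather than defaulting it to USER_KIND_HUMAN, since silently counting unset events as human would understate bot usage and overstate human usage in the usage records this PR feeds.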
Expand Down Expand Up @@ -92,6 +107,10 @@ message UserMetadata {

// RequiredPrivateKeyPolicy is the private key policy enforced for this login.
string RequiredPrivateKeyPolicy = 9 [(gogoproto.jsontag) = "required_private_key_policy,omitempty"];

// UserKind indicates what type of user this is, e.g. a human or Machine ID
// bot user.
UserKind UserKind = 10 [(gogoproto.jsontag) = "user_kind,omitempty"];
}

// Server is a server metadata
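Review bot: `UserKind UserKind = 10 [(gogoproto.jsontag) = "user_kind,omitempty"];` drops the zero value USER_KIND_UNSPECIFIED from the JSON form of the event, so in the audit log an event from a legacy cluster and one from a new emitter that left the field unset are indistinguishable (both simply lack `user_kind`). That matches the enum's "unspecified" semantics, but the field comment should say that absence means unspecified and not human, and every emitter touched by this PR should set the field explicitly so that the only events lacking `user_kind` are genuinely legacy ones.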
Expand Down Expand Up @@ -3870,6 +3889,9 @@ message Identity {
repeated string GCPServiceAccounts = 25 [(gogoproto.jsontag) = "gcp_service_accounts,omitempty"];
// PrivateKeyPolicy is the private key policy of the user's private key.
string PrivateKeyPolicy = 26 [(gogoproto.jsontag) = "private_key_policy,omitempty"];
// BotName indicates the name of the Machine ID bot this identity was issued
// to, if any.
string BotName = 27 [(gogoproto.jsontag) = "bot_name,omitempty"];
}

// RouteToApp contains parameters for application access certificate requests.
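Review bot: Identity records the bot as a free-form `string BotName = 27` while UserMetadata records a `UserKind` enum; the comment should state how the two relate (presumably a non-empty BotName implies USER_KIND_BOT and an empty one implies USER_KIND_HUMAN), so that code deriving a user kind from an identity and the usage-record path that, per commit de0cc17, logs a warning and overrides the user kind when the two disagree follow one documented rule. It should also say whether this holds the bot's name or the bot user's username, since the UserKind comment in this file deliberately distinguishes usernames from the bot users they may refer to.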
1,788 changes: 953 additions & 835 deletions api/types/events/events.pb.go


3 changes: 3 additions & 0 deletions constants.go
Expand Up @@ -495,6 +495,9 @@ const (
// CertExtensionDeviceCredentialID is the identifier for the credential used
// by the device to authenticate itself.
CertExtensionDeviceCredentialID = "teleport-device-credential-id"
// CertExtensionBot indicates the name of the Machine ID bot this
// certificate was issued to, if any.
CertExtensionBot = "teleport-bot"

// CertCriticalOptionSourceAddress is a critical option that defines IP addresses (in CIDR notation)
// from which this certificate is accepted for authentication.
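Review bot: `CertExtensionBot = "teleport-bot"` holds a bot name according to its own comment, yet the constant is named as if it were a boolean flag, unlike the neighbouring `CertExtensionDeviceCredentialID`, which is named after what it carries; `CertExtensionBotName` would line up with the `BotName` field added to the Identity event in events.proto. The commit list (ba60a89, "Rename SSH cert extension to use standard format") shows the string value was changed after the 7 commits rendered here, so both name and value should be checked on the final revision; for a vendor-specific SSH certificate extension the conventional form is `name@domain`, the shape RFC 4251 reserves for locally defined names, which also avoids colliding with any future IANA-registered extension.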
18 changes: 18 additions & 0 deletions gen/proto/go/prehog/v1/prehogv1connect/teleport.connect.go


268 changes: 190 additions & 78 deletions gen/proto/go/prehog/v1/teleport.pb.go
