From bbb99dfb09f28fd106e2781c3a484a8b5135314e Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Mon, 25 Nov 2024 18:40:33 +0000
Subject: [PATCH] Persist Join Attributes in X509 Cert

---
 .../teleport/machineid/v1/bot_instance.pb.go | 232 ++-
 .../teleport/workloadidentity/v1/attrs.pb.go | 171 +-
 .../workloadidentity/v1/join_attrs.pb.go | 1772 +++++++++++++++++
 .../teleport/machineid/v1/bot_instance.proto | 8 +
 .../teleport/workloadidentity/v1/attrs.proto | 4 +
 .../workloadidentity/v1/join_attrs.proto | 312 +++
 lib/auth/auth.go | 7 +-
 lib/auth/auth_with_roles.go | 3 +
 lib/auth/bot.go | 25 +-
 lib/auth/join.go | 158 +-
 lib/auth/join_azure.go | 43 +-
 lib/auth/join_iam.go | 50 +-
 lib/auth/join_tpm.go | 17 +-
 lib/bitbucket/bitbucket.go | 29 +-
 lib/circleci/circleci.go | 26 +-
 lib/gcp/gcp.go | 32 +-
 lib/githubactions/githubactions.go | 23 +
 lib/gitlab/gitlab.go | 39 +-
 lib/kube/token/validator.go | 70 +-
 lib/spacelift/spacelift.go | 17 +
 lib/terraformcloud/terraform.go | 30 +-
 lib/tlsca/ca.go | 36 +
 lib/tpm/validate.go | 21 +-
 tool/tctl/common/bots_command.go | 23 +-
 24 files changed, 2750 insertions(+), 398 deletions(-)
 create mode 100644 api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go
 create mode 100644 api/proto/teleport/workloadidentity/v1/join_attrs.proto

diff --git a/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go b/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go
index b794040d05ba0..8007dc110356a 100644
--- a/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go
@@ -22,6 +22,7 @@ package machineidv1 import ( v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" + v11 "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" durationpb "google.golang.org/protobuf/types/known/durationpb" 
@@ -317,11 +318,14 @@ type BotInstanceStatusAuthentication struct { // Server. AuthenticatedAt *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=authenticated_at,json=authenticatedAt,proto3" json:"authenticated_at,omitempty"` // The join method used for this join or renewal. + // Deprecated: prefer using join_attrs.meta.join_method JoinMethod string `protobuf:"bytes,2,opt,name=join_method,json=joinMethod,proto3" json:"join_method,omitempty"` // The join token used for this join or renewal. This is only populated for // delegated join methods as the value for `token` join methods is sensitive. + // Deprecated: prefer using join_attrs.meta.join_token_name JoinToken string `protobuf:"bytes,3,opt,name=join_token,json=joinToken,proto3" json:"join_token,omitempty"` // The metadata sourced from the join method. + // Deprecated: per using join_attrs. Metadata *structpb.Struct `protobuf:"bytes,4,opt,name=metadata,proto3" json:"metadata,omitempty"` // On each renewal, this generation is incremented. For delegated join // methods, this counter is not checked during renewal. For the `token` join @@ -332,7 +336,9 @@ type BotInstanceStatusAuthentication struct { // The public key of the Bot instance. This must be a PEM wrapped, PKIX DER // encoded public key. This provides consistency and supports multiple types // of public key algorithm. - PublicKey []byte `protobuf:"bytes,6,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + PublicKey []byte `protobuf:"bytes,6,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // The attributes generated during the join process. + JoinAttrs *v11.JoinAttrs `protobuf:"bytes,8,opt,name=join_attrs,json=joinAttrs,proto3" json:"join_attrs,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } 
@@ -409,6 +415,13 @@ func (x *BotInstanceStatusAuthentication) GetPublicKey() []byte { return nil } +func (x *BotInstanceStatusAuthentication) GetJoinAttrs() *v11.JoinAttrs { + if x != nil { + return x.JoinAttrs + } + return nil +} + // BotInstanceStatus holds the status of a BotInstance. type BotInstanceStatus struct { state protoimpl.MessageState `protogen:"open.v1"` 
@@ -497,103 +510,110 @@ var file_teleport_machineid_v1_bot_instance_proto_rawDesc = []byte{ 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x22, 0x8e, 0x02, 0x0a, 0x0b, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, - 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, - 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, - 0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x08, - 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, - 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, - 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3a, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, - 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, - 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, - 0x65, 0x63, 0x12, 0x40, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, - 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, - 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 
0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, - 0x61, 0x74, 0x75, 0x73, 0x22, 0x58, 0x0a, 0x0f, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, - 0x6e, 0x63, 0x65, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, - 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, - 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, - 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, - 0x65, 0x49, 0x64, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x52, 0x03, 0x74, 0x74, 0x6c, 0x22, 0xd1, - 0x02, 0x0a, 0x1a, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, - 0x61, 0x74, 0x75, 0x73, 0x48, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x12, 0x3b, 0x0a, - 0x0b, 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, - 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x65, 0x64, 0x41, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, - 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, - 0x69, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, - 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, - 0x31, 0x0a, 0x06, 0x75, 0x70, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x75, 0x70, 
0x74, 0x69, - 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x6d, 0x65, 0x74, 0x68, 0x6f, - 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x74, - 0x68, 0x6f, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x6e, 0x65, 0x5f, 0x73, 0x68, 0x6f, 0x74, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x6f, 0x6e, 0x65, 0x53, 0x68, 0x6f, 0x74, 0x12, 0x22, - 0x0a, 0x0c, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x18, 0x08, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, - 0x72, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x6f, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, - 0x6f, 0x73, 0x22, 0xaf, 0x02, 0x0a, 0x1f, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, - 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, - 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x45, 0x0a, 0x10, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, - 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0f, 0x61, 0x75, - 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x1f, 0x0a, - 0x0b, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1d, - 0x0a, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x09, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x33, 0x0a, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x53, 0x74, 
0x72, 0x75, 0x63, 0x74, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, - 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x52, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, - 0x72, 0x69, 0x6e, 0x74, 0x22, 0xb1, 0x03, 0x0a, 0x11, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, - 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x6d, 0x0a, 0x16, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x74, 0x65, 0x6c, + 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, + 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, + 0x31, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x22, 0x8e, 0x02, 0x0a, 0x0b, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x75, 0x62, 0x5f, 0x6b, 0x69, + 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x4b, 0x69, 0x6e, + 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x08, 0x6d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 
0x65, 0x61, 0x64, 0x65, 0x72, 0x2e, + 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, + 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x3a, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, + 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, + 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, + 0x63, 0x12, 0x40, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x28, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, + 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, + 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x22, 0x58, 0x0a, 0x0f, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, + 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, + 0x49, 0x64, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x52, 0x03, 0x74, 0x74, 0x6c, 0x22, 0xd1, 0x02, + 0x0a, 0x1a, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x48, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x12, 0x3b, 0x0a, 0x0b, + 0x72, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x72, + 
0x65, 0x63, 0x6f, 0x72, 0x64, 0x65, 0x64, 0x41, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, + 0x73, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, + 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x31, + 0x0a, 0x06, 0x75, 0x70, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x75, 0x70, 0x74, 0x69, 0x6d, + 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x74, 0x68, + 0x6f, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x6f, 0x6e, 0x65, 0x5f, 0x73, 0x68, 0x6f, 0x74, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x6f, 0x6e, 0x65, 0x53, 0x68, 0x6f, 0x74, 0x12, 0x22, 0x0a, + 0x0c, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x18, 0x08, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0c, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, + 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x6f, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x6f, + 0x73, 0x22, 0xf7, 0x02, 0x0a, 0x1f, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, + 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x45, 0x0a, 0x10, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 
0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0f, 0x61, 0x75, 0x74, + 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x1f, 0x0a, 0x0b, + 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1d, 0x0a, + 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x09, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x33, 0x0a, 0x08, + 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, + 0x61, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, + 0x12, 0x46, 0x0a, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x73, 0x18, 0x08, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, + 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, + 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x52, 0x09, 0x6a, + 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x52, 0x0b, + 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0xb1, 0x03, 0x0a, 0x11, + 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 
0x74, 0x61, 0x74, 0x75, + 0x73, 0x12, 0x6d, 0x0a, 0x16, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x61, 0x75, 0x74, + 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x36, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, + 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, + 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x41, 0x75, 0x74, 0x68, 0x65, + 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x15, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x61, 0x6c, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x12, 0x6d, 0x0a, 0x16, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x65, + 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x36, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, + 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, + 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, + 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x15, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x74, + 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, + 0x5e, 0x0a, 0x11, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x68, 0x65, 0x61, 0x72, 0x74, + 0x62, 0x65, 0x61, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, - 0x61, 0x74, 0x75, 0x73, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x52, 0x15, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x41, 0x75, 0x74, 0x68, 0x65, - 0x6e, 0x74, 0x69, 
0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6d, 0x0a, 0x16, 0x6c, 0x61, 0x74, - 0x65, 0x73, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x74, 0x65, 0x6c, 0x65, - 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, - 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, - 0x74, 0x75, 0x73, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x52, 0x15, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x74, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x5e, 0x0a, 0x11, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x61, 0x6c, 0x5f, 0x68, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, - 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, - 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x48, 0x65, 0x61, - 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x52, 0x10, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x48, - 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x12, 0x5e, 0x0a, 0x11, 0x6c, 0x61, 0x74, 0x65, - 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x73, 0x18, 0x04, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, - 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, - 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x48, 0x65, 0x61, - 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x52, 0x10, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x74, 0x48, 0x65, - 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x73, 0x42, 0x56, 0x5a, 0x54, 0x67, 0x69, 0x74, 0x68, - 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 
0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, - 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, - 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x61, 0x74, 0x75, 0x73, 0x48, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x52, 0x10, 0x69, + 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, 0x48, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x12, + 0x5e, 0x0a, 0x11, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x72, 0x74, 0x62, + 0x65, 0x61, 0x74, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2e, + 0x76, 0x31, 0x2e, 0x42, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x53, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x48, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x52, 0x10, 0x6c, + 0x61, 0x74, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x72, 0x74, 0x62, 0x65, 0x61, 0x74, 0x73, 0x42, + 0x56, 0x5a, 0x54, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, + 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, + 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68, + 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -619,6 +639,7 @@ var file_teleport_machineid_v1_bot_instance_proto_goTypes = []any{ (*timestamppb.Timestamp)(nil), // 6: google.protobuf.Timestamp (*durationpb.Duration)(nil), // 7: google.protobuf.Duration (*structpb.Struct)(nil), // 8: google.protobuf.Struct + (*v11.JoinAttrs)(nil), // 9: teleport.workloadidentity.v1.JoinAttrs } var file_teleport_machineid_v1_bot_instance_proto_depIdxs = []int32{ 5, // 0: teleport.machineid.v1.BotInstance.metadata:type_name -> teleport.header.v1.Metadata 
@@ -628,15 +649,16 @@ var file_teleport_machineid_v1_bot_instance_proto_depIdxs = []int32{ 7, // 4: teleport.machineid.v1.BotInstanceStatusHeartbeat.uptime:type_name -> google.protobuf.Duration 6, // 5: teleport.machineid.v1.BotInstanceStatusAuthentication.authenticated_at:type_name -> google.protobuf.Timestamp 8, // 6: teleport.machineid.v1.BotInstanceStatusAuthentication.metadata:type_name -> google.protobuf.Struct - 3, // 7: teleport.machineid.v1.BotInstanceStatus.initial_authentication:type_name -> teleport.machineid.v1.BotInstanceStatusAuthentication - 3, // 8: teleport.machineid.v1.BotInstanceStatus.latest_authentications:type_name -> teleport.machineid.v1.BotInstanceStatusAuthentication - 2, // 9: teleport.machineid.v1.BotInstanceStatus.initial_heartbeat:type_name -> teleport.machineid.v1.BotInstanceStatusHeartbeat - 2, // 10: teleport.machineid.v1.BotInstanceStatus.latest_heartbeats:type_name -> teleport.machineid.v1.BotInstanceStatusHeartbeat - 11, // [11:11] is the sub-list for method output_type - 11, // [11:11] is the sub-list for method input_type - 11, // [11:11] is the sub-list for extension type_name - 11, // [11:11] is the sub-list for extension extendee - 0, // [0:11] is the sub-list for field type_name + 9, // 7: teleport.machineid.v1.BotInstanceStatusAuthentication.join_attrs:type_name -> teleport.workloadidentity.v1.JoinAttrs + 3, // 8: teleport.machineid.v1.BotInstanceStatus.initial_authentication:type_name -> teleport.machineid.v1.BotInstanceStatusAuthentication + 3, // 9: teleport.machineid.v1.BotInstanceStatus.latest_authentications:type_name -> teleport.machineid.v1.BotInstanceStatusAuthentication + 2, // 10: teleport.machineid.v1.BotInstanceStatus.initial_heartbeat:type_name -> teleport.machineid.v1.BotInstanceStatusHeartbeat + 2, // 11: teleport.machineid.v1.BotInstanceStatus.latest_heartbeats:type_name -> teleport.machineid.v1.BotInstanceStatusHeartbeat + 12, // [12:12] is the sub-list for method output_type + 12, // [12:12] is the 
sub-list for method input_type + 12, // [12:12] is the sub-list for extension type_name + 12, // [12:12] is the sub-list for extension extendee + 0, // [0:12] is the sub-list for field type_name } func init() { file_teleport_machineid_v1_bot_instance_proto_init() } diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go index bc75d65f597e0..a344144557c73 100644 --- a/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go +++ b/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go @@ -347,7 +347,9 @@ type Attrs struct { Workload *WorkloadAttrs `protobuf:"bytes,1,opt,name=workload,proto3" json:"workload,omitempty"` // Attributes sourced from the user/bot making the request for a workload // identity credential. - User *UserAttrs `protobuf:"bytes,2,opt,name=user,proto3" json:"user,omitempty"` + User *UserAttrs `protobuf:"bytes,2,opt,name=user,proto3" json:"user,omitempty"` + // Attributes resulting from the join process. + Join *JoinAttrs `protobuf:"bytes,3,opt,name=join,proto3" json:"join,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -396,6 +398,13 @@ func (x *Attrs) GetUser() *UserAttrs { return nil } +func (x *Attrs) GetJoin() *JoinAttrs { + if x != nil { + return x.Join + } + return nil +} + var File_teleport_workloadidentity_v1_attrs_proto protoreflect.FileDescriptor var file_teleport_workloadidentity_v1_attrs_proto_rawDesc = []byte{ 
@@ -403,77 +412,84 @@ var file_teleport_workloadidentity_v1_attrs_proto_rawDesc = []byte{ 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x22, 0xc6, 0x02, 0x0a, 0x17, 0x57, 0x6f, 0x72, - 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, - 0x65, 0x74, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, - 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x19, - 0x0a, 0x08, 0x70, 0x6f, 0x64, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x07, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, - 0x6e, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x70, 0x6f, 0x64, 0x5f, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x6f, 0x64, 0x55, 0x69, 0x64, 0x12, 0x59, 0x0a, 0x06, 0x6c, - 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x74, 0x65, - 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, - 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, - 0x65, 0x73, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 
0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, - 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x22, 0x65, 0x0a, 0x11, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, - 0x72, 0x73, 0x55, 0x6e, 0x69, 0x78, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, - 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, - 0x65, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, - 0x03, 0x70, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0d, 0x52, 0x03, 0x67, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x0d, 0x52, 0x03, 0x75, 0x69, 0x64, 0x22, 0xab, 0x01, 0x0a, 0x0d, 0x57, 0x6f, 0x72, - 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x43, 0x0a, 0x04, 0x75, 0x6e, - 0x69, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, - 0x41, 0x74, 0x74, 0x72, 0x73, 0x55, 0x6e, 0x69, 0x78, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x78, 0x12, - 0x55, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, - 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, - 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 
0x72, 0x73, - 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, - 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x22, 0x81, 0x02, 0x0a, 0x09, 0x55, 0x73, 0x65, 0x72, 0x41, - 0x74, 0x74, 0x72, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x69, 0x73, 0x5f, 0x62, - 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x69, 0x73, 0x42, 0x6f, 0x74, 0x12, - 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x62, 0x6f, - 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, - 0x49, 0x64, 0x12, 0x4b, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x05, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, + 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, + 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc6, 0x02, 0x0a, 0x17, 0x57, 0x6f, 0x72, 0x6b, + 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x12, + 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x19, 0x0a, + 0x08, 0x70, 0x6f, 0x64, 
0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x07, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x65, 0x72, 0x76, + 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, + 0x74, 0x12, 0x17, 0x0a, 0x07, 0x70, 0x6f, 0x64, 0x5f, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x06, 0x70, 0x6f, 0x64, 0x55, 0x69, 0x64, 0x12, 0x59, 0x0a, 0x06, 0x6c, 0x61, + 0x62, 0x65, 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, + 0x73, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, + 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x22, 0x65, 0x0a, 0x11, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, + 0x73, 0x55, 0x6e, 0x69, 0x78, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, + 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, + 0x64, 0x12, 0x10, 0x0a, 0x03, 0x70, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x03, + 0x70, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, + 0x52, 0x03, 0x67, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x75, 
0x69, 0x64, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x0d, 0x52, 0x03, 0x75, 0x69, 0x64, 0x22, 0xab, 0x01, 0x0a, 0x0d, 0x57, 0x6f, 0x72, 0x6b, + 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x43, 0x0a, 0x04, 0x75, 0x6e, 0x69, + 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, + 0x74, 0x74, 0x72, 0x73, 0x55, 0x6e, 0x69, 0x78, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x78, 0x12, 0x55, + 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, - 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x4c, 0x61, 0x62, 0x65, - 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, - 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, - 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x8d, 0x01, 0x0a, 0x05, 0x41, - 0x74, 0x74, 0x72, 0x73, 0x12, 0x47, 0x0a, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, - 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, - 0x74, 0x72, 0x73, 0x52, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x12, 0x3b, 0x0a, - 
0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, - 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x41, - 0x74, 0x74, 0x72, 0x73, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x42, 0x64, 0x5a, 0x62, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, - 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, - 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, - 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, - 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, + 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, + 0x6e, 0x65, 0x74, 0x65, 0x73, 0x22, 0x81, 0x02, 0x0a, 0x09, 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, + 0x74, 0x72, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x69, 0x73, 0x5f, 0x62, 0x6f, + 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x69, 0x73, 0x42, 0x6f, 0x74, 0x12, 0x19, + 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x62, 0x6f, 0x74, + 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 
0x65, 0x49, + 0x64, 0x12, 0x4b, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, + 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, + 0x2e, 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, + 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, 0x39, + 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, + 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, + 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xca, 0x01, 0x0a, 0x05, 0x41, 0x74, + 0x74, 0x72, 0x73, 0x12, 0x47, 0x0a, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, + 0x72, 0x73, 0x52, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x12, 0x3b, 0x0a, 0x04, + 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, + 0x74, 0x72, 0x73, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x3b, 0x0a, 0x04, 0x6a, 0x6f, 0x69, + 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x2e, 
0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, + 0x52, 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x42, 0x64, 0x5a, 0x62, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, + 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -497,6 +513,7 @@ var file_teleport_workloadidentity_v1_attrs_proto_goTypes = []any{ (*Attrs)(nil), // 4: teleport.workloadidentity.v1.Attrs nil, // 5: teleport.workloadidentity.v1.WorkloadAttrsKubernetes.LabelsEntry nil, // 6: teleport.workloadidentity.v1.UserAttrs.LabelsEntry + (*JoinAttrs)(nil), // 7: teleport.workloadidentity.v1.JoinAttrs } var file_teleport_workloadidentity_v1_attrs_proto_depIdxs = []int32{ 5, // 0: teleport.workloadidentity.v1.WorkloadAttrsKubernetes.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsKubernetes.LabelsEntry 
@@ -505,11 +522,12 @@ var file_teleport_workloadidentity_v1_attrs_proto_depIdxs = []int32{ 6, // 3: teleport.workloadidentity.v1.UserAttrs.labels:type_name -> teleport.workloadidentity.v1.UserAttrs.LabelsEntry 2, // 4: teleport.workloadidentity.v1.Attrs.workload:type_name -> teleport.workloadidentity.v1.WorkloadAttrs 3, // 5: teleport.workloadidentity.v1.Attrs.user:type_name -> teleport.workloadidentity.v1.UserAttrs - 6, // [6:6] is the sub-list for method output_type - 6, // [6:6] is the sub-list for method input_type - 6, // [6:6] is the sub-list for extension type_name - 6, // [6:6] is the sub-list for extension extendee - 0, // [0:6] is the sub-list for field type_name + 7, // 6: teleport.workloadidentity.v1.Attrs.join:type_name -> teleport.workloadidentity.v1.JoinAttrs + 7, // [7:7] is the sub-list for method output_type + 7, // [7:7] is the sub-list for method input_type + 7, // [7:7] is the sub-list for extension type_name + 7, // [7:7] is the sub-list for extension extendee + 0, // [0:7] is the sub-list for field type_name } func init() { file_teleport_workloadidentity_v1_attrs_proto_init() } @@ -517,6 +535,7 @@ func file_teleport_workloadidentity_v1_attrs_proto_init() { if File_teleport_workloadidentity_v1_attrs_proto != nil { return } + file_teleport_workloadidentity_v1_join_attrs_proto_init() type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go new file mode 100644 index 0000000000000..3c22e037d5bc2 --- /dev/null +++ b/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go 
@@ -0,0 +1,1772 @@ +// Copyright 2024 Gravitational, Inc +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.0 +// protoc (unknown) +// source: teleport/workloadidentity/v1/join_attrs.proto + +package workloadidentityv1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// The collection of attributes that result from the join process. +type JoinAttrs struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The collection of attributes that result from the join process but are not + // specific to any particular join method. + Meta *JoinAttrsMeta `protobuf:"bytes,1,opt,name=meta,proto3" json:"meta,omitempty"` + // Attributes that are specific to the GitLab (`gitlab`) join method. + Gitlab *JoinAttrsGitLab `protobuf:"bytes,2,opt,name=gitlab,proto3" json:"gitlab,omitempty"` + // Attributes that are specific to the GitHub (`github`) join method. 
+ Github *JoinAttrsGitHub `protobuf:"bytes,3,opt,name=github,proto3" json:"github,omitempty"` + // Attributes that are specific to the AWS IAM (`iam`) join method. + Iam *JoinAttrsAWSIAM `protobuf:"bytes,4,opt,name=iam,proto3" json:"iam,omitempty"` + // Attributes that are specific to the TPM (`tpm`) join method. + Tpm *JoinAttrsTPM `protobuf:"bytes,5,opt,name=tpm,proto3" json:"tpm,omitempty"` + // Attributes that are specific to the Azure (`azure`) join method. + Azure *JoinAttrsAzure `protobuf:"bytes,6,opt,name=azure,proto3" json:"azure,omitempty"` + // Attributes that are specific to the CircleCI (`circleci`) join method. + Circleci *JoinAttrsCircleCI `protobuf:"bytes,7,opt,name=circleci,proto3" json:"circleci,omitempty"` + // Attributes that are specific to the Bitbucket (`bitbucket`) join method. + Bitbucket *JoinAttrsBitbucket `protobuf:"bytes,8,opt,name=bitbucket,proto3" json:"bitbucket,omitempty"` + // Attributes that are specific to the Terraform Cloud (`terraform_cloud`) join method. + TerraformCloud *JoinAttrsTerraformCloud `protobuf:"bytes,9,opt,name=terraform_cloud,json=terraformCloud,proto3" json:"terraform_cloud,omitempty"` + // Attributes that are specific to the Spacelift (`spacelift`) join method. + Spacelift *JoinAttrsSpacelift `protobuf:"bytes,10,opt,name=spacelift,proto3" json:"spacelift,omitempty"` + // Attributes that are specific to the GCP (`gcp`) join method. + Gcp *JoinAttrsGCP `protobuf:"bytes,11,opt,name=gcp,proto3" json:"gcp,omitempty"` + // Attributes that are specific to the Kubernetes (`kubernetes`) join method. 
+ Kubernetes *JoinAttrsKubernetes `protobuf:"bytes,12,opt,name=kubernetes,proto3" json:"kubernetes,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrs) Reset() { + *x = JoinAttrs{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrs) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrs) ProtoMessage() {} + +func (x *JoinAttrs) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrs.ProtoReflect.Descriptor instead. +func (*JoinAttrs) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{0} +} + +func (x *JoinAttrs) GetMeta() *JoinAttrsMeta { + if x != nil { + return x.Meta + } + return nil +} + +func (x *JoinAttrs) GetGitlab() *JoinAttrsGitLab { + if x != nil { + return x.Gitlab + } + return nil +} + +func (x *JoinAttrs) GetGithub() *JoinAttrsGitHub { + if x != nil { + return x.Github + } + return nil +} + +func (x *JoinAttrs) GetIam() *JoinAttrsAWSIAM { + if x != nil { + return x.Iam + } + return nil +} + +func (x *JoinAttrs) GetTpm() *JoinAttrsTPM { + if x != nil { + return x.Tpm + } + return nil +} + +func (x *JoinAttrs) GetAzure() *JoinAttrsAzure { + if x != nil { + return x.Azure + } + return nil +} + +func (x *JoinAttrs) GetCircleci() *JoinAttrsCircleCI { + if x != nil { + return x.Circleci + } + return nil +} + +func (x *JoinAttrs) GetBitbucket() *JoinAttrsBitbucket { + if x != nil { + return x.Bitbucket + } + return nil +} + +func (x *JoinAttrs) GetTerraformCloud() *JoinAttrsTerraformCloud { + if x != nil { + return 
x.TerraformCloud + } + return nil +} + +func (x *JoinAttrs) GetSpacelift() *JoinAttrsSpacelift { + if x != nil { + return x.Spacelift + } + return nil +} + +func (x *JoinAttrs) GetGcp() *JoinAttrsGCP { + if x != nil { + return x.Gcp + } + return nil +} + +func (x *JoinAttrs) GetKubernetes() *JoinAttrsKubernetes { + if x != nil { + return x.Kubernetes + } + return nil +} + +// The collection of attributes that result from the join process but are not +// specific to any particular join method. +type JoinAttrsMeta struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The name of the join token that was used to join. + // + // This field is omitted if the join token that was used to join was of the + // `token` method as in this case, the name of the join token is sensitive. + // + // Example: `my-gitlab-join-token` + JoinTokenName string `protobuf:"bytes,1,opt,name=join_token_name,json=joinTokenName,proto3" json:"join_token_name,omitempty"` + // The name of the join method that was used to join. + // + // Example: `gitlab` + JoinMethod string `protobuf:"bytes,2,opt,name=join_method,json=joinMethod,proto3" json:"join_method,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsMeta) Reset() { + *x = JoinAttrsMeta{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsMeta) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsMeta) ProtoMessage() {} + +func (x *JoinAttrsMeta) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[1] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsMeta.ProtoReflect.Descriptor instead. 
+func (*JoinAttrsMeta) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{1} +} + +func (x *JoinAttrsMeta) GetJoinTokenName() string { + if x != nil { + return x.JoinTokenName + } + return "" +} + +func (x *JoinAttrsMeta) GetJoinMethod() string { + if x != nil { + return x.JoinMethod + } + return "" +} + +// Attributes that are specific to the GitLab join method. +// +// Typically, these are mapped directly from the claims of the GitLab JWT that +// was used to join. You can view the documentation for those claims at: +// https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload +type JoinAttrsGitLab struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The `sub` claim of the GitLab JWT that was used to join. + // For example: `project_path:mygroup/my-project:ref_type:branch:ref:main` + Sub string `protobuf:"bytes,1,opt,name=sub,proto3" json:"sub,omitempty"` + // The ref that the pipeline is running against. + // For example: `main` + Ref string `protobuf:"bytes,2,opt,name=ref,proto3" json:"ref,omitempty"` + // The type of ref that the pipeline is running against. + // This is typically `branch` or `tag`. + RefType string `protobuf:"bytes,3,opt,name=ref_type,json=refType,proto3" json:"ref_type,omitempty"` + // Whether or not the ref that the pipeline is running against is protected. + RefProtected bool `protobuf:"varint,4,opt,name=ref_protected,json=refProtected,proto3" json:"ref_protected,omitempty"` + // The path of the namespace of the project that the pipeline is running within. + // For example: `mygroup` + NamespacePath string `protobuf:"bytes,5,opt,name=namespace_path,json=namespacePath,proto3" json:"namespace_path,omitempty"` + // The full qualified path of the project that the pipeline is running within. + // This includes the namespace path. 
+ // For example: `mygroup/my-project` + ProjectPath string `protobuf:"bytes,6,opt,name=project_path,json=projectPath,proto3" json:"project_path,omitempty"` + // The name of the user that triggered the pipeline run. + UserLogin string `protobuf:"bytes,7,opt,name=user_login,json=userLogin,proto3" json:"user_login,omitempty"` + // The email of the user that triggered the pipeline run. + UserEmail string `protobuf:"bytes,8,opt,name=user_email,json=userEmail,proto3" json:"user_email,omitempty"` + // The ID of the pipeline. + PipelineId string `protobuf:"bytes,9,opt,name=pipeline_id,json=pipelineId,proto3" json:"pipeline_id,omitempty"` + // The source of the pipeline. + // For example: `push` or `web` + PipelineSource string `protobuf:"bytes,10,opt,name=pipeline_source,json=pipelineSource,proto3" json:"pipeline_source,omitempty"` + // The environment the pipeline is running against, if any. + Environment string `protobuf:"bytes,11,opt,name=environment,proto3" json:"environment,omitempty"` + // Whether or not the pipeline is running against a protected environment. + // If there is no configured environment, this field is false. + EnvironmentProtected bool `protobuf:"varint,12,opt,name=environment_protected,json=environmentProtected,proto3" json:"environment_protected,omitempty"` + // The ID of the runner that this pipeline is running on. + RunnerId int64 `protobuf:"varint,13,opt,name=runner_id,json=runnerId,proto3" json:"runner_id,omitempty"` + // The type of runner that is processing the pipeline. + // Either `gitlab-hosted` or `self-hosted`. + RunnerEnvironment string `protobuf:"bytes,14,opt,name=runner_environment,json=runnerEnvironment,proto3" json:"runner_environment,omitempty"` + // The SHA of the commit that triggered the pipeline run. + Sha string `protobuf:"bytes,15,opt,name=sha,proto3" json:"sha,omitempty"` + // The ref URI of the CI config configuring the pipeline. 
+ CiConfigRefUri string `protobuf:"bytes,16,opt,name=ci_config_ref_uri,json=ciConfigRefUri,proto3" json:"ci_config_ref_uri,omitempty"` + // The Git SHA of the CI config ref configuring the pipeline. + CiConfigSha string `protobuf:"bytes,17,opt,name=ci_config_sha,json=ciConfigSha,proto3" json:"ci_config_sha,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsGitLab) Reset() { + *x = JoinAttrsGitLab{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsGitLab) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsGitLab) ProtoMessage() {} + +func (x *JoinAttrsGitLab) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsGitLab.ProtoReflect.Descriptor instead. 
+func (*JoinAttrsGitLab) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{2} +} + +func (x *JoinAttrsGitLab) GetSub() string { + if x != nil { + return x.Sub + } + return "" +} + +func (x *JoinAttrsGitLab) GetRef() string { + if x != nil { + return x.Ref + } + return "" +} + +func (x *JoinAttrsGitLab) GetRefType() string { + if x != nil { + return x.RefType + } + return "" +} + +func (x *JoinAttrsGitLab) GetRefProtected() bool { + if x != nil { + return x.RefProtected + } + return false +} + +func (x *JoinAttrsGitLab) GetNamespacePath() string { + if x != nil { + return x.NamespacePath + } + return "" +} + +func (x *JoinAttrsGitLab) GetProjectPath() string { + if x != nil { + return x.ProjectPath + } + return "" +} + +func (x *JoinAttrsGitLab) GetUserLogin() string { + if x != nil { + return x.UserLogin + } + return "" +} + +func (x *JoinAttrsGitLab) GetUserEmail() string { + if x != nil { + return x.UserEmail + } + return "" +} + +func (x *JoinAttrsGitLab) GetPipelineId() string { + if x != nil { + return x.PipelineId + } + return "" +} + +func (x *JoinAttrsGitLab) GetPipelineSource() string { + if x != nil { + return x.PipelineSource + } + return "" +} + +func (x *JoinAttrsGitLab) GetEnvironment() string { + if x != nil { + return x.Environment + } + return "" +} + +func (x *JoinAttrsGitLab) GetEnvironmentProtected() bool { + if x != nil { + return x.EnvironmentProtected + } + return false +} + +func (x *JoinAttrsGitLab) GetRunnerId() int64 { + if x != nil { + return x.RunnerId + } + return 0 +} + +func (x *JoinAttrsGitLab) GetRunnerEnvironment() string { + if x != nil { + return x.RunnerEnvironment + } + return "" +} + +func (x *JoinAttrsGitLab) GetSha() string { + if x != nil { + return x.Sha + } + return "" +} + +func (x *JoinAttrsGitLab) GetCiConfigRefUri() string { + if x != nil { + return x.CiConfigRefUri + } + return "" +} + +func (x *JoinAttrsGitLab) GetCiConfigSha() string { + if x != nil { + 
return x.CiConfigSha + } + return "" +} + +// Attributes that are specific to the GitHub (`github`) join method. +// +// Typically, these are mapped directly from the claims of the GitHub JWT that +// was used to join. You can view the documentation for those claims at: +// https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token +type JoinAttrsGitHub struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The `sub` claim of the GitHub JWT that was used to join. + Sub string `protobuf:"bytes,1,opt,name=sub,proto3" json:"sub,omitempty"` + // The username of the actor that initiated the workflow run. + Actor string `protobuf:"bytes,2,opt,name=actor,proto3" json:"actor,omitempty"` + // The name of the environment that the workflow is running against, if any. + Environment string `protobuf:"bytes,3,opt,name=environment,proto3" json:"environment,omitempty"` + // The ref that the workflow is running against. + Ref string `protobuf:"bytes,4,opt,name=ref,proto3" json:"ref,omitempty"` + // The type of ref that the workflow is running against. + // For example, `branch`. + RefType string `protobuf:"bytes,5,opt,name=ref_type,json=refType,proto3" json:"ref_type,omitempty"` + // The name of the repository that the workflow is running within. + Repository string `protobuf:"bytes,6,opt,name=repository,proto3" json:"repository,omitempty"` + // The name of the owner of the repository that the workflow is running within. + RepositoryOwner string `protobuf:"bytes,7,opt,name=repository_owner,json=repositoryOwner,proto3" json:"repository_owner,omitempty"` + // The name of the workflow that is running. + Workflow string `protobuf:"bytes,8,opt,name=workflow,proto3" json:"workflow,omitempty"` + // The name of the event that triggered the workflow run. 
+ EventName string `protobuf:"bytes,9,opt,name=event_name,json=eventName,proto3" json:"event_name,omitempty"` + // The SHA of the commit that triggered the workflow run. + Sha string `protobuf:"bytes,10,opt,name=sha,proto3" json:"sha,omitempty"` + // The ID of this GitHub actions workflow run. + RunId string `protobuf:"bytes,11,opt,name=run_id,json=runId,proto3" json:"run_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsGitHub) Reset() { + *x = JoinAttrsGitHub{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsGitHub) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsGitHub) ProtoMessage() {} + +func (x *JoinAttrsGitHub) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsGitHub.ProtoReflect.Descriptor instead. 
+func (*JoinAttrsGitHub) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{3} +} + +func (x *JoinAttrsGitHub) GetSub() string { + if x != nil { + return x.Sub + } + return "" +} + +func (x *JoinAttrsGitHub) GetActor() string { + if x != nil { + return x.Actor + } + return "" +} + +func (x *JoinAttrsGitHub) GetEnvironment() string { + if x != nil { + return x.Environment + } + return "" +} + +func (x *JoinAttrsGitHub) GetRef() string { + if x != nil { + return x.Ref + } + return "" +} + +func (x *JoinAttrsGitHub) GetRefType() string { + if x != nil { + return x.RefType + } + return "" +} + +func (x *JoinAttrsGitHub) GetRepository() string { + if x != nil { + return x.Repository + } + return "" +} + +func (x *JoinAttrsGitHub) GetRepositoryOwner() string { + if x != nil { + return x.RepositoryOwner + } + return "" +} + +func (x *JoinAttrsGitHub) GetWorkflow() string { + if x != nil { + return x.Workflow + } + return "" +} + +func (x *JoinAttrsGitHub) GetEventName() string { + if x != nil { + return x.EventName + } + return "" +} + +func (x *JoinAttrsGitHub) GetSha() string { + if x != nil { + return x.Sha + } + return "" +} + +func (x *JoinAttrsGitHub) GetRunId() string { + if x != nil { + return x.RunId + } + return "" +} + +// Attributes that are specific to the AWS IAM (`iam`) join method. +// +// Typically, these are mapped directly from the results of the +// STS GetCallerIdentity call that is made as part of the join process. +type JoinAttrsAWSIAM struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The identifier of the account that the joining entity is a part of. + // For example: `123456789012` + Account string `protobuf:"bytes,1,opt,name=account,proto3" json:"account,omitempty"` + // The AWS ARN of the joining entity. 
+ // For example: `arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name` + Arn string `protobuf:"bytes,2,opt,name=arn,proto3" json:"arn,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsAWSIAM) Reset() { + *x = JoinAttrsAWSIAM{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsAWSIAM) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsAWSIAM) ProtoMessage() {} + +func (x *JoinAttrsAWSIAM) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[4] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsAWSIAM.ProtoReflect.Descriptor instead. +func (*JoinAttrsAWSIAM) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{4} +} + +func (x *JoinAttrsAWSIAM) GetAccount() string { + if x != nil { + return x.Account + } + return "" +} + +func (x *JoinAttrsAWSIAM) GetArn() string { + if x != nil { + return x.Arn + } + return "" +} + +// Attributes that are specific to the TPM (`tpm`) join method. +type JoinAttrsTPM struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The SHA256 hash of the PKIX formatted EK public key, encoded in hex. + // This effectively identifies a specific TPM. + EkPubHash string `protobuf:"bytes,1,opt,name=ek_pub_hash,json=ekPubHash,proto3" json:"ek_pub_hash,omitempty"` + // The serial number of the EK certificate, if present. + EkCertSerial string `protobuf:"bytes,2,opt,name=ek_cert_serial,json=ekCertSerial,proto3" json:"ek_cert_serial,omitempty"` + // Whether or not the EK certificate was verified against a certificate + // authority. 
+ EkCertVerified bool `protobuf:"varint,3,opt,name=ek_cert_verified,json=ekCertVerified,proto3" json:"ek_cert_verified,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsTPM) Reset() { + *x = JoinAttrsTPM{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsTPM) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsTPM) ProtoMessage() {} + +func (x *JoinAttrsTPM) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsTPM.ProtoReflect.Descriptor instead. +func (*JoinAttrsTPM) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{5} +} + +func (x *JoinAttrsTPM) GetEkPubHash() string { + if x != nil { + return x.EkPubHash + } + return "" +} + +func (x *JoinAttrsTPM) GetEkCertSerial() string { + if x != nil { + return x.EkCertSerial + } + return "" +} + +func (x *JoinAttrsTPM) GetEkCertVerified() bool { + if x != nil { + return x.EkCertVerified + } + return false +} + +// Attributes that are specific to the Azure (`azure`) join method. +type JoinAttrsAzure struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The subscription ID of the Azure account that the joining entity is a part of. + Subscription string `protobuf:"bytes,1,opt,name=subscription,proto3" json:"subscription,omitempty"` + // The resource group of the Azure account that the joining entity is a part of. 
+ ResourceGroup string `protobuf:"bytes,2,opt,name=resource_group,json=resourceGroup,proto3" json:"resource_group,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsAzure) Reset() { + *x = JoinAttrsAzure{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsAzure) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsAzure) ProtoMessage() {} + +func (x *JoinAttrsAzure) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsAzure.ProtoReflect.Descriptor instead. +func (*JoinAttrsAzure) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{6} +} + +func (x *JoinAttrsAzure) GetSubscription() string { + if x != nil { + return x.Subscription + } + return "" +} + +func (x *JoinAttrsAzure) GetResourceGroup() string { + if x != nil { + return x.ResourceGroup + } + return "" +} + +// Attributes that are specific to the CircleCI (`circleci`) join method. +// These are mapped from the claims of the JWT issued by CircleCI to runs, +// which is documented at: https://circleci.com/docs/openid-connect-tokens/ +type JoinAttrsCircleCI struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The `sub` claim of the CircleCI JWT that was used to join. + // For example: `org/ORGANIZATION_ID/project/PROJECT_ID/user/USER_ID` + Sub string `protobuf:"bytes,1,opt,name=sub,proto3" json:"sub,omitempty"` + // The UUIDs of the contexts used in the job. 
+ ContextIds []string `protobuf:"bytes,2,rep,name=context_ids,json=contextIds,proto3" json:"context_ids,omitempty"` + // The UUID of the project in which the job is running. + ProjectId string `protobuf:"bytes,3,opt,name=project_id,json=projectId,proto3" json:"project_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsCircleCI) Reset() { + *x = JoinAttrsCircleCI{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsCircleCI) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsCircleCI) ProtoMessage() {} + +func (x *JoinAttrsCircleCI) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsCircleCI.ProtoReflect.Descriptor instead. +func (*JoinAttrsCircleCI) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{7} +} + +func (x *JoinAttrsCircleCI) GetSub() string { + if x != nil { + return x.Sub + } + return "" +} + +func (x *JoinAttrsCircleCI) GetContextIds() []string { + if x != nil { + return x.ContextIds + } + return nil +} + +func (x *JoinAttrsCircleCI) GetProjectId() string { + if x != nil { + return x.ProjectId + } + return "" +} + +// Attributes that are specific to the Bitbucket (`bitbucket`) join method. 
+// These are mapped from the claims of the JWT issued by BitBucket to runs, +// which is documented at: https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/ +type JoinAttrsBitbucket struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The `sub` claim of the Bitbucket JWT that was used to join. + Sub string `protobuf:"bytes,1,opt,name=sub,proto3" json:"sub,omitempty"` + // The UUID of the pipeline step. + StepUuid string `protobuf:"bytes,2,opt,name=step_uuid,json=stepUuid,proto3" json:"step_uuid,omitempty"` + // The UUID of the repository the pipeline step is running within. + RepositoryUuid string `protobuf:"bytes,3,opt,name=repository_uuid,json=repositoryUuid,proto3" json:"repository_uuid,omitempty"` + // The UUID of the pipeline the step is running within. + PipelineUuid string `protobuf:"bytes,4,opt,name=pipeline_uuid,json=pipelineUuid,proto3" json:"pipeline_uuid,omitempty"` + // The UUID of the workspace the pipeline belongs to. + WorkspaceUuid string `protobuf:"bytes,5,opt,name=workspace_uuid,json=workspaceUuid,proto3" json:"workspace_uuid,omitempty"` + // The UUID of the deployment environment the pipeline is running against. + DeploymentEnvironmentUuid string `protobuf:"bytes,6,opt,name=deployment_environment_uuid,json=deploymentEnvironmentUuid,proto3" json:"deployment_environment_uuid,omitempty"` + // The name of the branch the pipeline is running against. 
+ BranchName string `protobuf:"bytes,7,opt,name=branch_name,json=branchName,proto3" json:"branch_name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsBitbucket) Reset() { + *x = JoinAttrsBitbucket{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsBitbucket) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsBitbucket) ProtoMessage() {} + +func (x *JoinAttrsBitbucket) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[8] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsBitbucket.ProtoReflect.Descriptor instead. +func (*JoinAttrsBitbucket) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{8} +} + +func (x *JoinAttrsBitbucket) GetSub() string { + if x != nil { + return x.Sub + } + return "" +} + +func (x *JoinAttrsBitbucket) GetStepUuid() string { + if x != nil { + return x.StepUuid + } + return "" +} + +func (x *JoinAttrsBitbucket) GetRepositoryUuid() string { + if x != nil { + return x.RepositoryUuid + } + return "" +} + +func (x *JoinAttrsBitbucket) GetPipelineUuid() string { + if x != nil { + return x.PipelineUuid + } + return "" +} + +func (x *JoinAttrsBitbucket) GetWorkspaceUuid() string { + if x != nil { + return x.WorkspaceUuid + } + return "" +} + +func (x *JoinAttrsBitbucket) GetDeploymentEnvironmentUuid() string { + if x != nil { + return x.DeploymentEnvironmentUuid + } + return "" +} + +func (x *JoinAttrsBitbucket) GetBranchName() string { + if x != nil { + return x.BranchName + } + return "" +} + +// Attributes that are specific to the Terraform Cloud 
(`terraform_cloud`) join method. +// These are mapped from the claims of the JWT issued by Terraform Cloud to runs, +// which is documented at: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/workload-identity-tokens +type JoinAttrsTerraformCloud struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The `sub` claim of the Terraform Cloud JWT that was used to join. + Sub string `protobuf:"bytes,1,opt,name=sub,proto3" json:"sub,omitempty"` + // The name of the organization the project and workspace belong to. + OrganizationName string `protobuf:"bytes,2,opt,name=organization_name,json=organizationName,proto3" json:"organization_name,omitempty"` + // The name of the project the workspace belongs to. + ProjectName string `protobuf:"bytes,3,opt,name=project_name,json=projectName,proto3" json:"project_name,omitempty"` + // The name of the workspace that the plan/apply is running within. + WorkspaceName string `protobuf:"bytes,4,opt,name=workspace_name,json=workspaceName,proto3" json:"workspace_name,omitempty"` + // The fully qualified workspace path, including the organization and project + // name. + // For example: `organization::project::workspace:` + FullWorkspace string `protobuf:"bytes,5,opt,name=full_workspace,json=fullWorkspace,proto3" json:"full_workspace,omitempty"` + // The ID of the run that is being executed. + RunId string `protobuf:"bytes,6,opt,name=run_id,json=runId,proto3" json:"run_id,omitempty"` + // The phase of the run that is being executed, either `plan` or `apply`. 
+ RunPhase string `protobuf:"bytes,7,opt,name=run_phase,json=runPhase,proto3" json:"run_phase,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsTerraformCloud) Reset() { + *x = JoinAttrsTerraformCloud{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsTerraformCloud) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsTerraformCloud) ProtoMessage() {} + +func (x *JoinAttrsTerraformCloud) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsTerraformCloud.ProtoReflect.Descriptor instead. +func (*JoinAttrsTerraformCloud) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{9} +} + +func (x *JoinAttrsTerraformCloud) GetSub() string { + if x != nil { + return x.Sub + } + return "" +} + +func (x *JoinAttrsTerraformCloud) GetOrganizationName() string { + if x != nil { + return x.OrganizationName + } + return "" +} + +func (x *JoinAttrsTerraformCloud) GetProjectName() string { + if x != nil { + return x.ProjectName + } + return "" +} + +func (x *JoinAttrsTerraformCloud) GetWorkspaceName() string { + if x != nil { + return x.WorkspaceName + } + return "" +} + +func (x *JoinAttrsTerraformCloud) GetFullWorkspace() string { + if x != nil { + return x.FullWorkspace + } + return "" +} + +func (x *JoinAttrsTerraformCloud) GetRunId() string { + if x != nil { + return x.RunId + } + return "" +} + +func (x *JoinAttrsTerraformCloud) GetRunPhase() string { + if x != nil { + return x.RunPhase + } + return "" +} + +// Attributes that are specific to 
the Spacelift (`spacelift`) join method. +// These are mapped from the claims of the JWT issued by Spacelift to runs, +// which is documented at: https://docs.spacelift.io/integrations/cloud-providers/oidc/#standard-claims +type JoinAttrsSpacelift struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The `sub` claim of the Spacelift JWT that was used to join. + Sub string `protobuf:"bytes,1,opt,name=sub,proto3" json:"sub,omitempty"` + // The ID of the space in which the run is executing. + SpaceId string `protobuf:"bytes,2,opt,name=space_id,json=spaceId,proto3" json:"space_id,omitempty"` + // The type of the caller that owns the run, either `stack` or `module`. + CallerType string `protobuf:"bytes,3,opt,name=caller_type,json=callerType,proto3" json:"caller_type,omitempty"` + // The ID of the caller that generated the run. + CallerId string `protobuf:"bytes,4,opt,name=caller_id,json=callerId,proto3" json:"caller_id,omitempty"` + // The type of the run, either `PROPOSED`, `TRACKED`, `TASK`, `TESTING` or `DESTROY`. + RunType string `protobuf:"bytes,5,opt,name=run_type,json=runType,proto3" json:"run_type,omitempty"` + // The ID of the run. + RunId string `protobuf:"bytes,6,opt,name=run_id,json=runId,proto3" json:"run_id,omitempty"` + // The configured scope of the token, either `read` or `write`. 
+ Scope string `protobuf:"bytes,7,opt,name=scope,proto3" json:"scope,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsSpacelift) Reset() { + *x = JoinAttrsSpacelift{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsSpacelift) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsSpacelift) ProtoMessage() {} + +func (x *JoinAttrsSpacelift) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[10] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsSpacelift.ProtoReflect.Descriptor instead. +func (*JoinAttrsSpacelift) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{10} +} + +func (x *JoinAttrsSpacelift) GetSub() string { + if x != nil { + return x.Sub + } + return "" +} + +func (x *JoinAttrsSpacelift) GetSpaceId() string { + if x != nil { + return x.SpaceId + } + return "" +} + +func (x *JoinAttrsSpacelift) GetCallerType() string { + if x != nil { + return x.CallerType + } + return "" +} + +func (x *JoinAttrsSpacelift) GetCallerId() string { + if x != nil { + return x.CallerId + } + return "" +} + +func (x *JoinAttrsSpacelift) GetRunType() string { + if x != nil { + return x.RunType + } + return "" +} + +func (x *JoinAttrsSpacelift) GetRunId() string { + if x != nil { + return x.RunId + } + return "" +} + +func (x *JoinAttrsSpacelift) GetScope() string { + if x != nil { + return x.Scope + } + return "" +} + +// Attributes specific to the GCP join method when the joining entity is on a +// GCE instance. 
+type JoinAttrsGCPGCE struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The name of the GCE instance that the joining entity is running on. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // The zone of the GCE instance that the joining entity is running on. + Zone string `protobuf:"bytes,2,opt,name=zone,proto3" json:"zone,omitempty"` + // The ID of the GCE instance that the joining entity is running on. + Id string `protobuf:"bytes,3,opt,name=id,proto3" json:"id,omitempty"` + // The project ID of the GCP project that the instance is running within. + Project string `protobuf:"bytes,4,opt,name=project,proto3" json:"project,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsGCPGCE) Reset() { + *x = JoinAttrsGCPGCE{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[11] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsGCPGCE) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsGCPGCE) ProtoMessage() {} + +func (x *JoinAttrsGCPGCE) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[11] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsGCPGCE.ProtoReflect.Descriptor instead. 
+func (*JoinAttrsGCPGCE) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{11} +} + +func (x *JoinAttrsGCPGCE) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *JoinAttrsGCPGCE) GetZone() string { + if x != nil { + return x.Zone + } + return "" +} + +func (x *JoinAttrsGCPGCE) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *JoinAttrsGCPGCE) GetProject() string { + if x != nil { + return x.Project + } + return "" +} + +// Attributes that are specific to the GCP (`gcp`) join method. +// These are mapped from the claims of the JWT instance identity token, which +// is documented at: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload +type JoinAttrsGCP struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The service account email of the service account that the instance is running as. + ServiceAccount string `protobuf:"bytes,1,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"` + // Attributes specific to the GCP join method when the joining entity is on a + // GCE instance. This may not be present if the joining entity is not on + // GCE. 
+ Gce *JoinAttrsGCPGCE `protobuf:"bytes,2,opt,name=gce,proto3" json:"gce,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsGCP) Reset() { + *x = JoinAttrsGCP{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[12] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsGCP) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsGCP) ProtoMessage() {} + +func (x *JoinAttrsGCP) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[12] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsGCP.ProtoReflect.Descriptor instead. +func (*JoinAttrsGCP) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{12} +} + +func (x *JoinAttrsGCP) GetServiceAccount() string { + if x != nil { + return x.ServiceAccount + } + return "" +} + +func (x *JoinAttrsGCP) GetGce() *JoinAttrsGCPGCE { + if x != nil { + return x.Gce + } + return nil +} + +// Attributes that are specific to the Kubernetes (`kubernetes`) join method +// when a pod-bound service account token is used. +type JoinAttrsKubernetesPod struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The name of the service account that the joining entity is running as. 
+ Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsKubernetesPod) Reset() { + *x = JoinAttrsKubernetesPod{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[13] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsKubernetesPod) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsKubernetesPod) ProtoMessage() {} + +func (x *JoinAttrsKubernetesPod) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[13] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsKubernetesPod.ProtoReflect.Descriptor instead. +func (*JoinAttrsKubernetesPod) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{13} +} + +func (x *JoinAttrsKubernetesPod) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +// Attributes that are specific to the Kubernetes (`kubernetes`) join method +// when a service account token is used. +type JoinAttrsKubernetesServiceAccount struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The name of the service account that the joining entity is running as. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // The namespace of the service account that the joining entity is running as. 
+ Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsKubernetesServiceAccount) Reset() { + *x = JoinAttrsKubernetesServiceAccount{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[14] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsKubernetesServiceAccount) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsKubernetesServiceAccount) ProtoMessage() {} + +func (x *JoinAttrsKubernetesServiceAccount) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[14] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsKubernetesServiceAccount.ProtoReflect.Descriptor instead. +func (*JoinAttrsKubernetesServiceAccount) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{14} +} + +func (x *JoinAttrsKubernetesServiceAccount) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *JoinAttrsKubernetesServiceAccount) GetNamespace() string { + if x != nil { + return x.Namespace + } + return "" +} + +// Attributes that are specific to the Kubernetes (`kubernetes`) join method. +type JoinAttrsKubernetes struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The fully qualified identifier of the entity based on the Kubernetes + // token. For a service account, this takes the form of + // `system:serviceaccount::`. + Subject string `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"` + // Attributes specific to the Kubernetes join method when the joining entity + // is a service account token. 
This will only be present if the joining entity + // is a service account (as opposed to a human user or similar). + ServiceAccount *JoinAttrsKubernetesServiceAccount `protobuf:"bytes,2,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"` + // Attributes specific to the Kubernetes join method when the joining entity + // is a pod-bound service account token. This will only be present if the + // joining entity is a service account, and, the token has been bound to a + // pod. + Pod *JoinAttrsKubernetesPod `protobuf:"bytes,3,opt,name=pod,proto3" json:"pod,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *JoinAttrsKubernetes) Reset() { + *x = JoinAttrsKubernetes{} + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[15] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *JoinAttrsKubernetes) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JoinAttrsKubernetes) ProtoMessage() {} + +func (x *JoinAttrsKubernetes) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes[15] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JoinAttrsKubernetes.ProtoReflect.Descriptor instead. 
+func (*JoinAttrsKubernetes) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP(), []int{15} +} + +func (x *JoinAttrsKubernetes) GetSubject() string { + if x != nil { + return x.Subject + } + return "" +} + +func (x *JoinAttrsKubernetes) GetServiceAccount() *JoinAttrsKubernetesServiceAccount { + if x != nil { + return x.ServiceAccount + } + return nil +} + +func (x *JoinAttrsKubernetes) GetPod() *JoinAttrsKubernetesPod { + if x != nil { + return x.Pod + } + return nil +} + +var File_teleport_workloadidentity_v1_join_attrs_proto protoreflect.FileDescriptor + +var file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc = []byte{ + 0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, + 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x6a, + 0x6f, 0x69, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x1c, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x22, 0xfb, 0x06, + 0x0a, 0x09, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x3f, 0x0a, 0x04, 0x6d, + 0x65, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, + 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, + 0x72, 0x73, 0x4d, 0x65, 0x74, 0x61, 0x52, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x12, 0x45, 0x0a, 0x06, + 0x67, 0x69, 0x74, 0x6c, 0x61, 0x62, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, + 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, + 0x41, 0x74, 0x74, 0x72, 0x73, 
0x47, 0x69, 0x74, 0x4c, 0x61, 0x62, 0x52, 0x06, 0x67, 0x69, 0x74, + 0x6c, 0x61, 0x62, 0x12, 0x45, 0x0a, 0x06, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x47, 0x69, 0x74, 0x48, + 0x75, 0x62, 0x52, 0x06, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x12, 0x3f, 0x0a, 0x03, 0x69, 0x61, + 0x6d, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, + 0x41, 0x57, 0x53, 0x49, 0x41, 0x4d, 0x52, 0x03, 0x69, 0x61, 0x6d, 0x12, 0x3c, 0x0a, 0x03, 0x74, + 0x70, 0x6d, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, + 0x73, 0x54, 0x50, 0x4d, 0x52, 0x03, 0x74, 0x70, 0x6d, 0x12, 0x42, 0x0a, 0x05, 0x61, 0x7a, 0x75, + 0x72, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, + 0x73, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x52, 0x05, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x12, 0x4b, 0x0a, + 0x08, 0x63, 0x69, 0x72, 0x63, 0x6c, 0x65, 0x63, 0x69, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x2f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, + 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 
0x2e, 0x76, 0x31, 0x2e, 0x4a, + 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x43, 0x69, 0x72, 0x63, 0x6c, 0x65, 0x43, 0x49, + 0x52, 0x08, 0x63, 0x69, 0x72, 0x63, 0x6c, 0x65, 0x63, 0x69, 0x12, 0x4e, 0x0a, 0x09, 0x62, 0x69, + 0x74, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, + 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, + 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x42, 0x69, 0x74, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x52, + 0x09, 0x62, 0x69, 0x74, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x5e, 0x0a, 0x0f, 0x74, 0x65, + 0x72, 0x72, 0x61, 0x66, 0x6f, 0x72, 0x6d, 0x5f, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x18, 0x09, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x54, 0x65, 0x72, 0x72, + 0x61, 0x66, 0x6f, 0x72, 0x6d, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x52, 0x0e, 0x74, 0x65, 0x72, 0x72, + 0x61, 0x66, 0x6f, 0x72, 0x6d, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x12, 0x4e, 0x0a, 0x09, 0x73, 0x70, + 0x61, 0x63, 0x65, 0x6c, 0x69, 0x66, 0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, + 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, + 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, + 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x53, 0x70, 0x61, 0x63, 0x65, 0x6c, 0x69, 0x66, 0x74, 0x52, + 0x09, 0x73, 0x70, 0x61, 0x63, 0x65, 0x6c, 0x69, 0x66, 0x74, 0x12, 0x3c, 0x0a, 0x03, 0x67, 0x63, + 0x70, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, + 0x69, 
0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, + 0x47, 0x43, 0x50, 0x52, 0x03, 0x67, 0x63, 0x70, 0x12, 0x51, 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, + 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, + 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, + 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, + 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x22, 0x58, 0x0a, 0x0d, 0x4a, + 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x26, 0x0a, 0x0f, + 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6a, 0x6f, 0x69, 0x6e, 0x54, 0x6f, 0x6b, 0x65, 0x6e, + 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x6a, 0x6f, 0x69, 0x6e, 0x5f, 0x6d, 0x65, 0x74, + 0x68, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6a, 0x6f, 0x69, 0x6e, 0x4d, + 0x65, 0x74, 0x68, 0x6f, 0x64, 0x22, 0xcb, 0x04, 0x0a, 0x0f, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, + 0x74, 0x72, 0x73, 0x47, 0x69, 0x74, 0x4c, 0x61, 0x62, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x75, 0x62, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x75, 0x62, 0x12, 0x10, 0x0a, 0x03, 0x72, + 0x65, 0x66, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x72, 0x65, 0x66, 0x12, 0x19, 0x0a, + 0x08, 0x72, 0x65, 0x66, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x07, 0x72, 0x65, 0x66, 0x54, 0x79, 0x70, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x66, 0x5f, + 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x0c, 0x72, 0x65, 0x66, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12, 0x25, 0x0a, + 0x0e, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 
0x61, 0x63, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, + 0x50, 0x61, 0x74, 0x68, 0x12, 0x21, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x5f, + 0x70, 0x61, 0x74, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x70, 0x72, 0x6f, 0x6a, + 0x65, 0x63, 0x74, 0x50, 0x61, 0x74, 0x68, 0x12, 0x1d, 0x0a, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x5f, + 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, + 0x72, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x65, + 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x75, 0x73, 0x65, 0x72, + 0x45, 0x6d, 0x61, 0x69, 0x6c, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x69, 0x70, 0x65, 0x6c, 0x69, 0x6e, + 0x65, 0x5f, 0x69, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x69, 0x70, 0x65, + 0x6c, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x69, 0x70, 0x65, 0x6c, 0x69, + 0x6e, 0x65, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0e, 0x70, 0x69, 0x70, 0x65, 0x6c, 0x69, 0x6e, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, + 0x20, 0x0a, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x0b, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, + 0x74, 0x12, 0x33, 0x0a, 0x15, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, + 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x08, + 0x52, 0x14, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x50, 0x72, 0x6f, + 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x75, 0x6e, 0x6e, 0x65, 0x72, + 0x5f, 0x69, 0x64, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x72, 0x75, 0x6e, 0x6e, 0x65, + 0x72, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x12, 0x72, 0x75, 0x6e, 0x6e, 0x65, 0x72, 
0x5f, 0x65, 0x6e, + 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x11, 0x72, 0x75, 0x6e, 0x6e, 0x65, 0x72, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, + 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x68, 0x61, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x73, 0x68, 0x61, 0x12, 0x29, 0x0a, 0x11, 0x63, 0x69, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, + 0x67, 0x5f, 0x72, 0x65, 0x66, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0e, 0x63, 0x69, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x66, 0x55, 0x72, 0x69, 0x12, + 0x22, 0x0a, 0x0d, 0x63, 0x69, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x68, 0x61, + 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x69, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, + 0x53, 0x68, 0x61, 0x22, 0xb7, 0x02, 0x0a, 0x0f, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, + 0x73, 0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x75, 0x62, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x75, 0x62, 0x12, 0x14, 0x0a, 0x05, 0x61, 0x63, 0x74, + 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x12, + 0x20, 0x0a, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, + 0x74, 0x12, 0x10, 0x0a, 0x03, 0x72, 0x65, 0x66, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x72, 0x65, 0x66, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x65, 0x66, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x72, 0x65, 0x66, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1e, + 0x0a, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x18, 0x06, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0a, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x12, 0x29, + 0x0a, 0x10, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x5f, 0x6f, 0x77, 0x6e, + 0x65, 0x72, 0x18, 
0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, + 0x74, 0x6f, 0x72, 0x79, 0x4f, 0x77, 0x6e, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x6f, 0x72, + 0x6b, 0x66, 0x6c, 0x6f, 0x77, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x6f, 0x72, + 0x6b, 0x66, 0x6c, 0x6f, 0x77, 0x12, 0x1d, 0x0a, 0x0a, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x65, 0x76, 0x65, 0x6e, 0x74, + 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x68, 0x61, 0x18, 0x0a, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x03, 0x73, 0x68, 0x61, 0x12, 0x15, 0x0a, 0x06, 0x72, 0x75, 0x6e, 0x5f, 0x69, 0x64, + 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x75, 0x6e, 0x49, 0x64, 0x22, 0x3d, 0x0a, + 0x0f, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x41, 0x57, 0x53, 0x49, 0x41, 0x4d, + 0x12, 0x18, 0x0a, 0x07, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x07, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x72, + 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x72, 0x6e, 0x22, 0x7e, 0x0a, 0x0c, + 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x54, 0x50, 0x4d, 0x12, 0x1e, 0x0a, 0x0b, + 0x65, 0x6b, 0x5f, 0x70, 0x75, 0x62, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x09, 0x65, 0x6b, 0x50, 0x75, 0x62, 0x48, 0x61, 0x73, 0x68, 0x12, 0x24, 0x0a, 0x0e, + 0x65, 0x6b, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x6b, 0x43, 0x65, 0x72, 0x74, 0x53, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x12, 0x28, 0x0a, 0x10, 0x65, 0x6b, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x76, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e, 0x65, 0x6b, + 0x43, 0x65, 0x72, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x22, 0x5b, 0x0a, 0x0e, + 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 
0x41, 0x7a, 0x75, 0x72, 0x65, 0x12, 0x22, + 0x0a, 0x0c, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x67, + 0x72, 0x6f, 0x75, 0x70, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x72, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x22, 0x65, 0x0a, 0x11, 0x4a, 0x6f, 0x69, + 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x43, 0x69, 0x72, 0x63, 0x6c, 0x65, 0x43, 0x49, 0x12, 0x10, + 0x0a, 0x03, 0x73, 0x75, 0x62, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x75, 0x62, + 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x5f, 0x69, 0x64, 0x73, 0x18, + 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x49, 0x64, + 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x69, 0x64, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, + 0x22, 0x99, 0x02, 0x0a, 0x12, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x42, 0x69, + 0x74, 0x62, 0x75, 0x63, 0x6b, 0x65, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x75, 0x62, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x75, 0x62, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x74, 0x65, + 0x70, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x74, + 0x65, 0x70, 0x55, 0x75, 0x69, 0x64, 0x12, 0x27, 0x0a, 0x0f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, + 0x74, 0x6f, 0x72, 0x79, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x0e, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72, 0x79, 0x55, 0x75, 0x69, 0x64, 0x12, + 0x23, 0x0a, 0x0d, 0x70, 0x69, 0x70, 0x65, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x75, 0x75, 0x69, 0x64, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x69, 0x70, 0x65, 0x6c, 0x69, 0x6e, 
0x65, + 0x55, 0x75, 0x69, 0x64, 0x12, 0x25, 0x0a, 0x0e, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, + 0x65, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x77, 0x6f, + 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x55, 0x75, 0x69, 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x64, + 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, + 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x19, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x45, 0x6e, 0x76, 0x69, + 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x75, 0x69, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x62, + 0x72, 0x61, 0x6e, 0x63, 0x68, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0a, 0x62, 0x72, 0x61, 0x6e, 0x63, 0x68, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0xfd, 0x01, 0x0a, + 0x17, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x54, 0x65, 0x72, 0x72, 0x61, 0x66, + 0x6f, 0x72, 0x6d, 0x43, 0x6c, 0x6f, 0x75, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x75, 0x62, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x75, 0x62, 0x12, 0x2b, 0x0a, 0x11, 0x6f, 0x72, + 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x6a, 0x65, + 0x63, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x70, + 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x77, 0x6f, + 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0d, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x66, 0x75, 0x6c, 0x6c, 0x5f, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x70, + 0x61, 0x63, 0x65, 0x18, 0x05, 
0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x66, 0x75, 0x6c, 0x6c, 0x57, + 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x72, 0x75, 0x6e, 0x5f, + 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x75, 0x6e, 0x49, 0x64, 0x12, + 0x1b, 0x0a, 0x09, 0x72, 0x75, 0x6e, 0x5f, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x08, 0x72, 0x75, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x22, 0xc7, 0x01, 0x0a, + 0x12, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x53, 0x70, 0x61, 0x63, 0x65, 0x6c, + 0x69, 0x66, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x75, 0x62, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x73, 0x75, 0x62, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, + 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x61, 0x6c, 0x6c, 0x65, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x61, 0x6c, 0x6c, 0x65, 0x72, 0x54, 0x79, 0x70, + 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x63, 0x61, 0x6c, 0x6c, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x61, 0x6c, 0x6c, 0x65, 0x72, 0x49, 0x64, 0x12, 0x19, + 0x0a, 0x08, 0x72, 0x75, 0x6e, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x07, 0x72, 0x75, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x72, 0x75, 0x6e, + 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x75, 0x6e, 0x49, 0x64, + 0x12, 0x14, 0x0a, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x22, 0x63, 0x0a, 0x0f, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, + 0x74, 0x72, 0x73, 0x47, 0x43, 0x50, 0x47, 0x43, 0x45, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, + 0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 
0x52, 0x04, 0x7a, 0x6f, 0x6e, + 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, + 0x64, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x22, 0x78, 0x0a, 0x0c, 0x4a, + 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x47, 0x43, 0x50, 0x12, 0x27, 0x0a, 0x0f, 0x73, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x3f, 0x0a, 0x03, 0x67, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, + 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, + 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x47, 0x43, 0x50, 0x47, 0x43, 0x45, + 0x52, 0x03, 0x67, 0x63, 0x65, 0x22, 0x2c, 0x0a, 0x16, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, + 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x50, 0x6f, 0x64, 0x12, + 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x22, 0x55, 0x0a, 0x21, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, + 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, + 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, + 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0xe1, 0x01, 0x0a, 0x13, 0x4a, + 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, + 0x65, 
0x73, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x68, 0x0a, 0x0f, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, + 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, + 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, + 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x46, 0x0a, 0x03, 0x70, 0x6f, 0x64, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x4a, 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, 0x65, + 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x50, 0x6f, 0x64, 0x52, 0x03, 0x70, 0x6f, 0x64, 0x42, 0x64, + 0x5a, 0x62, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, + 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, + 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, + 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + 
file_teleport_workloadidentity_v1_join_attrs_proto_rawDescOnce sync.Once + file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData = file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc +) + +func file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP() []byte { + file_teleport_workloadidentity_v1_join_attrs_proto_rawDescOnce.Do(func() { + file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData) + }) + return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData +} + +var file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes = make([]protoimpl.MessageInfo, 16) +var file_teleport_workloadidentity_v1_join_attrs_proto_goTypes = []any{ + (*JoinAttrs)(nil), // 0: teleport.workloadidentity.v1.JoinAttrs + (*JoinAttrsMeta)(nil), // 1: teleport.workloadidentity.v1.JoinAttrsMeta + (*JoinAttrsGitLab)(nil), // 2: teleport.workloadidentity.v1.JoinAttrsGitLab + (*JoinAttrsGitHub)(nil), // 3: teleport.workloadidentity.v1.JoinAttrsGitHub + (*JoinAttrsAWSIAM)(nil), // 4: teleport.workloadidentity.v1.JoinAttrsAWSIAM + (*JoinAttrsTPM)(nil), // 5: teleport.workloadidentity.v1.JoinAttrsTPM + (*JoinAttrsAzure)(nil), // 6: teleport.workloadidentity.v1.JoinAttrsAzure + (*JoinAttrsCircleCI)(nil), // 7: teleport.workloadidentity.v1.JoinAttrsCircleCI + (*JoinAttrsBitbucket)(nil), // 8: teleport.workloadidentity.v1.JoinAttrsBitbucket + (*JoinAttrsTerraformCloud)(nil), // 9: teleport.workloadidentity.v1.JoinAttrsTerraformCloud + (*JoinAttrsSpacelift)(nil), // 10: teleport.workloadidentity.v1.JoinAttrsSpacelift + (*JoinAttrsGCPGCE)(nil), // 11: teleport.workloadidentity.v1.JoinAttrsGCPGCE + (*JoinAttrsGCP)(nil), // 12: teleport.workloadidentity.v1.JoinAttrsGCP + (*JoinAttrsKubernetesPod)(nil), // 13: teleport.workloadidentity.v1.JoinAttrsKubernetesPod + (*JoinAttrsKubernetesServiceAccount)(nil), // 14: teleport.workloadidentity.v1.JoinAttrsKubernetesServiceAccount 
+ (*JoinAttrsKubernetes)(nil), // 15: teleport.workloadidentity.v1.JoinAttrsKubernetes +} +var file_teleport_workloadidentity_v1_join_attrs_proto_depIdxs = []int32{ + 1, // 0: teleport.workloadidentity.v1.JoinAttrs.meta:type_name -> teleport.workloadidentity.v1.JoinAttrsMeta + 2, // 1: teleport.workloadidentity.v1.JoinAttrs.gitlab:type_name -> teleport.workloadidentity.v1.JoinAttrsGitLab + 3, // 2: teleport.workloadidentity.v1.JoinAttrs.github:type_name -> teleport.workloadidentity.v1.JoinAttrsGitHub + 4, // 3: teleport.workloadidentity.v1.JoinAttrs.iam:type_name -> teleport.workloadidentity.v1.JoinAttrsAWSIAM + 5, // 4: teleport.workloadidentity.v1.JoinAttrs.tpm:type_name -> teleport.workloadidentity.v1.JoinAttrsTPM + 6, // 5: teleport.workloadidentity.v1.JoinAttrs.azure:type_name -> teleport.workloadidentity.v1.JoinAttrsAzure + 7, // 6: teleport.workloadidentity.v1.JoinAttrs.circleci:type_name -> teleport.workloadidentity.v1.JoinAttrsCircleCI + 8, // 7: teleport.workloadidentity.v1.JoinAttrs.bitbucket:type_name -> teleport.workloadidentity.v1.JoinAttrsBitbucket + 9, // 8: teleport.workloadidentity.v1.JoinAttrs.terraform_cloud:type_name -> teleport.workloadidentity.v1.JoinAttrsTerraformCloud + 10, // 9: teleport.workloadidentity.v1.JoinAttrs.spacelift:type_name -> teleport.workloadidentity.v1.JoinAttrsSpacelift + 12, // 10: teleport.workloadidentity.v1.JoinAttrs.gcp:type_name -> teleport.workloadidentity.v1.JoinAttrsGCP + 15, // 11: teleport.workloadidentity.v1.JoinAttrs.kubernetes:type_name -> teleport.workloadidentity.v1.JoinAttrsKubernetes + 11, // 12: teleport.workloadidentity.v1.JoinAttrsGCP.gce:type_name -> teleport.workloadidentity.v1.JoinAttrsGCPGCE + 14, // 13: teleport.workloadidentity.v1.JoinAttrsKubernetes.service_account:type_name -> teleport.workloadidentity.v1.JoinAttrsKubernetesServiceAccount + 13, // 14: teleport.workloadidentity.v1.JoinAttrsKubernetes.pod:type_name -> teleport.workloadidentity.v1.JoinAttrsKubernetesPod + 15, // [15:15] is the 
sub-list for method output_type + 15, // [15:15] is the sub-list for method input_type + 15, // [15:15] is the sub-list for extension type_name + 15, // [15:15] is the sub-list for extension extendee + 0, // [0:15] is the sub-list for field type_name +} + +func init() { file_teleport_workloadidentity_v1_join_attrs_proto_init() } +func file_teleport_workloadidentity_v1_join_attrs_proto_init() { + if File_teleport_workloadidentity_v1_join_attrs_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc, + NumEnums: 0, + NumMessages: 16, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_teleport_workloadidentity_v1_join_attrs_proto_goTypes, + DependencyIndexes: file_teleport_workloadidentity_v1_join_attrs_proto_depIdxs, + MessageInfos: file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes, + }.Build() + File_teleport_workloadidentity_v1_join_attrs_proto = out.File + file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc = nil + file_teleport_workloadidentity_v1_join_attrs_proto_goTypes = nil + file_teleport_workloadidentity_v1_join_attrs_proto_depIdxs = nil +} diff --git a/api/proto/teleport/machineid/v1/bot_instance.proto b/api/proto/teleport/machineid/v1/bot_instance.proto index 6ff4719ed15f8..676b980af99f4 100644 --- a/api/proto/teleport/machineid/v1/bot_instance.proto +++ b/api/proto/teleport/machineid/v1/bot_instance.proto @@ -20,6 +20,7 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "teleport/header/v1/metadata.proto"; +import "teleport/workloadidentity/v1/join_attrs.proto"; option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1;machineidv1"; 
@@ -89,12 +90,16 @@ message BotInstanceStatusAuthentication { // Server. google.protobuf.Timestamp authenticated_at = 1; // The join method used for this join or renewal. + // Deprecated: prefer using join_attrs.meta.join_method string join_method = 2; // The join token used for this join or renewal. This is only populated for // delegated join methods as the value for `token` join methods is sensitive. + // Deprecated: prefer using join_attrs.meta.join_token_name string join_token = 3; // The metadata sourced from the join method. + // Deprecated: per using join_attrs. google.protobuf.Struct metadata = 4; + // On each renewal, this generation is incremented. For delegated join // methods, this counter is not checked during renewal. For the `token` join // method, this counter is checked during renewal and the Bot is locked out if @@ -108,6 +113,9 @@ message BotInstanceStatusAuthentication { reserved 7; reserved "fingerprint"; + + // The attributes generated during the join process. + teleport.workloadidentity.v1.JoinAttrs join_attrs = 8; } // BotInstanceStatus holds the status of a BotInstance. diff --git a/api/proto/teleport/workloadidentity/v1/attrs.proto b/api/proto/teleport/workloadidentity/v1/attrs.proto index 3bcdd27ed2517..10303b74cf462 100644 --- a/api/proto/teleport/workloadidentity/v1/attrs.proto +++ b/api/proto/teleport/workloadidentity/v1/attrs.proto @@ -16,6 +16,8 @@ syntax = "proto3"; package teleport.workloadidentity.v1; +import "teleport/workloadidentity/v1/join_attrs.proto"; + option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1"; // Attributes sourced from the Kubernetes workload attestor. @@ -80,4 +82,6 @@ message Attrs { // Attributes sourced from the user/bot making the request for a workload // identity credential. UserAttrs user = 2; + // Attributes resulting from the join process. + JoinAttrs join = 3; } 
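Review bot: The new comment on `metadata` reads `// Deprecated: per using join_attrs.`, a typo for `// Deprecated: prefer using join_attrs.`, and all three deprecations are comment-only, so nothing in the generated Go flags the fields to callers that still read them. Adding the field option, e.g. `string join_method = 2 [deprecated = true];`, `string join_token = 3 [deprecated = true];` and `google.protobuf.Struct metadata = 4 [deprecated = true];`, makes protoc emit `Deprecated:` markers that linters surface, and regenerating would also drop the same `per using` typo from bot_instance.pb.go. The hunk sits inside `message BotInstanceStatusAuthentication`, whose start and end are outside the hunk.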
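Review bot: The comment on the new `JoinAttrs join = 3;` field says only `Attributes resulting from the join process.`, which leaves rule and template authors without the one fact they need: `JoinAttrs` carries one sub-message per join method, so presumably at most one of them is populated for a given identity, and in proto3 an unset message reads as zero values rather than as an error. Anyone evaluating a method-specific field such as a GitLab ref should therefore gate on `join.meta.join_method` first; I would extend the comment to `// Attributes resulting from the join process. At most one of the method-specific sub-messages is set; check meta.join_method before relying on its fields.` The enclosing `message Attrs` starts outside the hunk.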
diff --git a/api/proto/teleport/workloadidentity/v1/join_attrs.proto b/api/proto/teleport/workloadidentity/v1/join_attrs.proto
new file mode 100644
index 0000000000000..05a517417d43f
--- /dev/null
+++ b/api/proto/teleport/workloadidentity/v1/join_attrs.proto
@@ -0,0 +1,312 @@
+// Copyright 2024 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package teleport.workloadidentity.v1;
+
+option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1;workloadidentityv1";
+
+// The collection of attributes that result from the join process.
+message JoinAttrs {
+  // The collection of attributes that result from the join process but are not
+  // specific to any particular join method.
+  JoinAttrsMeta meta = 1;
+  // Attributes that are specific to the GitLab (`gitlab`) join method.
+  JoinAttrsGitLab gitlab = 2;
+  // Attributes that are specific to the GitHub (`github`) join method.
+  JoinAttrsGitHub github = 3;
+  // Attributes that are specific to the AWS IAM (`iam`) join method.
+  JoinAttrsAWSIAM iam = 4;
+  // Attributes that are specific to the TPM (`tpm`) join method.
+  JoinAttrsTPM tpm = 5;
+  // Attributes that are specific to the Azure (`azure`) join method.
+  JoinAttrsAzure azure = 6;
+  // Attributes that are specific to the CircleCI (`circleci`) join method.
+  JoinAttrsCircleCI circleci = 7;
+  // Attributes that are specific to the Bitbucket (`bitbucket`) join method.
+  JoinAttrsBitbucket bitbucket = 8;
+  // Attributes that are specific to the Terraform Cloud (`terraform_cloud`) join method.
+  JoinAttrsTerraformCloud terraform_cloud = 9;
+  // Attributes that are specific to the Spacelift (`spacelift`) join method.
+  JoinAttrsSpacelift spacelift = 10;
+  // Attributes that are specific to the GCP (`gcp`) join method.
+  JoinAttrsGCP gcp = 11;
+  // Attributes that are specific to the Kubernetes (`kubernetes`) join method.
+  JoinAttrsKubernetes kubernetes = 12;
+}
+
+// The collection of attributes that result from the join process but are not
+// specific to any particular join method.
+message JoinAttrsMeta {
+  // The name of the join token that was used to join.
+  //
+  // This field is omitted if the join token that was used to join was of the
+  // `token` method as in this case, the name of the join token is sensitive.
+  //
+  // Example: `my-gitlab-join-token`
+  string join_token_name = 1;
+  // The name of the join method that was used to join.
+  //
+  // Example: `gitlab`
+  string join_method = 2;
+}
+
+// Attributes that are specific to the GitLab join method.
+//
+// Typically, these are mapped directly from the claims of the GitLab JWT that
+// was used to join. You can view the documentation for those claims at:
+// https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
+message JoinAttrsGitLab {
+  // The `sub` claim of the GitLab JWT that was used to join.
+  // For example: `project_path:mygroup/my-project:ref_type:branch:ref:main`
+  string sub = 1;
+  // The ref that the pipeline is running against.
+  // For example: `main`
+  string ref = 2;
+  // The type of ref that the pipeline is running against.
+  // This is typically `branch` or `tag`.
+  string ref_type = 3;
+  // Whether or not the ref that the pipeline is running against is protected.
+  bool ref_protected = 4;
+  // The path of the namespace of the project that the pipeline is running within.
+  // For example: `mygroup`
+  string namespace_path = 5;
+  // The full qualified path of the project that the pipeline is running within.
+  // This includes the namespace path.
+  // For example: `mygroup/my-project`
+  string project_path = 6;
+  // The name of the user that triggered the pipeline run.
+ string user_login = 7; + // The email of the user that triggered the pipeline run. + string user_email = 8; + // The ID of the pipeline. + string pipeline_id = 9; + // The source of the pipeline. + // For example: `push` or `web` + string pipeline_source = 10; + // The environment the pipeline is running against, if any. + string environment = 11; + // Whether or not the pipeline is running against a protected environment. + // If there is no configured environment, this field is false. + bool environment_protected = 12; + // The ID of the runner that this pipeline is running on. + int64 runner_id = 13; + // The type of runner that is processing the pipeline. + // Either `gitlab-hosted` or `self-hosted`. + string runner_environment = 14; + // The SHA of the commit that triggered the pipeline run. + string sha = 15; + // The ref URI of the CI config configuring the pipeline. + string ci_config_ref_uri = 16; + // The Git SHA of the CI config ref configuring the pipeline. + string ci_config_sha = 17; +} + +// Attributes that are specific to the GitHub (`github`) join method. +// +// Typically, these are mapped directly from the claims of the GitHub JWT that +// was used to join. You can view the documentation for those claims at: +// https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token +message JoinAttrsGitHub { + // The `sub` claim of the GitHub JWT that was used to join. + string sub = 1; + // The username of the actor that initiated the workflow run. + string actor = 2; + // The name of the environment that the workflow is running against, if any. + string environment = 3; + // The ref that the workflow is running against. + string ref = 4; + // The type of ref that the workflow is running against. + // For example, `branch`. + string ref_type = 5; + // The name of the repository that the workflow is running within. 
+ string repository = 6; + // The name of the owner of the repository that the workflow is running within. + string repository_owner = 7; + // The name of the workflow that is running. + string workflow = 8; + // The name of the event that triggered the workflow run. + string event_name = 9; + // The SHA of the commit that triggered the workflow run. + string sha = 10; + // The ID of this GitHub actions workflow run. + string run_id = 11; +} + +// Attributes that are specific to the AWS IAM (`iam`) join method. +// +// Typically, these are mapped directly from the results of the +// STS GetCallerIdentity call that is made as part of the join process. +message JoinAttrsAWSIAM { + // The identifier of the account that the joining entity is a part of. + // For example: `123456789012` + string account = 1; + // The AWS ARN of the joining entity. + // For example: `arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name` + string arn = 2; +} + +// Attributes that are specific to the TPM (`tpm`) join method. +message JoinAttrsTPM { + // The SHA256 hash of the PKIX formatted EK public key, encoded in hex. + // This effectively identifies a specific TPM. + string ek_pub_hash = 1; + // The serial number of the EK certificate, if present. + string ek_cert_serial = 2; + // Whether or not the EK certificate was verified against a certificate + // authority. + bool ek_cert_verified = 3; +} + +// Attributes that are specific to the Azure (`azure`) join method. +message JoinAttrsAzure { + // The subscription ID of the Azure account that the joining entity is a part of. + string subscription = 1; + // The resource group of the Azure account that the joining entity is a part of. + string resource_group = 2; +} + +// Attributes that are specific to the CircleCI (`circleci`) join method. 
+// These are mapped from the claims of the JWT issued by CircleCI to runs, +// which is documented at: https://circleci.com/docs/openid-connect-tokens/ +message JoinAttrsCircleCI { + // The `sub` claim of the CircleCI JWT that was used to join. + // For example: `org/ORGANIZATION_ID/project/PROJECT_ID/user/USER_ID` + string sub = 1; + // The UUIDs of the contexts used in the job. + repeated string context_ids = 2; + // The UUID of the project in which the job is running. + string project_id = 3; +} + +// Attributes that are specific to the Bitbucket (`bitbucket`) join method. +// These are mapped from the claims of the JWT issued by BitBucket to runs, +// which is documented at: https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/ +message JoinAttrsBitbucket { + // The `sub` claim of the Bitbucket JWT that was used to join. + string sub = 1; + // The UUID of the pipeline step. + string step_uuid = 2; + // The UUID of the repository the pipeline step is running within. + string repository_uuid = 3; + // The UUID of the pipeline the step is running within. + string pipeline_uuid = 4; + // The UUID of the workspace the pipeline belongs to. + string workspace_uuid = 5; + // The UUID of the deployment environment the pipeline is running against. + string deployment_environment_uuid = 6; + // The name of the branch the pipeline is running against. + string branch_name = 7; +} + +// Attributes that are specific to the Terraform Cloud (`terraform_cloud`) join method. +// These are mapped from the claims of the JWT issued by Terraform Cloud to runs, +// which is documented at: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/workload-identity-tokens +message JoinAttrsTerraformCloud { + // The `sub` claim of the Terraform Cloud JWT that was used to join. + string sub = 1; + // The name of the organization the project and workspace belong to. 
+ string organization_name = 2; + // The name of the project the workspace belongs to. + string project_name = 3; + // The name of the workspace that the plan/apply is running within. + string workspace_name = 4; + // The fully qualified workspace path, including the organization and project + // name. + // For example: `organization::project::workspace:` + string full_workspace = 5; + // The ID of the run that is being executed. + string run_id = 6; + // The phase of the run that is being executed, either `plan` or `apply`. + string run_phase = 7; +} + +// Attributes that are specific to the Spacelift (`spacelift`) join method. +// These are mapped from the claims of the JWT issued by Spacelift to runs, +// which is documented at: https://docs.spacelift.io/integrations/cloud-providers/oidc/#standard-claims +message JoinAttrsSpacelift { + // The `sub` claim of the Spacelift JWT that was used to join. + string sub = 1; + // The ID of the space in which the run is executing. + string space_id = 2; + // The type of the caller that owns the run, either `stack` or `module`. + string caller_type = 3; + // The ID of the caller that generated the run. + string caller_id = 4; + // The type of the run, either `PROPOSED`, `TRACKED`, `TASK`, `TESTING` or `DESTROY`. + string run_type = 5; + // The ID of the run. + string run_id = 6; + // The configured scope of the token, either `read` or `write`. + string scope = 7; +} + +// Attributes specific to the GCP join method when the joining entity is on a +// GCE instance. +message JoinAttrsGCPGCE { + // The name of the GCE instance that the joining entity is running on. + string name = 1; + // The zone of the GCE instance that the joining entity is running on. + string zone = 2; + // The ID of the GCE instance that the joining entity is running on. + string id = 3; + // The project ID of the GCP project that the instance is running within. + string project = 4; +} + +// Attributes that are specific to the GCP (`gcp`) join method. 
+// These are mapped from the claims of the JWT instance identity token, which +// is documented at: https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload +message JoinAttrsGCP { + // The service account email of the service account that the instance is running as. + string service_account = 1; + // Attributes specific to the GCP join method when the joining entity is on a + // GCE instance. This may not be present if the joining entity is not on + // GCE. + JoinAttrsGCPGCE gce = 2; +} + +// Attributes that are specific to the Kubernetes (`kubernetes`) join method +// when a pod-bound service account token is used. +message JoinAttrsKubernetesPod { + // The name of the service account that the joining entity is running as. + string name = 1; +} + +// Attributes that are specific to the Kubernetes (`kubernetes`) join method +// when a service account token is used. +message JoinAttrsKubernetesServiceAccount { + // The name of the service account that the joining entity is running as. + string name = 1; + // The namespace of the service account that the joining entity is running as. + string namespace = 2; +} + +// Attributes that are specific to the Kubernetes (`kubernetes`) join method. +message JoinAttrsKubernetes { + // The fully qualified identifier of the entity based on the Kubernetes + // token. For a service account, this takes the form of + // `system:serviceaccount::`. + string subject = 1; + // Attributes specific to the Kubernetes join method when the joining entity + // is a service account token. This will only be present if the joining entity + // is a service account (as opposed to a human user or similar). + JoinAttrsKubernetesServiceAccount service_account = 2; + // Attributes specific to the Kubernetes join method when the joining entity + // is a pod-bound service account token. This will only be present if the + // joining entity is a service account, and, the token has been bound to a + // pod. 
+ JoinAttrsKubernetesPod pod = 3; +} diff --git a/lib/auth/auth.go b/lib/auth/auth.go index c240ad6fc585f..4fde155fbb015 100644 --- a/lib/auth/auth.go +++ b/lib/auth/auth.go @@ -71,6 +71,7 @@ import ( headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1" notificationsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/internalutils/stream" "github.com/gravitational/teleport/api/metadata" "github.com/gravitational/teleport/api/types" @@ -2276,6 +2277,9 @@ type certRequest struct { // botInstanceID is the unique identifier of the bot instance associated // with this cert, if any botInstanceID string + // joinAttributes holds attributes derived from attested metadata from the + // join process, should any exist. + joinAttributes *workloadidentityv1pb.JoinAttrs } // check verifies the cert request is valid. @@ -3356,7 +3360,8 @@ func generateCert(ctx context.Context, a *Server, req certRequest, caType types. AssetTag: req.deviceExtensions.AssetTag, CredentialID: req.deviceExtensions.CredentialID, }, - UserType: req.user.GetUserType(), + UserType: req.user.GetUserType(), + JoinAttributes: req.joinAttributes, } var signedTLSCert []byte diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go index e5fdaa9dab8ce..fd33f9c709ea1 100644 --- a/lib/auth/auth_with_roles.go +++ b/lib/auth/auth_with_roles.go 
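Review bot: Nothing in the `JoinAttrs` documentation says where these values end up, yet per the commit title they are persisted into the bot's X509 certificate, so fields such as `JoinAttrsGitLab.user_email`, `user_login` and `JoinAttrsGitHub.actor` become visible to every peer the certificate is presented to and cannot be scrubbed without reissuing the cert. Add to the `JoinAttrs` message comment something like `// These attributes are embedded in the bot's X509 certificate and are visible to any party it is presented to; do not add secret or otherwise sensitive values here.`, and consider whether the user e-mail needs to be carried at all. Separately, the placeholder-bearing examples appear mangled as rendered here (`system:serviceaccount::` on `JoinAttrsKubernetes.subject` and `organization::project::workspace:` on `full_workspace`); if the angle-bracket placeholders were lost in the source too, restore them as `system:serviceaccount:<namespace>:<name>` and `organization:<organization>:project:<project>:workspace:<workspace>` (verify the latter against the Terraform Cloud docs linked above it).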
@@ -3326,6 +3326,9 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC // `updateBotInstance()` is called below, and this (empty) value will be // overridden. botInstanceID: a.context.Identity.GetIdentity().BotInstanceID, + // Propagate any join attributes from the current identity to the new + // identity. + joinAttributes: a.context.Identity.GetIdentity().JoinAttributes, } if user.GetName() != a.context.User.GetName() { diff --git a/lib/auth/bot.go b/lib/auth/bot.go index d2ce2518abb50..840fe80195444 100644 --- a/lib/auth/bot.go +++ b/lib/auth/bot.go @@ -32,6 +32,7 @@ import ( "github.com/gravitational/teleport/api/client/proto" headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1" machineidv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" apievents "github.com/gravitational/teleport/api/types/events" apiutils "github.com/gravitational/teleport/api/utils" @@ -312,7 +313,7 @@ func (a *Server) updateBotInstance( if templateAuthRecord != nil { authRecord.JoinToken = templateAuthRecord.JoinToken authRecord.JoinMethod = templateAuthRecord.JoinMethod - authRecord.Metadata = templateAuthRecord.Metadata + authRecord.JoinAttrs = templateAuthRecord.JoinAttrs } // An empty bot instance most likely means a bot is rejoining after an @@ -489,6 +490,7 @@ func (a *Server) generateInitialBotCerts( expires time.Time, renewable bool, initialAuth *machineidv1pb.BotInstanceStatusAuthentication, existingInstanceID string, currentIdentityGeneration int32, + joinAttrs *workloadidentityv1pb.JoinAttrs, ) (*proto.Certs, string, error) { var err error 
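Review bot: Join attributes are now copied from the caller's identity into every certificate generateUserCerts issues, including the path that starts with the `if user.GetName() != a.context.User.GetName()` check immediately after the added lines, so a bot's attested GitLab/IAM/TPM attributes could be stamped onto a certificate issued for a different principal. Unless WorkloadIdentity rule evaluation is meant to treat an impersonated identity as carrying the impersonator's join attestation, clear the field on that branch, e.g. `joinAttributes` set to `nil` on the cert request when the target user differs from the caller. generateUserCerts starts and ends outside the hunk, so I cannot see whether a later check already strips it; if it does, a one-line comment on the added field saying so would save the next reader the same question.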
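Review bot: `authRecord.Metadata` is no longer copied from `templateAuthRecord` on renewal, but generateCertsBot in join.go still populates the deprecated `Metadata` field with a TODO to drop it only in v18, so a renewal will blank `Metadata` on the stored BotInstance while the field is still documented as populated for the initial join. Until the field is actually removed keep both lines: `authRecord.Metadata = templateAuthRecord.Metadata` alongside the new `authRecord.JoinAttrs = templateAuthRecord.JoinAttrs`. updateBotInstance starts and ends outside the hunk.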
@@ -528,16 +530,17 @@ func (a *Server) generateInitialBotCerts( // Generate certificate certReq := certRequest{ - user: userState, - ttl: expires.Sub(a.GetClock().Now()), - sshPublicKey: sshPubKey, - tlsPublicKey: tlsPubKey, - checker: checker, - traits: accessInfo.Traits, - renewable: renewable, - includeHostCA: true, - loginIP: loginIP, - botName: botName, + user: userState, + ttl: expires.Sub(a.GetClock().Now()), + sshPublicKey: sshPubKey, + tlsPublicKey: tlsPubKey, + checker: checker, + traits: accessInfo.Traits, + renewable: renewable, + includeHostCA: true, + loginIP: loginIP, + botName: botName, + joinAttributes: joinAttrs, } if existingInstanceID == "" { diff --git a/lib/auth/join.go b/lib/auth/join.go index 53880bf9955e2..1b3455fdeebb9 100644 --- a/lib/auth/join.go +++ b/lib/auth/join.go @@ -27,6 +27,7 @@ import ( "slices" "strings" + "github.com/go-jose/go-jose/v3/json" "github.com/gravitational/trace" "github.com/sirupsen/logrus" "google.golang.org/grpc/peer" @@ -35,6 +36,7 @@ import ( "github.com/gravitational/teleport/api/client/proto" machineidv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/machineid/v1" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" apievents "github.com/gravitational/teleport/api/types/events" "github.com/gravitational/teleport/lib/auth/machineid/machineidv1" @@ -96,12 +98,6 @@ func (a *Server) checkTokenJoinRequestCommon(ctx context.Context, req *types.Reg return provisionToken, nil } -type joinAttributeSourcer interface { - // JoinAuditAttributes returns a series of attributes that can be inserted into - // audit events related to a specific join. - JoinAuditAttributes() (map[string]interface{}, error) -} - func setRemoteAddrFromContext(ctx context.Context, req *types.RegisterUsingTokenRequest) error { var addr string if clientIP, err := authz.ClientSrcAddrFromContext(ctx); err == nil { 
@@ -123,7 +119,7 @@ func setRemoteAddrFromContext(ctx context.Context, req *types.RegisterUsingToken func (a *Server) handleJoinFailure( origErr error, pt types.ProvisionToken, - attributeSource joinAttributeSourcer, + rawJoinAttrs any, req *types.RegisterUsingTokenRequest, ) { fields := logrus.Fields{} @@ -134,19 +130,13 @@ func (a *Server) handleJoinFailure( fields["remote_addr"] = req.RemoteAddr } - // Fetch and encode attributes if they are available. - var attributesProto *apievents.Struct - if attributeSource != nil { - var err error - attributes, err := attributeSource.JoinAuditAttributes() - if err != nil { - log.WithError(err).Warn("Unable to fetch join attributes from join method") - } - fields["attributes"] = attributes - attributesProto, err = apievents.EncodeMap(attributes) - if err != nil { - log.WithError(err).Warn("Unable to encode join attributes for audit event") - } + // Fetch and encode rawJoinAttrs if they are available. + attributesStruct, err := rawJoinAttrsToStruct(rawJoinAttrs) + if err != nil { + log.WithError(err).Warn("Unable to encode join rawJoinAttrs for audit event.") + } + if attributesStruct != nil { + fields["attributes"] = attributesStruct } // Add log fields from token if available. @@ -168,7 +158,7 @@ func (a *Server) handleJoinFailure( Code: events.BotJoinFailureCode, }, Status: status, - Attributes: attributesProto, + Attributes: attributesStruct, ConnectionMetadata: apievents.ConnectionMetadata{ RemoteAddr: req.RemoteAddr, }, @@ -186,7 +176,7 @@ func (a *Server) handleJoinFailure( Code: events.InstanceJoinFailureCode, }, Status: status, - Attributes: attributesProto, + Attributes: attributesStruct, } if pt != nil { instanceJoinEvent.Method = string(pt.GetJoinMethod()) 
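Review bot: The warning text `Unable to encode join rawJoinAttrs for audit event.` in handleJoinFailure looks like a search-and-replace artifact that leaked into an operator-facing log line; the sibling callers of rawJoinAttrsToStruct in this file use `log.WithError(err).Warn("Unable to encode join attributes for audit event.")`, and this one should match. The old branch logged the decoded attribute map, whereas the new code puts the `*apievents.Struct` itself into `fields["attributes"]`; confirm that logrus renders that readably rather than as a proto dump before relying on it for join-failure triage. handleJoinFailure's body continues past the hunk.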
@@ -217,12 +207,13 @@ func (a *Server) handleJoinFailure( // If the token includes a specific join method, the rules for that join method // will be checked. func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsingTokenRequest) (certs *proto.Certs, err error) { - var joinAttributeSrc joinAttributeSourcer + attrs := &workloadidentityv1pb.JoinAttrs{} + var rawClaims any var provisionToken types.ProvisionToken defer func() { // Emit a log message and audit event on join failure. if err != nil { - a.handleJoinFailure(err, provisionToken, joinAttributeSrc, req) + a.handleJoinFailure(err, provisionToken, rawClaims, req) } }() @@ -244,7 +235,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodGitHub: claims, err := a.checkGitHubJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Github = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -252,7 +244,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodGitLab: claims, err := a.checkGitLabJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Gitlab = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -260,7 +253,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodCircleCI: claims, err := a.checkCircleCIJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Circleci = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -268,7 +262,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodKubernetes: claims, err := a.checkKubernetesJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Kubernetes = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) 
@@ -276,7 +271,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodGCP: claims, err := a.checkGCPJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Gcp = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -284,7 +280,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodSpacelift: claims, err := a.checkSpaceliftJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Spacelift = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -292,7 +289,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodTerraformCloud: claims, err := a.checkTerraformCloudJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.TerraformCloud = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -300,7 +298,8 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin case types.JoinMethodBitbucket: claims, err := a.checkBitbucketJoinRequest(ctx, req) if claims != nil { - joinAttributeSrc = claims + rawClaims = claims + attrs.Bitbucket = claims.JoinAttrs() } if err != nil { return nil, trace.Wrap(err) @@ -323,10 +322,16 @@ func (a *Server) RegisterUsingToken(ctx context.Context, req *types.RegisterUsin // With all elements of the token validated, we can now generate & return // certificates. if req.Role == types.RoleBot { - certs, err = a.generateCertsBot(ctx, provisionToken, req, joinAttributeSrc) + certs, err = a.generateCertsBot( + ctx, + provisionToken, + req, + rawClaims, + attrs, + ) return certs, trace.Wrap(err) } - certs, err = a.generateCerts(ctx, provisionToken, req, joinAttributeSrc) + certs, err = a.generateCerts(ctx, provisionToken, req, rawClaims) return certs, trace.Wrap(err) } 
@@ -334,7 +339,8 @@ func (a *Server) generateCertsBot( ctx context.Context, provisionToken types.ProvisionToken, req *types.RegisterUsingTokenRequest, - joinAttributeSrc joinAttributeSourcer, + rawJoinClaims any, + attrs *workloadidentityv1pb.JoinAttrs, ) (*proto.Certs, error) { // bots use this endpoint but get a user cert // botResourceName must be set, enforced in CheckAndSetDefaults @@ -382,6 +388,23 @@ func (a *Server) generateCertsBot( RemoteAddr: req.RemoteAddr, }, } + var err error + joinEvent.Attributes, err = rawJoinAttrsToStruct(rawJoinClaims) + if err != nil { + log.WithError(err).Warn("Unable to encode join attributes for audit event.") + } + + // Prepare join attributes for encoding into the X509 cert and for inclusion + // in audit logs. + if attrs == nil { + attrs = &workloadidentityv1pb.JoinAttrs{} + } + attrs.Meta = &workloadidentityv1pb.JoinAttrsMeta{ + JoinMethod: string(joinMethod), + } + if joinMethod != types.JoinMethodToken { + attrs.Meta.JoinTokenName = provisionToken.GetName() + } auth := &machineidv1pb.BotInstanceStatusAuthentication{ AuthenticatedAt: timestamppb.New(a.GetClock().Now()), 
@@ -393,22 +416,12 @@ func (a *Server) generateCertsBot( // TODO(nklaassen): consider logging the SSH public key as well, for now // the SSH and TLS public keys are still identical for tbot. PublicKey: req.PublicTLSKey, + JoinAttrs: attrs, } - - if joinAttributeSrc != nil { - attributes, err := joinAttributeSrc.JoinAuditAttributes() - if err != nil { - log.WithError(err).Warn("Unable to fetch join attributes from join method.") - } - joinEvent.Attributes, err = apievents.EncodeMap(attributes) - if err != nil { - log.WithError(err).Warn("Unable to encode join attributes for audit event.") - } - - auth.Metadata, err = structpb.NewStruct(attributes) - if err != nil { - log.WithError(err).Warn("Unable to encode struct value for join metadata.") - } + // TODO(noah): In v18, we can drop writing to the deprecated Metadata field. + auth.Metadata, err = rawJoinAttrsToGoogleStruct(rawJoinClaims) + if err != nil { + log.WithError(err).Warn("Unable to encode join attributes for bot instance authentication event.") } certs, botInstanceID, err := a.generateInitialBotCerts( @@ -423,6 +436,7 @@ func (a *Server) generateCertsBot( auth, req.BotInstanceID, req.BotGeneration, + attrs, ) if err != nil { return nil, trace.Wrap(err) @@ -450,7 +464,7 @@ func (a *Server) generateCerts( ctx context.Context, provisionToken types.ProvisionToken, req *types.RegisterUsingTokenRequest, - joinAttributeSrc joinAttributeSourcer, + rawJoinClaims any, ) (*proto.Certs, error) { if req.Expires != nil { return nil, trace.BadParameter("'expires' cannot be set on join for non-bot certificates") 
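Review bot: The comment `// Prepare join attributes for encoding into the X509 cert and for inclusion in audit logs.` is inaccurate: `joinEvent.Attributes` is built from `rawJoinClaims` a few lines earlier, and `attrs` goes into the certificate and the BotInstance authentication record, not the audit event. Reword it to `// Prepare join attributes for encoding into the X509 cert and the BotInstance authentication record; the audit event carries the raw claims instead.` The decision to omit the token name hinges on `joinMethod`, which is defined above the hunk, so I cannot confirm it is derived from `provisionToken.GetJoinMethod()` rather than from the request, which matters because only the former is trustworthy for the "is this name sensitive" check. generateCertsBot starts before and ends after the hunk.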
@@ -510,15 +524,9 @@ func (a *Server) generateCerts(
RemoteAddr: req.RemoteAddr,
},
}
- if joinAttributeSrc != nil {
- attributes, err := joinAttributeSrc.JoinAuditAttributes()
- if err != nil {
- log.WithError(err).Warn("Unable to fetch join attributes from join method.")
- }
- joinEvent.Attributes, err = apievents.EncodeMap(attributes)
- if err != nil {
- log.WithError(err).Warn("Unable to encode join attributes for audit event.")
- }
+ joinEvent.Attributes, err = rawJoinAttrsToStruct(rawJoinClaims)
+ if err != nil {
+ log.WithError(err).Warn("Unable to encode join attributes for audit event.")
}
if err := a.emitter.EmitAuditEvent(ctx, joinEvent); err != nil {
log.WithError(err).Warn("Failed to emit instance join event.")
@@ -526,6 +534,36 @@ func (a *Server) generateCerts(
return certs, nil
}
+func rawJoinAttrsToStruct(in any) (*apievents.Struct, error) {
+ if in == nil {
+ return nil, nil
+ }
+ attrBytes, err := json.Marshal(in)
+ if err != nil {
+ return nil, trace.Wrap(err, "marshaling join attributes")
+ }
+ out := &apievents.Struct{}
+ if err := out.UnmarshalJSON(attrBytes); err != nil {
+ return nil, trace.Wrap(err, "unmarshaling join attributes")
+ }
+ return out, nil
+}
+
+func rawJoinAttrsToGoogleStruct(in any) (*structpb.Struct, error) {
+ if in == nil {
+ return nil, nil
+ }
+ attrBytes, err := json.Marshal(in)
+ if err != nil {
+ return nil, trace.Wrap(err, "marshaling join attributes")
+ }
+ out := &structpb.Struct{}
+ if err := out.UnmarshalJSON(attrBytes); err != nil {
+ return nil, trace.Wrap(err, "unmarshaling join attributes")
+ }
+ return out, nil
+}
+
func generateChallenge(encoding *base64.Encoding, length int) (string, error) {
// read crypto-random bytes to generate the challenge
challengeRawBytes := make([]byte, length)
diff --git a/lib/auth/join_azure.go
index 721a53ff2d7fa..8605dd280483c 100644
--- a/lib/auth/join_azure.go
+++ b/lib/auth/join_azure.go
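Review bot: rawJoinAttrsToStruct and rawJoinAttrsToGoogleStruct marshal with `json.Marshal` from `github.com/go-jose/go-jose/v3/json` (added to join.go's imports in an earlier hunk), which is go-jose's internal fork of encoding/json maintained for JOSE parsing rather than a general serializer, so audit and BotInstance encoding of every join method's claims is now coupled to whatever that fork does or stops doing. Nothing here needs it: switch the import to the standard `"encoding/json"` and the two call sites stay as written. Both helpers deliberately return `nil, nil` for a nil input and callers assign the result directly, so a one-line doc comment on each, e.g. `// rawJoinAttrsToStruct JSON-round-trips the join method's raw claims into an audit Struct; a nil input yields a nil Struct and no error.`, would make that contract explicit; the two bodies are also identical apart from the output type, so a small generic over `interface{ UnmarshalJSON([]byte) error }` could fold them, though that is optional.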
@@ -38,6 +38,7 @@ import ( "github.com/gravitational/teleport/api/client" "github.com/gravitational/teleport/api/client/proto" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/cloud/azure" "github.com/gravitational/teleport/lib/utils" 
@@ -312,37 +313,49 @@ func azureResourceGroupIsAllowed(allowedResourceGroups []string, vmResourceGroup return false } -func (a *Server) checkAzureRequest(ctx context.Context, challenge string, req *proto.RegisterUsingAzureMethodRequest, cfg *azureRegisterConfig) error { +func azureJoinToAttrs(vm *azure.VirtualMachine) *workloadidentityv1pb.JoinAttrsAzure { + return &workloadidentityv1pb.JoinAttrsAzure{ + Subscription: vm.Subscription, + ResourceGroup: vm.ResourceGroup, + } +} + +func (a *Server) checkAzureRequest( + ctx context.Context, + challenge string, + req *proto.RegisterUsingAzureMethodRequest, + cfg *azureRegisterConfig, +) (*workloadidentityv1pb.JoinAttrsAzure, error) { requestStart := a.clock.Now() tokenName := req.RegisterUsingTokenRequest.Token provisionToken, err := a.GetToken(ctx, tokenName) if err != nil { - return trace.Wrap(err) + return nil, trace.Wrap(err) } if provisionToken.GetJoinMethod() != types.JoinMethodAzure { - return trace.AccessDenied("this token does not support the Azure join method") + return nil, trace.AccessDenied("this token does not support the Azure join method") + } + token, ok := provisionToken.(*types.ProvisionTokenV2) + if !ok { + return nil, trace.BadParameter("azure join method only supports ProvisionTokenV2, '%T' was provided", provisionToken) } subID, vmID, err := parseAndVerifyAttestedData(ctx, req.AttestedData, challenge, cfg.certificateAuthorities) if err != nil { - return trace.Wrap(err) + return nil, trace.Wrap(err) } vm, err := verifyVMIdentity(ctx, cfg, req.AccessToken, subID, vmID, requestStart) if err != nil { - return trace.Wrap(err) - } - - token, ok := provisionToken.(*types.ProvisionTokenV2) - if !ok { - return trace.BadParameter("azure join method only supports ProvisionTokenV2, '%T' was provided", provisionToken) + return nil, trace.Wrap(err) } + attrs := azureJoinToAttrs(vm) if err := checkAzureAllowRules(vm, token.GetName(), token.Spec.Azure.Allow); err != nil { - return trace.Wrap(err) + return attrs, 
trace.Wrap(err) } - return nil + return attrs, nil } func generateAzureChallenge() (string, error) { @@ -399,7 +412,8 @@ func (a *Server) RegisterUsingAzureMethodWithOpts( return nil, trace.Wrap(err) } - if err := a.checkAzureRequest(ctx, challenge, req, cfg); err != nil { + joinAttrs, err := a.checkAzureRequest(ctx, challenge, req, cfg) + if err != nil { return nil, trace.Wrap(err) } @@ -409,6 +423,9 @@ func (a *Server) RegisterUsingAzureMethodWithOpts( provisionToken, req.RegisterUsingTokenRequest, nil, + &workloadidentityv1pb.JoinAttrs{ + Azure: joinAttrs, + }, ) return certs, trace.Wrap(err) } diff --git a/lib/auth/join_iam.go b/lib/auth/join_iam.go index ba2209105c7c0..ee8c97857ee1f 100644 --- a/lib/auth/join_iam.go +++ b/lib/auth/join_iam.go @@ -34,6 +34,7 @@ import ( "github.com/gravitational/teleport" "github.com/gravitational/teleport/api/client" "github.com/gravitational/teleport/api/client/proto" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/auth/join/iam" "github.com/gravitational/teleport/lib/utils" @@ -172,6 +173,18 @@ type awsIdentity struct { Arn string `json:"Arn"` } +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *awsIdentity) JoinAttrs() *workloadidentityv1pb.JoinAttrsAWSIAM { + attrs := &workloadidentityv1pb.JoinAttrsAWSIAM{ + Account: c.Account, + Arn: c.Arn, + } + + return attrs +} + // getCallerIdentityReponse is used for JSON parsing type getCallerIdentityResponse struct { GetCallerIdentityResult awsIdentity `json:"GetCallerIdentityResult"` 
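Review bot: checkAzureRequest now returns the attested `attrs` together with the allow-rule error, but RegisterUsingAzureMethodWithOpts discards them on `err != nil` and still passes `nil` as the raw claims to generateCertsBot, so neither the Azure join-failure audit event nor the `BotJoin` event/BotInstance `Metadata` carries the subscription and resource group, unlike the IAM path in this same commit which records `verifiedIdentity` in both places. Mirror that: keep the returned attrs in the failure-metadata variable before checking the error (`if joinAttrs != nil { joinFailureMetadata = joinAttrs }`, assuming the deferred handleJoinFailure call above the hunk has such a variable) and pass `joinAttrs` instead of `nil` as the raw claims argument. If the returned-attrs-on-error contract is intentional, say so on checkAzureRequest: `// On an allow-rule failure the attested attributes are still returned alongside the error so the failure can be audited.` RegisterUsingAzureMethodWithOpts starts outside the hunk.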
@@ -260,41 +273,41 @@ func checkIAMAllowRules(identity *awsIdentity, token string, allowRules []*types // checkIAMRequest checks if the given request satisfies the token rules and // included the required challenge. -func (a *Server) checkIAMRequest(ctx context.Context, challenge string, req *proto.RegisterUsingIAMMethodRequest, cfg *iamRegisterConfig) error { +func (a *Server) checkIAMRequest(ctx context.Context, challenge string, req *proto.RegisterUsingIAMMethodRequest, cfg *iamRegisterConfig) (*awsIdentity, error) { tokenName := req.RegisterUsingTokenRequest.Token provisionToken, err := a.GetToken(ctx, tokenName) if err != nil { - return trace.Wrap(err, "getting token") + return nil, trace.Wrap(err, "getting token") } if provisionToken.GetJoinMethod() != types.JoinMethodIAM { - return trace.AccessDenied("this token does not support the IAM join method") + return nil, trace.AccessDenied("this token does not support the IAM join method") } // parse the incoming http request to the sts:GetCallerIdentity endpoint identityRequest, err := parseSTSRequest(req.StsIdentityRequest) if err != nil { - return trace.Wrap(err, "parsing STS request") + return nil, trace.Wrap(err, "parsing STS request") } // validate that the host, method, and headers are correct and the expected // challenge is included in the signed portion of the request if err := validateSTSIdentityRequest(identityRequest, challenge, cfg); err != nil { - return trace.Wrap(err, "validating STS request") + return nil, trace.Wrap(err, "validating STS request") } // send the signed request to the public AWS API and get the node identity // from the response identity, err := executeSTSIdentityRequest(ctx, a.httpClientForAWSSTS, identityRequest) if err != nil { - return trace.Wrap(err, "executing STS request") + return nil, trace.Wrap(err, "executing STS request") } // check that the node identity matches an allow rule for this token if err := checkIAMAllowRules(identity, provisionToken.GetName(), 
provisionToken.GetAllowRules()); err != nil { - return trace.Wrap(err, "checking allow rules") + return identity, trace.Wrap(err, "checking allow rules") } - return nil + return identity, nil } func generateIAMChallenge() (string, error) { @@ -341,11 +354,12 @@ func (a *Server) RegisterUsingIAMMethodWithOpts( ) (certs *proto.Certs, err error) { var provisionToken types.ProvisionToken var joinRequest *types.RegisterUsingTokenRequest + var joinFailureMetadata any defer func() { // Emit a log message and audit event on join failure. if err != nil { a.handleJoinFailure( - err, provisionToken, nil, joinRequest, + err, provisionToken, joinFailureMetadata, joinRequest, ) } }() @@ -377,15 +391,27 @@ func (a *Server) RegisterUsingIAMMethodWithOpts( } // check that the GetCallerIdentity request is valid and matches the token - if err := a.checkIAMRequest(ctx, challenge, req, cfg); err != nil { + verifiedIdentity, err := a.checkIAMRequest(ctx, challenge, req, cfg) + if verifiedIdentity != nil { + joinFailureMetadata = verifiedIdentity + } + if err != nil { return nil, trace.Wrap(err, "checking iam request") } if req.RegisterUsingTokenRequest.Role == types.RoleBot { - certs, err := a.generateCertsBot(ctx, provisionToken, req.RegisterUsingTokenRequest, nil) + certs, err := a.generateCertsBot( + ctx, + provisionToken, + req.RegisterUsingTokenRequest, + verifiedIdentity, + &workloadidentityv1pb.JoinAttrs{ + Iam: verifiedIdentity.JoinAttrs(), + }, + ) return certs, trace.Wrap(err, "generating bot certs") } - certs, err = a.generateCerts(ctx, provisionToken, req.RegisterUsingTokenRequest, nil) + certs, err = a.generateCerts(ctx, provisionToken, req.RegisterUsingTokenRequest, verifiedIdentity) return certs, trace.Wrap(err, "generating certs") } diff --git a/lib/auth/join_tpm.go b/lib/auth/join_tpm.go index 05bf9e3c35a54..cdfad3e680350 100644 --- a/lib/auth/join_tpm.go +++ b/lib/auth/join_tpm.go 
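Review bot: The comment on checkIAMRequest (context line above the hunk) still describes a function that only returns an error; it now also returns the verified identity, and returns it even when the allow-rule check fails, which departs from the usual Go rule that the value is meaningless on error. Document that explicitly: `// The returned identity is non-nil whenever the STS call succeeded, even if the allow rules rejected it, so callers can attach it to the join-failure audit event.` RegisterUsingIAMMethodWithOpts (`@@ -377`) depends on exactly that by assigning joinFailureMetadata before checking err.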
@@ -28,6 +28,7 @@ import ( "github.com/gravitational/teleport/api/client" "github.com/gravitational/teleport/api/client/proto" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/modules" "github.com/gravitational/teleport/lib/tpm" @@ -39,12 +40,12 @@ func (a *Server) RegisterUsingTPMMethod( solveChallenge client.RegisterTPMChallengeResponseFunc, ) (_ *proto.Certs, err error) { var provisionToken types.ProvisionToken - var attributeSrc joinAttributeSourcer + var joinFailureMetadata any defer func() { // Emit a log message and audit event on join failure. if err != nil { a.handleJoinFailure( - err, provisionToken, attributeSrc, initReq.JoinRequest, + err, provisionToken, joinFailureMetadata, initReq.JoinRequest, ) } }() @@ -99,10 +100,12 @@ func (a *Server) RegisterUsingTPMMethod( return solution.Solution, nil }, }) + if validatedEK != nil { + joinFailureMetadata = validatedEK + } if err != nil { return nil, trace.Wrap(err, "validating TPM EK") } - attributeSrc = validatedEK if err := checkTPMAllowRules(validatedEK, ptv2.Spec.TPM.Allow); err != nil { return nil, trace.Wrap(err) @@ -110,7 +113,13 @@ func (a *Server) RegisterUsingTPMMethod( if initReq.JoinRequest.Role == types.RoleBot { certs, err := a.generateCertsBot( - ctx, ptv2, initReq.JoinRequest, validatedEK, + ctx, + ptv2, + initReq.JoinRequest, + validatedEK, + &workloadidentityv1pb.JoinAttrs{ + Tpm: validatedEK.JoinAttrs(), + }, ) return certs, trace.Wrap(err, "generating certs for bot") } diff --git a/lib/bitbucket/bitbucket.go b/lib/bitbucket/bitbucket.go index ee9923337f9e8..653d724c1a971 100644 --- a/lib/bitbucket/bitbucket.go +++ b/lib/bitbucket/bitbucket.go 
@@ -19,8 +19,7 @@ package bitbucket import ( - "github.com/gravitational/trace" - "github.com/mitchellh/mapstructure" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // IDTokenClaims @@ -60,19 +59,17 @@ type IDTokenClaims struct { BranchName string `json:"branchName"` } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *IDTokenClaims) JoinAuditAttributes() (map[string]any, error) { - res := map[string]any{} - d, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ - TagName: "json", - Result: &res, - }) - if err != nil { - return nil, trace.Wrap(err) +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsBitbucket { + return &workloadidentityv1pb.JoinAttrsBitbucket{ + Sub: c.Sub, + StepUuid: c.StepUUID, + RepositoryUuid: c.RepositoryUUID, + PipelineUuid: c.PipelineUUID, + WorkspaceUuid: c.WorkspaceUUID, + DeploymentEnvironmentUuid: c.DeploymentEnvironmentUUID, + BranchName: c.BranchName, } - if err := d.Decode(c); err != nil { - return nil, trace.Wrap(err) - } - return res, nil } diff --git a/lib/circleci/circleci.go b/lib/circleci/circleci.go index 0f0c351c5eae3..ef796322d5220 100644 --- a/lib/circleci/circleci.go +++ b/lib/circleci/circleci.go @@ -32,8 +32,7 @@ package circleci import ( "fmt" - "github.com/gravitational/trace" - "github.com/mitchellh/mapstructure" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) const IssuerURLTemplate = "https://oidc.circleci.com/org/%s" 
@@ -55,20 +54,13 @@ type IDTokenClaims struct { ProjectID string `json:"oidc.circleci.com/project-id"` } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *IDTokenClaims) JoinAuditAttributes() (map[string]interface{}, error) { - res := map[string]interface{}{} - d, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ - TagName: "json", - Result: &res, - }) - if err != nil { - return nil, trace.Wrap(err) +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsCircleCI { + return &workloadidentityv1pb.JoinAttrsCircleCI{ + Sub: c.Sub, + ContextIds: c.ContextIDs, + ProjectId: c.ProjectID, } - - if err := d.Decode(c); err != nil { - return nil, trace.Wrap(err) - } - return res, nil } diff --git a/lib/gcp/gcp.go b/lib/gcp/gcp.go index 4fd77ca6a4f52..a1ab7eb9daafa 100644 --- a/lib/gcp/gcp.go +++ b/lib/gcp/gcp.go @@ -19,8 +19,7 @@ package gcp import ( - "github.com/gravitational/trace" - "github.com/mitchellh/mapstructure" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // defaultIssuerHost is the issuer for GCP ID tokens. 
@@ -52,20 +51,21 @@ type IDTokenClaims struct { Google Google `json:"google"` } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *IDTokenClaims) JoinAuditAttributes() (map[string]interface{}, error) { - res := map[string]interface{}{} - d, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ - TagName: "json", - Result: &res, - }) - if err != nil { - return nil, trace.Wrap(err) +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsGCP { + attrs := &workloadidentityv1pb.JoinAttrsGCP{ + ServiceAccount: c.Email, } - - if err := d.Decode(c); err != nil { - return nil, trace.Wrap(err) + if c.Google.ComputeEngine.InstanceName != "" { + attrs.Gce = &workloadidentityv1pb.JoinAttrsGCPGCE{ + Project: c.Google.ComputeEngine.ProjectID, + Zone: c.Google.ComputeEngine.Zone, + Id: c.Google.ComputeEngine.InstanceID, + Name: c.Google.ComputeEngine.InstanceName, + } } - return res, nil + + return attrs } diff --git a/lib/githubactions/githubactions.go b/lib/githubactions/githubactions.go index f2921a9636d18..52b143e9811a8 100644 --- a/lib/githubactions/githubactions.go +++ b/lib/githubactions/githubactions.go @@ -21,6 +21,8 @@ package githubactions import ( "github.com/gravitational/trace" "github.com/mitchellh/mapstructure" + + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // GitHub Workload Identity 
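Review bot: JoinAttrs's doc comment does not mention that `Gce` is only populated when `InstanceName` is non-empty, which is the visible condition in the function; rule authors matching on gce fields need to know the sub-message may be absent. Suggest adding `// Gce is nil for tokens that were not issued to a Compute Engine instance.` to the comment.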
@@ -118,3 +120,24 @@ func (c *IDTokenClaims) JoinAuditAttributes() (map[string]interface{}, error) { } return res, nil } + +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsGitHub { + attrs := &workloadidentityv1pb.JoinAttrsGitHub{ + Sub: c.Sub, + Actor: c.Actor, + Environment: c.Environment, + Ref: c.Ref, + RefType: c.RefType, + Repository: c.Repository, + RepositoryOwner: c.RepositoryOwner, + Workflow: c.Workflow, + EventName: c.EventName, + Sha: c.SHA, + RunId: c.RunID, + } + + return attrs +} diff --git a/lib/gitlab/gitlab.go b/lib/gitlab/gitlab.go index 1129e6509d6c3..9daf1c4a68d8d 100644 --- a/lib/gitlab/gitlab.go +++ b/lib/gitlab/gitlab.go @@ -19,8 +19,7 @@ package gitlab import ( - "github.com/gravitational/trace" - "github.com/mitchellh/mapstructure" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // GitLab Workload Identity 
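Review bot: githubactions (and spacelift, later in this change) keeps JoinAuditAttributes and its mapstructure import while bitbucket, circleci, gcp, gitlab, terraformcloud, the kube validator and tpm all remove theirs; if no caller remains, dropping it here too keeps the providers consistent, and if one does, a comment on why it survives would help the next reader. As a style point, `attrs := ...; return attrs` here, in awsIdentity.JoinAttrs (join_iam.go) and in ValidatedTPM.JoinAttrs (validate.go) can simply `return &workloadidentityv1pb.JoinAttrsGitHub{...}` as the other providers do.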
@@ -112,20 +111,28 @@ type IDTokenClaims struct { ProjectVisibility string `json:"project_visibility"` } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *IDTokenClaims) JoinAuditAttributes() (map[string]interface{}, error) { - res := map[string]interface{}{} - d, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ - TagName: "json", - Result: &res, - }) - if err != nil { - return nil, trace.Wrap(err) +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsGitLab { + attrs := &workloadidentityv1pb.JoinAttrsGitLab{ + Sub: c.Sub, + Ref: c.Ref, + RefType: c.RefType, + RefProtected: c.RefProtected == "true", + NamespacePath: c.NamespacePath, + ProjectPath: c.ProjectPath, + UserLogin: c.UserLogin, + UserEmail: c.UserEmail, + PipelineId: c.PipelineID, + Environment: c.Environment, + EnvironmentProtected: c.EnvironmentProtected == "true", + RunnerId: int64(c.RunnerID), + RunnerEnvironment: c.RunnerEnvironment, + Sha: c.SHA, + CiConfigRefUri: c.CIConfigRefURI, + CiConfigSha: c.CIConfigSHA, } - if err := d.Decode(c); err != nil { - return nil, trace.Wrap(err) - } - return res, nil + return attrs } diff --git a/lib/kube/token/validator.go b/lib/kube/token/validator.go index 056b5ee1def0d..d7c870f326c06 100644 --- a/lib/kube/token/validator.go +++ b/lib/kube/token/validator.go 
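Review bot: `RefProtected: c.RefProtected == "true"` and the matching `EnvironmentProtected` line convert string-typed claims, so only the exact lowercase literal counts as protected and any other value silently becomes false; a one-line comment such as `// The claim is a string (presumably "true"/"false"); anything else is treated as unprotected.` makes that fail-closed choice explicit for whoever writes rules against these fields. `int64(c.RunnerID)` relies on RunnerID's declared type, which is outside the hunk.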
@@ -29,13 +29,13 @@ import ( "github.com/go-jose/go-jose/v3" josejwt "github.com/go-jose/go-jose/v3/jwt" "github.com/gravitational/trace" - "github.com/mitchellh/mapstructure" v1 "k8s.io/api/authentication/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/version" "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/api/utils" ) @@ -60,24 +60,14 @@ type ValidationResult struct { // This will be prepended with `system:serviceaccount:` for service // accounts. Username string `json:"username"` + attrs *workloadidentityv1pb.JoinAttrsKubernetes } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *ValidationResult) JoinAuditAttributes() (map[string]interface{}, error) { - res := map[string]interface{}{} - d, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ - TagName: "json", - Result: &res, - Squash: true, - }) - if err != nil { - return nil, trace.Wrap(err) - } - if err := d.Decode(c); err != nil { - return nil, trace.Wrap(err) - } - return res, nil +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *ValidationResult) JoinAttrs() *workloadidentityv1pb.JoinAttrsKubernetes { + return c.attrs } // TokenReviewValidator validates a Kubernetes Service Account JWT using the 
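Review bot: The new unexported `attrs` field on ValidationResult has no comment, and JoinAttrs returns it as-is, so a ValidationResult constructed anywhere other than the two constructors in this file (tests, for instance) yields nil; suggest `// attrs is the protobuf form of the verified identity, set by Validate and ValidateTokenWithJWKS; nil if the result was not produced by them.` The exported fields' json tags are unaffected because the field is unexported.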
@@ -180,8 +170,11 @@ func (v *TokenReviewValidator) Validate(ctx context.Context, token, clusterName // Check the Username is a service account. // A user token would not match rules anyway, but we can produce a more relevant error message here. - if !strings.HasPrefix(reviewResult.Status.User.Username, ServiceAccountNamePrefix) { - return nil, trace.BadParameter("token user is not a service account: %s", reviewResult.Status.User.Username) + namespace, serviceAccount, err := serviceAccountFromUsername( + reviewResult.Status.User.Username, + ) + if err != nil { + return nil, trace.Wrap(err) } if !slices.Contains(reviewResult.Status.User.Groups, serviceAccountGroup) { 
@@ -203,20 +196,47 @@ func (v *TokenReviewValidator) Validate(ctx context.Context, token, clusterName // We know if the token is bound to a pod if its name is in the Extra userInfo. // If the token is not bound while Kubernetes supports bound tokens we abort. - if _, ok := reviewResult.Status.User.Extra[extraDataPodNameField]; !ok && boundTokenSupport { + podName, podNamePresent := reviewResult.Status.User.Extra[extraDataPodNameField] + if !podNamePresent && boundTokenSupport { return nil, trace.BadParameter( "legacy SA tokens are not accepted as kubernetes version %s supports bound tokens", kubeVersion.String(), ) } + attrs := &workloadidentityv1pb.JoinAttrsKubernetes{ + Subject: reviewResult.Status.User.Username, + ServiceAccount: &workloadidentityv1pb.JoinAttrsKubernetesServiceAccount{ + Name: serviceAccount, + Namespace: namespace, + }, + } + if podNamePresent && len(podName) == 1 { + attrs.Pod = &workloadidentityv1pb.JoinAttrsKubernetesPod{ + Name: podName[0], + } + } + return &ValidationResult{ Raw: reviewResult.Status, Type: types.KubernetesJoinTypeInCluster, Username: reviewResult.Status.User.Username, + attrs: attrs, }, nil } +func serviceAccountFromUsername(username string) (namespace, name string, err error) { + cut, hasPrefix := strings.CutPrefix(username, ServiceAccountNamePrefix) + if !hasPrefix { + return "", "", trace.BadParameter("token user is not a service account: %s", username) + } + parts := strings.Split(cut, ":") + if len(parts) != 2 { + return "", "", trace.BadParameter("token user has malformed service account name: %s", username) + } + return parts[1], parts[2], nil +} + func kubernetesSupportsBoundTokens(gitVersion string) (bool, error) { kubeVersion, err := version.ParseSemantic(gitVersion) if err != nil { 
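Review bot: serviceAccountFromUsername cannot succeed as written: it requires `len(parts) == 2` and then returns `parts[1], parts[2]`, so a well-formed name either panics with an index out of range (if ServiceAccountNamePrefix ends in a colon, leaving `ns:name`) or is rejected as malformed (if it does not, leaving `:ns:name` with three parts). The constant's value is outside the hunk so which case applies cannot be confirmed here, but Validate (`@@ -180`, same file) now fails or panics for every in-cluster join either way. A form that does not depend on the constant's trailing colon: `parts := strings.Split(strings.TrimPrefix(cut, ":"), ":")`, keep `if len(parts) != 2`, and `return parts[0], parts[1], nil`. A unit test with a real `system:serviceaccount:<ns>:<name>` username would have caught this, since the prefix check alone does not exercise the indices.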
@@ -319,5 +339,15 @@ func ValidateTokenWithJWKS( Raw: claims, Type: types.KubernetesJoinTypeStaticJWKS, Username: claims.Subject, + attrs: &workloadidentityv1pb.JoinAttrsKubernetes{ + Subject: claims.Subject, + Pod: &workloadidentityv1pb.JoinAttrsKubernetesPod{ + Name: claims.Kubernetes.Pod.Name, + }, + ServiceAccount: &workloadidentityv1pb.JoinAttrsKubernetesServiceAccount{ + Name: claims.Kubernetes.ServiceAccount.Name, + Namespace: claims.Kubernetes.Namespace, + }, + }, }, nil } diff --git a/lib/spacelift/spacelift.go b/lib/spacelift/spacelift.go index ddaba2f11cfd2..289e074fcb3b0 100644 --- a/lib/spacelift/spacelift.go +++ b/lib/spacelift/spacelift.go @@ -21,6 +21,8 @@ package spacelift import ( "github.com/gravitational/trace" "github.com/mitchellh/mapstructure" + + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // IDTokenClaims @@ -49,6 +51,21 @@ type IDTokenClaims struct { Scope string `json:"scope"` } +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsSpacelift { + return &workloadidentityv1pb.JoinAttrsSpacelift{ + Sub: c.Sub, + SpaceId: c.SpaceID, + CallerType: c.CallerType, + CallerId: c.CallerID, + RunType: c.RunType, + RunId: c.RunID, + Scope: c.Scope, + } +} + // JoinAuditAttributes returns a series of attributes that can be inserted into // audit events related to a specific join. func (c *IDTokenClaims) JoinAuditAttributes() (map[string]interface{}, error) { diff --git a/lib/terraformcloud/terraform.go b/lib/terraformcloud/terraform.go index ded2340c2e5d1..c9db802130ae2 100644 --- a/lib/terraformcloud/terraform.go +++ b/lib/terraformcloud/terraform.go 
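Review bot: The JWKS path sets `Pod` unconditionally, so a token whose `claims.Kubernetes.Pod.Name` is empty produces a non-nil Pod with an empty name, whereas the in-cluster path in the previous hunk only sets Pod when the pod-name extra is present; anything that tests `attrs.Pod != nil` to tell pod-bound tokens apart will treat the two paths differently. Suggest building the struct without `Pod` and then `if n := claims.Kubernetes.Pod.Name; n != "" { attrs.Pod = &workloadidentityv1pb.JoinAttrsKubernetesPod{Name: n} }`. Whether the claim can actually be empty depends on the claims type, which is outside this hunk, as is the start of ValidateTokenWithJWKS.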
@@ -19,8 +19,7 @@ package terraformcloud import ( - "github.com/gravitational/trace" - "github.com/mitchellh/mapstructure" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // IDTokenClaims @@ -52,20 +51,17 @@ type IDTokenClaims struct { RunPhase string `json:"terraform_run_phase"` } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *IDTokenClaims) JoinAuditAttributes() (map[string]interface{}, error) { - res := map[string]interface{}{} - d, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ - TagName: "json", - Result: &res, - }) - if err != nil { - return nil, trace.Wrap(err) +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *IDTokenClaims) JoinAttrs() *workloadidentityv1pb.JoinAttrsTerraformCloud { + return &workloadidentityv1pb.JoinAttrsTerraformCloud{ + Sub: c.Sub, + OrganizationName: c.OrganizationName, + ProjectName: c.ProjectName, + WorkspaceName: c.WorkspaceName, + FullWorkspace: c.FullWorkspace, + RunId: c.RunID, + RunPhase: c.RunPhase, } - - if err := d.Decode(c); err != nil { - return nil, trace.Wrap(err) - } - return res, nil } diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go index 3edde794e5860..202ca94fd609e 100644 --- a/lib/tlsca/ca.go +++ b/lib/tlsca/ca.go @@ -36,8 +36,10 @@ import ( "github.com/gravitational/trace" "github.com/jonboulle/clockwork" + "google.golang.org/protobuf/encoding/protojson" "github.com/gravitational/teleport" + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/api/types/events" "github.com/gravitational/teleport/api/types/wrappers" 
@@ -203,6 +205,10 @@ type Identity struct { // UserType indicates if the User was created by an SSO Provider or locally. UserType types.UserType + + // JoinAttributes holds the attributes that resulted from the + // Bot/Agent join process. + JoinAttributes *workloadidentityv1pb.JoinAttrs } // RouteToApp holds routing information for applications. @@ -556,6 +562,10 @@ var ( // BotInstanceASN1ExtensionOID is an extension that encodes a unique bot // instance identifier into a certificate. BotInstanceASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 20} + + // JoinAttributesASN1ExtensionOID is an extension that encodes the + // attributes that resulted from the Bot/Agent join process. + JoinAttributesASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 21} ) // Device Trust OIDs. @@ -895,6 +905,19 @@ func (id *Identity) Subject() (pkix.Name, error) { ) } + if id.JoinAttributes != nil { + encoded, err := protojson.Marshal(id.JoinAttributes) + if err != nil { + return pkix.Name{}, trace.Wrap(err, "encoding join attributes as protojson") + } + subject.ExtraNames = append(subject.ExtraNames, + pkix.AttributeTypeAndValue{ + Type: JoinAttributesASN1ExtensionOID, + Value: string(encoded), + }, + ) + } + // Device extensions. if devID := id.DeviceExtensions.DeviceID; devID != "" { subject.ExtraNames = append(subject.ExtraNames, pkix.AttributeTypeAndValue{ 
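Review bot: JoinAttributesASN1ExtensionOID's comment should say what the value is and how it is encoded: the attribute is a `string` holding protojson of a `workloadidentityv1pb.JoinAttrs`, and protojson output is documented as unstable (the package deliberately varies whitespace between runs), so two certificates for the same identity may carry different bytes and nothing should compare or hash this attribute; suggest `// The value is the protojson encoding of a workloadidentityv1pb.JoinAttrs. protojson output is not stable, so it must only be decoded, never compared.` It is also worth a line on Identity.JoinAttributes noting that these third-party-attested claims (repository, actor, pod name, ...) become readable by any peer the certificate is presented to, which changes what the certificate discloses. Subject() starts outside the hunk.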
@@ -1158,6 +1181,19 @@ func FromSubject(subject pkix.Name, expires time.Time) (*Identity, error) { if val, ok := attr.Value.(string); ok { id.UserType = types.UserType(val) } + case attr.Type.Equal(JoinAttributesASN1ExtensionOID): + if val, ok := attr.Value.(string); ok { + id.JoinAttributes = &workloadidentityv1pb.JoinAttrs{} + unmarshaler := protojson.UnmarshalOptions{ + // We specifically want to DiscardUnknown or unmarshaling + // will fail if the proto message was issued by a newer + // auth server w/ new fields. + DiscardUnknown: true, + } + if err := unmarshaler.Unmarshal([]byte(val), id.JoinAttributes); err != nil { + return nil, trace.Wrap(err) + } + } } } diff --git a/lib/tpm/validate.go b/lib/tpm/validate.go index 268857d35e4ff..126133d31e644 100644 --- a/lib/tpm/validate.go +++ b/lib/tpm/validate.go @@ -27,6 +27,8 @@ import ( "github.com/google/go-attestation/attest" "github.com/gravitational/trace" + + workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1" ) // ValidateParams are the parameters required to validate a TPM. 
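Review bot: The decode error in FromSubject is wrapped without context, unlike the encode side (`"encoding join attributes as protojson"`); suggest `return nil, trace.Wrap(err, "decoding join attributes from certificate subject")` so a malformed extension is identifiable in logs. A certificate with the extension present but undecodable now fails identity parsing entirely rather than dropping the attributes, which is the safe choice given the CA signed it; a short comment stating that this is intentional would help. FromSubject starts outside the hunk.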
@@ -63,14 +65,17 @@ type ValidatedTPM struct { EKCertVerified bool `json:"ek_cert_verified"` } -// JoinAuditAttributes returns a series of attributes that can be inserted into -// audit events related to a specific join. -func (c *ValidatedTPM) JoinAuditAttributes() (map[string]interface{}, error) { - return map[string]interface{}{ - "ek_pub_hash": c.EKPubHash, - "ek_cert_serial": c.EKCertSerial, - "ek_cert_verified": c.EKCertVerified, - }, nil +// JoinAttrs returns the protobuf representation of the attested identity. +// This is used for auditing and for evaluation of WorkloadIdentity rules and +// templating. +func (c *ValidatedTPM) JoinAttrs() *workloadidentityv1pb.JoinAttrsTPM { + attrs := &workloadidentityv1pb.JoinAttrsTPM{ + EkPubHash: c.EKPubHash, + EkCertSerial: c.EKCertSerial, + EkCertVerified: c.EKCertVerified, + } + + return attrs } // Validate takes the parameters from a remote TPM and performs the necessary diff --git a/tool/tctl/common/bots_command.go b/tool/tctl/common/bots_command.go index 306969eec1f26..a24d33cd4854a 100644 --- a/tool/tctl/common/bots_command.go +++ b/tool/tctl/common/bots_command.go @@ -579,7 +579,10 @@ func (c *BotsCommand) ListBotInstances(ctx context.Context, client *authclient.C ) joined := i.Status.InitialAuthentication.AuthenticatedAt.AsTime().Format(time.RFC3339) - initialJoinMethod := i.Status.InitialAuthentication.JoinMethod + initialJoinMethod := cmp.Or( + i.Status.InitialAuthentication.GetJoinAttrs().GetMeta().GetJoinMethod(), + i.Status.InitialAuthentication.JoinMethod, + ) lastSeen := i.Status.InitialAuthentication.AuthenticatedAt.AsTime() 
@@ -590,8 +593,12 @@ func (c *BotsCommand) ListBotInstances(ctx context.Context, client *authclient.C generation = fmt.Sprint(auth.Generation) - if auth.JoinMethod == initialJoinMethod { - joinMethod = auth.JoinMethod + authJM := cmp.Or( + auth.GetJoinAttrs().GetMeta().GetJoinMethod(), + auth.JoinMethod, + ) + if authJM == initialJoinMethod { + joinMethod = authJM } else { // If the join method changed, show the original method and latest joinMethod = fmt.Sprintf("%s (%s)", auth.JoinMethod, initialJoinMethod) @@ -835,9 +842,13 @@ func splitEntries(flag string) []string { func formatBotInstanceAuthentication(record *machineidv1pb.BotInstanceStatusAuthentication) string { table := asciitable.MakeHeadlessTable(2) table.AddRow([]string{"Authenticated At:", record.AuthenticatedAt.AsTime().Format(time.RFC3339)}) - table.AddRow([]string{"Join Method:", record.JoinMethod}) - table.AddRow([]string{"Join Token:", record.JoinToken}) - table.AddRow([]string{"Join Metadata:", record.Metadata.String()}) + table.AddRow([]string{"Join Method:", cmp.Or(record.GetJoinAttrs().GetMeta().GetJoinMethod(), record.JoinMethod)}) + table.AddRow([]string{"Join Token:", cmp.Or(record.GetJoinAttrs().GetMeta().GetJoinTokenName(), record.JoinToken)}) + var meta fmt.Stringer = record.GetJoinAttrs() + if meta == nil { + meta = record.Metadata + } + table.AddRow([]string{"Join Metadata:", meta.String()}) table.AddRow([]string{"Generation:", fmt.Sprint(record.Generation)}) table.AddRow([]string{"Public Key:", fmt.Sprintf("<%d bytes>", len(record.PublicKey))})
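Review bot: The else branch still formats `auth.JoinMethod` while the comparison just above switched to `authJM`; for a record that populates join_attrs but not the deprecated JoinMethod field, the output becomes ` (token)` instead of `<method> (<initial>)`. Change it to `joinMethod = fmt.Sprintf("%s (%s)", authJM, initialJoinMethod)`. The next hunk in this file assigns `record.GetJoinAttrs()` to a `fmt.Stringer` and then tests `meta == nil`; a nil `*JoinAttrs` stored in an interface is non-nil, so the fallback to `record.Metadata` never runs — compare the pointer before boxing, e.g. `if ja := record.GetJoinAttrs(); ja != nil { meta = ja } else { meta = record.Metadata }`. That hunk continues past the end of this chunk.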