Merge branch 'master' into david/fix-ssh-reject

gravitational · Apr 15, 2022 · de9f064 · de9f064
2 parents a59074c + cabfcdb
commit de9f064
Show file tree

Hide file tree

Showing 35 changed files with 4,023 additions and 2,042 deletions.
diff --git a/api/client/client.go b/api/client/client.go
@@ -2489,6 +2489,7 @@ func GetResourcesWithFilters(ctx context.Context, clt ListResourcesClient, req p
 			Labels:              req.Labels,
 			SearchKeywords:      req.SearchKeywords,
 			PredicateExpression: req.PredicateExpression,
+			UseSearchAsRoles:    req.UseSearchAsRoles,
 		})
 		if err != nil {
 			if trace.IsLimitExceeded(err) {

diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/client/proto/authservice.proto b/api/client/proto/authservice.proto
@@ -1505,6 +1505,9 @@ message ListResourcesRequest {
     // WindowsDesktopFilter specifies windows desktop specific filters.
     types.WindowsDesktopFilter WindowsDesktopFilter = 10
         [ (gogoproto.nullable) = false, (gogoproto.jsontag) = "windows_desktop_filter,omitempty" ];
+    // UseSearchAsRoles indicates that the response should include all resources
+    // the caller is able to request access to using search_as_roles
+    bool UseSearchAsRoles = 11 [ (gogoproto.jsontag) = "use_search_as_roles,omitempty" ];
 }
 
 // ListResourceResponse response of ListResources.

diff --git a/api/types/constants.go b/api/types/constants.go
@@ -402,3 +402,6 @@ const (
 	// BotGenerationLabel is a label used to record the certificate generation counter.
 	BotGenerationLabel = "teleport.internal/bot-generation"
 )
+
+// ResourceKinds lists all Teleport resource kinds users can request access to.
+var ResourceKinds = []string{KindNode, KindDatabaseServer, KindAppServer, KindKubeService, KindWindowsDesktop}
diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/api/types/events/events.proto b/api/types/events/events.proto
@@ -1891,6 +1891,7 @@ message OneOf {
         events.MySQLProcessKill MySQLProcessKill = 85;
         events.MySQLDebug MySQLDebug = 86;
         events.MySQLRefresh MySQLRefresh = 87;
+        events.AccessRequestResourceSearch AccessRequestResourceSearch = 88;
     }
 }
 
@@ -2015,6 +2016,29 @@ message RouteToDatabase {
     string Database = 4 [ (gogoproto.jsontag) = "database,omitempty" ];
 }
 
+// AccessRequestResourceSearch is emitted when a user searches for resources as
+// part of a search-based access request
+message AccessRequestResourceSearch {
+    // Metadata is common event metadata.
+    Metadata Metadata = 1
+        [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
+    // User is common user metadata.
+    UserMetadata User = 2
+        [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
+    // SearchAsRoles is the list of roles the search was performed as.
+    repeated string SearchAsRoles = 3 [ (gogoproto.jsontag) = "search_as_roles" ];
+    // ResourceType is the type of resource being searched for.
+    string ResourceType = 4 [ (gogoproto.jsontag) = "resource_type,omitempty" ];
+    // Namespace is the namespace of resources.
+    string Namespace = 5 [ (gogoproto.jsontag) = "namespace,omitempty" ];
+    // Labels is the label-based matcher used for the search.
+    map<string, string> Labels = 6 [ (gogoproto.jsontag) = "labels,omitempty" ];
+    // PredicateExpression is the list of boolean conditions that were used for the search.
+    string PredicateExpression = 7 [ (gogoproto.jsontag) = "predicate_expression,omitempty" ];
+    // SearchKeywords is the list of search keywords used to match against resource field values.
+    repeated string SearchKeywords = 8 [ (gogoproto.jsontag) = "search_keywords,omitempty" ];
+}
+
 // MySQLStatementPrepare is emitted when a MySQL client creates a prepared
 // statement using the prepared statement protocol.
 message MySQLStatementPrepare {

diff --git a/api/types/events/oneof.go b/api/types/events/oneof.go
@@ -131,6 +131,10 @@ func ToOneOf(in AuditEvent) (*OneOf, error) {
 		out.Event = &OneOf_AccessRequestCreate{
 			AccessRequestCreate: e,
 		}
+	case *AccessRequestResourceSearch:
+		out.Event = &OneOf_AccessRequestResourceSearch{
+			AccessRequestResourceSearch: e,
+		}
 	case *RoleCreate:
 		out.Event = &OneOf_RoleCreate{
 			RoleCreate: e,

diff --git a/api/types/role.go b/api/types/role.go
@@ -157,6 +157,15 @@ type Role interface {
 	SetSessionJoinPolicies([]*SessionJoinPolicy)
 	// GetSessionPolicySet returns the RBAC policy set for a role.
 	GetSessionPolicySet() SessionTrackerPolicySet
+
+	// GetSearchAsRoles returns the list of roles which the user should be able
+	// to "assume" while searching for resources, and should be able to request
+	// with a search-based access request.
+	GetSearchAsRoles() []string
+	// SetSearchAsRoles sets the list of roles which the user should be able
+	// to "assume" while searching for resources, and should be able to request
+	// with a search-based access request.
+	SetSearchAsRoles([]string)
 }
 
 // NewRole constructs new standard V5 role.
@@ -1140,3 +1149,23 @@ func (r *RoleV5) GetSessionJoinPolicies() []*SessionJoinPolicy {
 func (r *RoleV5) SetSessionJoinPolicies(policies []*SessionJoinPolicy) {
 	r.Spec.Allow.JoinSessions = policies
 }
+
+// GetSearchAsRoles returns the list of roles which the user should be able to
+// "assume" while searching for resources, and should be able to request with a
+// search-based access request.
+func (r *RoleV5) GetSearchAsRoles() []string {
+	if r.Spec.Allow.Request == nil {
+		return nil
+	}
+	return r.Spec.Allow.Request.SearchAsRoles
+}
+
+// SetSearchAsRoles sets the list of roles which the user should be able to
+// "assume" while searching for resources, and should be able to request with a
+// search-based access request.
+func (r *RoleV5) SetSearchAsRoles(roles []string) {
+	if r.Spec.Allow.Request == nil {
+		r.Spec.Allow.Request = &AccessRequestConditions{}
+	}
+	r.Spec.Allow.Request.SearchAsRoles = roles
+}