Add renewable certificate generation checks

api/client/client.go

@@ -723,17 +723,6 @@ func (c *Client) GetBotUsers(ctx context.Context) ([]types.User, error) {
 	return users, nil
 }
 
-// GenerateInitialRenewableUserCerts exchanges a bot token for a set of
-// renewable user certificates.
-func (c *Client) GenerateInitialRenewableUserCerts(ctx context.Context, req *proto.RenewableCertsRequest) (*proto.Certs, error) {
-	certs, err := c.grpc.GenerateInitialRenewableUserCerts(ctx, req, c.callOpts...)
-	if err != nil {
-		return nil, trail.FromGRPC(err)
-	}
-
-	return certs, nil
-}
-
 // GetAccessRequests retrieves a list of all access requests matching the provided filter.
 func (c *Client) GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error) {
 	rsp, err := c.grpc.GetAccessRequests(ctx, &filter, c.callOpts...)

api/client/proto/authservice.proto

@@ -1668,9 +1668,6 @@ service AuthService {
     rpc DeleteBot(DeleteBotRequest) returns (google.protobuf.Empty);
     // GetBotUsers gets all users with bot labels.
     rpc GetBotUsers(GetBotUsersRequest) returns (stream types.UserV2);
-    // GenerateInitialRenewableUserCerts generates an initial set of renewable
-    // certificates using a bot token.
-    rpc GenerateInitialRenewableUserCerts(RenewableCertsRequest) returns (Certs);
 
     // GetUser gets a user resource by name.
     rpc GetUser(GetUserRequest) returns (types.UserV2);

api/types/events/events.proto

@@ -1769,6 +1769,19 @@ message CertificateCreate {
     Identity Identity = 3 [ (gogoproto.jsontag) = "identity" ];
 }
 
+// RenewableCertificateGenerationMismatch is emitted when a renewable
+// certificiate's generation counter fails to validate, possibly indicating a
+// stolen certificate and an invalid renewal attempt.
+message RenewableCertificateGenerationMismatch {
+    // Metadata is a common event metadata.
+    Metadata Metadata = 1
+        [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
+
+    // UserMetadata is a common user event metadata.
+    UserMetadata UserMetadata = 2
+        [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
+}
+
 // OneOf is a union of one of audit events submitted to the auth service
 message OneOf {
     // Event is one of the audit events
@@ -1851,6 +1864,7 @@ message OneOf {
         events.MySQLStatementReset MySQLStatementReset = 76;
         events.MySQLStatementFetch MySQLStatementFetch = 77;
         events.MySQLStatementBulkExecute MySQLStatementBulkExecute = 78;
+        events.RenewableCertificateGenerationMismatch RenewableCertificateGenerationMismatch = 79;
     }
 }
 

api/types/events/oneof.go

@@ -349,6 +349,10 @@ func ToOneOf(in AuditEvent) (*OneOf, error) {
 		out.Event = &OneOf_MySQLStatementBulkExecute{
 			MySQLStatementBulkExecute: e,
 		}
+	case *RenewableCertificateGenerationMismatch:
+		out.Event = &OneOf_RenewableCertificateGenerationMismatch{
+			RenewableCertificateGenerationMismatch: e,
+		}
 	default:
 		return nil, trace.BadParameter("event type %T is not supported", in)
 	}

api/types/provisioning.go

@@ -56,6 +56,8 @@ type ProvisionToken interface {
 	GetAWSIIDTTL() Duration
 	// GetJoinMethod returns joining method that must be used with this token.
 	GetJoinMethod() JoinMethod
+	// GetBotName returns the BotName field which must be set for joining bots.
+	GetBotName() string
 	// V1 returns V1 version of the resource
 	V1() *ProvisionTokenV1
 	// String returns user friendly representation of the resource
@@ -114,6 +116,14 @@ func (p *ProvisionTokenV2) CheckAndSetDefaults() error {
 		return trace.Wrap(err)
 	}
 
+	if SystemRoles(p.Spec.Roles).Include(RoleBot) && p.Spec.BotName == "" {
+		return trace.BadParameter("token with role %q must set bot_name", RoleBot)
+	}
+
+	if p.Spec.BotName != "" && !SystemRoles(p.Spec.Roles).Include(RoleBot) {
+		return trace.BadParameter("can only set bot_name on token with role %q", RoleBot)
+	}
+
 	hasAllowRules := len(p.Spec.Allow) > 0
 	if p.Spec.JoinMethod == JoinMethodUnspecified {
 		// Default to the ec2 join method if any allow rules were specified,
@@ -200,6 +210,11 @@ func (p *ProvisionTokenV2) GetJoinMethod() JoinMethod {
 	return p.Spec.JoinMethod
 }
 
+// GetBotName returns the BotName field which must be set for joining bots.
+func (p *ProvisionTokenV2) GetBotName() string {
+	return p.Spec.BotName
+}
+
 // GetKind returns resource kind
 func (p *ProvisionTokenV2) GetKind() string {
 	return p.Kind

api/types/register.go

@@ -20,7 +20,7 @@ import "github.com/gravitational/trace"
 
 // CheckAndSetDefaults checks for errors and sets defaults
 func (r *RegisterUsingTokenRequest) CheckAndSetDefaults() error {
-	if r.HostID == "" {
+	if r.HostID == "" && r.Role != RoleBot {
 		return trace.BadParameter("missing parameter HostID")
 	}
 	if r.Token == "" {

api/types/system_role.go

@@ -58,6 +58,8 @@ const (
 	RoleDatabase SystemRole = "Db"
 	// RoleWindowsDesktop is a role for a Windows desktop service.
 	RoleWindowsDesktop SystemRole = "WindowsDesktop"
+	// RoleBot is a role for a bot.
+	RoleBot SystemRole = "Bot"
 )
 
 // roleMappings maps a set of allowed lowercase system role names
@@ -79,6 +81,7 @@ var roleMappings = map[string]SystemRole{
 	"db":              RoleDatabase,
 	"windowsdesktop":  RoleWindowsDesktop,
 	"windows_desktop": RoleWindowsDesktop,
+	"bot":             RoleBot,
 }
 
 // NewTeleportRoles return a list of teleport roles from slice of strings