Security Reports

api/client/client.go

@@ -47,6 +47,7 @@ import (
 	"github.com/gravitational/teleport/api/client/externalcloudaudit"
 	"github.com/gravitational/teleport/api/client/okta"
 	"github.com/gravitational/teleport/api/client/proto"
+	"github.com/gravitational/teleport/api/client/secreport"
 	"github.com/gravitational/teleport/api/client/userloginstate"
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/defaults"
@@ -63,6 +64,7 @@ import (
 	pluginspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/plugins/v1"
 	resourceusagepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/resourceusage/v1"
 	samlidppb "github.com/gravitational/teleport/api/gen/proto/go/teleport/samlidp/v1"
+	secreportsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/secreports/v1"
 	trustpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/trust/v1"
 	userloginstatev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/userloginstate/v1"
 	userpreferencespb "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1"
@@ -787,6 +789,11 @@ func (c *Client) LoginRuleClient() loginrulepb.LoginRuleServiceClient {
 	return loginrulepb.NewLoginRuleServiceClient(c.conn)
 }
 
+// SecReportsClient returns Security client that can be used to fetch security reports.
+func (c *Client) SecReportsClient() *secreport.Client {
+	return secreport.NewClient(secreportsv1.NewSecReportsServiceClient(c.conn))
+}
+
 // SAMLIdPClient returns an unadorned SAML IdP client, using the underlying
 // Auth gRPC connection.
 // Clients connecting to non-Enterprise clusters, or older Teleport versions,

api/client/events.go

@@ -25,6 +25,8 @@ import (
 	discoveryconfigv1conv "github.com/gravitational/teleport/api/types/discoveryconfig/convert/v1"
 	"github.com/gravitational/teleport/api/types/externalcloudaudit"
 	externalcloudauditv1conv "github.com/gravitational/teleport/api/types/externalcloudaudit/convert/v1"
+	"github.com/gravitational/teleport/api/types/secreports"
+	secreprotsv1conv "github.com/gravitational/teleport/api/types/secreports/convert/v1"
 	"github.com/gravitational/teleport/api/types/userloginstate"
 	userloginstatev1conv "github.com/gravitational/teleport/api/types/userloginstate/convert/v1"
 )
@@ -238,6 +240,18 @@ func EventToGRPC(in types.Event) (*proto.Event, error) {
 		out.Resource = &proto.Event_DiscoveryConfig{
 			DiscoveryConfig: discoveryconfigv1conv.ToProto(r),
 		}
+	case *secreports.AuditQuery:
+		out.Resource = &proto.Event_AuditQuery{
+			AuditQuery: secreprotsv1conv.ToProtoAuditQuery(r),
+		}
+	case *secreports.Report:
+		out.Resource = &proto.Event_Report{
+			Report: secreprotsv1conv.ToProtoReport(r),
+		}
+	case *secreports.ReportState:
+		out.Resource = &proto.Event_ReportState{
+			ReportState: secreprotsv1conv.ToProtoReportState(r),
+		}
 	default:
 		return nil, trace.BadParameter("resource type %T is not supported", in.Resource)
 	}
@@ -417,6 +431,24 @@ func EventFromGRPC(in *proto.Event) (*types.Event, error) {
 			return nil, trace.Wrap(err)
 		}
 		return &out, nil
+	} else if r := in.GetAuditQuery(); r != nil {
+		out.Resource, err = secreprotsv1conv.FromProtoAuditQuery(r)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		return &out, nil
+	} else if r := in.GetReport(); r != nil {
+		out.Resource, err = secreprotsv1conv.FromProtoReport(r)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		return &out, nil
+	} else if r := in.GetReportState(); r != nil {
+		out.Resource, err = secreprotsv1conv.FromProtoReportState(r)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		return &out, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
 	}

api/client/secreport/crud.go

@@ -0,0 +1,155 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secreport
+
+import (
+	"context"
+
+	"github.com/gravitational/trace"
+	"github.com/gravitational/trace/trail"
+
+	pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/secreports/v1"
+	"github.com/gravitational/teleport/api/types/secreports"
+	v1 "github.com/gravitational/teleport/api/types/secreports/convert/v1"
+)
+
+// GetSecurityAuditQuery returns audit query by name
+func (c *Client) GetSecurityAuditQuery(ctx context.Context, name string) (*secreports.AuditQuery, error) {
+	resp, err := c.grpcClient.GetAuditQuery(ctx, &pb.GetAuditQueryRequest{Name: name})
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+	out, err := v1.FromProtoAuditQuery(resp)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return out, nil
+}
+
+// UpsertSecurityAuditQuery upsets audit query.
+func (c *Client) UpsertSecurityAuditQuery(ctx context.Context, in *secreports.AuditQuery) error {
+	_, err := c.grpcClient.UpsertAuditQuery(ctx, &pb.UpsertAuditQueryRequest{AuditQuery: v1.ToProtoAuditQuery(in)})
+	if err != nil {
+		return trail.FromGRPC(err)
+	}
+	return nil
+}
+
+// DeleteSecurityAuditQuery deletes audit query by name.
+func (c *Client) DeleteSecurityAuditQuery(ctx context.Context, name string) error {
+	_, err := c.grpcClient.DeleteAuditQuery(ctx, &pb.DeleteAuditQueryRequest{Name: name})
+	if err != nil {
+		return trail.FromGRPC(err)
+	}
+	return nil
+}
+
+// UpsertSecurityReport upsets security report.
+func (c *Client) UpsertSecurityReport(ctx context.Context, item *secreports.Report) error {
+	_, err := c.grpcClient.UpsertReport(ctx, &pb.UpsertReportRequest{Report: v1.ToProtoReport(item)})
+	if err != nil {
+		return trail.FromGRPC(err)
+	}
+	return nil
+}
+
+// GetSecurityReport returns security report by name.
+func (c *Client) GetSecurityReport(ctx context.Context, name string) (*secreports.Report, error) {
+	resp, err := c.grpcClient.GetReport(ctx, &pb.GetReportRequest{Name: name})
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+
+	out, err := v1.FromProtoReport(resp)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return out, nil
+}
+
+// GetSecurityReportResult returns security report details by name.
+func (c *Client) GetSecurityReportResult(ctx context.Context, name string, days int) (*pb.ReportResult, error) {
+	resp, err := c.grpcClient.GetReportResult(ctx, &pb.GetReportResultRequest{
+		Name: name,
+		Days: uint32(days),
+	})
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+	return resp.GetResult(), nil
+}
+
+// RunSecurityReport runs security report by name.
+func (c *Client) RunSecurityReport(ctx context.Context, name string, days int) error {
+	_, err := c.grpcClient.RunReport(ctx, &pb.RunReportRequest{Name: name, Days: uint32(days)})
+	if err != nil {
+		return trail.FromGRPC(err)
+	}
+	return nil
+}
+
+// GetSecurityAuditQueryResult returns audit query result by id.
+func (c *Client) GetSecurityAuditQueryResult(ctx context.Context, resultID, nextToken string, maxResults int32) (*pb.GetAuditQueryResultResponse, error) {
+	resp, err := c.grpcClient.GetAuditQueryResult(ctx, &pb.GetAuditQueryResultRequest{
+		ResultId:   resultID,
+		NextToken:  nextToken,
+		MaxResults: maxResults,
+	})
+	if err != nil {
+		return nil, trail.FromGRPC(err)
+	}
+	return resp, nil
+}
+
+// GetSecurityReportsStates returns all security reports states.
+func (c *Client) GetSecurityReportsStates(ctx context.Context) ([]*secreports.ReportState, error) {
+	return nil, trace.NotImplemented("GetSecurityReportsStates is not supported in the gRPC client")
+}
+
+// ListSecurityReportsStates returns all security reports states.
+func (c *Client) ListSecurityReportsStates(ctx context.Context, i int, s string) ([]*secreports.ReportState, string, error) {
+	return nil, "", trace.NotImplemented("ListSecurityReportsStates is not supported in the gRPC client")
+}
+
+// UpsertSecurityReportsState upserts security reports state.
+func (c *Client) UpsertSecurityReportsState(ctx context.Context, item *secreports.ReportState) error {
+	return trace.NotImplemented("UpsertSecurityReportsState is not supported in the gRPC client")
+}
+
+// DeleteSecurityReportsState deletes security reports state by name.
+func (c *Client) DeleteSecurityReportsState(ctx context.Context, name string) error {
+	return trace.NotImplemented("DeleteSecurityReportsState is not supported in the gRPC client")
+}
+
+// DeleteAllSecurityReportsStates deletes all security reports states.
+func (c *Client) DeleteAllSecurityReportsStates(ctx context.Context) error {
+	return trace.NotImplemented("DeleteAllSecurityReportsStates is not supported in the gRPC client")
+}
+
+// DeleteAllSecurityReports deletes all security reports.
+func (c *Client) DeleteAllSecurityReports(ctx context.Context) error {
+	return trace.NotImplemented("DeleteAllSecurityReportsStates is not supported in the gRPC client")
+}
+
+// DeleteAllSecurityAuditQueries deletes all security audit queries.
+func (c *Client) DeleteAllSecurityAuditQueries(ctx context.Context) error {
+	return trace.NotImplemented("DeleteAllSecurityAuditQueries is not supported in the gRPC client")
+}
+
+func (c *Client) GetSecurityReportState(ctx context.Context, name string) (*secreports.ReportState, error) {
+	return nil, trace.NotImplemented("GetSecurityReportState is not supported in the gRPC client")
+}