gravitational · Joerger · Oct 18, 2023 · Oct 13, 2023
diff --git a/gen/proto/go/prehog/v1alpha/teleport.pb.go b/gen/proto/go/prehog/v1alpha/teleport.pb.go
diff --git a/gen/proto/js/prehog/v1alpha/teleport_pb.d.ts b/gen/proto/js/prehog/v1alpha/teleport_pb.d.ts
diff --git a/gen/proto/js/prehog/v1alpha/teleport_pb.js b/gen/proto/js/prehog/v1alpha/teleport_pb.js
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -2255,7 +2255,7 @@ func (a *Server) AugmentContextUserCertificates(
 
 // submitCertificateIssuedEvent submits a certificate issued usage event to the
 // usage reporting service.
-func (a *Server) submitCertificateIssuedEvent(req *certRequest) {
+func (a *Server) submitCertificateIssuedEvent(req *certRequest, params services.UserCertParams) {
 	var database, app, kubernetes, desktop bool
 
 	if req.dbService != "" {
@@ -2291,13 +2291,14 @@ func (a *Server) submitCertificateIssuedEvent(req *certRequest) {
 	}
 
 	a.AnonymizeAndSubmit(&usagereporter.UserCertificateIssuedEvent{
-		UserName:        user,
-		Ttl:             durationpb.New(req.ttl),
-		IsBot:           bot,
-		UsageDatabase:   database,
-		UsageApp:        app,
-		UsageKubernetes: kubernetes,
-		UsageDesktop:    desktop,
+		UserName:         user,
+		Ttl:              durationpb.New(req.ttl),
+		IsBot:            bot,
+		UsageDatabase:    database,
+		UsageApp:         app,
+		UsageKubernetes:  kubernetes,
+		UsageDesktop:     desktop,
+		PrivateKeyPolicy: string(params.PrivateKeyPolicy),
 	})
 }
 
@@ -2649,7 +2650,7 @@ func generateCert(a *Server, req certRequest, caType types.CertAuthType) (*proto
 		certs.SSHCACerts = append(certs.SSHCACerts, services.GetSSHCheckingKeys(ca)...)
 	}
 
-	a.submitCertificateIssuedEvent(&req)
+	a.submitCertificateIssuedEvent(&req, params)
 
 	userCertificatesGeneratedMetric.WithLabelValues(string(attestedKeyPolicy)).Inc()
 

diff --git a/lib/usagereporter/teleport/audit.go b/lib/usagereporter/teleport/audit.go
@@ -58,9 +58,10 @@ func ConvertAuditEvent(event apievents.AuditEvent) Anonymizable {
 		// SSO) if desired, but we currently only care about connector type /
 		// method
 		return &UserLoginEvent{
-			UserName:      e.User,
-			ConnectorType: e.Method,
-			DeviceId:      deviceID,
+			UserName:                 e.User,
+			ConnectorType:            e.Method,
+			DeviceId:                 deviceID,
+			RequiredPrivateKeyPolicy: e.RequiredPrivateKeyPolicy,
 		}
 
 	case *apievents.SessionStart:

diff --git a/lib/usagereporter/teleport/types.go b/lib/usagereporter/teleport/types.go
@@ -46,9 +46,10 @@ func (u *UserLoginEvent) Anonymize(a utils.Anonymizer) prehogv1a.SubmitEventRequ
 	return prehogv1a.SubmitEventRequest{
 		Event: &prehogv1a.SubmitEventRequest_UserLogin{
 			UserLogin: &prehogv1a.UserLoginEvent{
-				UserName:      a.AnonymizeString(u.UserName),
-				ConnectorType: u.ConnectorType,
-				DeviceId:      deviceID,
+				UserName:                 a.AnonymizeString(u.UserName),
+				ConnectorType:            u.ConnectorType,
+				DeviceId:                 deviceID,
+				RequiredPrivateKeyPolicy: u.RequiredPrivateKeyPolicy,
 			},
 		},
 	}

diff --git a/proto/prehog/v1alpha/teleport.proto b/proto/prehog/v1alpha/teleport.proto
@@ -41,6 +41,9 @@ message UserLoginEvent {
   //
   // PostHog property: tp.device_id
   string device_id = 3;
+
+  // the required private key policy for this login.
+  string required_private_key_policy = 4;
 }
 
 message SSOCreateEvent {
@@ -224,6 +227,9 @@ message UserCertificateIssuedEvent {
   // If true, the certificate usage is restricted to desktop access.
   // PostHog property: tp.usage_desktop
   bool usage_desktop = 7;
+
+  // the private key policy associated with these user certificates.
+  string private_key_policy = 8;
 }
 
 // UIBannerClickEvent is a usage event sent by the UI when the upgrade