diff --git a/api/client/client.go b/api/client/client.go index f0b04ec8a25b2..f69903807b00d 100644 --- a/api/client/client.go +++ b/api/client/client.go @@ -38,6 +38,7 @@ import ( "google.golang.org/grpc/credentials" ggzip "google.golang.org/grpc/encoding/gzip" "google.golang.org/grpc/keepalive" + "google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/emptypb" "google.golang.org/protobuf/types/known/timestamppb" @@ -4317,6 +4318,30 @@ func (c *Client) UpsertCertAuthority(ctx context.Context, ca types.CertAuthority return out, trace.Wrap(err) } +// RotateCertAuthority updates or inserts new cert authority +func (c *Client) RotateCertAuthority(ctx context.Context, rr types.RotateRequest) error { + req := &trustpb.RotateCertAuthorityRequest{ + Type: string(rr.Type), + TargetPhase: rr.TargetPhase, + Mode: rr.Mode, + } + + if rr.GracePeriod != nil { + req.GracePeriod = durationpb.New(*rr.GracePeriod) + } + + if rr.Schedule != nil { + req.Schedule = &trustpb.RotationSchedule{ + UpdateClients: timestamppb.New(rr.Schedule.UpdateClients), + UpdateServers: timestamppb.New(rr.Schedule.UpdateServers), + Standby: timestamppb.New(rr.Schedule.Standby), + } + } + + _, err := c.TrustClient().RotateCertAuthority(ctx, req) + return trace.Wrap(err) +} + // UpdateHeadlessAuthenticationState updates a headless authentication state. func (c *Client) UpdateHeadlessAuthenticationState(ctx context.Context, id string, state types.HeadlessAuthenticationState, mfaResponse *proto.MFAAuthenticateResponse) error { _, err := c.grpc.UpdateHeadlessAuthenticationState(ctx, &proto.UpdateHeadlessAuthenticationStateRequest{ diff --git a/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go b/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go index bea6c3f6f7bbc..54741dbd54235 100644 --- a/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go +++ b/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go @@ -26,6 +26,7 @@ import ( protoimpl "google.golang.org/protobuf/runtime/protoimpl" durationpb "google.golang.org/protobuf/types/known/durationpb" emptypb "google.golang.org/protobuf/types/known/emptypb" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" reflect "reflect" sync "sync" ) @@ -318,6 +319,207 @@ func (x *UpsertCertAuthorityRequest) GetCertAuthority() *types.CertAuthorityV2 { return nil } +// Request for RotateCertAuthority. +type RotateCertAuthorityRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Type is a certificate authority type, if omitted, both user and host CA + // will be rotated. + Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"` + // GracePeriod is used to generate cert rotation schedule that defines + // times at which different rotation phases will be applied by the auth server + // in auto mode. It is not used in manual rotation mode. + // If omitted, default value is set, if 0 is supplied, it is interpreted as + // forcing rotation of all certificate authorities with no grace period, + // all existing users and hosts will have to re-login and re-added + // into the cluster. + GracePeriod *durationpb.Duration `protobuf:"bytes,2,opt,name=grace_period,json=gracePeriod,proto3" json:"grace_period,omitempty"` + // TargetPhase sets desired rotation phase to move to, if not set + // will be set automatically, it is a required argument + // for manual rotation. + TargetPhase string `protobuf:"bytes,3,opt,name=target_phase,json=targetPhase,proto3" json:"target_phase,omitempty"` + // Mode sets manual or auto rotation mode. + Mode string `protobuf:"bytes,4,opt,name=mode,proto3" json:"mode,omitempty"` + // Schedule is an optional rotation schedule, + // autogenerated based on GracePeriod parameter if not set. + Schedule *RotationSchedule `protobuf:"bytes,5,opt,name=schedule,proto3" json:"schedule,omitempty"` +} + +func (x *RotateCertAuthorityRequest) Reset() { + *x = RotateCertAuthorityRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RotateCertAuthorityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RotateCertAuthorityRequest) ProtoMessage() {} + +func (x *RotateCertAuthorityRequest) ProtoReflect() protoreflect.Message { + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RotateCertAuthorityRequest.ProtoReflect.Descriptor instead. +func (*RotateCertAuthorityRequest) Descriptor() ([]byte, []int) { + return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{5} +} + +func (x *RotateCertAuthorityRequest) GetType() string { + if x != nil { + return x.Type + } + return "" +} + +func (x *RotateCertAuthorityRequest) GetGracePeriod() *durationpb.Duration { + if x != nil { + return x.GracePeriod + } + return nil +} + +func (x *RotateCertAuthorityRequest) GetTargetPhase() string { + if x != nil { + return x.TargetPhase + } + return "" +} + +func (x *RotateCertAuthorityRequest) GetMode() string { + if x != nil { + return x.Mode + } + return "" +} + +func (x *RotateCertAuthorityRequest) GetSchedule() *RotationSchedule { + if x != nil { + return x.Schedule + } + return nil +} + +// RotationSchedule is a rotation schedule setting time switches for different phases. +type RotationSchedule struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // UpdateClients specifies time to switch to the "Update clients" phase + UpdateClients *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=update_clients,json=updateClients,proto3" json:"update_clients,omitempty"` + // UpdateServers specifies time to switch to the "Update servers" phase. + UpdateServers *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=update_servers,json=updateServers,proto3" json:"update_servers,omitempty"` + // Standby specifies time to switch to the "Standby" phase. + Standby *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=standby,proto3" json:"standby,omitempty"` +} + +func (x *RotationSchedule) Reset() { + *x = RotationSchedule{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RotationSchedule) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RotationSchedule) ProtoMessage() {} + +func (x *RotationSchedule) ProtoReflect() protoreflect.Message { + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RotationSchedule.ProtoReflect.Descriptor instead. +func (*RotationSchedule) Descriptor() ([]byte, []int) { + return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{6} +} + +func (x *RotationSchedule) GetUpdateClients() *timestamppb.Timestamp { + if x != nil { + return x.UpdateClients + } + return nil +} + +func (x *RotationSchedule) GetUpdateServers() *timestamppb.Timestamp { + if x != nil { + return x.UpdateServers + } + return nil +} + +func (x *RotationSchedule) GetStandby() *timestamppb.Timestamp { + if x != nil { + return x.Standby + } + return nil +} + +// Response for RotateCertAuthority. +type RotateCertAuthorityResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *RotateCertAuthorityResponse) Reset() { + *x = RotateCertAuthorityResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RotateCertAuthorityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RotateCertAuthorityResponse) ProtoMessage() {} + +func (x *RotateCertAuthorityResponse) ProtoReflect() protoreflect.Message { + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RotateCertAuthorityResponse.ProtoReflect.Descriptor instead. +func (*RotateCertAuthorityResponse) Descriptor() ([]byte, []int) { + return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{7} +} + // GenerateHostCertRequest is the request for GenerateHostCert. type GenerateHostCertRequest struct { state protoimpl.MessageState @@ -343,7 +545,7 @@ type GenerateHostCertRequest struct { func (x *GenerateHostCertRequest) Reset() { *x = GenerateHostCertRequest{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[5] + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -356,7 +558,7 @@ func (x *GenerateHostCertRequest) String() string { func (*GenerateHostCertRequest) ProtoMessage() {} func (x *GenerateHostCertRequest) ProtoReflect() protoreflect.Message { - mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[5] + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -369,7 +571,7 @@ func (x *GenerateHostCertRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GenerateHostCertRequest.ProtoReflect.Descriptor instead. func (*GenerateHostCertRequest) Descriptor() ([]byte, []int) { - return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{5} + return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{8} } func (x *GenerateHostCertRequest) GetKey() []byte { @@ -434,7 +636,7 @@ type GenerateHostCertResponse struct { func (x *GenerateHostCertResponse) Reset() { *x = GenerateHostCertResponse{} if protoimpl.UnsafeEnabled { - mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[6] + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -447,7 +649,7 @@ func (x *GenerateHostCertResponse) String() string { func (*GenerateHostCertResponse) ProtoMessage() {} func (x *GenerateHostCertResponse) ProtoReflect() protoreflect.Message { - mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[6] + mi := &file_teleport_trust_v1_trust_service_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -460,7 +662,7 @@ func (x *GenerateHostCertResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use GenerateHostCertResponse.ProtoReflect.Descriptor instead. func (*GenerateHostCertResponse) Descriptor() ([]byte, []int) { - return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{6} + return file_teleport_trust_v1_trust_service_proto_rawDescGZIP(), []int{9} } func (x *GenerateHostCertResponse) GetSshCertificate() []byte { @@ -480,82 +682,121 @@ var file_teleport_trust_v1_trust_service_proto_rawDesc = []byte{ 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, - 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, - 0x74, 0x2f, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x74, - 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x66, 0x0a, 0x17, 0x47, 0x65, - 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, 0x6d, - 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, - 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x6b, 0x65, 0x79, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x4b, - 0x65, 0x79, 0x22, 0x50, 0x0a, 0x19, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, - 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, - 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x6b, - 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, - 0x65, 0x4b, 0x65, 0x79, 0x22, 0x64, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, - 0x73, 0x65, 0x12, 0x46, 0x0a, 0x13, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x5f, 0x76, 0x32, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x16, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x56, 0x32, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x56, 0x32, 0x22, 0x48, 0x0a, 0x1a, 0x44, 0x65, - 0x6c, 0x65, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, - 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, - 0x6d, 0x61, 0x69, 0x6e, 0x22, 0x5b, 0x0a, 0x1a, 0x55, 0x70, 0x73, 0x65, 0x72, 0x74, 0x43, 0x65, - 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x12, 0x3d, 0x0a, 0x0e, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x74, 0x79, 0x70, - 0x65, 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x56, 0x32, 0x52, 0x0d, 0x63, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x22, 0xe5, 0x01, 0x0a, 0x17, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x48, 0x6f, - 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, - 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, - 0x17, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, - 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64, - 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, - 0x61, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, - 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, - 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x72, 0x6f, 0x6c, 0x65, - 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x12, 0x2b, 0x0a, 0x03, - 0x74, 0x74, 0x6c, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x03, 0x74, 0x74, 0x6c, 0x22, 0x43, 0x0a, 0x18, 0x47, 0x65, 0x6e, - 0x65, 0x72, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x73, 0x68, 0x5f, 0x63, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0e, - 0x73, 0x73, 0x68, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x32, 0x82, - 0x04, 0x0a, 0x0c, 0x54, 0x72, 0x75, 0x73, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, - 0x56, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x12, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, - 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x16, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x56, 0x32, 0x12, 0x71, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x43, 0x65, - 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x2e, + 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2f, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, + 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x66, 0x0a, 0x17, 0x47, + 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x6f, + 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, + 0x69, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x6b, 0x65, + 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, + 0x4b, 0x65, 0x79, 0x22, 0x50, 0x0a, 0x19, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x74, 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, + 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x69, 0x6e, 0x63, 0x6c, 0x75, + 0x64, 0x65, 0x4b, 0x65, 0x79, 0x22, 0x64, 0x0a, 0x1a, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x46, 0x0a, 0x13, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x5f, 0x76, 0x32, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x16, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x56, 0x32, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x56, 0x32, 0x22, 0x48, 0x0a, 0x1a, 0x44, + 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x16, 0x0a, + 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, + 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x22, 0x5b, 0x0a, 0x1a, 0x55, 0x70, 0x73, 0x65, 0x72, 0x74, 0x43, + 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x3d, 0x0a, 0x0e, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x74, 0x79, + 0x70, 0x65, 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, + 0x79, 0x56, 0x32, 0x52, 0x0d, 0x63, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x79, 0x22, 0xe6, 0x01, 0x0a, 0x1a, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x43, 0x65, 0x72, + 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x3c, 0x0a, 0x0c, 0x67, 0x72, 0x61, 0x63, 0x65, 0x5f, 0x70, + 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x67, 0x72, 0x61, 0x63, 0x65, 0x50, 0x65, 0x72, + 0x69, 0x6f, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x68, + 0x61, 0x73, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, + 0x74, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x3f, 0x0a, 0x08, 0x73, 0x63, + 0x68, 0x65, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, + 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x63, 0x68, 0x65, 0x64, 0x75, 0x6c, + 0x65, 0x52, 0x08, 0x73, 0x63, 0x68, 0x65, 0x64, 0x75, 0x6c, 0x65, 0x22, 0xce, 0x01, 0x0a, 0x10, + 0x52, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x63, 0x68, 0x65, 0x64, 0x75, 0x6c, 0x65, + 0x12, 0x41, 0x0a, 0x0e, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, + 0x74, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, 0x6c, 0x69, 0x65, + 0x6e, 0x74, 0x73, 0x12, 0x41, 0x0a, 0x0e, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, + 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, + 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x53, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x62, + 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x52, 0x07, 0x73, 0x74, 0x61, 0x6e, 0x64, 0x62, 0x79, 0x22, 0x1d, 0x0a, 0x1b, + 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x74, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xe5, 0x01, 0x0a, 0x17, + 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x68, 0x6f, 0x73, + 0x74, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, + 0x49, 0x64, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, + 0x1e, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x04, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, + 0x21, 0x0a, 0x0c, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, + 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x12, 0x2b, 0x0a, 0x03, 0x74, 0x74, 0x6c, 0x18, 0x07, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x03, + 0x74, 0x74, 0x6c, 0x22, 0x43, 0x0a, 0x18, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x48, + 0x6f, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, + 0x27, 0x0a, 0x0f, 0x73, 0x73, 0x68, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0e, 0x73, 0x73, 0x68, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x32, 0xf8, 0x04, 0x0a, 0x0c, 0x54, 0x72, 0x75, + 0x73, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x56, 0x0a, 0x10, 0x47, 0x65, 0x74, + 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x74, 0x65, + 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x74, 0x79, 0x70, 0x65, + 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x56, + 0x32, 0x12, 0x71, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x43, + 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, + 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5c, 0x0a, 0x13, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x65, + 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, - 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, - 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5c, 0x0a, 0x13, 0x44, 0x65, - 0x6c, 0x65, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, - 0x79, 0x12, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, - 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x5c, 0x0a, 0x13, 0x55, 0x70, 0x73, 0x65, - 0x72, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, - 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, - 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x70, 0x73, 0x65, 0x72, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, - 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x56, 0x32, 0x12, 0x6b, 0x0a, 0x10, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, + 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x74, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, + 0x74, 0x79, 0x12, 0x5c, 0x0a, 0x13, 0x55, 0x70, 0x73, 0x65, 0x72, 0x74, 0x43, 0x65, 0x72, 0x74, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x70, + 0x73, 0x65, 0x72, 0x74, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, + 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, + 0x2e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x56, 0x32, + 0x12, 0x74, 0x0a, 0x13, 0x52, 0x6f, 0x74, 0x61, 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x74, 0x61, + 0x74, 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, + 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x74, 0x61, 0x74, + 0x65, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6b, 0x0a, 0x10, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x65, 0x72, 0x74, 0x52, @@ -582,38 +823,49 @@ func file_teleport_trust_v1_trust_service_proto_rawDescGZIP() []byte { return file_teleport_trust_v1_trust_service_proto_rawDescData } -var file_teleport_trust_v1_trust_service_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_teleport_trust_v1_trust_service_proto_msgTypes = make([]protoimpl.MessageInfo, 10) var file_teleport_trust_v1_trust_service_proto_goTypes = []interface{}{ - (*GetCertAuthorityRequest)(nil), // 0: teleport.trust.v1.GetCertAuthorityRequest - (*GetCertAuthoritiesRequest)(nil), // 1: teleport.trust.v1.GetCertAuthoritiesRequest - (*GetCertAuthoritiesResponse)(nil), // 2: teleport.trust.v1.GetCertAuthoritiesResponse - (*DeleteCertAuthorityRequest)(nil), // 3: teleport.trust.v1.DeleteCertAuthorityRequest - (*UpsertCertAuthorityRequest)(nil), // 4: teleport.trust.v1.UpsertCertAuthorityRequest - (*GenerateHostCertRequest)(nil), // 5: teleport.trust.v1.GenerateHostCertRequest - (*GenerateHostCertResponse)(nil), // 6: teleport.trust.v1.GenerateHostCertResponse - (*types.CertAuthorityV2)(nil), // 7: types.CertAuthorityV2 - (*durationpb.Duration)(nil), // 8: google.protobuf.Duration - (*emptypb.Empty)(nil), // 9: google.protobuf.Empty + (*GetCertAuthorityRequest)(nil), // 0: teleport.trust.v1.GetCertAuthorityRequest + (*GetCertAuthoritiesRequest)(nil), // 1: teleport.trust.v1.GetCertAuthoritiesRequest + (*GetCertAuthoritiesResponse)(nil), // 2: teleport.trust.v1.GetCertAuthoritiesResponse + (*DeleteCertAuthorityRequest)(nil), // 3: teleport.trust.v1.DeleteCertAuthorityRequest + (*UpsertCertAuthorityRequest)(nil), // 4: teleport.trust.v1.UpsertCertAuthorityRequest + (*RotateCertAuthorityRequest)(nil), // 5: teleport.trust.v1.RotateCertAuthorityRequest + (*RotationSchedule)(nil), // 6: teleport.trust.v1.RotationSchedule + (*RotateCertAuthorityResponse)(nil), // 7: teleport.trust.v1.RotateCertAuthorityResponse + (*GenerateHostCertRequest)(nil), // 8: teleport.trust.v1.GenerateHostCertRequest + (*GenerateHostCertResponse)(nil), // 9: teleport.trust.v1.GenerateHostCertResponse + (*types.CertAuthorityV2)(nil), // 10: types.CertAuthorityV2 + (*durationpb.Duration)(nil), // 11: google.protobuf.Duration + (*timestamppb.Timestamp)(nil), // 12: google.protobuf.Timestamp + (*emptypb.Empty)(nil), // 13: google.protobuf.Empty } var file_teleport_trust_v1_trust_service_proto_depIdxs = []int32{ - 7, // 0: teleport.trust.v1.GetCertAuthoritiesResponse.cert_authorities_v2:type_name -> types.CertAuthorityV2 - 7, // 1: teleport.trust.v1.UpsertCertAuthorityRequest.cert_authority:type_name -> types.CertAuthorityV2 - 8, // 2: teleport.trust.v1.GenerateHostCertRequest.ttl:type_name -> google.protobuf.Duration - 0, // 3: teleport.trust.v1.TrustService.GetCertAuthority:input_type -> teleport.trust.v1.GetCertAuthorityRequest - 1, // 4: teleport.trust.v1.TrustService.GetCertAuthorities:input_type -> teleport.trust.v1.GetCertAuthoritiesRequest - 3, // 5: teleport.trust.v1.TrustService.DeleteCertAuthority:input_type -> teleport.trust.v1.DeleteCertAuthorityRequest - 4, // 6: teleport.trust.v1.TrustService.UpsertCertAuthority:input_type -> teleport.trust.v1.UpsertCertAuthorityRequest - 5, // 7: teleport.trust.v1.TrustService.GenerateHostCert:input_type -> teleport.trust.v1.GenerateHostCertRequest - 7, // 8: teleport.trust.v1.TrustService.GetCertAuthority:output_type -> types.CertAuthorityV2 - 2, // 9: teleport.trust.v1.TrustService.GetCertAuthorities:output_type -> teleport.trust.v1.GetCertAuthoritiesResponse - 9, // 10: teleport.trust.v1.TrustService.DeleteCertAuthority:output_type -> google.protobuf.Empty - 7, // 11: teleport.trust.v1.TrustService.UpsertCertAuthority:output_type -> types.CertAuthorityV2 - 6, // 12: teleport.trust.v1.TrustService.GenerateHostCert:output_type -> teleport.trust.v1.GenerateHostCertResponse - 8, // [8:13] is the sub-list for method output_type - 3, // [3:8] is the sub-list for method input_type - 3, // [3:3] is the sub-list for extension type_name - 3, // [3:3] is the sub-list for extension extendee - 0, // [0:3] is the sub-list for field type_name + 10, // 0: teleport.trust.v1.GetCertAuthoritiesResponse.cert_authorities_v2:type_name -> types.CertAuthorityV2 + 10, // 1: teleport.trust.v1.UpsertCertAuthorityRequest.cert_authority:type_name -> types.CertAuthorityV2 + 11, // 2: teleport.trust.v1.RotateCertAuthorityRequest.grace_period:type_name -> google.protobuf.Duration + 6, // 3: teleport.trust.v1.RotateCertAuthorityRequest.schedule:type_name -> teleport.trust.v1.RotationSchedule + 12, // 4: teleport.trust.v1.RotationSchedule.update_clients:type_name -> google.protobuf.Timestamp + 12, // 5: teleport.trust.v1.RotationSchedule.update_servers:type_name -> google.protobuf.Timestamp + 12, // 6: teleport.trust.v1.RotationSchedule.standby:type_name -> google.protobuf.Timestamp + 11, // 7: teleport.trust.v1.GenerateHostCertRequest.ttl:type_name -> google.protobuf.Duration + 0, // 8: teleport.trust.v1.TrustService.GetCertAuthority:input_type -> teleport.trust.v1.GetCertAuthorityRequest + 1, // 9: teleport.trust.v1.TrustService.GetCertAuthorities:input_type -> teleport.trust.v1.GetCertAuthoritiesRequest + 3, // 10: teleport.trust.v1.TrustService.DeleteCertAuthority:input_type -> teleport.trust.v1.DeleteCertAuthorityRequest + 4, // 11: teleport.trust.v1.TrustService.UpsertCertAuthority:input_type -> teleport.trust.v1.UpsertCertAuthorityRequest + 5, // 12: teleport.trust.v1.TrustService.RotateCertAuthority:input_type -> teleport.trust.v1.RotateCertAuthorityRequest + 8, // 13: teleport.trust.v1.TrustService.GenerateHostCert:input_type -> teleport.trust.v1.GenerateHostCertRequest + 10, // 14: teleport.trust.v1.TrustService.GetCertAuthority:output_type -> types.CertAuthorityV2 + 2, // 15: teleport.trust.v1.TrustService.GetCertAuthorities:output_type -> teleport.trust.v1.GetCertAuthoritiesResponse + 13, // 16: teleport.trust.v1.TrustService.DeleteCertAuthority:output_type -> google.protobuf.Empty + 10, // 17: teleport.trust.v1.TrustService.UpsertCertAuthority:output_type -> types.CertAuthorityV2 + 7, // 18: teleport.trust.v1.TrustService.RotateCertAuthority:output_type -> teleport.trust.v1.RotateCertAuthorityResponse + 9, // 19: teleport.trust.v1.TrustService.GenerateHostCert:output_type -> teleport.trust.v1.GenerateHostCertResponse + 14, // [14:20] is the sub-list for method output_type + 8, // [8:14] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name } func init() { file_teleport_trust_v1_trust_service_proto_init() } @@ -683,7 +935,7 @@ func file_teleport_trust_v1_trust_service_proto_init() { } } file_teleport_trust_v1_trust_service_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*GenerateHostCertRequest); i { + switch v := v.(*RotateCertAuthorityRequest); i { case 0: return &v.state case 1: @@ -695,6 +947,42 @@ func file_teleport_trust_v1_trust_service_proto_init() { } } file_teleport_trust_v1_trust_service_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RotationSchedule); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_trust_v1_trust_service_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RotateCertAuthorityResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_trust_v1_trust_service_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GenerateHostCertRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_teleport_trust_v1_trust_service_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*GenerateHostCertResponse); i { case 0: return &v.state @@ -713,7 +1001,7 @@ func file_teleport_trust_v1_trust_service_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_teleport_trust_v1_trust_service_proto_rawDesc, NumEnums: 0, - NumMessages: 7, + NumMessages: 10, NumExtensions: 0, NumServices: 1, }, diff --git a/api/gen/proto/go/teleport/trust/v1/trust_service_grpc.pb.go b/api/gen/proto/go/teleport/trust/v1/trust_service_grpc.pb.go index 5ee555b7324e2..84d24c7f33e71 100644 --- a/api/gen/proto/go/teleport/trust/v1/trust_service_grpc.pb.go +++ b/api/gen/proto/go/teleport/trust/v1/trust_service_grpc.pb.go @@ -39,6 +39,7 @@ const ( TrustService_GetCertAuthorities_FullMethodName = "/teleport.trust.v1.TrustService/GetCertAuthorities" TrustService_DeleteCertAuthority_FullMethodName = "/teleport.trust.v1.TrustService/DeleteCertAuthority" TrustService_UpsertCertAuthority_FullMethodName = "/teleport.trust.v1.TrustService/UpsertCertAuthority" + TrustService_RotateCertAuthority_FullMethodName = "/teleport.trust.v1.TrustService/RotateCertAuthority" TrustService_GenerateHostCert_FullMethodName = "/teleport.trust.v1.TrustService/GenerateHostCert" ) @@ -54,6 +55,8 @@ type TrustServiceClient interface { DeleteCertAuthority(ctx context.Context, in *DeleteCertAuthorityRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) // UpsertCertAuthority creates or updates the provided cert authority. UpsertCertAuthority(ctx context.Context, in *UpsertCertAuthorityRequest, opts ...grpc.CallOption) (*types.CertAuthorityV2, error) + // RotateCertAuthority is a request to start rotation of the certificate authority. + RotateCertAuthority(ctx context.Context, in *RotateCertAuthorityRequest, opts ...grpc.CallOption) (*RotateCertAuthorityResponse, error) // GenerateHostCert takes a public key in the OpenSSH `authorized_keys` format and returns // a SSH certificate signed by the Host CA. GenerateHostCert(ctx context.Context, in *GenerateHostCertRequest, opts ...grpc.CallOption) (*GenerateHostCertResponse, error) @@ -103,6 +106,15 @@ func (c *trustServiceClient) UpsertCertAuthority(ctx context.Context, in *Upsert return out, nil } +func (c *trustServiceClient) RotateCertAuthority(ctx context.Context, in *RotateCertAuthorityRequest, opts ...grpc.CallOption) (*RotateCertAuthorityResponse, error) { + out := new(RotateCertAuthorityResponse) + err := c.cc.Invoke(ctx, TrustService_RotateCertAuthority_FullMethodName, in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *trustServiceClient) GenerateHostCert(ctx context.Context, in *GenerateHostCertRequest, opts ...grpc.CallOption) (*GenerateHostCertResponse, error) { out := new(GenerateHostCertResponse) err := c.cc.Invoke(ctx, TrustService_GenerateHostCert_FullMethodName, in, out, opts...) @@ -124,6 +136,8 @@ type TrustServiceServer interface { DeleteCertAuthority(context.Context, *DeleteCertAuthorityRequest) (*emptypb.Empty, error) // UpsertCertAuthority creates or updates the provided cert authority. UpsertCertAuthority(context.Context, *UpsertCertAuthorityRequest) (*types.CertAuthorityV2, error) + // RotateCertAuthority is a request to start rotation of the certificate authority. + RotateCertAuthority(context.Context, *RotateCertAuthorityRequest) (*RotateCertAuthorityResponse, error) // GenerateHostCert takes a public key in the OpenSSH `authorized_keys` format and returns // a SSH certificate signed by the Host CA. GenerateHostCert(context.Context, *GenerateHostCertRequest) (*GenerateHostCertResponse, error) @@ -146,6 +160,9 @@ func (UnimplementedTrustServiceServer) DeleteCertAuthority(context.Context, *Del func (UnimplementedTrustServiceServer) UpsertCertAuthority(context.Context, *UpsertCertAuthorityRequest) (*types.CertAuthorityV2, error) { return nil, status.Errorf(codes.Unimplemented, "method UpsertCertAuthority not implemented") } +func (UnimplementedTrustServiceServer) RotateCertAuthority(context.Context, *RotateCertAuthorityRequest) (*RotateCertAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method RotateCertAuthority not implemented") +} func (UnimplementedTrustServiceServer) GenerateHostCert(context.Context, *GenerateHostCertRequest) (*GenerateHostCertResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method GenerateHostCert not implemented") } @@ -234,6 +251,24 @@ func _TrustService_UpsertCertAuthority_Handler(srv interface{}, ctx context.Cont return interceptor(ctx, in, info, handler) } +func _TrustService_RotateCertAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(RotateCertAuthorityRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(TrustServiceServer).RotateCertAuthority(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: TrustService_RotateCertAuthority_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(TrustServiceServer).RotateCertAuthority(ctx, req.(*RotateCertAuthorityRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _TrustService_GenerateHostCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(GenerateHostCertRequest) if err := dec(in); err != nil { @@ -275,6 +310,10 @@ var TrustService_ServiceDesc = grpc.ServiceDesc{ MethodName: "UpsertCertAuthority", Handler: _TrustService_UpsertCertAuthority_Handler, }, + { + MethodName: "RotateCertAuthority", + Handler: _TrustService_RotateCertAuthority_Handler, + }, { MethodName: "GenerateHostCert", Handler: _TrustService_GenerateHostCert_Handler, diff --git a/api/proto/teleport/trust/v1/trust_service.proto b/api/proto/teleport/trust/v1/trust_service.proto index 3c93010a69aea..7d4d1c79bf8fb 100644 --- a/api/proto/teleport/trust/v1/trust_service.proto +++ b/api/proto/teleport/trust/v1/trust_service.proto @@ -18,6 +18,7 @@ package teleport.trust.v1; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; +import "google/protobuf/timestamp.proto"; import "teleport/legacy/types/types.proto"; option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/trust/v1;trustv1"; @@ -32,6 +33,8 @@ service TrustService { rpc DeleteCertAuthority(DeleteCertAuthorityRequest) returns (google.protobuf.Empty); // UpsertCertAuthority creates or updates the provided cert authority. rpc UpsertCertAuthority(UpsertCertAuthorityRequest) returns (types.CertAuthorityV2); + // RotateCertAuthority is a request to start rotation of the certificate authority. + rpc RotateCertAuthority(RotateCertAuthorityRequest) returns (RotateCertAuthorityResponse); // GenerateHostCert takes a public key in the OpenSSH `authorized_keys` format and returns // a SSH certificate signed by the Host CA. rpc GenerateHostCert(GenerateHostCertRequest) returns (GenerateHostCertResponse); @@ -75,6 +78,43 @@ message UpsertCertAuthorityRequest { types.CertAuthorityV2 cert_authority = 1; } +// Request for RotateCertAuthority. +message RotateCertAuthorityRequest { + // Type is a certificate authority type, if omitted, both user and host CA + // will be rotated. + string type = 1; + // GracePeriod is used to generate cert rotation schedule that defines + // times at which different rotation phases will be applied by the auth server + // in auto mode. It is not used in manual rotation mode. + // If omitted, default value is set, if 0 is supplied, it is interpreted as + // forcing rotation of all certificate authorities with no grace period, + // all existing users and hosts will have to re-login and re-added + // into the cluster. + google.protobuf.Duration grace_period = 2; + // TargetPhase sets desired rotation phase to move to, if not set + // will be set automatically, it is a required argument + // for manual rotation. + string target_phase = 3; + // Mode sets manual or auto rotation mode. + string mode = 4; + // Schedule is an optional rotation schedule, + // autogenerated based on GracePeriod parameter if not set. + RotationSchedule schedule = 5; +} + +// RotationSchedule is a rotation schedule setting time switches for different phases. +message RotationSchedule { + // UpdateClients specifies time to switch to the "Update clients" phase + google.protobuf.Timestamp update_clients = 1; + // UpdateServers specifies time to switch to the "Update servers" phase. + google.protobuf.Timestamp update_servers = 2; + // Standby specifies time to switch to the "Standby" phase. + google.protobuf.Timestamp standby = 3; +} + +// Response for RotateCertAuthority. +message RotateCertAuthorityResponse {} + // GenerateHostCertRequest is the request for GenerateHostCert. message GenerateHostCertRequest { // key is the SSH public key that the certificate should include. diff --git a/api/types/trust.go b/api/types/trust.go index 934619ad56c3e..0f5b06ee44640 100644 --- a/api/types/trust.go +++ b/api/types/trust.go @@ -19,11 +19,14 @@ package types import ( "fmt" "strings" + "time" "github.com/coreos/go-semver/semver" "github.com/gravitational/trace" + "github.com/jonboulle/clockwork" "github.com/gravitational/teleport/api" + "github.com/gravitational/teleport/api/defaults" ) // CertAuthType specifies certificate authority type. New variants should be @@ -107,3 +110,59 @@ func (c *CertAuthID) Check() error { } return nil } + +type RotateRequest struct { + // Type is a certificate authority type, if omitted, both user and host CA + // will be rotated. + Type CertAuthType `json:"type"` + // GracePeriod is used to generate cert rotation schedule that defines + // times at which different rotation phases will be applied by the auth server + // in auto mode. It is not used in manual rotation mode. + // If omitted, default value is set, if 0 is supplied, it is interpreted as + // forcing rotation of all certificate authorities with no grace period, + // all existing users and hosts will have to re-login and re-added + // into the cluster. + GracePeriod *time.Duration `json:"grace_period,omitempty"` + // TargetPhase sets desired rotation phase to move to, if not set + // will be set automatically, it is a required argument + // for manual rotation. + TargetPhase string `json:"target_phase,omitempty"` + // Mode sets manual or auto rotation mode. + Mode string `json:"mode"` + // Schedule is an optional rotation schedule, + // autogenerated based on GracePeriod parameter if not set. + Schedule *RotationSchedule `json:"schedule"` +} + +// CheckAndSetDefaults checks and sets default values. +func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error { + if r.TargetPhase == "" { + // if phase is not set, imply that the first meaningful phase + // is set as a target phase + r.TargetPhase = RotationPhaseInit + } + // if mode is not set, default to manual (as it's safer) + if r.Mode == "" { + r.Mode = RotationModeManual + } + + if err := r.Type.Check(); err != nil { + return trace.Wrap(err) + } + if r.GracePeriod == nil { + period := defaults.MaxCertDuration + r.GracePeriod = &period + } + if r.Schedule == nil { + var err error + r.Schedule, err = GenerateSchedule(clock.Now(), *r.GracePeriod) + if err != nil { + return trace.Wrap(err) + } + } else { + if err := r.Schedule.CheckAndSetDefaults(clock.Now()); err != nil { + return trace.Wrap(err) + } + } + return nil +} diff --git a/integration/db/db_integration_test.go b/integration/db/db_integration_test.go index 0330e8b9bc932..dfacd38aa701e 100644 --- a/integration/db/db_integration_test.go +++ b/integration/db/db_integration_test.go @@ -298,7 +298,7 @@ func (p *DatabasePack) testRotateTrustedCluster(t *testing.T) { go func() { errChan <- pw.waitForPhase(phase, func() error { - return authServer.RotateCertAuthority(ctx, auth.RotateRequest{ + return authServer.RotateCertAuthority(ctx, types.RotateRequest{ Type: types.DatabaseCA, TargetPhase: phase, Mode: types.RotationModeManual, diff --git a/integration/hsm/hsm_test.go b/integration/hsm/hsm_test.go index df242ca230635..5e9d99d416797 100644 --- a/integration/hsm/hsm_test.go +++ b/integration/hsm/hsm_test.go @@ -157,7 +157,7 @@ func TestHSMRotation(t *testing.T) { allServices = append(allServices, proxy) log.Debug("TestHSMRotation: sending rotation request init") - err := auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err := auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseInit, Mode: types.RotationModeManual, @@ -166,7 +166,7 @@ func TestHSMRotation(t *testing.T) { require.NoError(t, allServices.waitForPhaseChange(ctx)) log.Debug("TestHSMRotation: sending rotation request update_clients") - err = auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateClients, Mode: types.RotationModeManual, @@ -175,7 +175,7 @@ func TestHSMRotation(t *testing.T) { require.NoError(t, allServices.waitForRestart(ctx)) log.Debug("TestHSMRotation: sending rotation request update_servers") - err = auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateServers, Mode: types.RotationModeManual, @@ -184,7 +184,7 @@ func TestHSMRotation(t *testing.T) { require.NoError(t, allServices.waitForRestart(ctx)) log.Debug("TestHSMRotation: sending rotation request standby") - err = auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseStandby, Mode: types.RotationModeManual, @@ -334,7 +334,7 @@ func TestHSMDualAuthRotation(t *testing.T) { // do a full rotation for _, stage := range stages { log.Debugf("TestHSMDualAuthRotation: Sending rotate request %s", stage.targetPhase) - require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: stage.targetPhase, Mode: types.RotationModeManual, @@ -353,7 +353,7 @@ func TestHSMDualAuthRotation(t *testing.T) { // Do another full rotation from the new auth server for _, stage := range stages { log.Debugf("TestHSMDualAuthRotation: Sending rotate request %s", stage.targetPhase) - require.NoError(t, auth2.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + require.NoError(t, auth2.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: stage.targetPhase, Mode: types.RotationModeManual, @@ -456,7 +456,7 @@ func TestHSMDualAuthRotation(t *testing.T) { } for _, stage := range stages { log.Debugf("TestHSMDualAuthRotation: Sending rotate request %s", stage.targetPhase) - require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: stage.targetPhase, Mode: types.RotationModeManual, @@ -563,7 +563,7 @@ func TestHSMMigrate(t *testing.T) { // do a full rotation for _, stage := range stages { log.Debugf("TestHSMMigrate: Sending rotate request %s", stage.targetPhase) - require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: stage.targetPhase, Mode: types.RotationModeManual, @@ -590,7 +590,7 @@ func TestHSMMigrate(t *testing.T) { // do a full rotation for _, stage := range stages { log.Debugf("TestHSMMigrate: Sending rotate request %s", stage.targetPhase) - require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + require.NoError(t, auth1.process.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: stage.targetPhase, Mode: types.RotationModeManual, diff --git a/integration/integration_test.go b/integration/integration_test.go index a31ad14928360..7d26579ac905c 100644 --- a/integration/integration_test.go +++ b/integration/integration_test.go @@ -5190,7 +5190,7 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { t.Logf("Service started. Setting rotation state to %v", types.RotationPhaseUpdateClients) // start rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseInit, Mode: types.RotationModeManual, @@ -5206,7 +5206,7 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { require.NoError(t, err) // update clients - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateClients, Mode: types.RotationModeManual, @@ -5234,7 +5234,7 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { t.Logf("Service reloaded. Setting rotation state to %v", types.RotationPhaseUpdateServers) // move to the next phase - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateServers, Mode: types.RotationModeManual, @@ -5264,7 +5264,7 @@ func testRotateSuccess(t *testing.T, suite *integrationTestSuite) { t.Logf("Service reloaded. Setting rotation state to %v.", types.RotationPhaseStandby) // complete rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseStandby, Mode: types.RotationModeManual, @@ -5358,7 +5358,7 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { t.Logf("Service started. Setting rotation state to %q.", types.RotationPhaseInit) // start rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseInit, Mode: types.RotationModeManual, @@ -5371,7 +5371,7 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { t.Logf("Setting rotation state to %q.", types.RotationPhaseUpdateClients) // start rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateClients, Mode: types.RotationModeManual, @@ -5399,7 +5399,7 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { t.Logf("Service reloaded. Setting rotation state to %q.", types.RotationPhaseUpdateServers) // move to the next phase - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateServers, Mode: types.RotationModeManual, @@ -5413,7 +5413,7 @@ func testRotateRollback(t *testing.T, s *integrationTestSuite) { t.Logf("Service reloaded. Setting rotation state to %q.", types.RotationPhaseRollback) // complete rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseRollback, Mode: types.RotationModeManual, @@ -5550,7 +5550,7 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { t.Logf("Setting rotation state to %v", types.RotationPhaseInit) // start rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseInit, Mode: types.RotationModeManual, @@ -5585,7 +5585,7 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { waitForPhase(types.RotationPhaseInit) // update clients - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateClients, Mode: types.RotationModeManual, @@ -5605,7 +5605,7 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { t.Logf("Service reloaded. Setting rotation state to %v", types.RotationPhaseUpdateServers) // move to the next phase - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseUpdateServers, Mode: types.RotationModeManual, @@ -5632,7 +5632,7 @@ func testRotateTrustedClusters(t *testing.T, suite *integrationTestSuite) { t.Logf("Service reloaded. Setting rotation state to %v.", types.RotationPhaseStandby) // complete rotation - err = svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err = svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, TargetPhase: types.RotationPhaseStandby, Mode: types.RotationModeManual, diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go index 9b86c86d82164..87424b9c0cd5c 100644 --- a/lib/auth/apiserver.go +++ b/lib/auth/apiserver.go @@ -92,6 +92,7 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) { // Kubernetes extensions srv.POST("/:version/kube/csr", srv.WithAuth(srv.processKubeCSR)) + // TODO(Joerger): DELETE IN 16.0.0, migrated to gRPC. srv.POST("/:version/authorities/:type/rotate", srv.WithAuth(srv.rotateCertAuthority)) srv.POST("/:version/authorities/:type/rotate/external", srv.WithAuth(srv.rotateExternalCertAuthority)) @@ -574,8 +575,9 @@ func (s *APIServer) registerUsingToken(auth *ServerWithRoles, w http.ResponseWri return certs, nil } +// TODO(Joerger): DELETE IN 16.0.0, migrated to gRPC. func (s *APIServer) rotateCertAuthority(auth *ServerWithRoles, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) { - var req RotateRequest + var req types.RotateRequest if err := httplib.ReadJSON(r, &req); err != nil { return nil, trace.Wrap(err) } diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go index c86931c0545af..8e0c19c7a99ca 100644 --- a/lib/auth/auth_with_roles.go +++ b/lib/auth/auth_with_roles.go @@ -680,7 +680,8 @@ func (a *ServerWithRoles) GenerateOpenSSHCert(ctx context.Context, req *proto.Op } // RotateCertAuthority starts or restarts certificate authority rotation process. -func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req RotateRequest) error { +// TODO(Joerger): DELETE IN 16.0.0, replaced by Trust service. +func (a *ServerWithRoles) RotateCertAuthority(ctx context.Context, req types.RotateRequest) error { if err := req.CheckAndSetDefaults(a.authServer.clock); err != nil { return trace.Wrap(err) } diff --git a/lib/auth/clt.go b/lib/auth/clt.go index adfa7b6fc5a9c..cd9072a17600c 100644 --- a/lib/auth/clt.go +++ b/lib/auth/clt.go @@ -796,7 +796,7 @@ type ClientI interface { NewKeepAliver(ctx context.Context) (types.KeepAliver, error) // RotateCertAuthority starts or restarts certificate authority rotation process. - RotateCertAuthority(ctx context.Context, req RotateRequest) error + RotateCertAuthority(ctx context.Context, req types.RotateRequest) error // RotateExternalCertAuthority rotates external certificate authority, // this method is used to update only public keys and certificates of the diff --git a/lib/auth/http_client.go b/lib/auth/http_client.go index b8267b09da916..5093da6865b06 100644 --- a/lib/auth/http_client.go +++ b/lib/auth/http_client.go @@ -338,12 +338,6 @@ func (c *HTTPClient) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error) { return &re, nil } -// RotateCertAuthority starts or restarts certificate authority rotation process. -func (c *HTTPClient) RotateCertAuthority(ctx context.Context, req RotateRequest) error { - _, err := c.PostJSON(ctx, c.Endpoint("authorities", string(req.Type), "rotate"), req) - return trace.Wrap(err) -} - // RotateExternalCertAuthority rotates external certificate authority, // this method is used to update only public keys and certificates of the // the certificate authorities of trusted clusters. diff --git a/lib/auth/httpfallback.go b/lib/auth/httpfallback.go index d3ecfa5e3cd01..69093081e1f90 100644 --- a/lib/auth/httpfallback.go +++ b/lib/auth/httpfallback.go @@ -99,3 +99,14 @@ func (c *Client) generateHostCertHTTP( } return []byte(cert), nil } + +// TODO(Joerger): DELETE IN 16.0.0 +func (c *Client) RotateCertAuthority(ctx context.Context, req types.RotateRequest) error { + err := c.APIClient.RotateCertAuthority(ctx, req) + if trace.IsNotImplemented(err) { + // Fall back to HTTP implementation. + _, err := c.PostJSON(ctx, c.Endpoint("authorities", string(req.Type), "rotate"), req) + return trace.Wrap(err) + } + return trace.Wrap(err) +} diff --git a/lib/auth/rotate.go b/lib/auth/rotate.go index 111692cf2b9b4..bc660f77bf1ad 100644 --- a/lib/auth/rotate.go +++ b/lib/auth/rotate.go @@ -38,61 +38,6 @@ import ( ) // RotateRequest is a request to start rotation of the certificate authority. -type RotateRequest struct { - // Type is a certificate authority type, if omitted, both user and host CA - // will be rotated. - Type types.CertAuthType `json:"type"` - // GracePeriod is used to generate cert rotation schedule that defines - // times at which different rotation phases will be applied by the auth server - // in auto mode. It is not used in manual rotation mode. - // If omitted, default value is set, if 0 is supplied, it is interpreted as - // forcing rotation of all certificate authorities with no grace period, - // all existing users and hosts will have to re-login and re-added - // into the cluster. - GracePeriod *time.Duration `json:"grace_period,omitempty"` - // TargetPhase sets desired rotation phase to move to, if not set - // will be set automatically, it is a required argument - // for manual rotation. - TargetPhase string `json:"target_phase,omitempty"` - // Mode sets manual or auto rotation mode. - Mode string `json:"mode"` - // Schedule is an optional rotation schedule, - // autogenerated based on GracePeriod parameter if not set. - Schedule *types.RotationSchedule `json:"schedule"` -} - -// CheckAndSetDefaults checks and sets default values. -func (r *RotateRequest) CheckAndSetDefaults(clock clockwork.Clock) error { - if r.TargetPhase == "" { - // if phase is not set, imply that the first meaningful phase - // is set as a target phase - r.TargetPhase = types.RotationPhaseInit - } - // if mode is not set, default to manual (as it's safer) - if r.Mode == "" { - r.Mode = types.RotationModeManual - } - - if err := r.Type.Check(); err != nil { - return trace.Wrap(err) - } - if r.GracePeriod == nil { - period := defaults.RotationGracePeriod - r.GracePeriod = &period - } - if r.Schedule == nil { - var err error - r.Schedule, err = types.GenerateSchedule(clock.Now(), *r.GracePeriod) - if err != nil { - return trace.Wrap(err) - } - } else { - if err := r.Schedule.CheckAndSetDefaults(clock.Now()); err != nil { - return trace.Wrap(err) - } - } - return nil -} // rotationReq is an internal rotation request type rotationReq struct { @@ -184,7 +129,7 @@ type rotationReq struct { // // It is possible to switch from automatic to manual by setting the phase // to the rollback phase. -func (a *Server) RotateCertAuthority(ctx context.Context, req RotateRequest) error { +func (a *Server) RotateCertAuthority(ctx context.Context, req types.RotateRequest) error { if err := req.CheckAndSetDefaults(a.clock); err != nil { return trace.Wrap(err) } diff --git a/lib/auth/tls_test.go b/lib/auth/tls_test.go index 7f6ff9d255cf4..dec1af7cc4f12 100644 --- a/lib/auth/tls_test.go +++ b/lib/auth/tls_test.go @@ -214,7 +214,7 @@ func TestRemoteRotation(t *testing.T) { gracePeriod := time.Hour remoteServer.AuthServer.privateKey, ok = fixtures.PEMBytes["rsa"] require.True(t, ok) - err = remoteServer.AuthServer.RotateCertAuthority(ctx, RotateRequest{ + err = remoteServer.AuthServer.RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, @@ -223,7 +223,7 @@ func TestRemoteRotation(t *testing.T) { require.NoError(t, err) // moves to update clients - err = remoteServer.AuthServer.RotateCertAuthority(ctx, RotateRequest{ + err = remoteServer.AuthServer.RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateClients, @@ -349,7 +349,7 @@ func TestAutoRotation(t *testing.T) { testSrv.Auth().privateKey, ok = fixtures.PEMBytes["rsa"] require.True(t, ok) gracePeriod := time.Hour - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, Mode: types.RotationModeAuto, @@ -450,7 +450,7 @@ func TestAutoFallback(t *testing.T) { testSrv.Auth().privateKey, ok = fixtures.PEMBytes["rsa"] require.True(t, ok) gracePeriod := time.Hour - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, Mode: types.RotationModeAuto, @@ -471,7 +471,7 @@ func TestAutoFallback(t *testing.T) { require.Equal(t, types.RotationModeAuto, ca.GetRotation().Mode) // rollback rotation - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseRollback, @@ -510,7 +510,7 @@ func TestManualRotation(t *testing.T) { gracePeriod := time.Hour testSrv.Auth().privateKey, ok = fixtures.PEMBytes["rsa"] require.True(t, ok) - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateServers, @@ -519,7 +519,7 @@ func TestManualRotation(t *testing.T) { require.True(t, trace.IsBadParameter(err)) // starts rotation - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, @@ -532,7 +532,7 @@ func TestManualRotation(t *testing.T) { require.NoError(t, err) // clients reconnect - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateClients, @@ -552,7 +552,7 @@ func TestManualRotation(t *testing.T) { require.NoError(t, err) // can't jump to standy - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseStandby, @@ -561,7 +561,7 @@ func TestManualRotation(t *testing.T) { require.True(t, trace.IsBadParameter(err)) // advance rotation: - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateServers, @@ -578,7 +578,7 @@ func TestManualRotation(t *testing.T) { require.NoError(t, err) // complete rotation - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseStandby, @@ -620,7 +620,7 @@ func TestRollback(t *testing.T) { gracePeriod := time.Hour testSrv.Auth().privateKey, ok = fixtures.PEMBytes["rsa"] require.True(t, ok) - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, @@ -629,7 +629,7 @@ func TestRollback(t *testing.T) { require.NoError(t, err) // move to update clients phase - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateClients, @@ -645,7 +645,7 @@ func TestRollback(t *testing.T) { require.NoError(t, err) // advance rotation: - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateServers, @@ -654,7 +654,7 @@ func TestRollback(t *testing.T) { require.NoError(t, err) // rollback rotation - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseRollback, @@ -668,7 +668,7 @@ func TestRollback(t *testing.T) { require.NoError(t, err) // can't jump to other phases - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateClients, @@ -677,7 +677,7 @@ func TestRollback(t *testing.T) { require.True(t, trace.IsBadParameter(err)) // complete rollback - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseStandby, @@ -741,7 +741,7 @@ func TestAppTokenRotation(t *testing.T) { // Start rotation and move to initial phase. A new CA will be added (for // verification), but requests will continue to be signed by the old CA. gracePeriod := time.Hour - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.JWTSigner, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, @@ -764,7 +764,7 @@ func TestAppTokenRotation(t *testing.T) { // Move rotation into the update client phase. In this phase, requests will // be signed by the new CA, but the old CA will be around to verify requests. - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.JWTSigner, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateClients, @@ -803,7 +803,7 @@ func TestAppTokenRotation(t *testing.T) { require.NoError(t, err) // Move rotation into update servers phase. - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.JWTSigner, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateServers, @@ -827,7 +827,7 @@ func TestAppTokenRotation(t *testing.T) { require.NoError(t, err) // Complete rotation. The old CA will be removed. - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.JWTSigner, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseStandby, @@ -895,7 +895,7 @@ func TestOIDCIdPTokenRotation(t *testing.T) { // Start rotation and move to initial phase. A new CA will be added (for // verification), but requests will continue to be signed by the old CA. gracePeriod := time.Hour - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.OIDCIdPCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, @@ -918,7 +918,7 @@ func TestOIDCIdPTokenRotation(t *testing.T) { // Move rotation into the update client phase. In this phase, requests will // be signed by the new CA, but the old CA will be around to verify requests. - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.OIDCIdPCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateClients, @@ -950,7 +950,7 @@ func TestOIDCIdPTokenRotation(t *testing.T) { require.NoError(t, err) // Move rotation into update servers phase. - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.OIDCIdPCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseUpdateServers, @@ -974,7 +974,7 @@ func TestOIDCIdPTokenRotation(t *testing.T) { require.NoError(t, err) // Complete rotation. The old CA will be removed. - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.OIDCIdPCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseStandby, @@ -3605,7 +3605,7 @@ func TestEventsPermissions(t *testing.T) { // start rotation gracePeriod := time.Hour - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, @@ -3838,7 +3838,7 @@ func TestEventsClusterConfig(t *testing.T) { // start rotation gracePeriod := time.Hour - err = testSrv.Auth().RotateCertAuthority(ctx, RotateRequest{ + err = testSrv.Auth().RotateCertAuthority(ctx, types.RotateRequest{ Type: types.HostCA, GracePeriod: &gracePeriod, TargetPhase: types.RotationPhaseInit, diff --git a/lib/auth/trust/trustv1/service.go b/lib/auth/trust/trustv1/service.go index da3a793525467..670680bf90bcd 100644 --- a/lib/auth/trust/trustv1/service.go +++ b/lib/auth/trust/trustv1/service.go @@ -37,6 +37,9 @@ type authServer interface { // the host (along with metadata like host ID, node name, roles, and ttl) // to generate a host certificate. GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error) + + // RotateCertAuthority starts or restarts certificate authority rotation process. + RotateCertAuthority(ctx context.Context, req types.RotateRequest) error } // ServiceConfig holds configuration options for @@ -203,6 +206,43 @@ func (s *Service) UpsertCertAuthority(ctx context.Context, req *trustpb.UpsertCe return req.CertAuthority, nil } +// RotateCertAuthority rotates a cert authority. +func (s *Service) RotateCertAuthority(ctx context.Context, req *trustpb.RotateCertAuthorityRequest) (*trustpb.RotateCertAuthorityResponse, error) { + authzCtx, err := authz.AuthorizeWithVerbs(ctx, s.logger, s.authorizer, false, types.KindCertAuthority, types.VerbCreate, types.VerbUpdate) + if err != nil { + return nil, trace.Wrap(err) + } + + if err := authz.AuthorizeAdminAction(ctx, authzCtx); err != nil { + return nil, trace.Wrap(err) + } + + rotateRequest := types.RotateRequest{ + Type: types.CertAuthType(req.Type), + TargetPhase: req.TargetPhase, + Mode: req.Mode, + } + + if req.GracePeriod != nil { + duration := req.GracePeriod.AsDuration() + rotateRequest.GracePeriod = &duration + } + + if req.Schedule != nil { + rotateRequest.Schedule = &types.RotationSchedule{ + UpdateClients: req.Schedule.UpdateClients.AsTime(), + UpdateServers: req.Schedule.UpdateServers.AsTime(), + Standby: req.Schedule.Standby.AsTime(), + } + } + + if err := s.authServer.RotateCertAuthority(ctx, rotateRequest); err != nil { + return nil, trace.Wrap(err) + } + + return &trustpb.RotateCertAuthorityResponse{}, nil +} + // GenerateHostCert takes a public key in the OpenSSH `authorized_keys` format // and returns a SSH certificate signed by the Host CA. func (s *Service) GenerateHostCert( diff --git a/lib/auth/trust/trustv1/service_test.go b/lib/auth/trust/trustv1/service_test.go index cadd1e8f673af..294824b70c872 100644 --- a/lib/auth/trust/trustv1/service_test.go +++ b/lib/auth/trust/trustv1/service_test.go @@ -73,18 +73,23 @@ func (f *fakeAuthorizer) Authorize(ctx context.Context) (*authz.Context, error) }, nil } -type fakeHostCertSigner struct { - data map[string]struct { +type fakeAuthServer struct { + generateHostCertData map[string]struct { cert []byte err error } + rotateCertAuthorityData map[string]error } -func (f *fakeHostCertSigner) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error) { - data := f.data[hostID] +func (f *fakeAuthServer) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hostID, nodeName string, principals []string, clusterName string, role types.SystemRole, ttl time.Duration) ([]byte, error) { + data := f.generateHostCertData[hostID] return data.cert, data.err } +func (f *fakeAuthServer) RotateCertAuthority(ctx context.Context, req types.RotateRequest) error { + return f.rotateCertAuthorityData[string(req.Type)] +} + type fakeChecker struct { services.AccessChecker allow map[check]bool @@ -399,7 +404,7 @@ func TestRBAC(t *testing.T) { Cache: trust, Backend: trust, Authorizer: &test.authorizer, - AuthServer: &fakeHostCertSigner{}, + AuthServer: &fakeAuthServer{}, } service, err := NewService(cfg) @@ -433,7 +438,7 @@ func TestGetCertAuthority(t *testing.T) { Cache: trust, Backend: trust, Authorizer: authorizer, - AuthServer: &fakeHostCertSigner{}, + AuthServer: &fakeAuthServer{}, } service, err := NewService(cfg) @@ -522,7 +527,7 @@ func TestGetCertAuthorities(t *testing.T) { Cache: trust, Backend: trust, Authorizer: authorizer, - AuthServer: &fakeHostCertSigner{}, + AuthServer: &fakeAuthServer{}, } service, err := NewService(cfg) @@ -616,7 +621,7 @@ func TestDeleteCertAuthority(t *testing.T) { Cache: trust, Backend: trust, Authorizer: authorizer, - AuthServer: &fakeHostCertSigner{}, + AuthServer: &fakeAuthServer{}, } service, err := NewService(cfg) @@ -685,7 +690,7 @@ func TestUpsertCertAuthority(t *testing.T) { Cache: trust, Backend: trust, Authorizer: authorizer, - AuthServer: &fakeHostCertSigner{}, + AuthServer: &fakeAuthServer{}, } service, err := NewService(cfg) @@ -742,6 +747,72 @@ func TestUpsertCertAuthority(t *testing.T) { } } +func TestRotateCertAuthority(t *testing.T) { + t.Parallel() + + ctx := context.Background() + p := newTestPack(t) + + authorizer := &fakeAuthorizer{ + checker: &fakeChecker{ + allow: map[check]bool{ + {types.KindCertAuthority, types.VerbCreate}: true, + {types.KindCertAuthority, types.VerbUpdate}: true, + }, + }, + } + + fakeErr := trace.BadParameter("bad thing happened") + authServer := &fakeAuthServer{ + rotateCertAuthorityData: map[string]error{ + "success": nil, + "fail": fakeErr, + }, + } + + trust := local.NewCAService(p.mem) + cfg := &ServiceConfig{ + Cache: trust, + Backend: trust, + Authorizer: authorizer, + AuthServer: authServer, + } + + tests := []struct { + name string + req *trustpb.RotateCertAuthorityRequest + wantErr error + }{ + { + name: "success", + req: &trustpb.RotateCertAuthorityRequest{ + Type: "success", + }, + }, + { + name: "fail", + req: &trustpb.RotateCertAuthorityRequest{ + Type: "fail", + }, + wantErr: fakeErr, + }, + } + + service, err := NewService(cfg) + require.NoError(t, err) + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + _, err := service.RotateCertAuthority(ctx, test.req) + if test.wantErr != nil { + require.ErrorIs(t, err, test.wantErr) + } else { + require.NoError(t, err) + } + }) + } +} + func TestGenerateHostCert(t *testing.T) { t.Parallel() @@ -756,8 +827,8 @@ func TestGenerateHostCert(t *testing.T) { }, } - hostCertSigner := &fakeHostCertSigner{ - data: map[string]struct { + hostCertSigner := &fakeAuthServer{ + generateHostCertData: map[string]struct { cert []byte err error }{ diff --git a/lib/srv/db/auth_test.go b/lib/srv/db/auth_test.go index e4eb959736f00..365977b3959ea 100644 --- a/lib/srv/db/auth_test.go +++ b/lib/srv/db/auth_test.go @@ -356,7 +356,7 @@ func TestDBCertSigning(t *testing.T) { // Set rotation to init phase. New CA will be generated. // DB service should still use old key to sign certificates. // tctl should use new key to sign certificates. - err = authServer.AuthServer.RotateCertAuthority(ctx, auth.RotateRequest{ + err = authServer.AuthServer.RotateCertAuthority(ctx, types.RotateRequest{ Type: types.DatabaseCA, TargetPhase: types.RotationPhaseInit, Mode: types.RotationModeManual, diff --git a/lib/tbot/service_ca_rotation_test.go b/lib/tbot/service_ca_rotation_test.go index ca31710758d61..4195e8318f8a7 100644 --- a/lib/tbot/service_ca_rotation_test.go +++ b/lib/tbot/service_ca_rotation_test.go @@ -181,7 +181,7 @@ func rotate( //nolint:unused // used in skipped test ) { t.Helper() log.Infof("Triggering rotation: %s", phase) - err := svc.GetAuthServer().RotateCertAuthority(ctx, auth.RotateRequest{ + err := svc.GetAuthServer().RotateCertAuthority(ctx, types.RotateRequest{ // only rotate Host CA as to avoid race condition serverside when // multiple CAs are rotated at once and the database closes off. Type: types.HostCA, diff --git a/tool/tctl/common/auth_command.go b/tool/tctl/common/auth_command.go index 110470bca686a..c5abda2cab896 100644 --- a/tool/tctl/common/auth_command.go +++ b/tool/tctl/common/auth_command.go @@ -389,7 +389,7 @@ func (a *AuthCommand) generateSnowflakeKey(ctx context.Context, clusterAPI auth. // RotateCertAuthority starts or restarts certificate authority rotation process func (a *AuthCommand) RotateCertAuthority(ctx context.Context, client auth.ClientI) error { - req := auth.RotateRequest{ + req := types.RotateRequest{ Type: types.CertAuthType(a.rotateType), GracePeriod: &a.rotateGracePeriod, TargetPhase: a.rotateTargetPhase,