diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go index 2051586609f9c..94a6ce6c481d2 100644 --- a/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go +++ b/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go 
@@ -508,6 +508,62 @@ func (x *WorkloadAttrsDockerContainer) GetLabels() map[string]string { return nil } +// Attributes sourced from the Systemd workload attestor. +type WorkloadAttrsSystemd struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Whether the workload passed Systemd attestation. + Attested bool `protobuf:"varint,1,opt,name=attested,proto3" json:"attested,omitempty"` + // The systemd service name. + Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"` +} + +func (x *WorkloadAttrsSystemd) Reset() { + *x = WorkloadAttrsSystemd{} + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WorkloadAttrsSystemd) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WorkloadAttrsSystemd) ProtoMessage() {} + +func (x *WorkloadAttrsSystemd) ProtoReflect() protoreflect.Message { + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WorkloadAttrsSystemd.ProtoReflect.Descriptor instead. +func (*WorkloadAttrsSystemd) Descriptor() ([]byte, []int) { + return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{7} +} + +func (x *WorkloadAttrsSystemd) GetAttested() bool { + if x != nil { + return x.Attested + } + return false +} + +func (x *WorkloadAttrsSystemd) GetService() string { + if x != nil { + return x.Service + } + return "" +} + // The attributes provided by `tbot` regarding the workload's attestation. // This will be mostly unset if the workload has not requested credentials via // the SPIFFE Workload API. 
@@ -524,11 +580,13 @@ type WorkloadAttrs struct { Podman *WorkloadAttrsPodman `protobuf:"bytes,3,opt,name=podman,proto3" json:"podman,omitempty"` // The Docker-specific attributes. Docker *WorkloadAttrsDocker `protobuf:"bytes,4,opt,name=docker,proto3" json:"docker,omitempty"` + // The Systemd-specific attributes. + Systemd *WorkloadAttrsSystemd `protobuf:"bytes,5,opt,name=systemd,proto3" json:"systemd,omitempty"` } func (x *WorkloadAttrs) Reset() { *x = WorkloadAttrs{} - mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[7] + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -540,7 +598,7 @@ func (x *WorkloadAttrs) String() string { func (*WorkloadAttrs) ProtoMessage() {} func (x *WorkloadAttrs) ProtoReflect() protoreflect.Message { - mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[7] + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -553,7 +611,7 @@ func (x *WorkloadAttrs) ProtoReflect() protoreflect.Message { // Deprecated: Use WorkloadAttrs.ProtoReflect.Descriptor instead. func (*WorkloadAttrs) Descriptor() ([]byte, []int) { - return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{7} + return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{8} } func (x *WorkloadAttrs) GetUnix() *WorkloadAttrsUnix { @@ -584,6 +642,13 @@ func (x *WorkloadAttrs) GetDocker() *WorkloadAttrsDocker { return nil } +func (x *WorkloadAttrs) GetSystemd() *WorkloadAttrsSystemd { + if x != nil { + return x.Systemd + } + return nil +} + // Attributes related to the user/bot making the request for a workload // identity. type UserAttrs struct { 
@@ -607,7 +672,7 @@ type UserAttrs struct { func (x *UserAttrs) Reset() { *x = UserAttrs{} - mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[8] + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -619,7 +684,7 @@ func (x *UserAttrs) String() string { func (*UserAttrs) ProtoMessage() {} func (x *UserAttrs) ProtoReflect() protoreflect.Message { - mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[8] + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[9] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -632,7 +697,7 @@ func (x *UserAttrs) ProtoReflect() protoreflect.Message { // Deprecated: Use UserAttrs.ProtoReflect.Descriptor instead. func (*UserAttrs) Descriptor() ([]byte, []int) { - return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{8} + return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{9} } func (x *UserAttrs) GetName() string { @@ -697,7 +762,7 @@ type Attrs struct { func (x *Attrs) Reset() { *x = Attrs{} - mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[9] + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -709,7 +774,7 @@ func (x *Attrs) String() string { func (*Attrs) ProtoMessage() {} func (x *Attrs) ProtoReflect() protoreflect.Message { - mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[9] + mi := &file_teleport_workloadidentity_v1_attrs_proto_msgTypes[10] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -722,7 +787,7 @@ func (x *Attrs) ProtoReflect() protoreflect.Message { // Deprecated: Use Attrs.ProtoReflect.Descriptor instead. func (*Attrs) Descriptor() ([]byte, []int) { - return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{9} + return file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP(), []int{10} } func (x *Attrs) GetWorkload() *WorkloadAttrs { 
@@ -849,66 +914,76 @@ var file_teleport_workloadidentity_v1_attrs_proto_rawDesc = []byte{ 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xc1, 0x02, 0x0a, 0x0d, 0x57, 0x6f, 0x72, 0x6b, - 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x43, 0x0a, 0x04, 0x75, 0x6e, 0x69, - 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, - 0x74, 0x74, 0x72, 0x73, 0x55, 0x6e, 0x69, 0x78, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x78, 0x12, 0x55, - 0x0a, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, - 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, - 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, - 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, - 0x6e, 0x65, 0x74, 0x65, 0x73, 0x12, 0x49, 0x0a, 0x06, 0x70, 0x6f, 0x64, 0x6d, 0x61, 0x6e, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, + 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x4c, 0x0a, 0x14, 0x57, 0x6f, 0x72, 0x6b, 0x6c, + 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x12, + 0x1a, 0x0a, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x08, 0x52, 0x08, 0x61, 0x74, 0x74, 0x65, 0x73, 
0x74, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x73, + 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x22, 0x8f, 0x03, 0x0a, 0x0d, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x43, 0x0a, 0x04, 0x75, 0x6e, 0x69, 0x78, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, - 0x72, 0x73, 0x50, 0x6f, 0x64, 0x6d, 0x61, 0x6e, 0x52, 0x06, 0x70, 0x6f, 0x64, 0x6d, 0x61, 0x6e, - 0x12, 0x49, 0x0a, 0x06, 0x64, 0x6f, 0x63, 0x6b, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, + 0x72, 0x73, 0x55, 0x6e, 0x69, 0x78, 0x52, 0x04, 0x75, 0x6e, 0x69, 0x78, 0x12, 0x55, 0x0a, 0x0a, + 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, - 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x44, 0x6f, 0x63, - 0x6b, 0x65, 0x72, 0x52, 0x06, 0x64, 0x6f, 0x63, 0x6b, 0x65, 0x72, 0x22, 0xb3, 0x02, 0x0a, 0x09, - 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x15, 0x0a, - 0x06, 0x69, 0x73, 0x5f, 0x62, 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x69, - 0x73, 0x42, 0x6f, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 
0x12, - 0x26, 0x0a, 0x0f, 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, - 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, - 0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x4b, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, - 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, - 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, - 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, - 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, - 0x62, 0x65, 0x6c, 0x73, 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x06, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, - 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, - 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x22, 0xca, 0x01, 0x0a, 0x05, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x47, 0x0a, 0x08, 0x77, - 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, - 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, - 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, - 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x52, 0x08, 0x77, 0x6f, 0x72, 0x6b, - 0x6c, 0x6f, 0x61, 0x64, 0x12, 0x3b, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x27, 0x2e, 
0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, - 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, - 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, 0x52, 0x04, 0x75, 0x73, 0x65, - 0x72, 0x12, 0x3b, 0x0a, 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, - 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, - 0x6f, 0x69, 0x6e, 0x41, 0x74, 0x74, 0x72, 0x73, 0x52, 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x42, 0x64, - 0x5a, 0x62, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, - 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, - 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, - 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, - 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x4b, 0x75, 0x62, + 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x0a, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, + 0x74, 0x65, 0x73, 0x12, 0x49, 0x0a, 0x06, 0x70, 0x6f, 0x64, 0x6d, 0x61, 0x6e, 0x18, 0x03, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, + 0x50, 0x6f, 0x64, 0x6d, 0x61, 0x6e, 0x52, 0x06, 0x70, 0x6f, 0x64, 0x6d, 0x61, 0x6e, 0x12, 
0x49, + 0x0a, 0x06, 0x64, 0x6f, 0x63, 0x6b, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, + 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x44, 0x6f, 0x63, 0x6b, 0x65, + 0x72, 0x52, 0x06, 0x64, 0x6f, 0x63, 0x6b, 0x65, 0x72, 0x12, 0x4c, 0x0a, 0x07, 0x73, 0x79, 0x73, + 0x74, 0x65, 0x6d, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, 0x65, 0x6c, + 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x52, 0x07, + 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x64, 0x22, 0xb3, 0x02, 0x0a, 0x09, 0x55, 0x73, 0x65, 0x72, + 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x15, 0x0a, 0x06, 0x69, 0x73, 0x5f, + 0x62, 0x6f, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x69, 0x73, 0x42, 0x6f, 0x74, + 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x62, + 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, + 0x65, 0x49, 0x64, 0x12, 0x4b, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x05, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, + 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x55, 0x73, 
0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x4c, 0x61, 0x62, + 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, + 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x61, 0x69, + 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, 0x72, 0x61, 0x69, + 0x74, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, + 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xca, 0x01, + 0x0a, 0x05, 0x41, 0x74, 0x74, 0x72, 0x73, 0x12, 0x47, 0x0a, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x6c, + 0x6f, 0x61, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, + 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, + 0x64, 0x41, 0x74, 0x74, 0x72, 0x73, 0x52, 0x08, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, + 0x12, 0x3b, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x73, + 0x65, 0x72, 0x41, 0x74, 0x74, 0x72, 0x73, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x3b, 0x0a, + 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 
0x4a, 0x6f, 0x69, 0x6e, 0x41, + 0x74, 0x74, 0x72, 0x73, 0x52, 0x04, 0x6a, 0x6f, 0x69, 0x6e, 0x42, 0x64, 0x5a, 0x62, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, + 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, + 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, + 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -923,7 +998,7 @@ func file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP() []byte { return file_teleport_workloadidentity_v1_attrs_proto_rawDescData } -var file_teleport_workloadidentity_v1_attrs_proto_msgTypes = make([]protoimpl.MessageInfo, 15) +var file_teleport_workloadidentity_v1_attrs_proto_msgTypes = make([]protoimpl.MessageInfo, 16) var file_teleport_workloadidentity_v1_attrs_proto_goTypes = []any{ (*WorkloadAttrsKubernetes)(nil), // 0: teleport.workloadidentity.v1.WorkloadAttrsKubernetes (*WorkloadAttrsUnix)(nil), // 1: teleport.workloadidentity.v1.WorkloadAttrsUnix 
@@ -932,39 +1007,41 @@ var file_teleport_workloadidentity_v1_attrs_proto_goTypes = []any{ (*WorkloadAttrsPodmanPod)(nil), // 4: teleport.workloadidentity.v1.WorkloadAttrsPodmanPod (*WorkloadAttrsDocker)(nil), // 5: teleport.workloadidentity.v1.WorkloadAttrsDocker (*WorkloadAttrsDockerContainer)(nil), // 6: teleport.workloadidentity.v1.WorkloadAttrsDockerContainer - (*WorkloadAttrs)(nil), // 7: teleport.workloadidentity.v1.WorkloadAttrs - (*UserAttrs)(nil), // 8: teleport.workloadidentity.v1.UserAttrs - (*Attrs)(nil), // 9: teleport.workloadidentity.v1.Attrs - nil, // 10: teleport.workloadidentity.v1.WorkloadAttrsKubernetes.LabelsEntry - nil, // 11: teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer.LabelsEntry - nil, // 12: teleport.workloadidentity.v1.WorkloadAttrsPodmanPod.LabelsEntry - nil, // 13: teleport.workloadidentity.v1.WorkloadAttrsDockerContainer.LabelsEntry - nil, // 14: teleport.workloadidentity.v1.UserAttrs.LabelsEntry - (*v1.Trait)(nil), // 15: teleport.trait.v1.Trait - (*JoinAttrs)(nil), // 16: teleport.workloadidentity.v1.JoinAttrs + (*WorkloadAttrsSystemd)(nil), // 7: teleport.workloadidentity.v1.WorkloadAttrsSystemd + (*WorkloadAttrs)(nil), // 8: teleport.workloadidentity.v1.WorkloadAttrs + (*UserAttrs)(nil), // 9: teleport.workloadidentity.v1.UserAttrs + (*Attrs)(nil), // 10: teleport.workloadidentity.v1.Attrs + nil, // 11: teleport.workloadidentity.v1.WorkloadAttrsKubernetes.LabelsEntry + nil, // 12: teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer.LabelsEntry + nil, // 13: teleport.workloadidentity.v1.WorkloadAttrsPodmanPod.LabelsEntry + nil, // 14: teleport.workloadidentity.v1.WorkloadAttrsDockerContainer.LabelsEntry + nil, // 15: teleport.workloadidentity.v1.UserAttrs.LabelsEntry + (*v1.Trait)(nil), // 16: teleport.trait.v1.Trait + (*JoinAttrs)(nil), // 17: teleport.workloadidentity.v1.JoinAttrs } var file_teleport_workloadidentity_v1_attrs_proto_depIdxs = []int32{ - 10, // 0: 
teleport.workloadidentity.v1.WorkloadAttrsKubernetes.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsKubernetes.LabelsEntry + 11, // 0: teleport.workloadidentity.v1.WorkloadAttrsKubernetes.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsKubernetes.LabelsEntry 3, // 1: teleport.workloadidentity.v1.WorkloadAttrsPodman.container:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer 4, // 2: teleport.workloadidentity.v1.WorkloadAttrsPodman.pod:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodmanPod - 11, // 3: teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer.LabelsEntry - 12, // 4: teleport.workloadidentity.v1.WorkloadAttrsPodmanPod.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodmanPod.LabelsEntry + 12, // 3: teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodmanContainer.LabelsEntry + 13, // 4: teleport.workloadidentity.v1.WorkloadAttrsPodmanPod.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodmanPod.LabelsEntry 6, // 5: teleport.workloadidentity.v1.WorkloadAttrsDocker.container:type_name -> teleport.workloadidentity.v1.WorkloadAttrsDockerContainer - 13, // 6: teleport.workloadidentity.v1.WorkloadAttrsDockerContainer.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsDockerContainer.LabelsEntry + 14, // 6: teleport.workloadidentity.v1.WorkloadAttrsDockerContainer.labels:type_name -> teleport.workloadidentity.v1.WorkloadAttrsDockerContainer.LabelsEntry 1, // 7: teleport.workloadidentity.v1.WorkloadAttrs.unix:type_name -> teleport.workloadidentity.v1.WorkloadAttrsUnix 0, // 8: teleport.workloadidentity.v1.WorkloadAttrs.kubernetes:type_name -> teleport.workloadidentity.v1.WorkloadAttrsKubernetes 2, // 9: teleport.workloadidentity.v1.WorkloadAttrs.podman:type_name -> teleport.workloadidentity.v1.WorkloadAttrsPodman 5, 
// 10: teleport.workloadidentity.v1.WorkloadAttrs.docker:type_name -> teleport.workloadidentity.v1.WorkloadAttrsDocker - 14, // 11: teleport.workloadidentity.v1.UserAttrs.labels:type_name -> teleport.workloadidentity.v1.UserAttrs.LabelsEntry - 15, // 12: teleport.workloadidentity.v1.UserAttrs.traits:type_name -> teleport.trait.v1.Trait - 7, // 13: teleport.workloadidentity.v1.Attrs.workload:type_name -> teleport.workloadidentity.v1.WorkloadAttrs - 8, // 14: teleport.workloadidentity.v1.Attrs.user:type_name -> teleport.workloadidentity.v1.UserAttrs - 16, // 15: teleport.workloadidentity.v1.Attrs.join:type_name -> teleport.workloadidentity.v1.JoinAttrs - 16, // [16:16] is the sub-list for method output_type - 16, // [16:16] is the sub-list for method input_type - 16, // [16:16] is the sub-list for extension type_name - 16, // [16:16] is the sub-list for extension extendee - 0, // [0:16] is the sub-list for field type_name + 7, // 11: teleport.workloadidentity.v1.WorkloadAttrs.systemd:type_name -> teleport.workloadidentity.v1.WorkloadAttrsSystemd + 15, // 12: teleport.workloadidentity.v1.UserAttrs.labels:type_name -> teleport.workloadidentity.v1.UserAttrs.LabelsEntry + 16, // 13: teleport.workloadidentity.v1.UserAttrs.traits:type_name -> teleport.trait.v1.Trait + 8, // 14: teleport.workloadidentity.v1.Attrs.workload:type_name -> teleport.workloadidentity.v1.WorkloadAttrs + 9, // 15: teleport.workloadidentity.v1.Attrs.user:type_name -> teleport.workloadidentity.v1.UserAttrs + 17, // 16: teleport.workloadidentity.v1.Attrs.join:type_name -> teleport.workloadidentity.v1.JoinAttrs + 17, // [17:17] is the sub-list for method output_type + 17, // [17:17] is the sub-list for method input_type + 17, // [17:17] is the sub-list for extension type_name + 17, // [17:17] is the sub-list for extension extendee + 0, // [0:17] is the sub-list for field type_name } func init() { file_teleport_workloadidentity_v1_attrs_proto_init() } 
@@ -980,7 +1057,7 @@ func file_teleport_workloadidentity_v1_attrs_proto_init() {
 GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 RawDescriptor: file_teleport_workloadidentity_v1_attrs_proto_rawDesc,
 NumEnums: 0,
- NumMessages: 15,
+ NumMessages: 16,
 NumExtensions: 0,
 NumServices: 0,
 },
diff --git a/api/proto/teleport/workloadidentity/v1/attrs.proto b/api/proto/teleport/workloadidentity/v1/attrs.proto
index 70dab943cae94..4635ed23cd903 100644
--- a/api/proto/teleport/workloadidentity/v1/attrs.proto
+++ b/api/proto/teleport/workloadidentity/v1/attrs.proto
@@ -95,6 +95,14 @@ message WorkloadAttrsDockerContainer {
 map labels = 3;
 }
 
+// Attributes sourced from the Systemd workload attestor.
+message WorkloadAttrsSystemd {
+ // Whether the workload passed Systemd attestation.
+ bool attested = 1;
+ // The systemd service name.
+ string service = 2;
+}
+
 // The attributes provided by `tbot` regarding the workload's attestation.
 // This will be mostly unset if the workload has not requested credentials via
 // the SPIFFE Workload API.
@@ -107,6 +115,8 @@ message WorkloadAttrs {
 WorkloadAttrsPodman podman = 3;
 // The Docker-specific attributes.
 WorkloadAttrsDocker docker = 4;
+ // The Systemd-specific attributes.
+ WorkloadAttrsSystemd systemd = 5;
 }
 
 // Attributes related to the user/bot making the request for a workload
diff --git a/go.mod b/go.mod
index f91b2d360a910..0054c59ed0a1e 100644
--- a/go.mod
+++ b/go.mod
@@ -84,7 +84,8 @@ require (
 github.com/coreos/go-oidc v2.2.1+incompatible // replaced
 github.com/coreos/go-oidc/v3 v3.11.0
 github.com/coreos/go-semver v0.3.1
- github.com/creack/pty v1.1.23
+ github.com/coreos/go-systemd/v22 v22.5.0
+ github.com/creack/pty v1.1.24
 github.com/crewjam/saml v0.4.14
 github.com/datastax/go-cassandra-native-protocol v0.0.0-20220706104457-5e8aad05cf90
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352
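Review bot: The comment on `string service = 2;` in the new WorkloadAttrsSystemd message does not say which identifier the field carries (a full unit name with its `.service` suffix, or a bare name) or what it holds when `attested` is false, and since these attributes are presumably what workload-identity rules and templates match against, that ambiguity matters more here than for an ordinary data field. If the attestor sets it only on successful attestation and uses the unit name, the comment could read `// The systemd unit name of the attested workload; empty unless attested is true.`; the attestor implementation is not in this diff, so confirm the actual behaviour before wording it. The same wording question applies to the `systemd = 5` field comment in the second hunk, which could point readers at `attested` as the gate for the nested values.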
@@ -310,8 +311,7 @@ require (
 github.com/containerd/errdefs v0.3.0 // indirect
 github.com/containerd/log v0.1.0 // indirect
 github.com/containerd/platforms v0.2.1 // indirect
- github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
- github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+ github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
 github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf // indirect
 github.com/crewjam/httperr v0.2.0 // indirect
 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
@@ -372,6 +372,7 @@ require (
 github.com/gobwas/pool v0.2.1 // indirect
 github.com/goccy/go-json v0.10.3 // indirect
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
+ github.com/godbus/dbus/v5 v5.1.0 // indirect
 github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 github.com/golang-sql/sqlexp v0.1.0 // indirect
@@ -424,7 +425,7 @@ require (
 github.com/josharian/native v1.1.0 // indirect
 github.com/joshlf/testutil v0.0.0-20170608050642-b5d8aa79d93d // indirect
 github.com/kelseyhightower/envconfig v1.4.0 // indirect
- github.com/klauspost/compress v1.17.9 // indirect
+ github.com/klauspost/compress v1.17.11 // indirect
 github.com/klauspost/cpuid/v2 v2.2.8 // indirect
 github.com/kr/fs v0.1.0 // indirect
 github.com/kr/pretty v0.3.1 // indirect
@@ -522,7 +523,7 @@ require (
 github.com/tklauser/go-sysconf v0.3.12 // indirect
 github.com/tklauser/numcpus v0.6.1 // indirect
 github.com/transparency-dev/merkle v0.0.2 // indirect
- github.com/vbatts/tar-split v0.11.5 // indirect
+ github.com/vbatts/tar-split v0.11.6 // indirect
 github.com/weppos/publicsuffix-go v0.30.3-0.20240510084413-5f1d03393b3d // indirect
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xdg-go/pbkdf2 v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 9703091e6ee10..ec52804aa2550 100644
--- a/go.sum
+++ b/go.sum
@@ -1073,8 +1073,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
 github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
@@ -1089,8 +1089,8 @@ github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf/go.mod h1:E3G3o1h8I7cfc
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
-github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc=
@@ -1751,8 +1751,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
 github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
 github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
@@ -2214,8 +2214,8 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
 github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb h1:Ywfo8sUltxogBpFuMOFRrrSifO788kAFxmvVw31PtQQ=
 github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb/go.mod h1:ikPs9bRWicNw3S7XpJ8sK/smGwU9WcSVU3dy9qahYBM=
-github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
-github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
+github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
+github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
 github.com/weppos/publicsuffix-go v0.13.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
 github.com/weppos/publicsuffix-go v0.30.2-0.20230730094716-a20f9abcc222/go.mod h1:s41lQh6dIsDWIC1OWh7ChWJXLH0zkJ9KHZVqA7vHyuQ=
 github.com/weppos/publicsuffix-go v0.30.3-0.20240510084413-5f1d03393b3d h1:q80YKUcDWRNvvQcziH63e3ammTWARwrhohBCunHaYAg=
diff --git a/integrations/event-handler/go.mod b/integrations/event-handler/go.mod
index 40eaea25aca7b..bb615006da023 100644
--- a/integrations/event-handler/go.mod
+++ b/integrations/event-handler/go.mod
@@ -202,7 +202,7 @@ require (
 	github.com/julienschmidt/httprouter v1.3.0 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/keys-pub/go-libfido2 v1.5.3-0.20220306005615-8ab03fb1ec27 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum
index 22c7e03a2b971..64942c5875a7a 100644
--- a/integrations/event-handler/go.sum
+++ b/integrations/event-handler/go.sum
@@ -248,8 +248,8 @@ github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf h1:GOPo6vn/vTN+3IwZBvXX
 github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
-github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
@@ -562,8 +562,8 @@ github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dv
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
diff --git a/integrations/terraform/go.mod b/integrations/terraform/go.mod
index 3b34d78f0b352..16ddc22cff3e1 100644
--- a/integrations/terraform/go.mod
+++ b/integrations/terraform/go.mod
@@ -129,6 +129,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/coreos/go-oidc/v3 v3.11.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/crewjam/saml v0.4.14 // indirect
@@ -177,6 +178,7 @@ require (
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.4.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
@@ -245,7 +247,7 @@ require (
 	github.com/julienschmidt/httprouter v1.3.0 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/keys-pub/go-libfido2 v1.5.3-0.20220306005615-8ab03fb1ec27 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum
index de1a27f8460f0..956982953854d 100644
--- a/integrations/terraform/go.sum
+++ b/integrations/terraform/go.sum
@@ -364,8 +364,8 @@ github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf h1:GOPo6vn/vTN+3IwZBvXX
 github.com/coreos/pkg v0.0.0-20220810130054-c7d1c02cb6cf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
-github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo=
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
@@ -531,6 +531,9 @@ github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
 github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gocql/gocql v1.7.0 h1:O+7U7/1gSN7QTEAaMEsJc1Oq2QHXvCWoF3DFK9HDHus=
 github.com/gocql/gocql v1.7.0/go.mod h1:vnlvXyFZeLBF0Wy+RS8hrOdbn0UWsWtdg07XJnFxZ+4=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
@@ -866,8 +869,8 @@ github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.11.2/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= -github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8= github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= diff --git a/lib/tbot/config/testdata/TestBotConfig_YAML/standard_config.golden b/lib/tbot/config/testdata/TestBotConfig_YAML/standard_config.golden index 2e20bfa9c9385..4c7d1df84baec 100644 --- a/lib/tbot/config/testdata/TestBotConfig_YAML/standard_config.golden +++ b/lib/tbot/config/testdata/TestBotConfig_YAML/standard_config.golden @@ -48,6 +48,8 @@ services: enabled: false docker: enabled: false + systemd: + enabled: false credential_ttl: 30s renewal_interval: 15s - type: example @@ -84,6 +86,8 @@ services: enabled: false docker: enabled: false + systemd: + enabled: false selector: name: my-workload-identity credential_ttl: 30s diff --git a/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/full.golden b/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/full.golden index ed2d61a725937..1d26f24f5b50c 100644 --- a/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/full.golden +++ b/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/full.golden 
@@ -34,6 +34,8 @@ attestors: enabled: false docker: enabled: false + systemd: + enabled: false jwt_svid_ttl: 5m0s credential_ttl: 1m0s renewal_interval: 30s diff --git a/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/minimal.golden b/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/minimal.golden index f75c725912e2f..053f664554039 100644 --- a/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/minimal.golden +++ b/lib/tbot/config/testdata/TestSPIFFEWorkloadAPIService_YAML/minimal.golden @@ -9,3 +9,5 @@ attestors: enabled: false docker: enabled: false + systemd: + enabled: false diff --git a/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/full.golden b/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/full.golden index dc7209304521f..19a51383c5ff5 100644 --- a/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/full.golden +++ b/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/full.golden @@ -13,6 +13,8 @@ attestors: enabled: false docker: enabled: false + systemd: + enabled: false selector: name: my-workload-identity credential_ttl: 1m0s diff --git a/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/minimal.golden b/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/minimal.golden index 333a6467de11e..1e456b4fb2729 100644 --- a/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/minimal.golden +++ b/lib/tbot/config/testdata/TestWorkloadIdentityAPIService_YAML/minimal.golden @@ -7,5 +7,7 @@ attestors: enabled: false docker: enabled: false + systemd: + enabled: false selector: name: my-workload-identity diff --git a/lib/tbot/workloadidentity/workloadattest/attest.go b/lib/tbot/workloadidentity/workloadattest/attest.go index a1899d895030f..32c994841d39a 100644 --- a/lib/tbot/workloadidentity/workloadattest/attest.go +++ b/lib/tbot/workloadidentity/workloadattest/attest.go 
@@ -38,6 +38,7 @@ type Attestor struct {
 	kubernetes attestor[*workloadidentityv1pb.WorkloadAttrsKubernetes]
 	podman attestor[*workloadidentityv1pb.WorkloadAttrsPodman]
 	docker attestor[*workloadidentityv1pb.WorkloadAttrsDocker]
+	systemd attestor[*workloadidentityv1pb.WorkloadAttrsSystemd]
 	unix attestor[*workloadidentityv1pb.WorkloadAttrsUnix]
 }
 
@@ -46,6 +47,7 @@ type Config struct {
 	Kubernetes KubernetesAttestorConfig `yaml:"kubernetes"`
 	Podman PodmanAttestorConfig `yaml:"podman"`
 	Docker DockerAttestorConfig `yaml:"docker"`
+	Systemd SystemdAttestorConfig `yaml:"systemd"`
 }
 
 func (c *Config) CheckAndSetDefaults() error {
@@ -76,6 +78,9 @@ func NewAttestor(log *slog.Logger, cfg Config) (*Attestor, error) {
 	if cfg.Docker.Enabled {
 		att.docker = NewDockerAttestor(cfg.Docker, log)
 	}
+	if cfg.Systemd.Enabled {
+		att.systemd = NewSystemdAttestor(cfg.Systemd, log)
+	}
 	return att, nil
 }
 
@@ -112,6 +117,12 @@ func (a *Attestor) Attest(ctx context.Context, pid int) (*workloadidentityv1pb.W
 			a.log.WarnContext(ctx, "Failed to perform Docker workload attestation", "error", err)
 		}
 	}
+	if a.systemd != nil {
+		attrs.Systemd, err = a.systemd.Attest(ctx, pid)
+		if err != nil {
+			a.log.WarnContext(ctx, "Failed to perform Systemd workload attestation", "error", err)
+		}
+	}
 	return attrs, nil
 }
 
diff --git a/lib/tbot/workloadidentity/workloadattest/systemd.go b/lib/tbot/workloadidentity/workloadattest/systemd.go
new file mode 100644
index 0000000000000..c7920145a3fc5
--- /dev/null
+++ b/lib/tbot/workloadidentity/workloadattest/systemd.go
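Review bot: The second hunk adds `Systemd SystemdAttestorConfig` to `Config`, but `CheckAndSetDefaults` — whose signature is that hunk's trailing context and whose body lies outside the diff — is not touched by the commit, so it is not visible whether the new section gets any validation; if the sibling attestor configs are validated there, the systemd one should be as well, and if none are, a one-line comment on the field saying it carries no defaults would save the next reader the check. In the fourth hunk, `attrs.Systemd, err = a.systemd.Attest(ctx, pid)` stores the attestor's return value even when `err != nil`, which relies on every implementation returning a nil message alongside the error (the Linux one in this commit does). That matches the Docker branch directly above it, so it is consistent, but the convention is worth stating in the doc comment of `Attest`, whose start lies outside the hunk.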
@@ -0,0 +1,25 @@
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package workloadattest
+
+// SystemdAttestorConfig holds the configuration for the Systemd workload attestor.
+type SystemdAttestorConfig struct {
+	// Enabled determines whether Systemd workload attestation will be performed.
+	Enabled bool `yaml:"enabled"`
+}
diff --git a/lib/tbot/workloadidentity/workloadattest/systemd_linux.go b/lib/tbot/workloadidentity/workloadattest/systemd_linux.go
new file mode 100644
index 0000000000000..5b351313ae316
--- /dev/null
+++ b/lib/tbot/workloadidentity/workloadattest/systemd_linux.go
@@ -0,0 +1,85 @@
+//go:build linux
+
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package workloadattest
+
+import (
+	"context"
+	"log/slog"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-systemd/v22/dbus"
+	"github.com/gravitational/trace"
+
+	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
+)
+
+// SystemdAttestor attests the identity of a Systemd service.
+type SystemdAttestor struct {
+	log *slog.Logger
+	dbusDialer func(context.Context) (dbusConn, error)
+}
+
+// NewSystemdAttestor creates a SystemdAttestor with the given configuration.
+func NewSystemdAttestor(_ SystemdAttestorConfig, log *slog.Logger) *SystemdAttestor {
+	return &SystemdAttestor{
+		log: log,
+		dbusDialer: func(ctx context.Context) (dbusConn, error) {
+			return dbus.NewWithContext(ctx)
+		},
+	}
+}
+
+// Attest the identity of the given systemd workload.
+func (a *SystemdAttestor) Attest(ctx context.Context, pid int) (*workloadidentityv1pb.WorkloadAttrsSystemd, error) {
+	a.log.DebugContext(ctx, "Starting Systemd workload attestation", "pid", pid)
+
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	conn, err := a.dbusDialer(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err, "creating dbus connection")
+	}
+	defer conn.Close()
+
+	unit, err := conn.GetUnitNameByPID(ctx, uint32(pid))
+	if err != nil {
+		return nil, trace.Wrap(err, "getting unit name")
+	}
+
+	service, isService := strings.CutSuffix(unit, ".service")
+	if !isService {
+		return nil, trace.Errorf("unit %q is not a service", unit)
+	}
+
+	return &workloadidentityv1pb.WorkloadAttrsSystemd{
+		Attested: true,
+		Service: service,
+	}, nil
+}
+
+type dbusConn interface {
+	GetUnitNameByPID(context.Context, uint32) (string, error)
+	Close()
+}
+
+var _ dbusConn = (*dbus.Conn)(nil)
diff --git a/lib/tbot/workloadidentity/workloadattest/systemd_linux_test.go b/lib/tbot/workloadidentity/workloadattest/systemd_linux_test.go
new file mode 100644
index 0000000000000..e2ec800006d17
--- /dev/null
+++ b/lib/tbot/workloadidentity/workloadattest/systemd_linux_test.go
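Review bot: `conn.GetUnitNameByPID(ctx, uint32(pid))` converts the `int` pid without checking its sign, so a zero or negative value wraps to a large uint32 and is sent to systemd after a D-Bus connection has already been dialled; a guard at the top of `Attest`, `if pid <= 0 { return nil, trace.BadParameter("invalid pid %d", pid) }`, fails fast and skips the round trip. The `30*time.Second` literal passed to `context.WithTimeout` would read better as a named constant such as `const systemdAttestTimeout = 30 * time.Second`, since it is the only tunable in the attestor. `Attest` never returns a message with `Attested: false` — a non-service unit and every lookup failure come back as a nil message plus an error, and the caller in attest.go stores that nil — which is worth stating in the method's doc comment, because the generated `Attested` field suggests otherwise. Finally, the unit lookup is a point-in-time query keyed on a pid supplied by the caller, so as with the other pid-based attestors the result is only as reliable as the caller's pid; a short comment recording that assumption would help whoever reviews the attestors as a group.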
@@ -0,0 +1,82 @@
+//go:build linux
+
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package workloadattest
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/testing/protocmp"
+
+	workloadidentityv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
+	"github.com/gravitational/teleport/lib/utils"
+)
+
+func TestSystemdAttestor_Success(t *testing.T) {
+	attestor := NewSystemdAttestor(
+		SystemdAttestorConfig{
+			Enabled: true,
+		},
+		utils.NewSlogLoggerForTests(),
+	)
+
+	attestor.dbusDialer = func(context.Context) (dbusConn, error) {
+		return testDbusConn{unit: "foo.service"}, nil
+	}
+
+	attrs, err := attestor.Attest(context.Background(), 1)
+	require.NoError(t, err)
+
+	expected := &workloadidentityv1.WorkloadAttrsSystemd{
+		Attested: true,
+		Service: "foo",
+	}
+	require.Empty(t, cmp.Diff(expected, attrs, protocmp.Transform()))
+}
+
+func TestSystemdAttestor_NonService(t *testing.T) {
+	attestor := NewSystemdAttestor(
+		SystemdAttestorConfig{
+			Enabled: true,
+		},
+		utils.NewSlogLoggerForTests(),
+	)
+
+	attestor.dbusDialer = func(context.Context) (dbusConn, error) {
+		return testDbusConn{unit: "user.scope"}, nil
+	}
+
+	_, err := attestor.Attest(context.Background(), 1)
+	require.ErrorContains(t, err, "not a service")
+}
+
+type testDbusConn struct {
+	unit string
+	err error
+}
+
+func (testDbusConn) Close() {}
+
+func (t testDbusConn) GetUnitNameByPID(context.Context, uint32) (string, error) {
+	return t.unit, t.err
+}
diff --git a/lib/tbot/workloadidentity/workloadattest/systemd_other.go b/lib/tbot/workloadidentity/workloadattest/systemd_other.go
new file mode 100644
index 0000000000000..0e5734e741989
--- /dev/null
+++ b/lib/tbot/workloadidentity/workloadattest/systemd_other.go
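Review bot: `testDbusConn` carries an `err` field, but neither test sets it, so the two failure branches of `Attest` — the `"creating dbus connection"` wrap when the dialer fails and the `"getting unit name"` wrap when the lookup fails — are not exercised; a third case driving `err` through the fake covers the second, and the first only needs the dialer itself to return an error. The receiver name `t` in `func (t testDbusConn) GetUnitNameByPID` reads as a `*testing.T` inside a test file; `c` would be clearer. The sketch below needs `errors` added to the import block.
```go
func TestSystemdAttestor_LookupError(t *testing.T) {
	attestor := NewSystemdAttestor(
		SystemdAttestorConfig{
			Enabled: true,
		},
		utils.NewSlogLoggerForTests(),
	)

	attestor.dbusDialer = func(context.Context) (dbusConn, error) {
		return testDbusConn{err: errors.New("constructed: lookup failed")}, nil
	}

	_, err := attestor.Attest(context.Background(), 1)
	require.ErrorContains(t, err, "getting unit name")
}
```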
@@ -0,0 +1,43 @@
+//go:build !linux
+
+/*
+ * Teleport
+ * Copyright (C) 2025 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package workloadattest
+
+import (
+	"context"
+	"log/slog"
+
+	"github.com/gravitational/trace"
+
+	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
+)
+
+// UnsupportedSystemdAttestor is the non-linux stub for SystemdAttestor.
+type UnsupportedSystemdAttestor struct{}
+
+// NewSystemdAttestor creates a new SystemdAttestor with the given configuration.
+func NewSystemdAttestor(_ SystemdAttestorConfig, _ *slog.Logger) *UnsupportedSystemdAttestor {
+	return &UnsupportedSystemdAttestor{}
+}
+
+// Attest the identity of the given systemd workload.
+func (a *UnsupportedSystemdAttestor) Attest(_ context.Context, _ int) (*workloadidentityv1pb.WorkloadAttrsSystemd, error) {
+	return nil, trace.NotImplemented("systemd attestation is only supported on linux")
+}
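Review bot: The doc comment `// NewSystemdAttestor creates a new SystemdAttestor with the given configuration.` is inaccurate for this build, which returns an `*UnsupportedSystemdAttestor` whose every call fails; say so, e.g. `// NewSystemdAttestor returns a stub whose Attest always fails with NotImplemented; systemd attestation is only available on linux.` Because `NewAttestor` in attest.go still constructs this stub whenever `cfg.Systemd.Enabled` is set, a non-linux tbot with systemd enabled will log the `"Failed to perform Systemd workload attestation"` warning on every attestation rather than once. The discarded `*slog.Logger` parameter could emit a single warning at construction, `log.Warn("Systemd workload attestation is not supported on this platform")`, or the enabled flag could be rejected during config validation, which is not visible in this diff.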