Adding resource backend for scoped join tokens

api/proto/teleport/scopes/joining/v1/service.proto

@@ -53,17 +53,23 @@ message GetScopedTokenResponse {
 
 // ListScopedTokensRequest is the request to list scoped tokens.
 message ListScopedTokensRequest {
-  // ResourceScope filters tokens by their resource scope if specified.
+  // Filter tokens by their resource scope.
   teleport.scopes.v1.Filter resource_scope = 1;
 
-  // AssignedScope filters tokens by their assigned scope if specified.
+  // Filter tokens by their assigned scope.
   teleport.scopes.v1.Filter assigned_scope = 2;
 
-  // Cursor is the pagination cursor.
+  // The pagination cursor.
   string cursor = 3;
 
-  // Limit is the maximum number of results to return.
+  // The maximum number of results to return.
   uint32 limit = 4;
+
+  // Filter tokens that apply at least one of the provided roles.
+  repeated string roles = 5;
+
+  // Filter tokens that match all provided labels.
+  map<string, string> labels = 6;
 }
 
 // ListScopedTokensResponse is the response to list scoped tokens.

api/proto/teleport/scopes/joining/v1/token.proto

@@ -46,8 +46,15 @@ message ScopedToken {
 
 // ScopedTokenSpec is the specification of a scoped token.
 message ScopedTokenSpec {
-  // AssignedScope is the scope to which this token is assigned.
+  // The scope to which this token is assigned.
   string assigned_scope = 1;
 
-  // TODO(fspmarshall): port relevant token features to scoped tokens.
+  // The list of roles associated with the token. They will be converted
+  // to metadata in the SSH and X509 certificates issued to the user of the
+  // token.
+  repeated string roles = 2;
+
+  // The joining method required in order to use this token.
+  // Supported joining methods for scoped tokens only include 'token'.
+  string join_method = 3;
 }

api/types/constants.go

@@ -286,6 +286,9 @@ const (
 	// KindToken is a provisioning token resource
 	KindToken = "token"
 
+	// KindScopedToken is a provisioning token resource
+	KindScopedToken = "scoped_token"
+
 	// KindCertAuthority is a certificate authority resource
 	KindCertAuthority = "cert_authority"
 

lib/auth/auth.go

@@ -569,6 +569,13 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (as *Server, err error) {
 		}
 	}
 
+	if cfg.ScopedTokenService == nil {
+		cfg.ScopedTokenService, err = local.NewScopedTokenService(cfg.Backend)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
+
 	scopedAccessCache, err := scopedaccesscache.NewCache(scopedaccesscache.CacheConfig{
 		Events: cfg.Events,
 		Reader: cfg.ScopedAccess,
@@ -635,6 +642,7 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (as *Server, err error) {
 		RecordingEncryptionManager:      cfg.RecordingEncryption,
 		MultipartHandler:                cfg.MultipartHandler,
 		Summarizer:                      cfg.Summarizer,
+		ScopedTokenService:              cfg.ScopedTokenService,
 	}
 
 	as = &Server{
@@ -903,6 +911,7 @@ type Services struct {
 	RecordingEncryptionManager
 	events.MultipartHandler
 	services.Summarizer
+	services.ScopedTokenService
 }
 
 // GetWebSession returns existing web session described by req.

lib/auth/grpcserver.go

@@ -5812,6 +5812,8 @@ func NewGRPCServer(cfg GRPCServerConfig) (*GRPCServer, error) {
 
 	scopedJoining, err := scopedjoining.New(scopedjoining.Config{
 		Authorizer: cfg.Authorizer,
+		Backend:    cfg.AuthServer,
+		Logger:     logger,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err, "creating scoped provisioning service")

lib/auth/init.go

@@ -413,6 +413,9 @@ type InitConfig struct {
 	// It allows for late initialization of the summarizer in the enterprise
 	// plugin. The summarizer itself summarizes session recordings.
 	SessionSummarizerProvider *summarizer.SessionSummarizerProvider
+
+	// ScopedTokenService is a service that manages scoped join token resources.
+	ScopedTokenService services.ScopedTokenService
 }
 
 // Init instantiates and configures an instance of AuthServer