From d922958b60fed2f30d521e5d50d251084054137d Mon Sep 17 00:00:00 2001
From: Jakub Nyckowski
Date: Wed, 31 Jul 2024 00:10:41 -0400
Subject: [PATCH] Add Query field to CrownJewel specifications

Introduced a Query field to the CrownJewelSpec to facilitate Access Graph queries. Updated corresponding protobuf definitions, validation logic, and tests to support the new field.
---
 .../teleport/crownjewel/v1/crownjewel.pb.go | 72 +++++++++++--------
 .../teleport/crownjewel/v1/crownjewel.proto | 4 ++
 lib/auth/crownjewel/object.go | 2 +-
 lib/auth/crownjewel/object_test.go | 12 ++++
 lib/services/crown_jewels_test.go | 2 +
 5 files changed, 61 insertions(+), 31 deletions(-)

diff --git a/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go b/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go
index a5ed1ffa34534..6ddfa5028e2d7 100644
--- a/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go
+++ b/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go
@@ -132,9 +132,13 @@ type CrownJewelSpec struct {
 unknownFields protoimpl.UnknownFields

 // TeleportMatchers is a list of teleport matchers.
+ // DEPRECATED: Use query instead.
 TeleportMatchers []*TeleportMatcher `protobuf:"bytes,1,rep,name=teleport_matchers,json=teleportMatchers,proto3" json:"teleport_matchers,omitempty"`
 // AWSMatchers is a list of AWS matchers.
+ // DEPRECATED: Use query instead.
 AwsMatchers []*AWSMatcher `protobuf:"bytes,2,rep,name=aws_matchers,json=awsMatchers,proto3" json:"aws_matchers,omitempty"`
+ // Query is a Access Graph query to match resources.
+ Query string `protobuf:"bytes,3,opt,name=query,proto3" json:"query,omitempty"`
 }

 func (x *CrownJewelSpec) Reset() {
@@ -183,6 +187,13 @@ func (x *CrownJewelSpec) GetAwsMatchers() []*AWSMatcher {
 return nil
 }

+func (x *CrownJewelSpec) GetQuery() string {
+ if x != nil {
+ return x.Query
+ }
+ return ""
+}
+
 // TeleportMatcher represents a matcher for Teleport resources.
 type TeleportMatcher struct {
 state protoimpl.MessageState
@@ -415,7 +426,7 @@ var file_teleport_crownjewel_v1_crownjewel_proto_rawDesc = []byte{ 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x6f, 0x77, 0x6e, 0x4a, 0x65, 0x77, 0x65, 0x6c, 0x53, 0x70, 0x65, 0x63, 0x52, 0x04, 0x73, 0x70, 0x65, - 0x63, 0x22, 0xad, 0x01, 0x0a, 0x0e, 0x43, 0x72, 0x6f, 0x77, 0x6e, 0x4a, 0x65, 0x77, 0x65, 0x6c, + 0x63, 0x22, 0xc3, 0x01, 0x0a, 0x0e, 0x43, 0x72, 0x6f, 0x77, 0x6e, 0x4a, 0x65, 0x77, 0x65, 0x6c, 0x53, 0x70, 0x65, 0x63, 0x12, 0x54, 0x0a, 0x11, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x72, 0x6f, 0x77, 0x6e, 
@@ -426,35 +437,36 @@ var file_teleport_crownjewel_v1_crownjewel_proto_rawDesc = []byte{ 0x32, 0x22, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x57, 0x53, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x52, 0x0b, 0x61, 0x77, 0x73, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, - 0x73, 0x22, 0x7b, 0x0a, 0x0f, 0x54, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x4d, 0x61, 0x74, - 0x63, 0x68, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x6b, 0x69, 0x6e, 0x64, 0x73, 0x18, 0x02, 0x20, - 0x03, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x69, 0x6e, 0x64, 0x73, 0x12, 0x30, 0x0a, 0x06, 0x6c, 0x61, - 0x62, 0x65, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, - 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x2e, 0x76, 0x31, 0x2e, 0x4c, - 0x61, 0x62, 0x65, 0x6c, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x14, 0x0a, 0x05, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, - 0x65, 0x73, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x8f, - 0x01, 0x0a, 0x0a, 0x41, 0x57, 0x53, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x12, 0x14, 0x0a, - 0x05, 0x74, 0x79, 0x70, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x74, 0x79, - 0x70, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, - 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x32, 0x0a, - 0x04, 0x74, 0x61, 0x67, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x74, 0x65, - 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, - 0x6c, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x57, 0x53, 0x54, 0x61, 0x67, 0x52, 0x04, 0x74, 0x61, 0x67, - 0x73, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x72, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x04, 0x61, 0x72, 0x6e, 0x73, 0x4a, 0x04, 0x08, 
0x04, 0x10, 0x05, 0x52, 0x03, 0x61, 0x72, 0x6e, - 0x22, 0x50, 0x0a, 0x06, 0x41, 0x57, 0x53, 0x54, 0x61, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x34, 0x0a, 0x06, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, - 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x73, 0x42, 0x58, 0x5a, 0x56, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, - 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, - 0x74, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2f, 0x76, 0x31, 0x3b, - 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x73, 0x12, 0x14, 0x0a, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x22, 0x7b, 0x0a, 0x0f, 0x54, 0x65, 0x6c, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x6b, 0x69, + 0x6e, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x69, 0x6e, 0x64, 0x73, + 0x12, 0x30, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x61, 0x62, 0x65, + 0x6c, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, + 0x6c, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x05, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x4a, 0x04, 
0x08, 0x01, 0x10, 0x02, 0x52, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x8f, 0x01, 0x0a, 0x0a, 0x41, 0x57, 0x53, 0x4d, 0x61, 0x74, 0x63, + 0x68, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x79, 0x70, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x05, 0x74, 0x79, 0x70, 0x65, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x72, 0x65, 0x67, + 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x72, 0x65, 0x67, 0x69, + 0x6f, 0x6e, 0x73, 0x12, 0x32, 0x0a, 0x04, 0x74, 0x61, 0x67, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x1e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x63, 0x72, 0x6f, + 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x57, 0x53, 0x54, 0x61, + 0x67, 0x52, 0x04, 0x74, 0x61, 0x67, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x61, 0x72, 0x6e, 0x73, 0x18, + 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x61, 0x72, 0x6e, 0x73, 0x4a, 0x04, 0x08, 0x04, 0x10, + 0x05, 0x52, 0x03, 0x61, 0x72, 0x6e, 0x22, 0x50, 0x0a, 0x06, 0x41, 0x57, 0x53, 0x54, 0x61, 0x67, + 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, + 0x65, 0x79, 0x12, 0x34, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x42, 0x58, 0x5a, 0x56, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, + 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, + 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, + 0x65, 0x6c, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, + 
0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
diff --git a/api/proto/teleport/crownjewel/v1/crownjewel.proto b/api/proto/teleport/crownjewel/v1/crownjewel.proto
index 170a7da8d8ea6..55c453a913e18 100644
--- a/api/proto/teleport/crownjewel/v1/crownjewel.proto
+++ b/api/proto/teleport/crownjewel/v1/crownjewel.proto
@@ -42,9 +42,13 @@ message CrownJewel {
 // CrownJewelSpec is the specification of a Crown Jewel.
 message CrownJewelSpec {
 // TeleportMatchers is a list of teleport matchers.
+ // DEPRECATED: Use query instead.
 repeated TeleportMatcher teleport_matchers = 1;
 // AWSMatchers is a list of AWS matchers.
+ // DEPRECATED: Use query instead.
 repeated AWSMatcher aws_matchers = 2;
+ // Query is a Access Graph query to match resources.
+ string query = 3;
 }

 // TeleportMatcher represents a matcher for Teleport resources.
diff --git a/lib/auth/crownjewel/object.go b/lib/auth/crownjewel/object.go
index 8dd3d99506678..2d7b4f5d55318 100644
--- a/lib/auth/crownjewel/object.go
+++ b/lib/auth/crownjewel/object.go
@@ -60,7 +60,7 @@ func ValidateCrownJewel(jewel *crownjewelv1.CrownJewel) error {
 return trace.BadParameter("crown jewel name is empty")
 case jewel.Spec == nil:
 return trace.BadParameter("crown jewel spec is nil")
- case len(jewel.Spec.TeleportMatchers) == 0 && len(jewel.Spec.AwsMatchers) == 0:
+ case len(jewel.Spec.TeleportMatchers) == 0 && len(jewel.Spec.AwsMatchers) == 0 && jewel.Spec.Query == "":
 return trace.BadParameter("crown jewel must have at least one matcher")
 }

diff --git a/lib/auth/crownjewel/object_test.go b/lib/auth/crownjewel/object_test.go
index 748b0890b5cec..db1c23bbb2687 100644
--- a/lib/auth/crownjewel/object_test.go
+++ b/lib/auth/crownjewel/object_test.go
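Review bot: The deprecation of `teleport_matchers` and `aws_matchers` lives only in free-text comments, whereas protobuf has a field option for exactly this, `repeated TeleportMatcher teleport_matchers = 1 [deprecated = true];` (and the same on field 2), which makes protoc-gen-go emit a `// Deprecated:` marker that linters and IDEs surface. The comment on the new field has an article slip and says nothing about how it relates to the two deprecated fields; I would write `// Query is an Access Graph query used to match resources.` and add a sentence stating whether query and matchers may be set together, since the validator in this patch accepts either and the unmarshal fixture sets both. Nothing in the patch shows which one wins when both are present, so that sentence should come from the consumer's actual behaviour rather than be guessed here. The crownjewel.pb.go hunks are generated from this file and would pick up both changes on regeneration.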
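Review bot: The new condition accepts any non-empty `Query`, so a whitespace-only string such as `" "` passes validation as though it were a matcher, and the error text on the following line still says "at least one matcher" although a query alone is now sufficient. I would tighten the guard to `strings.TrimSpace(jewel.Spec.Query) == ""` (adding the `strings` import if object.go does not already have it) and change the message to `"crown jewel must have at least one matcher or a query"`. Nothing here bounds the query's length or checks its syntax, so whatever later sends `Spec.Query` to the Access Graph is presumably where it is parsed and authorized — worth confirming rather than assuming, since this validator is the only gate visible in the patch. The happy-path case added in object_test.go (`ValidCrownJewelWithQuery`) would be usefully complemented by a whitespace-only query case that pins the stricter check. ValidateCrownJewel begins and ends outside this hunk.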
@@ -78,6 +78,18 @@ func TestValidateCrownJewel(t *testing.T) {
 },
 wantErr: require.NoError,
 },
+ {
+ name: "ValidCrownJewelWithQuery",
+ jewel: &crownjewelv1.CrownJewel{
+ Metadata: &headerv1.Metadata{
+ Name: "test",
+ },
+ Spec: &crownjewelv1.CrownJewelSpec{
+ Query: "SELECT * FROM nodes",
+ },
+ },
+ wantErr: require.NoError,
+ },
 {
 name: "MissingMatchers",
 jewel: &crownjewelv1.CrownJewel{
diff --git a/lib/services/crown_jewels_test.go b/lib/services/crown_jewels_test.go
index 62f579ea11f47..4b9347ea61d01 100644
--- a/lib/services/crown_jewels_test.go
+++ b/lib/services/crown_jewels_test.go
@@ -65,6 +65,7 @@ func TestUnmarshalCrownJewel(t *testing.T) {
 },
 },
 Spec: &crownjewelv1.CrownJewelSpec{
+ Query: "SELECT * FROM nodes",
 TeleportMatchers: []*crownjewelv1.TeleportMatcher{
 {
 Kinds: []string{"node"},
@@ -106,6 +107,7 @@ metadata:
 env: example
 name: example-crown-jewel
 spec:
+ query: "SELECT * FROM nodes"
 aws_matchers:
 - regions:
 - us-west-1