adding cache for RecordingEncryption

Author: eriktate

api/client/events.go

@@ -30,6 +30,7 @@ import (
 	notificationsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1"
 	presencev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/presence/v1"
 	provisioningv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1"
+	recordingencryptionv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1"
 	accessv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/scopes/access/v1"
 	userprovisioningpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2"
 	usertasksv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1"
@@ -157,6 +158,10 @@ func EventToGRPC(in types.Event) (*proto.Event, error) {
 		out.Resource = &proto.Event_WorkloadIdentityX509Revocation{
 			WorkloadIdentityX509Revocation: r.UnwrapT(),
 		}
+	case types.Resource153UnwrapperT[*recordingencryptionv1.RecordingEncryption]:
+		out.Resource = &proto.Event_RecordingEncryption{
+			RecordingEncryption: r.UnwrapT(),
+		}
 	case types.Resource153UnwrapperT[*healthcheckconfigv1.HealthCheckConfig]:
 		out.Resource = &proto.Event_HealthCheckConfig{
 			HealthCheckConfig: r.UnwrapT(),
@@ -660,6 +665,9 @@ func EventFromGRPC(in *proto.Event) (*types.Event, error) {
 	} else if r := in.GetRelayServer(); r != nil {
 		out.Resource = types.ProtoResource153ToLegacy(r)
 		return &out, nil
+	} else if r := in.GetRecordingEncryption(); r != nil {
+		out.Resource = types.ProtoResource153ToLegacy(r)
+		return &out, nil
 	} else {
 		return nil, trace.BadParameter("received unsupported resource %T", in.Resource)
 	}

api/client/proto/event.pb.go

@@ -32,6 +32,7 @@ import "teleport/machineid/v1/federation.proto";
 import "teleport/notifications/v1/notifications.proto";
 import "teleport/presence/v1/relay_server.proto";
 import "teleport/provisioning/v1/provisioning.proto";
+import "teleport/recordingencryption/v1/recording_encryption.proto";
 import "teleport/scopes/access/v1/assignment.proto";
 import "teleport/scopes/access/v1/role.proto";
 import "teleport/secreports/v1/secreports.proto";
@@ -227,5 +228,7 @@ message Event {
     // ScopedRoleAssignment is an assignment of one or more scoped roles to a user.
     teleport.scopes.access.v1.ScopedRoleAssignment ScopedRoleAssignment = 81;
     teleport.presence.v1.RelayServer relay_server = 82;
+    // RecordingEncryption is a resource for controlling session recording encryption.
+    teleport.recordingencryption.v1.RecordingEncryption RecordingEncryption = 83;
   }
 }

api/proto/teleport/legacy/client/proto/event.proto

@@ -112,6 +112,7 @@ type Config struct {
 	PluginStaticCredentials services.PluginStaticCredentials
 	GitServers              services.GitServers
 	HealthCheckConfig       services.HealthCheckConfigReader
+	RecordingEncryption     services.RecordingEncryption
 }
 
 func (c *Config) CheckAndSetDefaults() error {
@@ -213,6 +214,7 @@ func NewCache(cfg Config) (*cache.Cache, error) {
 		GitServers:              cfg.GitServers,
 		HealthCheckConfig:       cfg.HealthCheckConfig,
 		BotInstanceService:      cfg.BotInstance,
+		RecordingEncryption:     cfg.RecordingEncryption,
 	}
 
 	return cache.New(cfg.Setup(cacheCfg))

lib/auth/accesspoint/accesspoint.go

@@ -91,6 +91,7 @@ type VersionStorage interface {
 type RecordingEncryptionManager interface {
 	services.RecordingEncryption
 	recordingencryption.DecryptionKeyFinder
+	SetCache(cache recordingencryption.Cache)
 }
 
 // InitConfig is auth server init config

lib/auth/init.go

@@ -46,17 +46,24 @@ type KeyStore interface {
 	GetDecrypter(ctx context.Context, keyPair *types.EncryptionKeyPair) (crypto.Decrypter, error)
 }
 
+// A Cache fetches a cached *recordingencryptionv1.RecordingEncryption
+type Cache interface {
+	GetRecordingEncryption(context.Context) (*recordingencryptionv1.RecordingEncryption, error)
+}
+
 // ManagerConfig captures all of the dependencies required to instantiate a Manager.
 type ManagerConfig struct {
 	Backend       services.RecordingEncryption
 	ClusterConfig services.ClusterConfigurationInternal
 	KeyStore      KeyStore
+	Cache         Cache
 	Logger        *slog.Logger
 	LockConfig    backend.RunWhileLockedConfig
 }
 
 // NewManager returns a new Manager using the given ManagerConfig.
 func NewManager(cfg ManagerConfig) (*Manager, error) {
+
 	switch {
 	case cfg.Backend == nil:
 		return nil, trace.BadParameter("backend is required")
@@ -70,10 +77,15 @@ func NewManager(cfg ManagerConfig) (*Manager, error) {
 		cfg.Logger = slog.With(teleport.ComponentKey, "recording-encryption-manager")
 	}
 
+	if cfg.Cache == nil {
+		cfg.Cache = cfg.Backend
+	}
+
 	return &Manager{
 		RecordingEncryption:          cfg.Backend,
 		ClusterConfigurationInternal: cfg.ClusterConfig,
 
+		cache:      cfg.Cache,
 		keyStore:   cfg.KeyStore,
 		lockConfig: cfg.LockConfig,
 		logger:     cfg.Logger,
@@ -87,6 +99,7 @@ type Manager struct {
 	services.RecordingEncryption
 	services.ClusterConfigurationInternal
 
+	cache      Cache
 	logger     *slog.Logger
 	lockConfig backend.RunWhileLockedConfig
 	keyStore   KeyStore
@@ -164,6 +177,11 @@ func (m *Manager) UpsertSessionRecordingConfig(ctx context.Context, cfg types.Se
 	return sessionRecordingConfig, trace.Wrap(err)
 }
 
+// SetCache overwrites the configured Cache implementation
+func (m *Manager) SetCache(cache Cache) {
+	m.cache = cache
+}
+
 // ensureActiveRecordingEncryption returns the configured RecordingEncryption resource if it exists with active keys. If it does not,
 // then the resource will be created or updated with a new active keypair. The bool return value indicates whether or not
 // a new pair was provisioned.
@@ -367,7 +385,7 @@ func (m *Manager) searchActiveKeys(ctx context.Context, activeKeys []*recordinge
 
 // FindDecryptionKey returns the first accessible decryption key that matches one of the given public keys.
 func (m *Manager) FindDecryptionKey(ctx context.Context, publicKeys ...[]byte) (*types.EncryptionKeyPair, error) {
-	encryption, err := m.RecordingEncryption.GetRecordingEncryption(ctx)
+	encryption, err := m.cache.GetRecordingEncryption(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/auth/recordingencryption/manager.go

@@ -134,6 +134,7 @@ func newManagerConfig(t *testing.T, bk backend.Backend, keyType types.PrivateKey
 
 	return recordingencryption.ManagerConfig{
 		Backend:       recordingEncryptionService,
+		Cache:         recordingEncryptionService,
 		ClusterConfig: clusterConfigService,
 		KeyStore:      &fakeKeyStore{keyType: keyType},
 		Logger:        utils.NewSlogLoggerForTests(),

lib/auth/recordingencryption/manager_test.go

@@ -211,6 +211,7 @@ func ForAuth(cfg Config) Config {
 		{Kind: types.KindHealthCheckConfig},
 		{Kind: types.KindRelayServer},
 		{Kind: types.KindBotInstance},
+		{Kind: types.KindRecordingEncryption},
 	}
 	cfg.QueueSize = defaults.AuthQueueSize
 	// We don't want to enable partial health for auth cache because auth uses an event stream
@@ -747,6 +748,8 @@ type Config struct {
 	HealthCheckConfig services.HealthCheckConfigReader
 	// BotInstanceService is the upstream service that we're caching
 	BotInstanceService services.BotInstance
+	// RecordingEncryption manages state surrounding session recording encryption
+	RecordingEncryption services.RecordingEncryption
 }
 
 // CheckAndSetDefaults checks parameters and sets default values

lib/cache/cache.go

@@ -55,6 +55,7 @@ import (
 	notificationsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/notifications/v1"
 	presencev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/presence/v1"
 	provisioningv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/provisioning/v1"
+	recordingencryptionv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1"
 	accessv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/scopes/access/v1"
 	userprovisioningpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/userprovisioning/v2"
 	usertasksv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/usertasks/v1"
@@ -150,6 +151,7 @@ type testPack struct {
 	workloadIdentity        *local.WorkloadIdentityService
 	healthCheckConfig       *local.HealthCheckConfigService
 	botInstanceService      *local.BotInstanceService
+	recordingEncryption     *local.RecordingEncryptionService
 }
 
 // testFuncs are functions to support testing an object in a cache.
@@ -433,6 +435,11 @@ func newPackWithoutCache(dir string, opts ...packOption) (*testPack, error) {
 		return nil, trace.Wrap(err)
 	}
 
+	p.recordingEncryption, err = local.NewRecordingEncryptionService(p.backend)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	return p, nil
 }
 
@@ -490,6 +497,7 @@ func newPack(dir string, setupConfig func(c Config) Config, opts ...packOption)
 		HealthCheckConfig:       p.healthCheckConfig,
 		WorkloadIdentity:        p.workloadIdentity,
 		BotInstanceService:      p.botInstanceService,
+		RecordingEncryption:     p.recordingEncryption,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
 	}))
@@ -759,6 +767,7 @@ func TestCompletenessInit(t *testing.T) {
 			AutoUpdateService:       p.autoUpdateService,
 			ProvisioningStates:      p.provisioningStates,
 			WorkloadIdentity:        p.workloadIdentity,
+			RecordingEncryption:     p.recordingEncryption,
 			MaxRetryPeriod:          200 * time.Millisecond,
 			IdentityCenter:          p.identityCenter,
 			PluginStaticCredentials: p.pluginStaticCredentials,
@@ -849,6 +858,7 @@ func TestCompletenessReset(t *testing.T) {
 		IdentityCenter:          p.identityCenter,
 		PluginStaticCredentials: p.pluginStaticCredentials,
 		WorkloadIdentity:        p.workloadIdentity,
+		RecordingEncryption:     p.recordingEncryption,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
 		GitServers:              p.gitServers,
@@ -1007,6 +1017,7 @@ func TestListResources_NodesTTLVariant(t *testing.T) {
 		IdentityCenter:          p.identityCenter,
 		PluginStaticCredentials: p.pluginStaticCredentials,
 		WorkloadIdentity:        p.workloadIdentity,
+		RecordingEncryption:     p.recordingEncryption,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
 		neverOK:                 true, // ensure reads are never healthy
@@ -1106,6 +1117,7 @@ func initStrategy(t *testing.T) {
 		IdentityCenter:          p.identityCenter,
 		PluginStaticCredentials: p.pluginStaticCredentials,
 		WorkloadIdentity:        p.workloadIdentity,
+		RecordingEncryption:     p.recordingEncryption,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
 		GitServers:              p.gitServers,
@@ -1867,6 +1879,7 @@ func TestCacheWatchKindExistsInEvents(t *testing.T) {
 		types.KindPluginStaticCredentials:           &types.PluginStaticCredentialsV1{},
 		types.KindGitServer:                         &types.ServerV2{},
 		types.KindWorkloadIdentity:                  types.Resource153ToLegacy(newWorkloadIdentity("some_identifier")),
+		types.KindRecordingEncryption:               types.Resource153ToLegacy(newRecordingEncryption()),
 		types.KindHealthCheckConfig:                 types.Resource153ToLegacy(newHealthCheckConfig(t, "some-name")),
 		scopedrole.KindScopedRole:                   types.Resource153ToLegacy(&accessv1.ScopedRole{}),
 		scopedrole.KindScopedRoleAssignment:         types.Resource153ToLegacy(&accessv1.ScopedRoleAssignment{}),
@@ -1911,6 +1924,8 @@ func TestCacheWatchKindExistsInEvents(t *testing.T) {
 					require.Empty(t, cmp.Diff(resource.(types.Resource153UnwrapperT[*autoupdate.AutoUpdateVersion]).UnwrapT(), uw.UnwrapT(), protocmp.Transform()))
 				case types.Resource153UnwrapperT[*autoupdate.AutoUpdateConfig]:
 					require.Empty(t, cmp.Diff(resource.(types.Resource153UnwrapperT[*autoupdate.AutoUpdateConfig]).UnwrapT(), uw.UnwrapT(), protocmp.Transform()))
+				case types.Resource153UnwrapperT[*recordingencryptionv1.RecordingEncryption]:
+					require.Empty(t, cmp.Diff(resource.(types.Resource153UnwrapperT[*recordingencryptionv1.RecordingEncryption]).UnwrapT(), uw.UnwrapT(), protocmp.Transform()))
 				case types.Resource153UnwrapperT[*userprovisioningpb.StaticHostUser]:
 					require.Empty(t, cmp.Diff(resource.(types.Resource153UnwrapperT[*userprovisioningpb.StaticHostUser]).UnwrapT(), uw.UnwrapT(), protocmp.Transform()))
 				case types.Resource153UnwrapperT[*machineidv1.SPIFFEFederation]: