adding KeyStoreConfig fallback if KeyStore isn't directly provided

Author: eriktate

integrations/event-handler/go.mod

@@ -33,6 +33,7 @@ require (
 	cloud.google.com/go/resourcemanager v1.10.6 // indirect
 	connectrpc.com/connect v1.18.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/age v1.2.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect

integrations/event-handler/go.sum

@@ -1,3 +1,5 @@
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
 cloud.google.com/go v0.121.1 h1:S3kTQSydxmu1JfLRLpKtxRPA7rSrYPRPEUmL/PavVUw=
 cloud.google.com/go v0.121.1/go.mod h1:nRFlrHq39MNVWu+zESP2PosMWA0ryJw8KUBZ2iZpxbw=
 cloud.google.com/go/auth v0.16.1 h1:XrXauHMd30LhQYVRHLGvJiYeczweKQXZxsTbV9TiguU=
@@ -22,6 +24,8 @@ connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
 connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=

integrations/terraform/go.mod

@@ -34,6 +34,7 @@ require (
 	code.dny.dev/ssrf v0.2.0 // indirect
 	connectrpc.com/connect v1.18.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/age v1.2.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect

integrations/terraform/go.sum

@@ -1,3 +1,5 @@
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
 cel.dev/expr v0.23.1 h1:K4KOtPCJQjVggkARsjG9RWXP6O4R73aHeJMa/dmCQQg=
 cel.dev/expr v0.23.1/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -68,6 +70,8 @@ connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2pr
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=

lib/auth/auth.go

@@ -120,6 +120,7 @@ import (
 	"github.com/gravitational/teleport/lib/observability/tracing"
 	"github.com/gravitational/teleport/lib/release"
 	"github.com/gravitational/teleport/lib/resourceusage"
+	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/local"
 	"github.com/gravitational/teleport/lib/services/readonly"
@@ -194,9 +195,6 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 	if cfg.VersionStorage == nil {
 		return nil, trace.BadParameter("version storage is not set")
 	}
-	if cfg.KeyStore == nil {
-		return nil, trace.BadParameter("key store is not set")
-	}
 	if cfg.Trust == nil {
 		cfg.Trust = local.NewCAService(cfg.Backend)
 	}
@@ -218,6 +216,38 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 	if cfg.DynamicAccessExt == nil {
 		cfg.DynamicAccessExt = local.NewDynamicAccessService(cfg.Backend)
 	}
+	if cfg.ClusterConfiguration == nil {
+		clusterConfig, err := local.NewClusterConfigurationService(cfg.Backend)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		cfg.ClusterConfiguration = recordingencryption.NewClusterConfigService(clusterConfig, cfg.RecordingEncryption)
+	}
+	if cfg.KeyStore == nil {
+		keystoreOpts := &keystore.Options{
+			HostUUID:             cfg.HostUUID,
+			ClusterName:          cfg.ClusterName,
+			AuthPreferenceGetter: cfg.ClusterConfiguration,
+			FIPS:                 cfg.FIPS,
+		}
+		if cfg.KeyStoreConfig.PKCS11 != (servicecfg.PKCS11Config{}) {
+			if !modules.GetModules().Features().GetEntitlement(entitlements.HSM).Enabled {
+				return nil, fmt.Errorf("PKCS11 HSM support requires a license with the HSM feature enabled: %w", ErrRequiresEnterprise)
+			}
+		} else if cfg.KeyStoreConfig.GCPKMS != (servicecfg.GCPKMSConfig{}) {
+			if !modules.GetModules().Features().GetEntitlement(entitlements.HSM).Enabled {
+				return nil, fmt.Errorf("GCP KMS support requires a license with the HSM feature enabled: %w", ErrRequiresEnterprise)
+			}
+		} else if cfg.KeyStoreConfig.AWSKMS != nil {
+			if !modules.GetModules().Features().GetEntitlement(entitlements.HSM).Enabled {
+				return nil, fmt.Errorf("AWS KMS support requires a license with the HSM feature enabled: %w", ErrRequiresEnterprise)
+			}
+		}
+		cfg.KeyStore, err = keystore.NewManager(context.Background(), &cfg.KeyStoreConfig, keystoreOpts)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
 	if cfg.RecordingEncryption == nil {
 		localRecordingEncryption, err := local.NewRecordingEncryptionService(cfg.Backend)
 		if err != nil {
@@ -234,13 +264,7 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
 		}
 
 		cfg.RecordingEncryption = recordingEncryptionManager
-	}
-	if cfg.ClusterConfiguration == nil {
-		clusterConfig, err := local.NewClusterConfigurationService(cfg.Backend)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		cfg.ClusterConfiguration = recordingencryption.NewClusterConfigService(clusterConfig, cfg.RecordingEncryption)
+		cfg.ClusterConfiguration = recordingencryption.NewClusterConfigService(cfg.ClusterConfiguration, recordingEncryptionManager)
 	}
 	if cfg.AutoUpdateService == nil {
 		cfg.AutoUpdateService, err = local.NewAutoUpdateService(cfg.Backend)

lib/auth/init.go

@@ -63,6 +63,7 @@ import (
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/modules"
+	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/local"
 	"github.com/gravitational/teleport/lib/srv/db/common/databaseobjectimportrule"
@@ -104,6 +105,10 @@ type InitConfig struct {
 	// Authority is key generator that we use
 	Authority sshca.Authority
 
+	// KeyStoreConfig is the config for the KeyStore which handles private CA
+	// keys that may be held in an HSM.
+	KeyStoreConfig servicecfg.KeystoreConfig
+
 	// KeyStore which handles private CA keys and encryption keys that may be
 	// held in an HSM.
 	KeyStore *keystore.Manager

lib/backend/buffer.go

@@ -20,6 +20,7 @@ package backend
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
 	"sort"
@@ -240,13 +241,15 @@ func RemoveRedundantPrefixes(prefixes []Key) []Key {
 	return prefixes[:j+1]
 }
 
+var ErrBufferClosed = errors.New("cannot register watcher, buffer is closed")
+
 // NewWatcher adds a new watcher to the events buffer
 func (c *CircularBuffer) NewWatcher(ctx context.Context, watch Watch) (Watcher, error) {
 	c.Lock()
 	defer c.Unlock()
 
 	if c.closed {
-		return nil, trace.Errorf("cannot register watcher, buffer is closed")
+		return nil, trace.Wrap(ErrBufferClosed)
 	}
 
 	if watch.QueueSize == 0 {

lib/events/filesessions/fileasync_chaos_test.go

@@ -122,7 +122,7 @@ func TestChaosUpload(t *testing.T) {
 	go uploader.Serve(ctx)
 	defer uploader.Close()
 
-	fileStreamer, err := NewStreamer(scanDir)
+	fileStreamer, err := NewStreamer(scanDir, nil)
 	require.NoError(t, err)
 
 	parallelStreams := 20

lib/events/filesessions/fileasync_test.go

@@ -47,7 +47,7 @@ func TestUploadOK(t *testing.T) {
 	// wait until uploader blocks on the clock
 	p.clock.BlockUntil(1)
 
-	fileStreamer, err := NewStreamer(p.scanDir)
+	fileStreamer, err := NewStreamer(p.scanDir, nil)
 	require.NoError(t, err)
 
 	inEvents := eventstest.GenerateTestSession(eventstest.SessionParams{PrintEvents: 1024})
@@ -85,7 +85,7 @@ func TestUploadParallel(t *testing.T) {
 	sessions := make(map[string][]apievents.AuditEvent)
 
 	for i := 0; i < 5; i++ {
-		fileStreamer, err := NewStreamer(p.scanDir)
+		fileStreamer, err := NewStreamer(p.scanDir, nil)
 		require.NoError(t, err)
 
 		sessionEvents := eventstest.GenerateTestSession(eventstest.SessionParams{PrintEvents: 1024})
@@ -382,7 +382,7 @@ func TestUploadBackoff(t *testing.T) {
 	// wait until uploader blocks on the clock before creating the stream
 	p.clock.BlockUntil(1)
 
-	fileStreamer, err := NewStreamer(p.scanDir)
+	fileStreamer, err := NewStreamer(p.scanDir, nil)
 	require.NoError(t, err)
 
 	inEvents := eventstest.GenerateTestSession(eventstest.SessionParams{PrintEvents: 4096})
@@ -589,7 +589,7 @@ func runResume(t *testing.T, testCase resumeTestCase) {
 
 	defer uploader.Close()
 
-	fileStreamer, err := NewStreamer(scanDir)
+	fileStreamer, err := NewStreamer(scanDir, nil)
 	require.NoError(t, err)
 
 	inEvents := eventstest.GenerateTestSession(eventstest.SessionParams{PrintEvents: 1024})

lib/events/stream_test.go

@@ -237,7 +237,7 @@ func TestEncryptedRecordingIO(t *testing.T) {
 	streamer, err := events.NewProtoStreamer(events.ProtoStreamerConfig{
 		Uploader: uploader,
 
-		EncryptedIO: encryptedIO,
+		Encrypter: encryptedIO,
 	})
 	require.NoError(t, err)
 
@@ -329,7 +329,7 @@ func (f *fakeEncrypter) Close() error {
 	return f.inner.Close()
 }
 
-func (f *fakeEncryptedIO) WithEncryption(writer io.WriteCloser) (io.WriteCloser, error) {
+func (f *fakeEncryptedIO) WithEncryption(ctx context.Context, writer io.WriteCloser) (io.WriteCloser, error) {
 	hexWriter := hex.NewEncoder(writer)
 	return &fakeEncrypter{
 		inner:  writer,

lib/service/service.go

@@ -2110,7 +2110,6 @@ func (process *TeleportProcess) initAuthService() error {
 
 	recordingEncryptionManager, err := recordingencryption.NewManager(recordingencryption.ManagerConfig{
 		Backend:  localRecordingEncryption,
-		Cache:    localRecordingEncryption,
 		KeyStore: keyStore,
 		Logger:   logger,
 	})
@@ -2660,7 +2659,7 @@ func (process *TeleportProcess) initAuthService() error {
 	})
 
 	recordingEncryptionWatchCfg := recordingencryption.WatchConfig{
-		Events:        authServer,
+		Events:        authServer.Services,
 		Resolver:      authServer,
 		ClusterConfig: authServer,
 		LockConfig: &backend.RunWhileLockedConfig{
@@ -2786,7 +2785,6 @@ func (process *TeleportProcess) newAccessCacheForServices(cfg accesspoint.Config
 	cfg.PluginStaticCredentials = services.PluginStaticCredentials
 	cfg.GitServers = services.GitServers
 	cfg.HealthCheckConfig = services.HealthCheckConfig
-	cfg.RecordingEncryption = services.RecordingEncryptionManager
 
 	return accesspoint.NewCache(cfg)
 }

lib/services/local/recording_encryption.go

@@ -67,6 +67,7 @@ func (s *RecordingEncryptionService) CreateRecordingEncryption(ctx context.Conte
 		encryption.Metadata = &headerv1.Metadata{}
 	}
 	encryption.Metadata.Name = types.MetaNameRecordingEncryption
+	encryption.Kind = types.KindRecordingEncryption
 	created, err := s.encryption.CreateResource(ctx, encryption)
 	return created, trace.Wrap(err)
 }
@@ -77,6 +78,7 @@ func (s *RecordingEncryptionService) UpdateRecordingEncryption(ctx context.Conte
 		encryption.Metadata = &headerv1.Metadata{}
 	}
 	encryption.Metadata.Name = types.MetaNameRecordingEncryption
+	encryption.Kind = types.KindRecordingEncryption
 	updated, err := s.encryption.ConditionalUpdateResource(ctx, encryption)
 	return updated, trace.Wrap(err)
 }