Overview ¶
Package services implements stateful services provided by Teleport, like certificate authority management, user and web sessions, events and logs.
* Local services are implemented in the local package. * Package suite contains the set of acceptance tests for services.
Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * CA service that takes care of certificate authorities
Index ¶
- Constants
- Variables
- func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget
- func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)
- func AddDefaultAllowRules(role types.Role) types.Role
- func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author types.User) error
- func ApplyTraits(r types.Role, traits map[string][]string) types.Role
- func ApplyValueTraits(val string, traits map[string][]string) ([]string, error)
- func CalculateAccessCapabilities(ctx context.Context, clt RequestValidatorGetter, ...) (*types.AccessCapabilities, error)
- func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool
- func CertPool(ca types.CertAuthority) (*x509.CertPool, error)
- func CertPoolFromCertAuthorities(cas []types.CertAuthority) (*x509.CertPool, int, error)
- func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)
- func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)
- func CompareResources(resA, resB types.Resource) int
- func CompareRuleScore(r *types.Rule, o *types.Rule) bool
- func CompareServers(a, b types.Resource) int
- func DowngradeRoleToV4(r *types.RoleV5) (*types.RoleV5, error)
- func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, ...) map[string]string
- func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, ...) map[string]string
- func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)
- func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, error)
- func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)
- func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)
- func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)
- func GetAccessRequest(ctx context.Context, acc DynamicAccess, reqID string) (types.AccessRequest, error)
- func GetAttributeNames(attributes map[string]samltypes.Attribute) []string
- func GetClaimNames(claims jose.Claims) []string
- func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)
- func GetMySQLEngineVersion(labels map[string]string) string
- func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)
- func GetResourceMarshalerKinds() []string
- func GetResourcesByResourceIDs(ctx context.Context, lister ResourceLister, resourceIDs []types.ResourceID, ...) ([]types.ResourceWithLabels, error)
- func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
- func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte
- func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)
- func GetTLSCerts(ca types.CertAuthority) [][]byte
- func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet
- func GuessProxyHostAndVersion(proxies []types.Server) (string, string, error)
- func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool
- func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool
- func IsMemoryDBClusterAvailable(cluster *memorydb.Cluster) bool
- func IsMemoryDBClusterSupported(cluster *memorydb.Cluster) bool
- func IsRDSClusterAvailable(cluster *rds.DBCluster) bool
- func IsRDSClusterSupported(cluster *rds.DBCluster) bool
- func IsRDSInstanceAvailable(instance *rds.DBInstance) bool
- func IsRDSInstanceSupported(instance *rds.DBInstance) bool
- func IsRDSProxyAvailable(dbProxy *rds.DBProxy) bool
- func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool
- func IsRecordAtProxy(mode string) bool
- func IsRecordSync(mode string) bool
- func IsRedshiftClusterAvailable(cluster *redshift.Cluster) bool
- func LastFailed(x int, attempts []LoginAttempt) bool
- func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)
- func LockInForceAccessDenied(lock types.Lock) error
- func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget
- func MapListResourcesResultToLeafResource(resource types.ResourceWithLabels, hint string) (types.ResourcesWithLabels, error)
- func MapResourceKindToListResourcesType(kind string) string
- func MapRoles(r types.RoleMap, remoteRoles []string) ([]string, error)
- func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)
- func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)
- func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)
- func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)
- func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)
- func MarshalCertRoles(roles []string) (string, error)
- func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)
- func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)
- func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)
- func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)
- func MarshalGithubConnector(githubConnector types.GithubConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)
- func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)
- func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)
- func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)
- func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)
- func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)
- func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)
- func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)
- func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)
- func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)
- func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)
- func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)
- func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)
- func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)
- func MarshalServers(s []types.Server) ([]byte, error)
- func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)
- func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)
- func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)
- func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)
- func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)
- func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)
- func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)
- func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)
- func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)
- func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)
- func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)
- func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)
- func MatchAWSRoleARN(selectors []string, roleARN string) (bool, string)
- func MatchDatabaseName(selectors []string, name string) (bool, string)
- func MatchDatabaseUser(selectors []string, user string) (bool, string)
- func MatchLabels(selector types.Labels, target map[string]string) (bool, string, error)
- func MatchNamespace(selectors []string, namespace string) (bool, string)
- func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, ...) (bool, error)
- func MatchResourceLabels(matchers []ResourceMatcher, resource types.ResourceWithLabels) bool
- func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)
- func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)
- func MetadataFromRDSCluster(rdsCluster *rds.DBCluster) (*types.AWS, error)
- func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)
- func MetadataFromRDSProxy(rdsProxy *rds.DBProxy) (*types.AWS, error)
- func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)
- func MetadataFromRedshiftCluster(cluster *redshift.Cluster) (*types.AWS, error)
- func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken
- func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)
- func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)
- func NewActionsParser(ctx RuleContext) (predicate.Parser, error)
- func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)
- func NewDatabaseFromAzureRedis(server *armredis.ResourceInfo) (types.Database, error)
- func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)
- func NewDatabaseFromAzureServer(server *azure.DBServer) (types.Database, error)
- func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)
- func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)
- func NewDatabaseFromRDSCluster(cluster *rds.DBCluster) (types.Database, error)
- func NewDatabaseFromRDSClusterReaderEndpoint(cluster *rds.DBCluster) (types.Database, error)
- func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)
- func NewDatabaseFromRDSProxy(dbProxy *rds.DBProxy, port int64, tags []*rds.Tag) (types.Database, error)
- func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, port int64, ...) (types.Database, error)
- func NewDatabaseFromRedshiftCluster(cluster *redshift.Cluster) (types.Database, error)
- func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)
- func NewDatabasesFromRDSClusterCustomEndpoints(cluster *rds.DBCluster) (types.Databases, error)
- func NewImplicitRole() types.Role
- func NewKubeClusterFromAWSEKS(cluster *eks.Cluster) (types.KubeCluster, error)
- func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)
- func NewLogActionFn(ctx RuleContext) interface{}
- func NewPresetAccessRole() types.Role
- func NewPresetAuditorRole() types.Role
- func NewPresetEditorRole() types.Role
- func NewTOTPDevice(name, key string, addedAt time.Time) (*types.MFADevice, error)
- func NewWhereParser(ctx RuleContext) (predicate.Parser, error)
- func NodeHasMissedKeepAlives(s types.Server) bool
- func OIDCClaimsToTraits(claims jose.Claims) map[string][]string
- func ParseShortcut(in string) (string, error)
- func RO() []string
- func RW() []string
- func ReadNoSecrets() []string
- func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)
- func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)
- func RoleForCertAuthority(ca types.CertAuthority) types.Role
- func RoleForUser(u types.User) types.Role
- func RoleFromSpec(name string, spec types.RoleSpecV5) (types.Role, error)
- func RoleMapToString(r types.RoleMap) string
- func RoleNameForCertAuthority(name string) string
- func RoleNameForUser(name string) string
- func RolesToLockTargets(roles []string) []types.LockTarget
- func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string
- func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)
- func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)
- func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, ...) string
- func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)
- func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)
- func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)
- func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)
- func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)
- func UnmarshalCertRoles(data string) ([]string, error)
- func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)
- func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)
- func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)
- func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)
- func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)
- func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)
- func UnmarshalGithubConnector(bytes []byte) (types.GithubConnector, error)
- func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)
- func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)
- func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)
- func UnmarshalLicense(bytes []byte) (types.License, error)
- func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)
- func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)
- func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)
- func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)
- func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)
- func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)
- func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)
- func UnmarshalResource(kind string, raw []byte, opts ...MarshalOption) (types.Resource, error)
- func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)
- func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)
- func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)
- func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)
- func UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (types.Server, error)
- func UnmarshalServers(bytes []byte) ([]types.Server, error)
- func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)
- func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)
- func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)
- func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)
- func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)
- func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)
- func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)
- func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)
- func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)
- func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)
- func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)
- func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)
- func UsersEquals(u types.User, other types.User) bool
- func ValidateAccessPredicates(role types.Role) error
- func ValidateAccessRequest(ar types.AccessRequest) error
- func ValidateAccessRequestForUser(ctx context.Context, getter RequestValidatorGetter, req types.AccessRequest, ...) error
- func ValidateCertAuthority(ca types.CertAuthority) (err error)
- func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error
- func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error
- func ValidateReverseTunnel(rt types.ReverseTunnel) error
- func ValidateRole(r types.Role) error
- func ValidateRoleName(role types.Role) error
- func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error
- func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error
- func ValidateUser(u types.User) error
- func ValidateUserRoles(ctx context.Context, u types.User, roleGetter RoleGetter) error
- func VerifyPassword(password []byte) error
- type AWSMatcher
- type AWSRoleARNMatcher
- type AWSSSM
- type Access
- type AccessCheckable
- type AccessChecker
- type AccessInfo
- func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)
- func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)
- func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)
- func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)
- func AccessInfoFromUser(user types.User) *AccessInfo
- type AccessMFAParams
- type AcquireSemaphoreWithRetryConfig
- type AppGetter
- type AppSession
- type AppWatcher
- type AppWatcherConfig
- type Apps
- type AuthorityGetter
- type AzureMatcher
- type BoolPredicateParser
- type CertAuthorityWatcher
- func (p CertAuthorityWatcher) Close()
- func (p CertAuthorityWatcher) Done() <-chan struct{}
- func (p CertAuthorityWatcher) IsInitialized() bool
- func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)
- func (p CertAuthorityWatcher) WaitInitialization() error
- type CertAuthorityWatcherConfig
- type ChangePasswordReq
- type ClusterConfiguration
- type CommandLabels
- type ConnectionDiagnosticTraceAppender
- type ConnectionsDiagnostic
- type Context
- type CurrentUserRoleGetter
- type DatabaseGetter
- type DatabaseNameMatcher
- type DatabaseUserMatcher
- type DatabaseWatcher
- type DatabaseWatcherConfig
- type Databases
- type DynamicAccess
- type DynamicAccessCore
- type DynamicAccessExt
- type DynamicAccessOracle
- type EmptyResource
- func (r *EmptyResource) CheckAndSetDefaults() error
- func (r *EmptyResource) Expiry() time.Time
- func (r *EmptyResource) GetKind() string
- func (r *EmptyResource) GetMetadata() types.Metadata
- func (r *EmptyResource) GetName() string
- func (r *EmptyResource) GetResourceID() int64
- func (r *EmptyResource) GetSubKind() string
- func (r *EmptyResource) GetVersion() string
- func (r *EmptyResource) SetExpiry(expires time.Time)
- func (r *EmptyResource) SetName(s string)
- func (r *EmptyResource) SetResourceID(id int64)
- func (r *EmptyResource) SetSubKind(s string)
- type Enforcer
- type EnumerationResult
- type Fanout
- type FanoutEvent
- type FanoutSet
- type HostCertContext
- type HostCertParams
- type HostUsersInfo
- type Identity
- type InstallerParams
- type KubeClusterWatcher
- type KubeClusterWatcherConfig
- type Kubernetes
- type KubernetesGetter
- type ListResourcesRequestOption
- type LockGetter
- type LockWatcher
- func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error
- func (p LockWatcher) Close()
- func (p LockWatcher) Done() <-chan struct{}
- func (p LockWatcher) GetCurrent() []types.Lock
- func (p LockWatcher) IsInitialized() bool
- func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)
- func (p LockWatcher) WaitInitialization() error
- type LockWatcherConfig
- type LogAction
- type LoginAttempt
- type MFARequired
- type MarshalConfig
- type MarshalOption
- type MatchResourceFilter
- type Matcher
- type Node
- type NodeWatcher
- type NodeWatcherConfig
- type NodesGetter
- type Presence
- type Provisioner
- type ProxyGetter
- type ProxyWatcher
- type ProxyWatcherConfig
- type RDSEndpointType
- type Reconciler
- type ReconcilerConfig
- type Ref
- type Refs
- type RequestIDs
- type RequestValidator
- func (m *RequestValidator) CanRequestRole(name string) bool
- func (m *RequestValidator) CanSearchAsRole(name string) bool
- func (m *RequestValidator) GetRequestableRoles() ([]string, error)
- func (m *RequestValidator) SystemAnnotations() map[string][]string
- func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest) error
- type RequestValidatorGetter
- type ResourceLister
- type ResourceMarshaler
- type ResourceMatcher
- type ResourceSeenKey
- type ResourceUnmarshaler
- type ResourceWatcherConfig
- type Restrictions
- type ReviewPermissionChecker
- type RoleGetter
- type RoleMatcher
- type RoleMatchers
- type RoleSet
- func FetchAllClusterRoles(ctx context.Context, access CurrentUserRoleGetter, defaultRoleNames []string, ...) (RoleSet, error)
- func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)
- func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)
- func NewRoleSet(roles ...types.Role) RoleSet
- func RoleSetFromSpec(name string, spec types.RoleSpecV5) (RoleSet, error)
- func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration
- func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool
- func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration
- func (set RoleSet) CanCopyFiles() bool
- func (set RoleSet) CanForwardAgents() bool
- func (set RoleSet) CanImpersonateSomeone() bool
- func (set RoleSet) CanPortForward() bool
- func (set RoleSet) CertificateExtensions() []*types.CertExtension
- func (set RoleSet) CertificateFormat() string
- func (set RoleSet) CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)
- func (set RoleSet) CheckAccessToRemoteCluster(rc types.RemoteCluster) error
- func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error
- func (set RoleSet) CheckAgentForward(login string) error
- func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)
- func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error
- func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error
- func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)
- func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)
- func (set RoleSet) DesktopClipboard() bool
- func (set RoleSet) DesktopDirectorySharing() bool
- func (set RoleSet) EnhancedRecordingSet() map[string]bool
- func (set RoleSet) EnumerateDatabaseUsers(database types.Database, extraUsers ...string) EnumerationResult
- func (set RoleSet) EnumerateServerLogins(server types.Server) EnumerationResult
- func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)
- func (set RoleSet) GetAllLogins() []string
- func (set RoleSet) GetAllowedPreviewAsRoles() []string
- func (set RoleSet) GetAllowedSearchAsRoles() []string
- func (set RoleSet) GetLoginsForTTL(ttl time.Duration) (logins []string, matchedTTL bool)
- func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string, silent bool) error
- func (set RoleSet) HasRole(role string) bool
- func (set RoleSet) HostUsers(s types.Server) (*HostUsersInfo, error)
- func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode
- func (set RoleSet) MFAParams(authPrefRequirement types.RequireMFAType) (params AccessMFAParams)
- func (set RoleSet) MaxConnections() int64
- func (set RoleSet) MaxKubernetesConnections() int64
- func (set RoleSet) MaxSessions() int64
- func (set RoleSet) MaybeCanReviewRequests() bool
- func (set RoleSet) PermitX11Forwarding() bool
- func (set RoleSet) PinSourceIP() bool
- func (set RoleSet) PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy
- func (set RoleSet) RecordDesktopSession() bool
- func (set RoleSet) RoleNames() []string
- func (set RoleSet) Roles() []types.Role
- func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet
- func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode
- func (set RoleSet) String() string
- func (set RoleSet) WithoutImplicit() (out RoleSet)
- type RotationGetter
- type RuleContext
- type RuleSet
- type SemaphoreLock
- type SemaphoreLockConfig
- type Services
- type SessionTrackerService
- type SnowflakeSession
- type SortedLoginAttempts
- type SortedReverseTunnels
- type SortedRoles
- type SortedServers
- type Status
- type StatusInternal
- type Trust
- type UnknownResource
- type UserCertParams
- type UserGetter
- type Users
- type UsersService
- type ValidateRequestOption
- type WindowsDesktops
Constants ¶
// Engine names used to classify RDS instances and clusters.
const (
	// RDSEngineMySQL is the RDS engine name for MySQL instances.
	RDSEngineMySQL = "mysql"
	// RDSEnginePostgres is the RDS engine name for Postgres instances.
	RDSEnginePostgres = "postgres"
	// RDSEngineMariaDB is the RDS engine name for MariaDB instances.
	RDSEngineMariaDB = "mariadb"
	// RDSEngineAurora is the RDS engine name for Aurora MySQL 5.6 compatible clusters.
	RDSEngineAurora = "aurora"
	// RDSEngineAuroraMySQL is the RDS engine name for Aurora MySQL 5.7 compatible clusters.
	RDSEngineAuroraMySQL = "aurora-mysql"
	// RDSEngineAuroraPostgres is the RDS engine name for Aurora Postgres clusters.
	RDSEngineAuroraPostgres = "aurora-postgresql"
)
// Engine modes reported for Aurora DB clusters.
const (
	// RDSEngineModeProvisioned is the RDS engine mode for provisioned Aurora clusters.
	RDSEngineModeProvisioned = "provisioned"
	// RDSEngineModeServerless is the RDS engine mode for Aurora Serverless DB clusters.
	RDSEngineModeServerless = "serverless"
	// RDSEngineModeParallelQuery is the RDS engine mode for Aurora MySQL clusters
	// with parallel query enabled.
	RDSEngineModeParallelQuery = "parallelquery"
	// RDSEngineModeGlobal is the RDS engine mode for Aurora Global databases.
	RDSEngineModeGlobal = "global"
	// RDSEngineModeMultiMaster is the RDS engine mode for multi-master clusters.
	RDSEngineModeMultiMaster = "multimaster"
)
// Azure resource-type identifiers used as engine names for single-server instances.
const (
	// AzureEngineMySQL is the Azure engine name for MySQL single-server instances.
	AzureEngineMySQL = "Microsoft.DBforMySQL/servers"
	// AzureEnginePostgres is the Azure engine name for PostgreSQL single-server instances.
	AzureEnginePostgres = "Microsoft.DBforPostgreSQL/servers"
)
// Matcher type names for cloud resource discovery (AWS and Azure).
const (
	// AWSMatcherRDS is the AWS matcher type for RDS databases.
	AWSMatcherRDS = "rds"
	// AWSMatcherRDSProxy is the AWS matcher type for RDS Proxy databases.
	AWSMatcherRDSProxy = "rdsproxy"
	// AWSMatcherRedshift is the AWS matcher type for Redshift databases.
	AWSMatcherRedshift = "redshift"
	// AWSMatcherElastiCache is the AWS matcher type for ElastiCache databases.
	AWSMatcherElastiCache = "elasticache"
	// AWSMatcherMemoryDB is the AWS matcher type for MemoryDB databases.
	AWSMatcherMemoryDB = "memorydb"
	// AWSMatcherEC2 is the AWS matcher type for EC2 instances.
	AWSMatcherEC2 = "ec2"

	// AzureMatcherMySQL is the Azure matcher type for Azure MySQL databases.
	AzureMatcherMySQL = "mysql"
	// AzureMatcherPostgres is the Azure matcher type for Azure Postgres databases.
	AzureMatcherPostgres = "postgres"
	// AzureMatcherRedis is the Azure matcher type for Azure Cache for Redis databases.
	AzureMatcherRedis = "redis"
)
// Identifiers that rule predicates (the `where` expressions of role rules)
// can refer to.
const (
	// UserIdentifier is the identifier registered for the user in the rules.
	UserIdentifier = "user"
	// ResourceIdentifier is the identifier registered for the resource in the rules.
	ResourceIdentifier = "resource"
	// ResourceLabelsIdentifier refers to the static and dynamic labels of a resource.
	ResourceLabelsIdentifier = "labels"
	// ResourceNameIdentifier refers to two different fields depending on the kind of resource:
	//   - KindNode resolves to resource.spec.hostname
	//   - every other kind resolves to resource.metadata.name
	// The shorthand resolves differently because users identify nodes by
	// hostname, while every other resource that can be `ls` queried is
	// identified by its metadata name.
	ResourceNameIdentifier = "name"
	// SessionIdentifier refers to a session (recording) in the rules.
	SessionIdentifier = "session"
	// SSHSessionIdentifier refers to an (active) SSH session in the rules.
	SSHSessionIdentifier = "ssh_session"
	// ImpersonateRoleIdentifier is a role to impersonate.
	ImpersonateRoleIdentifier = "impersonate_role"
	// ImpersonateUserIdentifier is a user to impersonate.
	ImpersonateUserIdentifier = "impersonate_user"
	// HostCertIdentifier refers to a host certificate being created.
	HostCertIdentifier = "host_cert"
	// SessionTrackerIdentifier refers to a session tracker in the rules.
	SessionTrackerIdentifier = "session_tracker"
)
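// Outcomes of comparing two objects. CompareResources and CompareServers in
// this package return an int, presumably one of these values.
//
// Only the first member is assigned iota explicitly; the following members
// inherit the expression, which is the idiomatic form and yields the same
// values (0, 1, 2) as repeating `= iota` on every line.
const (
	// Equal means two objects are equal.
	Equal = iota
	// OnlyTimestampsDifferent means the objects differ only in their timestamps.
	OnlyTimestampsDifferent
	// Different means that some fields are different.
	Different
)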
// Event-watcher lifecycle event types.
const (
	// EventWatcherRemoved is emitted when an event watcher has been removed.
	EventWatcherRemoved = iota
)
Variables ¶
// Pre-built predicate expressions for use in rule `where` clauses.
var (
	// ResourceNameExpr is the identifier that specifies the resource name
	// (resource.metadata.name).
	ResourceNameExpr = builder.Identifier("resource.metadata.name")
	// CertAuthorityTypeExpr is a function call expression that returns the
	// cert authority type.
	CertAuthorityTypeExpr = builder.Identifier(`system.catype()`)
)
// DefaultCertAuthorityRules provides access to the minimal set of resources
// needed for a certificate authority to function.
//
// Every grant here is read-only (RO), and certificate authorities are read
// through ReadNoSecrets rather than RO, which — going by its name — keeps
// CA secret material out of this default grant; confirm against the
// definition of ReadNoSecrets before relying on that.
var DefaultCertAuthorityRules = []types.Rule{
	types.NewRule(types.KindSession, RO()),
	types.NewRule(types.KindNode, RO()),
	types.NewRule(types.KindAuthServer, RO()),
	types.NewRule(types.KindReverseTunnel, RO()),
	types.NewRule(types.KindCertAuthority, ReadNoSecrets()),
}
DefaultCertAuthorityRules provides access to the minimal set of resources needed for a certificate authority to function.
// DefaultImplicitRules provides the default set of implicit rules assigned to
// all roles. Every entry is read-only; KindCertAuthority deliberately uses
// ReadNoSecrets rather than RO so that the implicit rules never grant read
// access to CA secrets.
var DefaultImplicitRules = []types.Rule{
	types.NewRule(types.KindNode, RO()),
	types.NewRule(types.KindProxy, RO()),
	types.NewRule(types.KindAuthServer, RO()),
	types.NewRule(types.KindReverseTunnel, RO()),
	types.NewRule(types.KindCertAuthority, ReadNoSecrets()),
	types.NewRule(types.KindClusterAuthPreference, RO()),
	types.NewRule(types.KindClusterName, RO()),
	types.NewRule(types.KindSSHSession, RO()),
	types.NewRule(types.KindAppServer, RO()),
	types.NewRule(types.KindRemoteCluster, RO()),
	types.NewRule(types.KindKubeService, RO()),
	types.NewRule(types.KindKubeServer, RO()),
	types.NewRule(types.KindDatabaseServer, RO()),
	types.NewRule(types.KindDatabase, RO()),
	types.NewRule(types.KindApp, RO()),
	types.NewRule(types.KindWindowsDesktopService, RO()),
	types.NewRule(types.KindWindowsDesktop, RO()),
	types.NewRule(types.KindKubernetesCluster, RO()),
}
DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.
// ErrSessionMFARequired is the AccessDenied error returned by AccessChecker
// when access to a resource requires a per-session MFA check.
var ErrSessionMFARequired = trace.AccessDenied("access to resource requires MFA")
ErrSessionMFARequired is returned by AccessChecker when access to a resource requires an MFA check.
// StrictLockingModeAccessDenied is the AccessDenied error returned when strict
// locking mode blocks all interactions because the local view of locks has
// become unreliable (failing closed rather than open).
var StrictLockingModeAccessDenied = trace.AccessDenied("preventive lock-out due to local lock view becoming unreliable")
StrictLockingModeAccessDenied is an AccessDenied error returned when strict locking mode causes all interactions to be blocked.
Functions ¶
func AccessRequestsToLockTargets ¶
func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget
AccessRequestsToLockTargets converts a list of access requests to a list of LockTargets (one LockTarget per access request)
func AcquireSemaphoreWithRetry ¶
func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)
AcquireSemaphoreWithRetry tries to acquire the semaphore according to the retry schedule until it succeeds or context expires.
func AddDefaultAllowRules ¶
AddDefaultAllowRules adds default rules to a preset role. Only rules whose resources are not already defined (either allowing or denying) are added.
func ApplyAccessReview ¶
func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author types.User) error
ApplyAccessReview attempts to apply the specified access review to the specified request.
func ApplyTraits ¶
ApplyTraits applies the passed-in traits to any variables within the role and returns the role.
func ApplyValueTraits ¶
ApplyValueTraits applies the passed-in traits to the variable. It returns BadParameter if the referenced variable is unsupported, NotFound if the referenced trait is missing, and the mapped list of values otherwise. When the returned error is nil, the function guarantees at least one value.
func CalculateAccessCapabilities ¶
func CalculateAccessCapabilities(ctx context.Context, clt RequestValidatorGetter, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
CalculateAccessCapabilities aggregates the requested capabilities using the supplied getter to load relevant resources.
func CertAuthoritiesEquivalent ¶
func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool
CertAuthoritiesEquivalent checks if a pair of certificate authority resources are equivalent. This differs from normal equality only in that resource IDs are ignored.
func CertPool ¶
func CertPool(ca types.CertAuthority) (*x509.CertPool, error)
CertPool returns a certificate pool built from the TLS certificates set up in the certificate authority.
func CertPoolFromCertAuthorities ¶
CertPoolFromCertAuthorities returns a certificate pool from the TLS certificates set up in the certificate authorities list, as well as the number of certificates that were added to the pool.
func CheckSAMLEntityDescriptor ¶
func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)
CheckSAMLEntityDescriptor checks if the entity descriptor XML is valid and has at least one valid certificate.
func ClusterAuditConfigSpecFromObject ¶
func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)
ClusterAuditConfigSpecFromObject returns audit config spec from object.
func CompareResources ¶
CompareResources compares two resources by all significant fields.
func CompareRuleScore ¶
CompareRuleScore returns true if the first rule is more specific than the other.
* A rule matching a wildcard resource is less specific than the same rule matching a specific resource. * A rule that has wildcard verbs is less specific than the same rule matching a specific verb. * A rule that has a where section is more specific than the same rule without a where section. * A rule that has an actions list is more specific than a rule without an actions list.
func CompareServers ¶
CompareServers compares two provided servers.
func DowngradeRoleToV4 ¶
DowngradeRoleToV4 converts a V5 role to V4 so that it is compatible with older instances. It makes a shallow copy if the conversion is necessary; the passed-in role is not mutated. DELETE IN 10.0.0
func ExtraElastiCacheLabels ¶
func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, allNodes []*elasticache.CacheCluster, allSubnetGroups []*elasticache.CacheSubnetGroup) map[string]string
ExtraElastiCacheLabels returns a list of extra labels for provided ElastiCache cluster.
func ExtraMemoryDBLabels ¶
func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, allSubnetGroups []*memorydb.SubnetGroup) map[string]string
ExtraMemoryDBLabels returns a list of extra labels for provided MemoryDB cluster.
func ExtractAllowedResourcesFromCert ¶
func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)
func ExtractFromCertificate ¶
ExtractFromCertificate will extract roles and traits from a *ssh.Certificate.
func ExtractFromIdentity ¶
func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)
ExtractFromIdentity will extract roles and traits from the *x509.Certificate which Teleport passes along as a *tlsca.Identity. If roles and traits do not exist in the certificates, they are extracted from the backend.
func ExtractRolesFromCert ¶
func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)
ExtractRolesFromCert extracts roles from certificate metadata extensions.
func ExtractTraitsFromCert ¶
func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)
ExtractTraitsFromCert extracts traits from the certificate extensions.
func GetAccessRequest ¶
func GetAccessRequest(ctx context.Context, acc DynamicAccess, reqID string) (types.AccessRequest, error)
GetAccessRequest is a helper function that assists with loading a specific request by ID.
func GetAttributeNames ¶
GetAttributeNames returns a list of attribute names from the attribute values.
func GetClaimNames ¶
GetClaimNames returns a list of claim names from the claim values
func GetJWTSigner ¶
func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)
GetJWTSigner returns the active JWT key used to sign tokens.
func GetMySQLEngineVersion ¶
GetMySQLEngineVersion returns MySQL engine version from provided metadata labels. An empty string is returned if label doesn't exist.
func GetRedirectURL ¶
func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)
GetRedirectURL gets a redirect URL for the given connector. If the connector has a redirect URL which matches the host of the given Proxy address, then that one will be returned. Otherwise, the first URL in the list will be returned.
func GetResourceMarshalerKinds ¶
func GetResourceMarshalerKinds() []string
GetResourceMarshalerKinds lists all registered resource marshalers by kind.
func GetResourcesByResourceIDs ¶
func GetResourcesByResourceIDs(ctx context.Context, lister ResourceLister, resourceIDs []types.ResourceID, opts ...ListResourcesRequestOption) ([]types.ResourceWithLabels, error)
func GetSAMLServiceProvider ¶
func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
GetSAMLServiceProvider gets the SAMLConnector's service provider
func GetSSHCheckingKeys ¶
func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte
GetSSHCheckingKeys returns SSH public keys from CA
func GetStringMapValue ¶
func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)
GetStringMapValue is a helper function that returns the property from a map[string]string or map[string][]string. It returns an empty value if the key is not found, and likewise if the map is nil.
func GetTLSCerts ¶
func GetTLSCerts(ca types.CertAuthority) [][]byte
GetTLSCerts returns TLS certificates from CA
func GetTraitMappings ¶
func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet
GetTraitMappings gets the given claim mappings as a TraitMappingSet.
func GuessProxyHostAndVersion ¶
GuessProxyHostAndVersion tries to find the first proxy with a public address configured and returns that public address and version. If no proxy has a public address configured, it returns a guessed value by concatenating the first proxy's hostname with the default port number, together with the first proxy's version.
Returns empty values if there are no proxies at all.
func IsElastiCacheClusterAvailable ¶
func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool
IsElastiCacheClusterAvailable checks if the ElastiCache cluster is available.
func IsElastiCacheClusterSupported ¶
func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool
IsElastiCacheClusterSupported checks whether the ElastiCache cluster is supported.
func IsMemoryDBClusterAvailable ¶
IsMemoryDBClusterAvailable checks if the MemoryDB cluster is available.
func IsMemoryDBClusterSupported ¶
IsMemoryDBClusterSupported checks whether the MemoryDB cluster is supported.
func IsRDSClusterAvailable ¶
IsRDSClusterAvailable checks if the RDS cluster is available.
func IsRDSClusterSupported ¶
IsRDSClusterSupported checks whether the Aurora cluster is supported.
func IsRDSInstanceAvailable ¶
func IsRDSInstanceAvailable(instance *rds.DBInstance) bool
IsRDSInstanceAvailable checks if the RDS instance is available.
func IsRDSInstanceSupported ¶
func IsRDSInstanceSupported(instance *rds.DBInstance) bool
IsRDSInstanceSupported returns true if database supports IAM authentication. Currently, only MariaDB is being checked.
func IsRDSProxyAvailable ¶
IsRDSProxyAvailable checks if the RDS Proxy is available.
func IsRDSProxyCustomEndpointAvailable ¶
func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool
IsRDSProxyCustomEndpointAvailable checks if the RDS Proxy custom endpoint is available.
func IsRecordAtProxy ¶
IsRecordAtProxy returns true if recording is sync or async at proxy.
func IsRecordSync ¶
IsRecordSync returns true if recording is sync for proxy or node.
func IsRedshiftClusterAvailable ¶
IsRedshiftClusterAvailable checks if the Redshift cluster is available.
func LastFailed ¶
func LastFailed(x int, attempts []LoginAttempt) bool
LastFailed returns true if the last x successive login attempts all failed.
func LatestTunnelConnection ¶
func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)
LatestTunnelConnection returns latest tunnel connection from the list of tunnel connections, if no connections found, returns NotFound error
func LockInForceAccessDenied ¶
LockInForceAccessDenied is an AccessDenied error returned when a lock is in force.
func LockTargetsFromTLSIdentity ¶
func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget
LockTargetsFromTLSIdentity infers a list of LockTargets from tlsca.Identity.
func MapListResourcesResultToLeafResource ¶
func MapListResourcesResultToLeafResource(resource types.ResourceWithLabels, hint string) (types.ResourcesWithLabels, error)
MapListResourcesResultToLeafResource is the inverse of MapResourceKindToListResourcesType, after the ListResources call it maps the result back to the kind we really want. `hint` should be the name of the desired resource kind, used to disambiguate normal SSH nodes and kubernetes services which are both returned as `types.Server`.
func MapResourceKindToListResourcesType ¶
MapResourceKindToListResourcesType returns the value to use for ResourceType in a ListResourcesRequest based on the kind of resource you're searching for. Necessary because some resource kinds don't support ListResources directly, so you have to list the parent kind. Use MapListResourcesResultToLeafResource to map back to the given kind.
func MarshalAccessRequest ¶
func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)
MarshalAccessRequest marshals the AccessRequest resource to JSON.
func MarshalApp ¶
func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)
MarshalApp marshals Application resource to JSON.
func MarshalAppServer ¶
func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)
MarshalAppServer marshals the AppServer resource to JSON.
func MarshalAuthPreference ¶
func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)
MarshalAuthPreference marshals the AuthPreference resource to JSON.
func MarshalCertAuthority ¶
func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)
MarshalCertAuthority marshals the CertAuthority resource to JSON.
func MarshalCertRoles ¶
MarshalCertRoles marshals a roles list to OpenSSH format.
func MarshalClusterAuditConfig ¶
func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)
MarshalClusterAuditConfig marshals the ClusterAuditConfig resource to JSON.
func MarshalClusterName ¶
func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)
MarshalClusterName marshals the ClusterName resource to JSON.
func MarshalClusterNetworkingConfig ¶
func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)
MarshalClusterNetworkingConfig marshals the ClusterNetworkingConfig resource to JSON.
func MarshalConnectionDiagnostic ¶
func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)
MarshalConnectionDiagnostic marshals the ConnectionDiagnostic resource to JSON.
func MarshalDatabase ¶
func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)
MarshalDatabase marshals the database resource to JSON.
func MarshalDatabaseServer ¶
func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)
MarshalDatabaseServer marshals the DatabaseServer resource to JSON.
func MarshalGithubConnector ¶
func MarshalGithubConnector(githubConnector types.GithubConnector, opts ...MarshalOption) ([]byte, error)
MarshalGithubConnector marshals the GithubConnector resource to JSON.
func MarshalInstaller ¶
func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)
MarshalInstaller marshals the Installer resource to JSON.
func MarshalKubeCluster ¶
func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)
MarshalKubeCluster marshals the KubeCluster resource to JSON.
func MarshalKubeServer ¶
func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)
MarshalKubeServer marshals the KubeServer resource to JSON.
func MarshalLicense ¶
func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)
MarshalLicense marshals the License resource to JSON.
func MarshalLock ¶
func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)
MarshalLock marshals the Lock resource to JSON.
func MarshalNamespace ¶
func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)
MarshalNamespace marshals the Namespace resource to JSON.
func MarshalNetworkRestrictions ¶
func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)
MarshalNetworkRestrictions marshals the NetworkRestrictions resource to JSON.
func MarshalOIDCConnector ¶
func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)
MarshalOIDCConnector marshals the OIDCConnector resource to JSON.
func MarshalPluginData ¶
func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)
MarshalPluginData marshals the PluginData resource to JSON.
func MarshalProvisionToken ¶
func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)
MarshalProvisionToken marshals the ProvisionToken resource to JSON.
func MarshalRemoteCluster ¶
func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)
MarshalRemoteCluster marshals the RemoteCluster resource to JSON.
func MarshalResource ¶
func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)
MarshalResource attempts to marshal a resource dynamically, returning NotImplementedError if no marshaler has been registered.
NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).
func MarshalReverseTunnel ¶
func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)
MarshalReverseTunnel marshals the ReverseTunnel resource to JSON.
func MarshalRole ¶
func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)
MarshalRole marshals the Role resource to JSON.
func MarshalSAMLConnector ¶
func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)
MarshalSAMLConnector marshals the SAMLConnector resource to JSON.
func MarshalSemaphore ¶
func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)
MarshalSemaphore marshals the Semaphore resource to JSON.
func MarshalServer ¶
func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)
MarshalServer marshals the Server resource to JSON.
func MarshalServers ¶
MarshalServers marshals a list of Server resources.
func MarshalSessionRecordingConfig ¶
func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)
MarshalSessionRecordingConfig marshals the SessionRecordingConfig resource to JSON.
func MarshalSessionTracker ¶
func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)
MarshalSessionTracker marshals the SessionTracker resource to JSON.
func MarshalStaticTokens ¶
func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)
MarshalStaticTokens marshals the StaticTokens resource to JSON.
func MarshalTrustedCluster ¶
func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)
MarshalTrustedCluster marshals the TrustedCluster resource to JSON.
func MarshalTunnelConnection ¶
func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)
MarshalTunnelConnection marshals the TunnelConnection resource to JSON.
func MarshalUser ¶
func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)
MarshalUser marshals the User resource to JSON.
func MarshalUserToken ¶
func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)
MarshalUserToken marshals the UserToken resource to JSON.
func MarshalUserTokenSecrets ¶
func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)
MarshalUserTokenSecrets marshals the UserTokenSecrets resource to JSON.
func MarshalWebSession ¶
func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)
MarshalWebSession marshals the WebSession resource to JSON.
func MarshalWebToken ¶
func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)
MarshalWebToken serializes the web token as JSON-encoded payload
func MarshalWindowsDesktop ¶
func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)
MarshalWindowsDesktop marshals the WindowsDesktop resource to JSON.
func MarshalWindowsDesktopService ¶
func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)
MarshalWindowsDesktopService marshals the WindowsDesktopService resource to JSON.
func MatchAWSRoleARN ¶
MatchAWSRoleARN returns true if provided role ARN matches selectors.
func MatchDatabaseName ¶
MatchDatabaseName returns true if provided database name matches selectors.
func MatchDatabaseUser ¶
MatchDatabaseUser returns true if provided database user matches selectors.
func MatchLabels ¶
MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.
func MatchNamespace ¶
MatchNamespace returns true if the given list of namespaces matches the target namespace; a wildcard matches everything.
func MatchResourceByFilters ¶
func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, seenMap map[ResourceSeenKey]struct{}) (bool, error)
MatchResourceByFilters returns true if all filter values given matched against the resource.
If no filters were provided, we will treat that as a match.
If a `seenMap` is provided, this will be treated as a request to filter out duplicate matches. The map will be modified in place as it adds new keys. Seen keys will return match as false.
Resource KubeService is handled differently because of its 1-N relationship with service clusters: it filters out the non-matched clusters on the kube service, and the kube service is modified in place to contain only the matched clusters. Deduplication is not provided for resource `KubeService` but is provided for kind `KubernetesCluster`.
func MatchResourceLabels ¶
func MatchResourceLabels(matchers []ResourceMatcher, resource types.ResourceWithLabels) bool
MatchResourceLabels returns true if any of the provided selectors matches the provided resource.
func MetadataFromElastiCacheCluster ¶
func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)
MetadataFromElastiCacheCluster creates AWS metadata for the provided ElastiCache cluster.
func MetadataFromMemoryDBCluster ¶
func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)
MetadataFromMemoryDBCluster creates AWS metadata for the provided MemoryDB cluster.
func MetadataFromRDSCluster ¶
MetadataFromRDSCluster creates AWS metadata from the provided RDS cluster.
func MetadataFromRDSInstance ¶
func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)
MetadataFromRDSInstance creates AWS metadata from the provided RDS instance.
func MetadataFromRDSProxy ¶
MetadataFromRDSProxy creates AWS metadata from the provided RDS Proxy.
func MetadataFromRDSProxyCustomEndpoint ¶
func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)
MetadataFromRDSProxyCustomEndpoint creates AWS metadata from the provided RDS Proxy custom endpoint.
func MetadataFromRedshiftCluster ¶
MetadataFromRedshiftCluster creates AWS metadata from the provided Redshift cluster.
func MustCreateProvisionToken ¶
func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken
MustCreateProvisionToken returns a new valid provision token or panics, used in tests
func NewAccessRequest ¶
func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)
NewAccessRequest assembles an AccessRequest resource.
func NewAccessRequestWithResources ¶
func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)
NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.
func NewActionsParser ¶
func NewActionsParser(ctx RuleContext) (predicate.Parser, error)
NewActionsParser returns standard parser for 'actions' section in access rules
func NewClusterNameWithRandomID ¶
func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)
NewClusterNameWithRandomID creates a ClusterName, supplying a random ClusterID if the field is not provided in spec.
func NewDatabaseFromAzureRedis ¶
NewDatabaseFromAzureRedis creates a database resource from an Azure Redis server.
func NewDatabaseFromAzureRedisEnterprise ¶
func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)
NewDatabaseFromAzureRedisEnterprise creates a database resource from an Azure Redis Enterprise database and its parent cluster.
func NewDatabaseFromAzureServer ¶
NewDatabaseFromAzureServer creates a database resource from an AzureDB server.
func NewDatabaseFromElastiCacheConfigurationEndpoint ¶
func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)
NewDatabaseFromElastiCacheConfigurationEndpoint creates a database resource from ElastiCache configuration endpoint.
func NewDatabaseFromMemoryDBCluster ¶
func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)
NewDatabaseFromMemoryDBCluster creates a database resource from a MemoryDB cluster.
func NewDatabaseFromRDSCluster ¶
NewDatabaseFromRDSCluster creates a database resource from an RDS cluster (Aurora).
func NewDatabaseFromRDSClusterReaderEndpoint ¶
NewDatabaseFromRDSClusterReaderEndpoint creates a database resource from an RDS cluster reader endpoint (Aurora).
func NewDatabaseFromRDSInstance ¶
func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)
NewDatabaseFromRDSInstance creates a database resource from an RDS instance.
func NewDatabaseFromRDSProxy ¶
func NewDatabaseFromRDSProxy(dbProxy *rds.DBProxy, port int64, tags []*rds.Tag) (types.Database, error)
NewDatabaseFromRDSProxy creates database resource from RDS Proxy.
func NewDatabaseFromRDSProxyCustomEndpoint ¶
func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, port int64, tags []*rds.Tag) (types.Database, error)
NewDatabaseFromRDSProxyCustomEndpoint creates a database resource from an RDS Proxy custom endpoint.
func NewDatabaseFromRedshiftCluster ¶
NewDatabaseFromRedshiftCluster creates a database resource from a Redshift cluster.
func NewDatabasesFromElastiCacheNodeGroups ¶
func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)
NewDatabasesFromElastiCacheNodeGroups creates database resources from ElastiCache node groups.
func NewDatabasesFromRDSClusterCustomEndpoints ¶
NewDatabasesFromRDSClusterCustomEndpoints creates database resources from RDS cluster custom endpoints (Aurora).
func NewImplicitRole ¶
NewImplicitRole returns the default implicit role that gets added to all RoleSets.
func NewKubeClusterFromAWSEKS ¶
func NewKubeClusterFromAWSEKS(cluster *eks.Cluster) (types.KubeCluster, error)
NewKubeClusterFromAWSEKS creates a kube_cluster resource from an EKS cluster.
func NewKubeClusterFromAzureAKS ¶
func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)
NewKubeClusterFromAzureAKS creates a kube_cluster resource from an AKSCluster.
func NewLogActionFn ¶
func NewLogActionFn(ctx RuleContext) interface{}
NewLogActionFn creates logger functions
func NewPresetAccessRole ¶
NewPresetAccessRole creates a role for users who are allowed to initiate interactive sessions.
func NewPresetAuditorRole ¶
NewPresetAuditorRole returns a new pre-defined role for cluster auditor - someone who can review cluster events and replay sessions, but can't initiate interactive sessions or modify configuration.
func NewPresetEditorRole ¶
NewPresetEditorRole returns a new pre-defined role for cluster editors who can edit cluster configuration resources.
func NewTOTPDevice ¶
NewTOTPDevice creates a TOTP MFADevice from the given key.
func NewWhereParser ¶
func NewWhereParser(ctx RuleContext) (predicate.Parser, error)
NewWhereParser returns standard parser for `where` section in access rules.
func NodeHasMissedKeepAlives ¶
NodeHasMissedKeepAlives checks if node has missed its keep alive
func OIDCClaimsToTraits ¶
OIDCClaimsToTraits converts OIDC-style claims into teleport-specific trait format
func ParseShortcut ¶
ParseShortcut parses resource shortcut
func RO ¶
func RO() []string
RO is a shortcut that returns the read-only verbs, including read access to secrets. For resources that carry secret material (for example KindCertAuthority in DefaultImplicitRules and DefaultCertAuthorityRules), use ReadNoSecrets instead so that secrets are not exposed.
func ReadNoSecrets ¶
func ReadNoSecrets() []string
ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.
func RegisterResourceMarshaler ¶
func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)
RegisterResourceMarshaler registers a marshaler for resources of a specific kind.
func RegisterResourceUnmarshaler ¶
func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)
RegisterResourceUnmarshaler registers an unmarshaler for resources of a specific kind.
func RoleForCertAuthority ¶
func RoleForCertAuthority(ca types.CertAuthority) types.Role
RoleForCertAuthority creates role using types.CertAuthority.
func RoleFromSpec ¶
RoleFromSpec returns new Role created from spec
func RoleMapToString ¶
RoleMapToString prints user friendly representation of role mapping
func RoleNameForCertAuthority ¶
RoleNameForCertAuthority returns role name associated with a certificate authority.
func RoleNameForUser ¶
RoleNameForUser returns role name associated with a user.
func RolesToLockTargets ¶
func RolesToLockTargets(roles []string) []types.LockTarget
RolesToLockTargets converts a list of roles to a list of LockTargets (one LockTarget per role).
func SAMLAssertionsToTraits ¶
func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string
SAMLAssertionsToTraits converts saml assertions to traits
func TraitsToRoleMatchers ¶
func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)
TraitsToRoleMatchers maps the supplied traits to a list of role matchers. Prefer calling this function directly rather than calling TraitsToRoles and then building matchers from the resulting list since this function forces any roles which include substitutions to be literal matchers.
func TraitsToRoles ¶
func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)
TraitsToRoles maps the supplied traits to a list of teleport role names. Returns the list of roles mapped from traits. `warnings` optionally contains the list of warnings potentially interesting to the user.
func TunnelConnectionStatus ¶
func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, offlineThreshold time.Duration) string
TunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection
func UnmarshalAccessRequest ¶
func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)
UnmarshalAccessRequest unmarshals the AccessRequest resource from JSON.
func UnmarshalApp ¶
func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)
UnmarshalApp unmarshals Application resource from JSON.
func UnmarshalAppServer ¶
func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)
UnmarshalAppServer unmarshals AppServer resource from JSON.
func UnmarshalAuthPreference ¶
func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)
UnmarshalAuthPreference unmarshals the AuthPreference resource from JSON.
func UnmarshalCertAuthority ¶
func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)
UnmarshalCertAuthority unmarshals the CertAuthority resource from JSON.
func UnmarshalCertRoles ¶
UnmarshalCertRoles unmarshals a roles list from its OpenSSH certificate encoding (the inverse of marshalling roles into a certificate).
func UnmarshalClusterAuditConfig ¶
func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)
UnmarshalClusterAuditConfig unmarshals the ClusterAuditConfig resource from JSON.
func UnmarshalClusterName ¶
func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)
UnmarshalClusterName unmarshals the ClusterName resource from JSON.
func UnmarshalClusterNetworkingConfig ¶
func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)
UnmarshalClusterNetworkingConfig unmarshals the ClusterNetworkingConfig resource from JSON.
func UnmarshalConnectionDiagnostic ¶
func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)
UnmarshalConnectionDiagnostic unmarshals the ConnectionDiagnostic resource from JSON.
func UnmarshalDatabase ¶
func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)
UnmarshalDatabase unmarshals the database resource from JSON.
func UnmarshalDatabaseServer ¶
func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)
UnmarshalDatabaseServer unmarshals the DatabaseServer resource from JSON.
func UnmarshalGithubConnector ¶
func UnmarshalGithubConnector(bytes []byte) (types.GithubConnector, error)
UnmarshalGithubConnector unmarshals the GithubConnector resource from JSON.
func UnmarshalInstaller ¶
func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)
UnmarshalInstaller unmarshals the installer resource from JSON.
func UnmarshalKubeCluster ¶
func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)
UnmarshalKubeCluster unmarshals KubeCluster resource from JSON.
func UnmarshalKubeServer ¶
func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)
UnmarshalKubeServer unmarshals KubeServer resource from JSON.
func UnmarshalLicense ¶
UnmarshalLicense unmarshals the License resource from JSON.
func UnmarshalLock ¶
func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)
UnmarshalLock unmarshals the Lock resource from JSON.
func UnmarshalNamespace ¶
func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)
UnmarshalNamespace unmarshals the Namespace resource from JSON.
func UnmarshalNetworkRestrictions ¶
func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)
UnmarshalNetworkRestrictions unmarshals the NetworkRestrictions resource from JSON.
func UnmarshalOIDCConnector ¶
func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)
UnmarshalOIDCConnector unmarshals the OIDCConnector resource from JSON.
func UnmarshalPluginData ¶
func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)
UnmarshalPluginData unmarshals the PluginData resource from JSON.
func UnmarshalProvisionToken ¶
func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)
UnmarshalProvisionToken unmarshals the ProvisionToken resource from JSON.
func UnmarshalRemoteCluster ¶
func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)
UnmarshalRemoteCluster unmarshals the RemoteCluster resource from JSON.
func UnmarshalResource ¶
UnmarshalResource attempts to unmarshal a resource dynamically, returning NotImplementedError if no unmarshaler has been registered.
NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).
func UnmarshalReverseTunnel ¶
func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)
UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.
func UnmarshalRole ¶
func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)
UnmarshalRole unmarshals the Role resource from JSON.
func UnmarshalSAMLConnector ¶
func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)
UnmarshalSAMLConnector unmarshals the SAMLConnector resource from JSON.
func UnmarshalSemaphore ¶
func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)
UnmarshalSemaphore unmarshals the Semaphore resource from JSON.
func UnmarshalServer ¶
UnmarshalServer unmarshals the Server resource from JSON.
func UnmarshalServers ¶
UnmarshalServers unmarshals a list of Server resources.
func UnmarshalSessionRecordingConfig ¶
func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)
UnmarshalSessionRecordingConfig unmarshals the SessionRecordingConfig resource from JSON.
func UnmarshalSessionTracker ¶
func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)
UnmarshalSessionTracker unmarshals the SessionTracker resource from JSON.
func UnmarshalStaticTokens ¶
func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)
UnmarshalStaticTokens unmarshals the StaticTokens resource from JSON.
func UnmarshalTrustedCluster ¶
func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)
UnmarshalTrustedCluster unmarshals the TrustedCluster resource from JSON.
func UnmarshalTunnelConnection ¶
func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)
UnmarshalTunnelConnection unmarshals TunnelConnection resource from JSON or YAML, sets defaults and checks the schema
func UnmarshalUser ¶
func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)
UnmarshalUser unmarshals the User resource from JSON.
func UnmarshalUserToken ¶
func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)
UnmarshalUserToken unmarshals the UserToken resource from JSON.
func UnmarshalUserTokenSecrets ¶
func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)
UnmarshalUserTokenSecrets unmarshals the UserTokenSecrets resource from JSON.
func UnmarshalWebSession ¶
func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)
UnmarshalWebSession unmarshals the WebSession resource from JSON.
func UnmarshalWebToken ¶
func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)
UnmarshalWebToken interprets bytes as JSON-encoded web token value
func UnmarshalWindowsDesktop ¶
func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)
UnmarshalWindowsDesktop unmarshals the WindowsDesktop resource from JSON.
func UnmarshalWindowsDesktopService ¶
func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)
UnmarshalWindowsDesktopService unmarshals the WindowsDesktopService resource from JSON.
func UsersEquals ¶
UsersEquals checks if the users are equal
func ValidateAccessPredicates ¶
ValidateAccessPredicates checks request & review permission predicates for syntax errors. Used to help prevent users from accidentally writing incorrect predicates. This function should only be called by the auth server prior to storing new/updated roles. Normal role validation deliberately omits these checks in order to allow us to extend the available namespaces without breaking backwards compatibility with older nodes/proxies (which never need to evaluate these predicates).
func ValidateAccessRequest ¶
func ValidateAccessRequest(ar types.AccessRequest) error
ValidateAccessRequest validates the AccessRequest and sets default values
func ValidateAccessRequestForUser ¶
func ValidateAccessRequestForUser(ctx context.Context, getter RequestValidatorGetter, req types.AccessRequest, opts ...ValidateRequestOption) error
ValidateAccessRequestForUser validates an access request against the associated user's *statically assigned* roles (never against roles obtained through other access requests). If expandRoles is true, it will also expand wildcard requests, setting their role list to include all roles the user is allowed to request. Expansion should be performed before an access request is initially placed in the backend.
func ValidateCertAuthority ¶
func ValidateCertAuthority(ca types.CertAuthority) (err error)
ValidateCertAuthority validates the CertAuthority
func ValidateLocalAuthSecrets ¶
func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error
ValidateLocalAuthSecrets validates local auth secret members.
func ValidateNetworkRestrictions ¶
func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error
ValidateNetworkRestrictions validates the network restrictions and sets defaults
func ValidateReverseTunnel ¶
func ValidateReverseTunnel(rt types.ReverseTunnel) error
ValidateReverseTunnel validates the ReverseTunnel resource and sets default values.
func ValidateRole ¶
ValidateRole validates the role and sets default values.
func ValidateRoleName ¶
ValidateRoleName checks that the role name is allowed to be created.
func ValidateSAMLConnector ¶
func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error
ValidateSAMLConnector validates the SAMLConnector and sets default values. If a non-nil RoleGetter is supplied, the roles the connector references are also checked to exist.
func ValidateTrustedCluster ¶
func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error
ValidateTrustedCluster checks and sets Trusted Cluster defaults
func ValidateUser ¶
ValidateUser validates the User and sets default values
func ValidateUserRoles ¶
ValidateUserRoles checks that all the roles in the user exist
func VerifyPassword ¶ added in v1.0.0
VerifyPassword makes sure the password satisfies the package's minimal (relaxed) requirements, mostly to avoid storing garbage. It is a sanity check, not a password-strength policy, and should not be relied on as one.
Types ¶
type AWSMatcher ¶
// AWSMatcher selects AWS resources by type, region and tag.
//
// NOTE(review): Params and SSM are documented below as applying to EC2 nodes,
// so this matcher appears to cover more than databases; confirm against the
// code that consumes it.
type AWSMatcher struct {
	// Types are AWS database types to match, "rds" or "redshift".
	Types []string
	// Regions are AWS regions to query for databases.
	Regions []string
	// Tags are AWS tags to match.
	Tags types.Labels
	// Params are passed to AWS when executing the SSM document.
	Params InstallerParams
	// SSM provides options to use when sending a document command to
	// an EC2 node.
	SSM *AWSSSM
}
AWSMatcher matches AWS resources. Types, Regions and Tags select what matches; Params and SSM only apply when an SSM document command is sent to a matched EC2 node (see the field comments).
type AWSRoleARNMatcher ¶
// AWSRoleARNMatcher matches a role against an AWS role ARN.
type AWSRoleARNMatcher struct {
	// RoleARN is the AWS IAM role ARN that the role's allow/deny conditions
	// are matched against.
	RoleARN string
}
AWSRoleARNMatcher matches a role against AWS role ARN.
func (*AWSRoleARNMatcher) Match ¶
func (m *AWSRoleARNMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches the AWS role ARN against the provided role and condition.
func (*AWSRoleARNMatcher) String ¶
func (m *AWSRoleARNMatcher) String() string
String returns the matcher's string representation.
type AWSSSM ¶
type AWSSSM struct { // DocumentName is the name of the document to use when executing an // SSM command DocumentName string }
AWSSSM provides options to use when executing SSM documents
type Access ¶
// Access service manages roles and permissions, plus the locks that can
// revoke access.
type Access interface {
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// CreateRole creates a role.
	CreateRole(ctx context.Context, role types.Role) error
	// UpsertRole creates or updates role.
	UpsertRole(ctx context.Context, role types.Role) error
	// DeleteAllRoles deletes all roles.
	DeleteAllRoles() error
	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// DeleteRole deletes role by name.
	DeleteRole(ctx context.Context, name string) error
	// LockGetter provides read access to locks.
	LockGetter
	// UpsertLock upserts a lock.
	UpsertLock(context.Context, types.Lock) error
	// DeleteLock deletes a lock.
	DeleteLock(context.Context, string) error
	// DeleteAllLocks deletes all/in-force locks.
	DeleteAllLocks(context.Context) error
	// ReplaceRemoteLocks replaces the set of locks associated with a remote
	// cluster. NOTE(review): presumably the locks come from the remote
	// cluster itself; callers should make sure clusterName is the
	// authenticated peer, not a value taken from the payload — confirm.
	ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
}
Access service manages roles and permissions.
type AccessCheckable ¶
// AccessCheckable is the subset of types.Resource required for the RBAC
// checks: kind, name, metadata and the full label set that role label
// matchers are evaluated against.
type AccessCheckable interface {
	GetKind() string
	GetName() string
	GetMetadata() types.Metadata
	GetAllLabels() map[string]string
}
AccessCheckable is the subset of types.Resource required for the RBAC checks.
type AccessChecker ¶
// AccessChecker interface checks access to resources based on roles, traits,
// and allowed resources.
type AccessChecker interface {
	// HasRole checks if the checker includes the role.
	HasRole(role string) bool
	// RoleNames returns a list of role names.
	RoleNames() []string
	// Roles returns the list of underlying roles this AccessChecker is based on.
	Roles() []types.Role
	// CheckAccess checks access to the specified resource.
	CheckAccess(r AccessCheckable, mfa AccessMFAParams, matchers ...RoleMatcher) error
	// CheckAccessToRemoteCluster checks access to remote cluster.
	CheckAccessToRemoteCluster(cluster types.RemoteCluster) error
	// CheckAccessToRule checks access to a rule within a namespace.
	// NOTE(review): silent presumably suppresses logging of a denial;
	// confirm in the implementation before relying on it.
	CheckAccessToRule(context RuleContext, namespace string, rule string, verb string, silent bool) error
	// CheckLoginDuration checks if role set can login up to given duration and
	// returns a combined list of allowed logins.
	CheckLoginDuration(ttl time.Duration) ([]string, error)
	// CheckKubeGroupsAndUsers check if role can login into kubernetes
	// and returns two lists of combined allowed groups and users.
	CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) (groups []string, users []string, err error)
	// CheckAWSRoleARNs returns a list of AWS role ARNs role is allowed to assume.
	CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)
	// AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL
	// for this role set, otherwise it returns ttl unchanged.
	AdjustSessionTTL(ttl time.Duration) time.Duration
	// AdjustClientIdleTimeout adjusts requested idle timeout
	// to the lowest max allowed timeout, the most restrictive
	// option will be picked.
	AdjustClientIdleTimeout(ttl time.Duration) time.Duration
	// AdjustDisconnectExpiredCert adjusts the value based on the role set;
	// the most restrictive option will be picked.
	AdjustDisconnectExpiredCert(disconnect bool) bool
	// CheckAgentForward checks if the role can request agent forward for this
	// user.
	CheckAgentForward(login string) error
	// CanForwardAgents returns true if this role set offers capability to forward
	// agents.
	CanForwardAgents() bool
	// CanPortForward returns true if this RoleSet can forward ports.
	CanPortForward() bool
	// DesktopClipboard returns true if the role set has enabled shared
	// clipboard for desktop sessions. Clipboard sharing is disabled if
	// one or more of the roles in the set has disabled it.
	DesktopClipboard() bool
	// RecordDesktopSession returns true if a role in the role set has enabled
	// desktop session recording.
	RecordDesktopSession() bool
	// DesktopDirectorySharing returns true if the role set has directory sharing
	// enabled. This setting is enabled if one or more of the roles in the set has
	// enabled it.
	DesktopDirectorySharing() bool
	// MaybeCanReviewRequests attempts to guess if this RoleSet belongs
	// to a user who should be submitting access reviews. Because not all rolesets
	// are derived from statically assigned roles, this may return false positives,
	// so it must not be used as an authorization decision on its own.
	MaybeCanReviewRequests() bool
	// PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
	PermitX11Forwarding() bool
	// CanCopyFiles returns true if the role set has enabled remote file
	// operations via SCP or SFTP. Remote file operations are disabled if
	// one or more of the roles in the set has disabled it.
	CanCopyFiles() bool
	// CertificateFormat returns the most permissive certificate format in a
	// RoleSet.
	// NOTE(review): this is the opposite of the most-restrictive rule the
	// Adjust*/Desktop* methods above follow; confirm that is intended.
	CertificateFormat() string
	// EnhancedRecordingSet returns a set of events that will be recorded
	// for enhanced session recording.
	EnhancedRecordingSet() map[string]bool
	// CheckDatabaseNamesAndUsers returns database names and users this role
	// is allowed to use.
	CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) (names []string, users []string, err error)
	// CheckImpersonate checks whether current user is allowed to impersonate
	// users and roles.
	CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error
	// CheckImpersonateRoles checks whether the current user is allowed to
	// perform roles-only impersonation.
	CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error
	// CanImpersonateSomeone returns true if this checker has any impersonation rules.
	CanImpersonateSomeone() bool
	// LockingMode returns the locking mode to apply with this checker.
	LockingMode(defaultMode constants.LockingMode) constants.LockingMode
	// ExtractConditionForIdentifier returns a restrictive filter expression
	// for list queries based on the rules' `where` conditions.
	ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)
	// CertificateExtensions returns the list of extensions for each role in the RoleSet.
	CertificateExtensions() []*types.CertExtension
	// GetAllowedSearchAsRoles returns all of the allowed SearchAsRoles.
	GetAllowedSearchAsRoles() []string
	// GetAllowedPreviewAsRoles returns all of the allowed PreviewAsRoles.
	GetAllowedPreviewAsRoles() []string
	// MaxConnections returns the maximum number of concurrent ssh connections
	// allowed. If MaxConnections is zero then no maximum was defined and the
	// number of concurrent connections is unconstrained.
	MaxConnections() int64
	// MaxSessions returns the maximum number of concurrent ssh sessions per
	// connection. If MaxSessions is zero then no maximum was defined and the
	// number of sessions is unconstrained.
	MaxSessions() int64
	// SessionPolicySets returns the list of SessionPolicySets for all roles.
	SessionPolicySets() []*types.SessionTrackerPolicySet
	// GetAllLogins returns all valid unix logins for the AccessChecker.
	GetAllLogins() []string
	// GetAllowedResourceIDs returns the list of allowed resources the identity for
	// the AccessChecker is allowed to access. An empty or nil list indicates that
	// there are no resource-specific restrictions.
	GetAllowedResourceIDs() []types.ResourceID
	// SessionRecordingMode returns the recording mode for a specific service.
	SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode
	// HostUsers returns host user information matching a server or nil if
	// a role disallows host user creation.
	HostUsers(types.Server) (*HostUsersInfo, error)
	// PinSourceIP forces the same client IP for certificate generation and SSH usage.
	PinSourceIP() bool
	// MFAParams returns MFA params for the given user given their roles, the cluster
	// auth preference, and whether mfa has been verified.
	MFAParams(authPrefMFARequirement types.RequireMFAType) AccessMFAParams
	// PrivateKeyPolicy returns the enforced private key policy for this role set,
	// or the provided defaultPolicy - whichever is stricter.
	PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy
}
AccessChecker interface checks access to resources based on roles, traits, and allowed resources
func NewAccessChecker ¶
func NewAccessChecker(info *AccessInfo, localCluster string, access RoleGetter) (AccessChecker, error)
NewAccessChecker returns a new AccessChecker which can be used to check access to resources. Args:
- `info *AccessInfo` should hold the roles, traits, and allowed resource IDs for the identity.
- `localCluster string` should be the name of the local cluster in which access will be checked. You cannot check for access to resources in remote clusters.
- `access RoleGetter` should be a RoleGetter which will be used to fetch the full RoleSet
func NewAccessCheckerWithRoleSet ¶
func NewAccessCheckerWithRoleSet(info *AccessInfo, localCluster string, roleSet RoleSet) AccessChecker
NewAccessCheckerWithRoleSet is similar to NewAccessChecker, but accepts the full RoleSet rather than a RoleGetter.
type AccessInfo ¶
// AccessInfo holds the identity attributes an AccessChecker is built from.
// Whoever populates it decides what the identity is allowed to do, so it
// must only be filled from an authenticated source (certificate, TLS
// identity or backend user record).
type AccessInfo struct {
	// Roles is the list of cluster local roles for the identity.
	Roles []string
	// Traits is the set of traits for the identity.
	Traits wrappers.Traits
	// AllowedResourceIDs is the list of resource IDs the identity is allowed to
	// access. A nil or empty list indicates that no resource-specific
	// access restrictions should be applied. Used for search-based access
	// requests. Note the fail-open semantics: dropping this list widens
	// access rather than narrowing it.
	AllowedResourceIDs []types.ResourceID
}
AccessInfo hold information about an identity necessary to check whether that identity has access to cluster resources. This info can come from a user or host SSH certificate, TLS certificate, or user information stored in the backend.
func AccessInfoFromLocalCertificate ¶
func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)
AccessInfoFromLocalCertificate returns a new AccessInfo populated from the given ssh certificate. Should only be used for cluster-local users: the role names in the certificate are taken as-is, with no trusted-cluster role mapping applied, so a remote cluster's certificate must go through AccessInfoFromRemoteCertificate instead.
func AccessInfoFromLocalIdentity ¶
func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)
AccessInfoFromLocalIdentity returns a new AccessInfo populated from the given tlsca.Identity. Should only be used for cluster-local users: the role names in the identity are taken as-is, with no trusted-cluster role mapping applied, so a remote cluster's identity must go through AccessInfoFromRemoteIdentity instead.
func AccessInfoFromRemoteCertificate ¶
func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)
AccessInfoFromRemoteCertificate returns a new AccessInfo populated from the given remote cluster user's ssh certificate. Remote roles will be mapped to local roles based on the given roleMap.
func AccessInfoFromRemoteIdentity ¶
func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)
AccessInfoFromRemoteIdentity returns a new AccessInfo populated from the given remote cluster user's tlsca.Identity. Remote roles will be mapped to local roles based on the given roleMap.
func AccessInfoFromUser ¶
func AccessInfoFromUser(user types.User) *AccessInfo
AccessInfoFromUser returns a new AccessInfo populated from the roles and traits held by the given user. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests), since roles granted by access requests are not reflected in the user record.
type AccessMFAParams ¶
// AccessMFAParams contains MFA-related parameters for methods that check access.
type AccessMFAParams struct {
	// Required determines whether a user's MFA requirement dynamically changes based on
	// their active role (per-role), or is static across all roles (always/never).
	Required MFARequired
	// Verified is set when MFA has been verified by the caller.
	// The checker trusts this flag as given, so it must only be set after an
	// MFA challenge actually succeeded for this request.
	Verified bool
}
AccessMFAParams contains MFA-related parameters for methods that check access.
type AcquireSemaphoreWithRetryConfig ¶
// AcquireSemaphoreWithRetryConfig contains parameters for trying to acquire a
// semaphore with a retry.
type AcquireSemaphoreWithRetryConfig struct {
	// Service is the semaphore service the lease is acquired from.
	Service types.Semaphores
	// Request describes the semaphore lease being requested.
	Request types.AcquireSemaphoreRequest
	// Retry configures the linear retry used between acquisition attempts.
	Retry retryutils.LinearConfig
}
AcquireSemaphoreWithRetryConfig contains parameters for trying to acquire a semaphore with a retry.
type AppGetter ¶
type AppGetter interface { // GetApps returns all application resources. GetApps(context.Context) ([]types.Application, error) // GetApp returns the specified application resource. GetApp(ctx context.Context, name string) (types.Application, error) }
AppGetter defines interface for fetching application resources.
type AppSession ¶
// AppSession defines application session features. The sessions it manages
// are bearer credentials for applications; listing them returns the session
// objects, so callers must not expose the result without authorization.
type AppSession interface {
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// GetAppSessions gets all application web sessions.
	GetAppSessions(context.Context) ([]types.WebSession, error)
	// UpsertAppSession upserts an application web session.
	UpsertAppSession(context.Context, types.WebSession) error
	// DeleteAppSession removes an application web session.
	DeleteAppSession(context.Context, types.DeleteAppSessionRequest) error
	// DeleteAllAppSessions removes all application web sessions.
	DeleteAllAppSessions(context.Context) error
	// DeleteUserAppSessions deletes all of a single user's application sessions.
	DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
}
AppSession defines application session features.
type AppWatcher ¶
type AppWatcher struct {
// contains filtered or unexported fields
}
AppWatcher is built on top of resourceWatcher to monitor application resources.
func NewAppWatcher ¶
func NewAppWatcher(ctx context.Context, cfg AppWatcherConfig) (*AppWatcher, error)
NewAppWatcher returns a new instance of AppWatcher.
func (AppWatcher) Close ¶
func (p AppWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (AppWatcher) Done ¶
func (p AppWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (AppWatcher) IsInitialized ¶
func (p AppWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (AppWatcher) WaitInitialization ¶
func (p AppWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type AppWatcherConfig ¶
type AppWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // AppGetter is responsible for fetching application resources. AppGetter // AppsC receives up-to-date list of all application resources. AppsC chan types.Apps }
AppWatcherConfig is an AppWatcher configuration.
func (*AppWatcherConfig) CheckAndSetDefaults ¶
func (cfg *AppWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Apps ¶
// Apps defines an interface for managing application resources.
type Apps interface {
	// AppGetter provides methods for fetching application resources.
	AppGetter
	// CreateApp creates a new application resource.
	CreateApp(context.Context, types.Application) error
	// UpdateApp updates an existing application resource.
	UpdateApp(context.Context, types.Application) error
	// DeleteApp removes the specified application resource.
	DeleteApp(ctx context.Context, name string) error
	// DeleteAllApps removes all application resources.
	DeleteAllApps(context.Context) error
}
Apps defines an interface for managing application resources.
type AuthorityGetter ¶
// AuthorityGetter defines interface for fetching cert authority resources.
//
// NOTE(review): loadKeys presumably controls whether the CA's private
// signing keys are included in the result; callers that only need to verify
// should pass false so key material is not fetched unnecessarily — confirm
// against the implementation.
type AuthorityGetter interface {
	// GetCertAuthority returns cert authority by id.
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool, opts ...MarshalOption) (types.CertAuthority, error)
	// GetCertAuthorities returns a list of cert authorities of the given type.
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool, opts ...MarshalOption) ([]types.CertAuthority, error)
}
AuthorityGetter defines interface for fetching cert authority resources.
type AzureMatcher ¶
type AzureMatcher struct { // Subscriptions are Azure subscriptions to query for resources. Subscriptions []string // ResourceGroups are Azure resource groups to query for resources. ResourceGroups []string // Types are Azure resource types to match, for example "mysql" or "postgres". Types []string // Regions are Azure regions to query for databases. Regions []string // ResourceTags are Azure tags to match. ResourceTags types.Labels }
AzureMatcher matches Azure databases.
type BoolPredicateParser ¶
BoolPredicateParser extends predicate.Parser with a convenience method for evaluating bool predicates.
func NewJSONBoolParser ¶
func NewJSONBoolParser(ctx interface{}) (BoolPredicateParser, error)
NewJSONBoolParser returns a generic parser for boolean expressions based on a json-serializable context.
func NewResourceParser ¶
func NewResourceParser(resource types.ResourceWithLabels) (BoolPredicateParser, error)
NewResourceParser returns a parser made for boolean expressions based on a json-serializable resource. Customized to allow short identifiers common in all resources:
- shorthand `name` refers to `resource.spec.hostname` for node resources or it refers to `resource.metadata.name` for all other resources eg: `name == "app-name-jenkins"`
- shorthand `labels` refers to resource `resource.metadata.labels + resource.spec.dynamic_labels` eg: `labels.env == "prod"`
All other fields can be referenced by starting expression with identifier `resource` followed by the names of the json fields ie: `resource.spec.public_addr`.
type CertAuthorityWatcher ¶
type CertAuthorityWatcher struct {
// contains filtered or unexported fields
}
CertAuthorityWatcher is built on top of resourceWatcher to monitor cert authority resources.
func NewCertAuthorityWatcher ¶
func NewCertAuthorityWatcher(ctx context.Context, cfg CertAuthorityWatcherConfig) (*CertAuthorityWatcher, error)
NewCertAuthorityWatcher returns a new instance of CertAuthorityWatcher.
func (CertAuthorityWatcher) Close ¶
func (p CertAuthorityWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (CertAuthorityWatcher) Done ¶
func (p CertAuthorityWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (CertAuthorityWatcher) IsInitialized ¶
func (p CertAuthorityWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (CertAuthorityWatcher) Subscribe ¶
func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)
Subscribe returns a watcher for cert authority updates that match the given filter.
func (CertAuthorityWatcher) WaitInitialization ¶
func (p CertAuthorityWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type CertAuthorityWatcherConfig ¶
type CertAuthorityWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // AuthorityGetter is responsible for fetching cert authority resources. AuthorityGetter // Types restricts which cert authority types are retrieved via the AuthorityGetter. Types []types.CertAuthType }
CertAuthorityWatcherConfig is a CertAuthorityWatcher configuration.
func (*CertAuthorityWatcherConfig) CheckAndSetDefaults ¶
func (cfg *CertAuthorityWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type ChangePasswordReq ¶
// ChangePasswordReq defines a request to change user password.
//
// OldPassword, NewPassword and SecondFactorToken are secrets: never log or
// echo this struct as a whole.
type ChangePasswordReq struct {
	// User is user ID.
	// NOTE(review): this is the only field without a json tag, so it
	// serialises as "User" rather than snake_case — confirm that is intended.
	User string
	// OldPassword is user current password.
	OldPassword []byte `json:"old_password"`
	// NewPassword is user new password.
	NewPassword []byte `json:"new_password"`
	// SecondFactorToken is user 2nd factor token (OTP).
	SecondFactorToken string `json:"second_factor_token"`
	// WebauthnResponse is Webauthn sign response, used instead of
	// SecondFactorToken when the second factor is WebAuthn.
	WebauthnResponse *wanlib.CredentialAssertionResponse `json:"webauthn_response"`
}
ChangePasswordReq defines a request to change user password
type ClusterConfiguration ¶
type ClusterConfiguration interface { // GetClusterName gets services.ClusterName from the backend. GetClusterName(opts ...MarshalOption) (types.ClusterName, error) // SetClusterName sets services.ClusterName on the backend. SetClusterName(types.ClusterName) error // UpsertClusterName upserts cluster name UpsertClusterName(types.ClusterName) error // DeleteClusterName deletes cluster name resource DeleteClusterName() error // GetStaticTokens gets services.StaticTokens from the backend. GetStaticTokens() (types.StaticTokens, error) // SetStaticTokens sets services.StaticTokens on the backend. SetStaticTokens(types.StaticTokens) error // DeleteStaticTokens deletes static tokens resource DeleteStaticTokens() error // GetAuthPreference gets types.AuthPreference from the backend. GetAuthPreference(context.Context) (types.AuthPreference, error) // SetAuthPreference sets types.AuthPreference on the backend. SetAuthPreference(context.Context, types.AuthPreference) error // DeleteAuthPreference deletes types.AuthPreference from the backend. DeleteAuthPreference(ctx context.Context) error // GetSessionRecordingConfig gets SessionRecordingConfig from the backend. GetSessionRecordingConfig(context.Context, ...MarshalOption) (types.SessionRecordingConfig, error) // SetSessionRecordingConfig sets SessionRecordingConfig on the backend. SetSessionRecordingConfig(context.Context, types.SessionRecordingConfig) error // DeleteSessionRecordingConfig deletes SessionRecordingConfig from the backend. DeleteSessionRecordingConfig(ctx context.Context) error // GetClusterAuditConfig gets ClusterAuditConfig from the backend. GetClusterAuditConfig(context.Context, ...MarshalOption) (types.ClusterAuditConfig, error) // SetClusterAuditConfig sets ClusterAuditConfig on the backend. SetClusterAuditConfig(context.Context, types.ClusterAuditConfig) error // DeleteClusterAuditConfig deletes ClusterAuditConfig from the backend. 
DeleteClusterAuditConfig(ctx context.Context) error // GetClusterNetworkingConfig gets ClusterNetworkingConfig from the backend. GetClusterNetworkingConfig(context.Context, ...MarshalOption) (types.ClusterNetworkingConfig, error) // SetClusterNetworkingConfig sets ClusterNetworkingConfig from the backend. SetClusterNetworkingConfig(context.Context, types.ClusterNetworkingConfig) error // DeleteClusterNetworkingConfig deletes ClusterNetworkingConfig from the backend. DeleteClusterNetworkingConfig(ctx context.Context) error // GetInstallers gets all installer scripts from the backend GetInstallers(context.Context) ([]types.Installer, error) // GetInstaller gets the installer script from the backend GetInstaller(ctx context.Context, name string) (types.Installer, error) // SetInstaller sets the installer script in the backend SetInstaller(context.Context, types.Installer) error // DeleteInstaller removes the installer script from the backend DeleteInstaller(ctx context.Context, name string) error // DeleteAllInstallers removes all installer script resources from the backend DeleteAllInstallers(context.Context) error }
ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.
type CommandLabels ¶
type CommandLabels map[string]types.CommandLabel
CommandLabels is a set of command labels
func (*CommandLabels) Clone ¶
func (c *CommandLabels) Clone() CommandLabels
Clone returns a copy of the set.
func (*CommandLabels) SetEnv ¶
func (c *CommandLabels) SetEnv(v string) error
SetEnv sets the value of the label from an environment variable.
type ConnectionDiagnosticTraceAppender ¶
type ConnectionDiagnosticTraceAppender interface { // AppendDiagnosticTrace atomically adds a new trace into the ConnectionDiagnostic. AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error) }
ConnectionDiagnosticTraceAppender specifies methods to add Traces into a DiagnosticConnection
type ConnectionsDiagnostic ¶
type ConnectionsDiagnostic interface { // CreateConnectionDiagnostic creates a new Connection Diagnostic CreateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error // UpdateConnectionDiagnostic updates a Connection Diagnostic UpdateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error // GetConnectionDiagnostic receives a name and returns the Connection Diagnostic matching that name // // If not found, a `trace.NotFound` error is returned GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error) // ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics. ConnectionDiagnosticTraceAppender }
ConnectionsDiagnostic defines an interface for managing Connection Diagnostics.
type Context ¶
type Context struct { // User is currently authenticated user User types.User // Resource is an optional resource, in case if the rule // checks access to the resource Resource types.Resource // Session is an optional session.end or windows.desktop.session.end event. // These events hold information about session recordings. Session events.AuditEvent // SSHSession is an optional (active) SSH session. SSHSession *session.Session // HostCert is an optional host certificate. HostCert *HostCertContext // SessionTracker is an optional session tracker, in case if the rule checks access to the tracker. SessionTracker types.SessionTracker }
Context is a default rule context used in teleport
func (*Context) GetIdentifier ¶
GetIdentifier returns identifier defined in a context
func (*Context) GetResource ¶
GetResource returns resource specified in the context, returns error if not specified.
type CurrentUserRoleGetter ¶
type CurrentUserRoleGetter interface { GetCurrentUser(context.Context) (types.User, error) GetCurrentUserRoles(context.Context) ([]types.Role, error) RoleGetter }
CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by FetchAllClusterRoles.
type DatabaseGetter ¶
type DatabaseGetter interface { // GetDatabases returns all database resources. GetDatabases(context.Context) ([]types.Database, error) // GetDatabase returns the specified database resource. GetDatabase(ctx context.Context, name string) (types.Database, error) }
DatabaseGetter defines interface for fetching database resources.
type DatabaseNameMatcher ¶
type DatabaseNameMatcher struct {
Name string
}
DatabaseNameMatcher matches a role against database name.
func (*DatabaseNameMatcher) Match ¶
func (m *DatabaseNameMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches database name against provided role and condition.
func (*DatabaseNameMatcher) String ¶
func (m *DatabaseNameMatcher) String() string
String returns the matcher's string representation.
type DatabaseUserMatcher ¶
type DatabaseUserMatcher struct {
User string
}
DatabaseUserMatcher matches a role against database account name.
func (*DatabaseUserMatcher) Match ¶
func (m *DatabaseUserMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)
Match matches database account name against provided role and condition.
func (*DatabaseUserMatcher) String ¶
func (m *DatabaseUserMatcher) String() string
String returns the matcher's string representation.
type DatabaseWatcher ¶
type DatabaseWatcher struct {
// contains filtered or unexported fields
}
DatabaseWatcher is built on top of resourceWatcher to monitor database resources.
func NewDatabaseWatcher ¶
func NewDatabaseWatcher(ctx context.Context, cfg DatabaseWatcherConfig) (*DatabaseWatcher, error)
NewDatabaseWatcher returns a new instance of DatabaseWatcher.
func (DatabaseWatcher) Close ¶
func (p DatabaseWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (DatabaseWatcher) Done ¶
func (p DatabaseWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (DatabaseWatcher) IsInitialized ¶
func (p DatabaseWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (DatabaseWatcher) WaitInitialization ¶
func (p DatabaseWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type DatabaseWatcherConfig ¶
type DatabaseWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // DatabaseGetter is responsible for fetching database resources. DatabaseGetter // DatabasesC receives up-to-date list of all database resources. DatabasesC chan types.Databases }
DatabaseWatcherConfig is a DatabaseWatcher configuration.
func (*DatabaseWatcherConfig) CheckAndSetDefaults ¶
func (cfg *DatabaseWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Databases ¶
type Databases interface { // DatabaseGetter provides methods for fetching database resources. DatabaseGetter // CreateDatabase creates a new database resource. CreateDatabase(context.Context, types.Database) error // UpdateDatabase updates an existing database resource. UpdateDatabase(context.Context, types.Database) error // DeleteDatabase removes the specified database resource. DeleteDatabase(ctx context.Context, name string) error // DeleteAllDatabases removes all database resources. DeleteAllDatabases(context.Context) error }
Databases defines an interface for managing database resources.
type DynamicAccess ¶
type DynamicAccess interface { DynamicAccessCore // SetAccessRequestState updates the state of an existing access request. SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error // SubmitAccessReview applies a review to a request and returns the post-application state. SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error) }
DynamicAccess is a service which manages dynamic RBAC. Specifically, this is the dynamic access interface implemented by remote clients.
type DynamicAccessCore ¶
type DynamicAccessCore interface { // CreateAccessRequest stores a new access request. CreateAccessRequest(ctx context.Context, req types.AccessRequest) error // GetAccessRequests gets all currently active access requests. GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error) // DeleteAccessRequest deletes an access request. DeleteAccessRequest(ctx context.Context, reqID string) error // GetPluginData loads all plugin data matching the supplied filter. GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error) // UpdatePluginData updates a per-resource PluginData entry. UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error }
DynamicAccessCore is the core functionality common to all DynamicAccess implementations.
type DynamicAccessExt ¶
type DynamicAccessExt interface { DynamicAccessCore // ApplyAccessReview applies a review to a request in the backend and returns the post-application state. ApplyAccessReview(ctx context.Context, params types.AccessReviewSubmission, checker ReviewPermissionChecker) (types.AccessRequest, error) // UpsertAccessRequest creates or updates an access request. UpsertAccessRequest(ctx context.Context, req types.AccessRequest) error // DeleteAllAccessRequests deletes all existent access requests. DeleteAllAccessRequests(ctx context.Context) error // SetAccessRequestState updates the state of an existing access request. SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) (types.AccessRequest, error) }
DynamicAccessExt is an extended dynamic access interface used to implement some auth server internals.
type DynamicAccessOracle ¶
type DynamicAccessOracle interface {
GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
}
DynamicAccessOracle is a service capable of answering questions related to the dynamic access API. Necessary because some information (e.g. the list of roles a user is allowed to request) can not be calculated by actors with limited privileges.
type EmptyResource ¶
type EmptyResource struct { // Kind is a resource kind Kind string `json:"kind"` // SubKind is a resource sub kind SubKind string `json:"sub_kind,omitempty"` // Version is a resource version Version string `json:"version"` // Metadata is Role metadata Metadata types.Metadata `json:"metadata"` }
EmptyResource is used to represent a use case when no resource is specified in the rules matcher
func (*EmptyResource) CheckAndSetDefaults ¶
func (r *EmptyResource) CheckAndSetDefaults() error
func (*EmptyResource) Expiry ¶
func (r *EmptyResource) Expiry() time.Time
Expiry returns the expiry time for the object.
func (*EmptyResource) GetKind ¶
func (r *EmptyResource) GetKind() string
GetKind returns resource kind
func (*EmptyResource) GetMetadata ¶
func (r *EmptyResource) GetMetadata() types.Metadata
GetMetadata returns the resource metadata.
func (*EmptyResource) GetName ¶
func (r *EmptyResource) GetName() string
GetName gets the resource name and is a shortcut for GetMetadata().Name.
func (*EmptyResource) GetResourceID ¶
func (r *EmptyResource) GetResourceID() int64
GetResourceID returns resource ID
func (*EmptyResource) GetSubKind ¶
func (r *EmptyResource) GetSubKind() string
GetSubKind returns resource sub kind
func (*EmptyResource) GetVersion ¶
func (r *EmptyResource) GetVersion() string
GetVersion returns resource version
func (*EmptyResource) SetExpiry ¶
func (r *EmptyResource) SetExpiry(expires time.Time)
SetExpiry sets expiry time for the object.
func (*EmptyResource) SetName ¶
func (r *EmptyResource) SetName(s string)
SetName sets the resource name and is a shortcut for setting Metadata.Name.
func (*EmptyResource) SetResourceID ¶
func (r *EmptyResource) SetResourceID(id int64)
SetResourceID sets resource ID
func (*EmptyResource) SetSubKind ¶
func (r *EmptyResource) SetSubKind(s string)
SetSubKind sets resource subkind
type Enforcer ¶
type Enforcer interface { // GetLicenseCheckResult returns the license status in a heartbeat. GetLicenseCheckResult(ctx context.Context) (*types.Heartbeat, error) }
Enforcer defines interface for fetching license status.
type EnumerationResult ¶
type EnumerationResult struct {
// contains filtered or unexported fields
}
EnumerationResult is a result of enumerating a role set against some property, e.g. allowed names or logins.
func NewEnumerationResult ¶
func NewEnumerationResult() EnumerationResult
NewEnumerationResult returns new EnumerationResult.
func (*EnumerationResult) Allowed ¶
func (result *EnumerationResult) Allowed() []string
Allowed returns all known allowed users.
func (*EnumerationResult) Denied ¶
func (result *EnumerationResult) Denied() []string
Denied returns all explicitly denied users.
func (*EnumerationResult) WildcardAllowed ¶
func (result *EnumerationResult) WildcardAllowed() bool
WildcardAllowed is true if a wildcard (*) username is allowed by the given rule set.
func (*EnumerationResult) WildcardDenied ¶
func (result *EnumerationResult) WildcardDenied() bool
WildcardDenied is true if a wildcard (*) username is denied by the given rule set.
type Fanout ¶
type Fanout struct {
// contains filtered or unexported fields
}
Fanout is a helper which allows a stream of events to be fanned-out to many watchers. Used by the cache layer to forward events.
func NewFanout ¶
func NewFanout(eventsCh ...chan FanoutEvent) *Fanout
NewFanout creates a new Fanout instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.
func (*Fanout) Close ¶
func (f *Fanout) Close()
Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.
func (*Fanout) Emit ¶
Emit broadcasts events to all matching watchers that have been attached to this fanout instance.
func (*Fanout) NewWatcher ¶
NewWatcher attaches a new watcher to this fanout instance.
type FanoutEvent ¶
type FanoutEvent struct { // Kind is event kind Kind int }
FanoutEvent is used in tests
type FanoutSet ¶
type FanoutSet struct {
// contains filtered or unexported fields
}
FanoutSet is a collection of separate Fanout instances. It exposes an identical API, and "load balances" watcher registration across the enclosed instances. In very large clusters it is possible for tens of thousands of nodes to simultaneously request watchers. This can cause serious contention issues. FanoutSet is a simple but effective solution to that problem.
func NewFanoutSet ¶
func NewFanoutSet() *FanoutSet
NewFanoutSet creates a new FanoutSet instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.
func (*FanoutSet) Close ¶
func (s *FanoutSet) Close()
Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.
func (*FanoutSet) Emit ¶
Emit broadcasts events to all matching watchers that have been attached to this fanout set.
func (*FanoutSet) NewWatcher ¶
NewWatcher attaches a new watcher to a fanout instance.
type HostCertContext ¶
type HostCertContext struct { // HostID is the host ID in the cert request. HostID string `json:"host_id"` // NodeName is the node name in the cert request. NodeName string `json:"node_name"` // Principals is the list of requested certificate principals. Principals []string `json:"principals"` // ClusterName is the name of the cluster for which the certificate should // be issued. ClusterName string `json:"cluster_name"` // Role is the name of the Teleport role for which the cert should be // issued. Role types.SystemRole `json:"role"` // TTL is the requested certificate TTL. TTL time.Duration `json:"ttl"` }
HostCertContext is used to evaluate the `where` condition on a `host_cert` pseudo-resource. These resources only exist for RBAC purposes and do not exist in the database.
type HostCertParams ¶
type HostCertParams struct { // CASigner is the signer that will sign the public key of the host with the CA private key. CASigner ssh.Signer // PublicHostKey is the public key of the host PublicHostKey []byte // HostID is used by Teleport to uniquely identify a node within a cluster HostID string // Principals is a list of additional principals to add to the certificate. Principals []string // NodeName is the DNS name of the node NodeName string // ClusterName is the name of the cluster within which a node lives ClusterName string // Role identifies the role of a Teleport instance Role types.SystemRole // TTL defines how long a certificate is valid for TTL time.Duration }
HostCertParams defines all parameters needed to generate a host certificate
func (HostCertParams) Check ¶
func (c HostCertParams) Check() error
Check checks parameters for errors
type HostUsersInfo ¶
type HostUsersInfo struct { // Groups is the list of groups to include host users in Groups []string // Sudoers is a list of entries for a user's sudoers file Sudoers []string }
HostUsersInfo keeps information about groups and sudoers entries for a particular host user
type Identity ¶ added in v1.0.0
type Identity interface { // CreateUser creates user, only if the user entry does not exist CreateUser(user types.User) error // UsersService implements most methods UsersService // AddUserLoginAttempt logs user login attempt AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error // GetUserLoginAttempts returns user login attempts GetUserLoginAttempts(user string) ([]LoginAttempt, error) // DeleteUserLoginAttempts removes all login attempts of a user. Should be // called after successful login. DeleteUserLoginAttempts(user string) error // GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first // user specified with this identity GetUserByOIDCIdentity(id types.ExternalIdentity) (types.User, error) // GetUserBySAMLIdentity returns a user by its specified SAML Identity, returns first // user specified with this identity GetUserBySAMLIdentity(id types.ExternalIdentity) (types.User, error) // GetUserByGithubIdentity returns a user by its specified Github identity GetUserByGithubIdentity(id types.ExternalIdentity) (types.User, error) // UpsertPasswordHash upserts user password hash UpsertPasswordHash(user string, hash []byte) error // GetPasswordHash returns the password hash for a given user GetPasswordHash(user string) ([]byte, error) // UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again // during the 30 second window it's valid. UpsertUsedTOTPToken(user string, otpToken string) error // GetUsedTOTPToken returns the last successfully used TOTP token. GetUsedTOTPToken(user string) (string, error) // UpsertPassword upserts new password and OTP token UpsertPassword(user string, password []byte) error // UpsertWebauthnLocalAuth creates or updates the local auth configuration for // Webauthn. // WebauthnLocalAuth is a component of LocalAuthSecrets. // Automatically indexes the WebAuthn user ID for lookup by // GetTeleportUserByWebauthnID. 
UpsertWebauthnLocalAuth(ctx context.Context, user string, wla *types.WebauthnLocalAuth) error // GetWebauthnLocalAuth retrieves the existing local auth configuration for // Webauthn, if any. // WebauthnLocalAuth is a component of LocalAuthSecrets. GetWebauthnLocalAuth(ctx context.Context, user string) (*types.WebauthnLocalAuth, error) // GetTeleportUserByWebauthnID reads a Teleport username from a WebAuthn user // ID (aka user handle). // See UpsertWebauthnLocalAuth and types.WebauthnLocalAuth. GetTeleportUserByWebauthnID(ctx context.Context, webID []byte) (string, error) // UpsertWebauthnSessionData creates or updates WebAuthn session data in // storage, for the purpose of later verifying an authentication or // registration challenge. // Session data is expected to expire according to backend settings. UpsertWebauthnSessionData(ctx context.Context, user, sessionID string, sd *wantypes.SessionData) error // GetWebauthnSessionData retrieves a previously-stored session data by ID, // if it exists and has not expired. GetWebauthnSessionData(ctx context.Context, user, sessionID string) (*wantypes.SessionData, error) // DeleteWebauthnSessionData deletes session data by ID, if it exists and has // not expired. DeleteWebauthnSessionData(ctx context.Context, user, sessionID string) error // UpsertGlobalWebauthnSessionData creates or updates WebAuthn session data in // storage, for the purpose of later verifying an authentication challenge. // Session data is expected to expire according to backend settings. // Used for passwordless challenges. UpsertGlobalWebauthnSessionData(ctx context.Context, scope, id string, sd *wantypes.SessionData) error // GetGlobalWebauthnSessionData retrieves previously-stored session data by ID, // if it exists and has not expired. // Used for passwordless challenges. 
GetGlobalWebauthnSessionData(ctx context.Context, scope, id string) (*wantypes.SessionData, error) // DeleteGlobalWebauthnSessionData deletes session data by ID, if it exists // and has not expired. DeleteGlobalWebauthnSessionData(ctx context.Context, scope, id string) error // UpsertMFADevice upserts an MFA device for the user. UpsertMFADevice(ctx context.Context, user string, d *types.MFADevice) error // GetMFADevices gets all MFA devices for the user. GetMFADevices(ctx context.Context, user string, withSecrets bool) ([]*types.MFADevice, error) // DeleteMFADevice deletes an MFA device for the user by ID. DeleteMFADevice(ctx context.Context, user, id string) error // UpsertOIDCConnector upserts OIDC Connector UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error // DeleteOIDCConnector deletes OIDC Connector DeleteOIDCConnector(ctx context.Context, connectorID string) error // GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error) // GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error) // CreateOIDCAuthRequest creates new auth request CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest, ttl time.Duration) error // GetOIDCAuthRequest returns OIDC auth request if found GetOIDCAuthRequest(ctx context.Context, stateToken string) (*types.OIDCAuthRequest, error) // UpsertSAMLConnector upserts SAML Connector UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) error // DeleteSAMLConnector deletes SAML Connector DeleteSAMLConnector(ctx context.Context, connectorID string) error // GetSAMLConnector returns SAML connector data, withSecrets adds or removes secrets from return results GetSAMLConnector(ctx context.Context, id 
string, withSecrets bool) (types.SAMLConnector, error) // GetSAMLConnectors returns registered connectors, withSecrets adds or removes secret from return results GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error) // CreateSAMLAuthRequest creates new auth request CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest, ttl time.Duration) error // GetSAMLAuthRequest returns SAML auth request if found GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error) // CreateSSODiagnosticInfo creates new SSO diagnostic info record. CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error // GetSSODiagnosticInfo returns SSO diagnostic info records. GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error) // UpsertGithubConnector creates or updates a new Github connector UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) error // GetGithubConnectors returns all configured Github connectors GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error) // GetGithubConnector returns a Github connector by its name GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error) // DeleteGithubConnector deletes a Github connector by its name DeleteGithubConnector(ctx context.Context, name string) error // CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) error // GetGithubAuthRequest retrieves Github auth request by the token GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error) // CreateUserToken creates a new user token. CreateUserToken(ctx context.Context, token types.UserToken) (types.UserToken, error) // DeleteUserToken deletes a user token. 
DeleteUserToken(ctx context.Context, tokenID string) error // GetUserTokens returns all user tokens. GetUserTokens(ctx context.Context) ([]types.UserToken, error) // GetUserToken returns a user token by id. GetUserToken(ctx context.Context, tokenID string) (types.UserToken, error) // UpsertUserTokenSecrets upserts a user token secrets. UpsertUserTokenSecrets(ctx context.Context, secrets types.UserTokenSecrets) error // GetUserTokenSecrets returns a user token secrets. GetUserTokenSecrets(ctx context.Context, tokenID string) (types.UserTokenSecrets, error) // UpsertRecoveryCodes upserts a user's new recovery codes. UpsertRecoveryCodes(ctx context.Context, user string, recovery *types.RecoveryCodesV1) error // GetRecoveryCodes gets a user's recovery codes. GetRecoveryCodes(ctx context.Context, user string, withSecrets bool) (*types.RecoveryCodesV1, error) // CreateUserRecoveryAttempt logs user recovery attempt. CreateUserRecoveryAttempt(ctx context.Context, user string, attempt *types.RecoveryAttempt) error // GetUserRecoveryAttempts returns user recovery attempts sorted by oldest to latest time. GetUserRecoveryAttempts(ctx context.Context, user string) ([]*types.RecoveryAttempt, error) // DeleteUserRecoveryAttempts removes all recovery attempts of a user. DeleteUserRecoveryAttempts(ctx context.Context, user string) error // UpsertKeyAttestationData upserts a verified public key attestation response. UpsertKeyAttestationData(ctx context.Context, attestationData *keys.AttestationData, ttl time.Duration) error // GetKeyAttestationData gets a verified public key attestation response. GetKeyAttestationData(ctx context.Context, publicKey crypto.PublicKey) (*keys.AttestationData, error) types.WebSessionsGetter types.WebTokensGetter // AppSession defines application session features. AppSession // SnowflakeSession defines Snowflake session features. SnowflakeSession }
Identity is responsible for managing user entries and external identities
type InstallerParams ¶
type InstallerParams struct { // JoinMethod is the method to use when joining the cluster JoinMethod types.JoinMethod // JoinToken is the token to use when joining the cluster JoinToken string // ScriptName is the name of the teleport script for the EC2 // instance to execute ScriptName string }
InstallerParams are passed to the AWS SSM document
type KubeClusterWatcher ¶
type KubeClusterWatcher struct {
// contains filtered or unexported fields
}
KubeClusterWatcher is built on top of resourceWatcher to monitor kube_cluster resources.
func NewKubeClusterWatcher ¶
func NewKubeClusterWatcher(ctx context.Context, cfg KubeClusterWatcherConfig) (*KubeClusterWatcher, error)
NewKubeClusterWatcher returns a new instance of KubeClusterWatcher.
func (KubeClusterWatcher) Close ¶
func (p KubeClusterWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (KubeClusterWatcher) Done ¶
func (p KubeClusterWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (KubeClusterWatcher) IsInitialized ¶
func (p KubeClusterWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (KubeClusterWatcher) WaitInitialization ¶
func (p KubeClusterWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type KubeClusterWatcherConfig ¶
type KubeClusterWatcherConfig struct { // ResourceWatcherConfig is the resource watcher configuration. ResourceWatcherConfig // KubernetesGetter is responsible for fetching kube_cluster resources. KubernetesGetter // KubeClustersC receives up-to-date list of all kube_cluster resources. KubeClustersC chan types.KubeClusters }
KubeClusterWatcherConfig is a KubeClusterWatcher configuration.
func (*KubeClusterWatcherConfig) CheckAndSetDefaults ¶
func (cfg *KubeClusterWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Kubernetes ¶
type Kubernetes interface { // KubernetesGetter provides methods for fetching kubernetes resources. KubernetesGetter // CreateKubernetesCluster creates a new kubernetes cluster resource. CreateKubernetesCluster(context.Context, types.KubeCluster) error // UpdateKubernetesCluster updates an existing kubernetes cluster resource. UpdateKubernetesCluster(context.Context, types.KubeCluster) error // DeleteKubernetesCluster removes the specified kubernetes cluster resource. DeleteKubernetesCluster(ctx context.Context, name string) error // DeleteAllKubernetesClusters removes all kubernetes resources. DeleteAllKubernetesClusters(context.Context) error }
Kubernetes defines an interface for managing kubernetes cluster resources.
type KubernetesGetter ¶
type KubernetesGetter interface { // GetKubernetesClusters returns all kubernetes cluster resources. GetKubernetesClusters(context.Context) ([]types.KubeCluster, error) // GetKubernetesCluster returns the specified kubernetes cluster resource. GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error) }
KubernetesGetter defines interface for fetching kubernetes cluster resources.
type ListResourcesRequestOption ¶
type ListResourcesRequestOption func(*proto.ListResourcesRequest)
type LockGetter ¶
type LockGetter interface { // GetLock gets a lock by name. GetLock(ctx context.Context, name string) (types.Lock, error) // GetLocks gets all/in-force locks that match at least one of the targets when specified. GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error) }
LockGetter is a service that gets locks.
type LockWatcher ¶
type LockWatcher struct {
// contains filtered or unexported fields
}
LockWatcher is built on top of resourceWatcher to monitor changes to locks.
func NewLockWatcher ¶
func NewLockWatcher(ctx context.Context, cfg LockWatcherConfig) (*LockWatcher, error)
NewLockWatcher returns a new instance of LockWatcher.
func (LockWatcher) CheckLockInForce ¶
func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error
CheckLockInForce returns an AccessDenied error if there is a lock in force matching at least one of the targets.
func (LockWatcher) Close ¶
func (p LockWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (LockWatcher) Done ¶
func (p LockWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (LockWatcher) GetCurrent ¶
GetCurrent returns the currently stored locks.
func (LockWatcher) IsInitialized ¶
func (p LockWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (LockWatcher) Subscribe ¶
func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)
Subscribe is used to subscribe to the lock updates.
func (LockWatcher) WaitInitialization ¶
func (p LockWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type LockWatcherConfig ¶
type LockWatcherConfig struct { ResourceWatcherConfig LockGetter }
LockWatcherConfig is a LockWatcher configuration.
func (*LockWatcherConfig) CheckAndSetDefaults ¶
func (cfg *LockWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type LogAction ¶
type LogAction struct {
// contains filtered or unexported fields
}
LogAction represents an action that emits a log entry when it is specified in the actions of a matched rule.
type LoginAttempt ¶
type LoginAttempt struct { // Time is time of the attempt Time time.Time `json:"time"` // Success indicates whether attempt was successful Success bool `json:"bool"` }
LoginAttempt represents a successful or unsuccessful attempt by a user to log in.
type MFARequired ¶
type MFARequired string
MFARequired determines when MFA is required for a user to access a resource.
const ( // MFARequiredNever means that MFA is never required for any sessions started by this user. This either // means both the cluster auth preference and all roles have per-session MFA off, or at least one of // those resources has "require_session_mfa: hardware_key_touch", which overrides per-session MFA. MFARequiredNever MFARequired = "never" // MFARequiredAlways means that MFA is required for all sessions started by a user. This either // means that the cluster auth preference requires per-session MFA, or all of the user's roles require // per-session MFA MFARequiredAlways MFARequired = "always" // MFARequiredPerRole means that MFA requirement is based on which of the user's roles // provides access to the session in question. MFARequiredPerRole MFARequired = "per-role" )
type MarshalConfig ¶
type MarshalConfig struct { // Version specifies particular version we should marshal resources with Version string // ID is a record ID to assign ID int64 // PreserveResourceID preserves resource IDs in resource // specs when marshaling PreserveResourceID bool // Expires is an optional expiry time Expires time.Time }
MarshalConfig specifies marshaling options
func CollectOptions ¶
func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)
CollectOptions collects all options from the functional arguments and returns the resulting config.
func (*MarshalConfig) GetVersion ¶
func (m *MarshalConfig) GetVersion() string
GetVersion returns the explicitly provided version or, if none was provided, sets the latest version as the default and returns it.
type MarshalOption ¶
type MarshalOption func(c *MarshalConfig) error
MarshalOption sets marshaling option
func AddOptions ¶
func AddOptions(opts []MarshalOption, add ...MarshalOption) []MarshalOption
AddOptions adds marshal options and returns a new copy
func PreserveResourceID ¶
func PreserveResourceID() MarshalOption
PreserveResourceID preserves resource ID when marshaling value
func WithExpires ¶
func WithExpires(expires time.Time) MarshalOption
WithExpires assigns expiry value
func WithResourceID ¶
func WithResourceID(id int64) MarshalOption
WithResourceID assigns ID to the resource
type MatchResourceFilter ¶
type MatchResourceFilter struct { // ResourceKind is the resource kind and is used to fine tune the filtering. ResourceKind string // Labels are the labels to match. Labels map[string]string // SearchKeywords is a list of search keywords to match. SearchKeywords []string // PredicateExpression holds boolean conditions that must be matched. PredicateExpression string }
MatchResourceFilter holds the filter values to match against a resource.
type Matcher ¶
type Matcher func(types.ResourceWithLabels) bool
Matcher is used by reconciler to match resources.
type Node ¶
type Node interface { // ResourceWithLabels provides common resource headers types.ResourceWithLabels // GetTeleportVersion returns the teleport version the server is running on GetTeleportVersion() string // GetAddr return server address GetAddr() string // GetHostname returns server hostname GetHostname() string // GetNamespace returns server namespace GetNamespace() string // GetCmdLabels gets command labels GetCmdLabels() map[string]types.CommandLabel // GetPublicAddr is an optional field that returns the public address this cluster can be reached at. GetPublicAddr() string // GetRotation gets the state of certificate authority rotation. GetRotation() types.Rotation // GetUseTunnel gets if a reverse tunnel should be used to connect to this node. GetUseTunnel() bool // GetProxyID returns a list of proxy ids this server is connected to. GetProxyIDs() []string }
Node is a read-only subset of the types.Server interface which users may filter by in GetNodes.
type NodeWatcher ¶
type NodeWatcher struct {
// contains filtered or unexported fields
}
NodeWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of nodes.
func NewNodeWatcher ¶
func NewNodeWatcher(ctx context.Context, cfg NodeWatcherConfig) (*NodeWatcher, error)
NewNodeWatcher returns a new instance of NodeWatcher.
func (NodeWatcher) Close ¶
func (p NodeWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (NodeWatcher) Done ¶
func (p NodeWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (NodeWatcher) GetNodes ¶
GetNodes allows callers to retrieve a subset of nodes that match the filter provided. The returned servers are a copy and can be safely modified. It is intentionally hard to retrieve the full set of nodes to reduce the number of copies needed since the number of nodes can get quite large and doing so can be expensive.
func (NodeWatcher) IsInitialized ¶
func (p NodeWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (NodeWatcher) WaitInitialization ¶
func (p NodeWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type NodeWatcherConfig ¶
type NodeWatcherConfig struct { ResourceWatcherConfig // NodesGetter is used to directly fetch the list of active nodes. NodesGetter }
NodeWatcherConfig is a NodeWatcher configuration.
func (*NodeWatcherConfig) CheckAndSetDefaults ¶
func (cfg *NodeWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type NodesGetter ¶
type NodesGetter interface { // GetNodes returns a list of registered servers. GetNodes(ctx context.Context, namespace string) ([]types.Server, error) }
NodesGetter is a service that gets nodes.
type Presence ¶ added in v1.0.0
type Presence interface { // Semaphores is responsible for semaphore handling types.Semaphores // GetNode returns a node by name and namespace. GetNode(ctx context.Context, namespace, name string) (types.Server, error) // NodesGetter gets nodes NodesGetter // DeleteAllNodes deletes all nodes in a namespace. DeleteAllNodes(ctx context.Context, namespace string) error // DeleteNode deletes node in a namespace DeleteNode(ctx context.Context, namespace, name string) error // UpsertNode registers node presence, permanently if TTL is 0 or for the // specified duration with second resolution if it's >= 1 second. UpsertNode(ctx context.Context, server types.Server) (*types.KeepAlive, error) // DELETE IN: 5.1.0 // // This logic has been moved to KeepAliveServer. // // KeepAliveNode updates node TTL in the storage KeepAliveNode(ctx context.Context, h types.KeepAlive) error // GetAuthServers returns a list of registered servers GetAuthServers() ([]types.Server, error) // UpsertAuthServer registers auth server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertAuthServer(server types.Server) error // DeleteAuthServer deletes auth server by name DeleteAuthServer(name string) error // DeleteAllAuthServers deletes all auth servers DeleteAllAuthServers() error // UpsertProxy registers proxy server presence, permanently if ttl is 0 or // for the specified duration with second resolution if it's >= 1 second UpsertProxy(server types.Server) error // ProxyGetter gets a list of proxies ProxyGetter // DeleteProxy deletes proxy by name DeleteProxy(name string) error // DeleteAllProxies deletes all proxies DeleteAllProxies() error // UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently UpsertReverseTunnel(tunnel types.ReverseTunnel) error // GetReverseTunnel returns reverse tunnel by name GetReverseTunnel(name string, opts ...MarshalOption) (types.ReverseTunnel, error) // GetReverseTunnels returns a 
list of registered servers GetReverseTunnels(ctx context.Context, opts ...MarshalOption) ([]types.ReverseTunnel, error) // DeleteReverseTunnel deletes reverse tunnel by it's domain name DeleteReverseTunnel(domainName string) error // DeleteAllReverseTunnels deletes all reverse tunnels DeleteAllReverseTunnels() error // GetNamespaces returns a list of namespaces GetNamespaces() ([]types.Namespace, error) // GetNamespace returns namespace by name GetNamespace(name string) (*types.Namespace, error) // DeleteAllNamespaces deletes all namespaces DeleteAllNamespaces() error // UpsertNamespace upserts namespace UpsertNamespace(types.Namespace) error // DeleteNamespace deletes namespace by name DeleteNamespace(name string) error // UpsertTrustedCluster creates or updates a TrustedCluster in the backend. UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error) // GetTrustedCluster returns a single TrustedCluster by name. GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error) // GetTrustedClusters returns all TrustedClusters in the backend. GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error) // DeleteTrustedCluster removes a TrustedCluster from the backend by name. 
DeleteTrustedCluster(ctx context.Context, name string) error // UpsertTunnelConnection upserts tunnel connection UpsertTunnelConnection(types.TunnelConnection) error // GetTunnelConnections returns tunnel connections for a given cluster GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]types.TunnelConnection, error) // GetAllTunnelConnections returns all tunnel connections GetAllTunnelConnections(opts ...MarshalOption) ([]types.TunnelConnection, error) // DeleteTunnelConnection deletes tunnel connection by name DeleteTunnelConnection(clusterName string, connName string) error // DeleteTunnelConnections deletes all tunnel connections for cluster DeleteTunnelConnections(clusterName string) error // DeleteAllTunnelConnections deletes all tunnel connections for cluster DeleteAllTunnelConnections() error // CreateRemoteCluster creates a remote cluster CreateRemoteCluster(types.RemoteCluster) error // UpdateRemoteCluster updates a remote cluster UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error // GetRemoteClusters returns a list of remote clusters GetRemoteClusters(opts ...MarshalOption) ([]types.RemoteCluster, error) // GetRemoteCluster returns a remote cluster by name GetRemoteCluster(clusterName string) (types.RemoteCluster, error) // DeleteRemoteCluster deletes remote cluster by name DeleteRemoteCluster(clusterName string) error // DeleteAllRemoteClusters deletes all remote clusters DeleteAllRemoteClusters() error // UpsertKubeService registers kubernetes service presence. // DELETE in 11.0. Deprecated, use UpsertKubeServiceV2 UpsertKubeService(context.Context, types.Server) error // UpsertKubeServiceV2 registers kubernetes service presence UpsertKubeServiceV2(context.Context, types.Server) (*types.KeepAlive, error) // GetApplicationServers returns all registered application servers. GetApplicationServers(context.Context, string) ([]types.AppServer, error) // UpsertApplicationServer registers an application server. 
UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error) // DeleteApplicationServer deletes specified application server. DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error // DeleteAllApplicationServers removes all registered application servers. DeleteAllApplicationServers(context.Context, string) error // GetDatabaseServers returns all registered database proxy servers. GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error) // UpsertDatabaseServer creates or updates a new database proxy server. UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error) // DeleteDatabaseServer removes the specified database proxy server. DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error // DeleteAllDatabaseServers removes all database proxy servers. DeleteAllDatabaseServers(context.Context, string) error // KeepAliveServer updates TTL of the server resource in the backend. KeepAliveServer(ctx context.Context, h types.KeepAlive) error // GetKubeServices returns a list of registered kubernetes services. // DELETE IN 13.0. Deprecated, use GetKubernetesServers. GetKubeServices(context.Context) ([]types.Server, error) // DeleteKubeService deletes a named kubernetes service. // DELETE IN 13.0. Deprecated, use DeleteKubernetesServer. DeleteKubeService(ctx context.Context, name string) error // DeleteAllKubeServices deletes all registered kubernetes services. // DELETE IN 13.0. Deprecated, use DeleteAllKubernetesServers. DeleteAllKubeServices(context.Context) error // GetKubernetesServers returns a list of registered kubernetes servers. GetKubernetesServers(context.Context) ([]types.KubeServer, error) // DeleteKubernetesServer deletes a named kubernetes servers. DeleteKubernetesServer(ctx context.Context, hostID, name string) error // DeleteAllKubernetesServers deletes all registered kubernetes servers. 
DeleteAllKubernetesServers(context.Context) error // UpsertKubernetesServer registers an kubernetes server. UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error) // GetWindowsDesktopServices returns all registered Windows desktop services. GetWindowsDesktopServices(context.Context) ([]types.WindowsDesktopService, error) // GetWindowsDesktopService returns a Windows desktop service by name GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error) // UpsertWindowsDesktopService creates or updates a new Windows desktop service. UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error) // DeleteWindowsDesktopService removes the specified Windows desktop service. DeleteWindowsDesktopService(ctx context.Context, name string) error // DeleteAllWindowsDesktopServices removes all Windows desktop services. DeleteAllWindowsDesktopServices(context.Context) error // ListResoures returns a paginated list of resources. ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error) }
Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes
type Provisioner ¶ added in v1.0.0
type Provisioner interface { // UpsertToken adds provisioning tokens for the auth server UpsertToken(ctx context.Context, token types.ProvisionToken) error // CreateToken adds provisioning tokens for the auth server CreateToken(ctx context.Context, token types.ProvisionToken) error // GetToken finds and returns token by id GetToken(ctx context.Context, token string) (types.ProvisionToken, error) // DeleteToken deletes provisioning token // Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist DeleteToken(ctx context.Context, token string) error // DeleteAllTokens deletes all provisioning tokens DeleteAllTokens() error // GetTokens returns all non-expired tokens GetTokens(ctx context.Context) ([]types.ProvisionToken, error) }
Provisioner governs adding new nodes to the cluster
type ProxyGetter ¶
type ProxyGetter interface { // GetProxies returns a list of registered proxies. GetProxies() ([]types.Server, error) }
ProxyGetter is a service that gets proxies.
type ProxyWatcher ¶
type ProxyWatcher struct {
// contains filtered or unexported fields
}
ProxyWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of proxies.
func NewProxyWatcher ¶
func NewProxyWatcher(ctx context.Context, cfg ProxyWatcherConfig) (*ProxyWatcher, error)
NewProxyWatcher returns a new instance of ProxyWatcher.
func (ProxyWatcher) Close ¶
func (p ProxyWatcher) Close()
Close closes the resource watcher and cancels all the functions.
func (ProxyWatcher) Done ¶
func (p ProxyWatcher) Done() <-chan struct{}
Done returns a channel that signals resource watcher closure.
func (ProxyWatcher) GetCurrent ¶
GetCurrent returns the currently stored proxies.
func (ProxyWatcher) IsInitialized ¶
func (p ProxyWatcher) IsInitialized() bool
IsInitialized is a non-blocking way to check if resource watcher is already initialized.
func (ProxyWatcher) WaitInitialization ¶
func (p ProxyWatcher) WaitInitialization() error
WaitInitialization blocks until the resource watcher is fully initialized with the resources present in the auth server.
type ProxyWatcherConfig ¶
type ProxyWatcherConfig struct { ResourceWatcherConfig // ProxyGetter is used to directly fetch the list of active proxies. ProxyGetter // ProxyDiffer is used to decide whether a put operation on an existing proxy should // trigger a event. ProxyDiffer func(old, new types.Server) bool // ProxiesC is a channel used to report the current proxy set. It receives // a fresh list at startup and subsequently a list of all known proxies // whenever an addition or deletion is detected. ProxiesC chan []types.Server }
ProxyWatcherConfig is a ProxyWatcher configuration.
func (*ProxyWatcherConfig) CheckAndSetDefaults ¶
func (cfg *ProxyWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type RDSEndpointType ¶
type RDSEndpointType string
RDSEndpointType specifies the endpoint type for RDS clusters.
const ( // RDSEndpointTypePrimary is the endpoint that specifies the connection for the primary instance of the RDS cluster. RDSEndpointTypePrimary RDSEndpointType = "primary" // RDSEndpointTypeReader is the endpoint that load-balances connections across the Aurora Replicas that are // available in an RDS cluster. RDSEndpointTypeReader RDSEndpointType = "reader" // RDSEndpointTypeCustom is the endpoint that specifies one of the custom endpoints associated with the RDS cluster. RDSEndpointTypeCustom RDSEndpointType = "custom" // RDSEndpointTypeInstance is the endpoint of an RDS DB instance. RDSEndpointTypeInstance RDSEndpointType = "instance" )
type Reconciler ¶
type Reconciler struct {
// contains filtered or unexported fields
}
Reconciler reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.
It's used in combination with watchers by agents (app, database, desktop) to enable dynamically registered resources.
func NewReconciler ¶
func NewReconciler(cfg ReconcilerConfig) (*Reconciler, error)
NewReconciler creates a new reconciler with provided configuration.
type ReconcilerConfig ¶
type ReconcilerConfig struct { // Matcher is used to match resources. Matcher Matcher // GetCurrentResources returns currently registered resources. GetCurrentResources func() types.ResourcesWithLabelsMap // GetNewResources returns resources to compare current resources against. GetNewResources func() types.ResourcesWithLabelsMap // OnCreate is called when a new resource is detected. OnCreate func(context.Context, types.ResourceWithLabels) error // OnUpdate is called when an existing resource is updated. OnUpdate func(context.Context, types.ResourceWithLabels) error // OnDelete is called when an existing resource is deleted. OnDelete func(context.Context, types.ResourceWithLabels) error // Log is the reconciler's logger. Log logrus.FieldLogger }
ReconcilerConfig is the resource reconciler configuration.
func (*ReconcilerConfig) CheckAndSetDefaults ¶
func (c *ReconcilerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults validates the reconciler configuration and sets defaults.
type Ref ¶
Ref is a resource reference. Typically of the form kind/name, but sometimes of the form kind/subkind/name.
type Refs ¶
type Refs []Ref
Refs is a set of resource references
func ParseRefs ¶
ParseRefs parses a comma-separated string of resource references (eg "users/alice,users/bob")
type RequestIDs ¶
type RequestIDs struct {
AccessRequests []string `json:"access_requests,omitempty"`
}
RequestIDs is a collection of IDs for privilege escalation requests.
func (*RequestIDs) Check ¶
func (r *RequestIDs) Check() error
func (*RequestIDs) IsEmpty ¶
func (r *RequestIDs) IsEmpty() bool
func (*RequestIDs) Marshal ¶
func (r *RequestIDs) Marshal() ([]byte, error)
func (*RequestIDs) Unmarshal ¶
func (r *RequestIDs) Unmarshal(data []byte) error
type RequestValidator ¶
type RequestValidator struct { Roles struct { AllowRequest, DenyRequest []parse.Matcher AllowSearch, DenySearch []string } Annotations struct { Allow, Deny map[string][]string } ThresholdMatchers []struct { Matchers []parse.Matcher Thresholds []types.AccessReviewThreshold } SuggestedReviewers []string // contains filtered or unexported fields }
RequestValidator is a helper for validating access requests. A user's statically assigned roles are "added" to the validator via the push() method, which extracts all the relevant rules, performs variable substitutions, and builds a set of simple Allow/Deny data structures. These, in turn, are used to validate and expand the access request.
func NewRequestValidator ¶
func NewRequestValidator(ctx context.Context, getter RequestValidatorGetter, username string, opts ...ValidateRequestOption) (RequestValidator, error)
NewRequestValidator configures a new RequestValidator for the specified user.
func (*RequestValidator) CanRequestRole ¶
func (m *RequestValidator) CanRequestRole(name string) bool
CanRequestRole checks if a given role can be requested.
func (*RequestValidator) CanSearchAsRole ¶
func (m *RequestValidator) CanSearchAsRole(name string) bool
CanSearchAsRole checks if a given role can be requested through a search-based access request.
func (*RequestValidator) GetRequestableRoles ¶
func (m *RequestValidator) GetRequestableRoles() ([]string, error)
GetRequestableRoles gets the list of all existing roles which the user is able to request. This operation is expensive since it loads all existing roles in order to determine the role list. Prefer calling CanRequestRole when checking against a known role list.
func (*RequestValidator) SystemAnnotations ¶
func (m *RequestValidator) SystemAnnotations() map[string][]string
SystemAnnotations calculates the system annotations for a pending access request.
func (*RequestValidator) Validate ¶
func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest) error
Validate validates an access request and potentially modifies it depending on how the validator was configured.
type RequestValidatorGetter ¶
type RequestValidatorGetter interface { UserGetter RoleGetter ResourceLister GetRoles(ctx context.Context) ([]types.Role, error) GetClusterName(opts ...MarshalOption) (types.ClusterName, error) }
RequestValidatorGetter is the interface required by the request validation functions used to get necessary resources.
type ResourceLister ¶
type ResourceLister interface {
ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}
ResourceLister is an interface which can list resources.
type ResourceMarshaler ¶
type ResourceMarshaler func(types.Resource, ...MarshalOption) ([]byte, error)
ResourceMarshaler handles marshaling of a specific resource type.
type ResourceMatcher ¶
ResourceMatcher matches cluster resources.
type ResourceSeenKey ¶
type ResourceSeenKey struct {
// contains filtered or unexported fields
}
ResourceSeenKey is used as a key for a map that keeps track of unique resource names and address. Currently "addr" only applies to resource Application.
type ResourceUnmarshaler ¶
type ResourceUnmarshaler func([]byte, ...MarshalOption) (types.Resource, error)
ResourceUnmarshaler handles unmarshaling of a specific resource type.
type ResourceWatcherConfig ¶
type ResourceWatcherConfig struct { // Component is a component used in logs. Component string // Log is a logger. Log logrus.FieldLogger // MaxRetryPeriod is the maximum retry period on failed watchers. MaxRetryPeriod time.Duration // Clock is used to control time. Clock clockwork.Clock // Client is used to create new watchers. Client types.Events // MaxStaleness is a maximum acceptable staleness for the locally maintained // resources, zero implies no staleness detection. MaxStaleness time.Duration // ResetC is a channel to notify of internal watcher reset (used in tests). ResetC chan time.Duration }
ResourceWatcherConfig configures resource watcher.
func (*ResourceWatcherConfig) CheckAndSetDefaults ¶
func (cfg *ResourceWatcherConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values.
type Restrictions ¶
type ReviewPermissionChecker ¶
type ReviewPermissionChecker struct { User types.User Roles struct { // allow/deny mappings sort role matches into lists based on their // constraining predicate (where) expression. AllowReview, DenyReview map[string][]parse.Matcher } }
ReviewPermissionChecker is a helper for validating whether or not a user is allowed to review specific access requests.
func NewReviewPermissionChecker ¶
func NewReviewPermissionChecker(ctx context.Context, getter RequestValidatorGetter, username string) (ReviewPermissionChecker, error)
func (*ReviewPermissionChecker) CanReviewRequest ¶
func (c *ReviewPermissionChecker) CanReviewRequest(req types.AccessRequest) (bool, error)
CanReviewRequest checks if the user is allowed to review the specified request. Note that the ability to review a request does not necessarily imply that any specific approval/denial thresholds will actually match the user's review. Matching one or more thresholds is not a prerequisite for review submission.
func (*ReviewPermissionChecker) HasAllowDirectives ¶
func (c *ReviewPermissionChecker) HasAllowDirectives() bool
HasAllowDirectives checks if any allow directives exist. A user with no allow directives will never be able to review any requests.
type RoleGetter ¶
type RoleGetter interface { // GetRole returns role by name GetRole(ctx context.Context, name string) (types.Role, error) }
RoleGetter is an interface that defines the GetRole method.
type RoleMatcher ¶
RoleMatcher defines an interface for a generic role matcher.
func NewKubernetesClusterLabelMatcher ¶
func NewKubernetesClusterLabelMatcher(clustersLabels map[string]string) RoleMatcher
NewKubernetesClusterLabelMatcher creates a RoleMatcher that checks whether a role's Kubernetes service labels match.
func NewLoginMatcher ¶
func NewLoginMatcher(login string) RoleMatcher
NewLoginMatcher creates a RoleMatcher that checks whether the role's logins match the specified condition.
func NewWindowsLoginMatcher ¶
func NewWindowsLoginMatcher(login string) RoleMatcher
NewWindowsLoginMatcher creates a RoleMatcher that checks whether the role's Windows desktop logins match the specified condition.
type RoleMatchers ¶
type RoleMatchers []RoleMatcher
RoleMatchers defines a list of matchers.
func (RoleMatchers) MatchAll ¶
func (m RoleMatchers) MatchAll(role types.Role, condition types.RoleConditionType) (bool, error)
MatchAll returns true if all matchers in the set match.
func (RoleMatchers) MatchAny ¶
func (m RoleMatchers) MatchAny(role types.Role, condition types.RoleConditionType) (bool, RoleMatcher, error)
MatchAny returns true if at least one of the matchers in the set matches.
If the result is true, returns matcher that matched.
type RoleSet ¶
RoleSet is a set of roles that implements access control functionality
func FetchAllClusterRoles ¶
func FetchAllClusterRoles(ctx context.Context, access CurrentUserRoleGetter, defaultRoleNames []string, defaultTraits wrappers.Traits) (RoleSet, error)
FetchAllClusterRoles fetches all roles available to the user on the specified cluster, applies traits, and adds runtime roles like the default implicit role to RoleSet.
func FetchRoleList ¶
func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)
FetchRoleList fetches roles by their names, applies the traits to role variables, and returns the list
func FetchRoles ¶
FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet. Adds runtime roles like the default implicit role to RoleSet.
func NewRoleSet ¶
NewRoleSet returns new RoleSet based on the roles
func RoleSetFromSpec ¶
func RoleSetFromSpec(name string, spec types.RoleSpecV5) (RoleSet, error)
RoleSetFromSpec returns a new RoleSet from spec
func (RoleSet) AdjustClientIdleTimeout ¶
AdjustClientIdleTimeout adjusts the requested idle timeout to the lowest maximum allowed timeout in the role set; the most restrictive option is picked, and negative values are treated as 0.
func (RoleSet) AdjustDisconnectExpiredCert ¶
AdjustDisconnectExpiredCert adjusts the value based on the role set; the most restrictive option is picked.
func (RoleSet) AdjustSessionTTL ¶
AdjustSessionTTL reduces the requested TTL to the lowest maximum allowed TTL for this role set; otherwise it returns the TTL unchanged.
func (RoleSet) CanCopyFiles ¶
CanCopyFiles returns true if the role set has enabled remote file operations via SCP or SFTP. Remote file operations are disabled if one or more of the roles in the set has disabled it.
func (RoleSet) CanForwardAgents ¶
CanForwardAgents returns true if role set allows forwarding agents.
func (RoleSet) CanImpersonateSomeone ¶
CanImpersonateSomeone returns true if this checker has any impersonation rules
func (RoleSet) CanPortForward ¶
CanPortForward returns true if a role in the RoleSet allows port forwarding.
func (RoleSet) CertificateExtensions ¶
func (set RoleSet) CertificateExtensions() []*types.CertExtension
CertificateExtensions returns the list of extensions for each role in the RoleSet
func (RoleSet) CertificateFormat ¶
CertificateFormat returns the most permissive certificate format in a RoleSet.
func (RoleSet) CheckAWSRoleARNs ¶
CheckAWSRoleARNs returns a list of AWS role ARNs this role set is allowed to assume.
func (RoleSet) CheckAccessToRemoteCluster ¶
func (set RoleSet) CheckAccessToRemoteCluster(rc types.RemoteCluster) error
CheckAccessToRemoteCluster checks if a role has access to remote cluster. Deny rules are checked first then allow rules. Access to a cluster is determined by namespaces, labels, and logins.
func (RoleSet) CheckAccessToRule ¶
func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error
CheckAccessToRule checks if the RoleSet provides access in the given namespace to the specified resource and verb. silent controls whether the access violations are logged.
func (RoleSet) CheckAgentForward ¶
CheckAgentForward checks if the role can request to forward the SSH agent for this user.
func (RoleSet) CheckDatabaseNamesAndUsers ¶
func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)
CheckDatabaseNamesAndUsers checks if the role has any allowed database names or users.
func (RoleSet) CheckImpersonate ¶
func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error
CheckImpersonate checks whether the current user is allowed to impersonate the given user and roles. It returns nil if this role set can impersonate the user and their roles, and AccessDenied otherwise.
func (RoleSet) CheckImpersonateRoles ¶
func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error
CheckImpersonateRoles validates that the current user can perform role-only impersonation of the given roles. Role-only impersonation requires an allow rule with roles but no users (and no user-less deny rules). All requested roles must be allowed for the check to succeed.
func (RoleSet) CheckKubeGroupsAndUsers ¶
func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)
CheckKubeGroupsAndUsers checks if the role set can log in to Kubernetes and returns two lists: the allowed groups and the allowed users.
func (RoleSet) CheckLoginDuration ¶
CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.
func (RoleSet) DesktopClipboard ¶
DesktopClipboard returns true if the role set has enabled shared clipboard for desktop sessions. Clipboard sharing is disabled if one or more of the roles in the set has disabled it.
func (RoleSet) DesktopDirectorySharing ¶
DesktopDirectorySharing returns true if the role set has directory sharing enabled. This setting is disabled if one or more of the roles in the set has disabled it.
func (RoleSet) EnhancedRecordingSet ¶
EnhancedRecordingSet returns the set of enhanced session recording events to capture for this role set.
func (RoleSet) EnumerateDatabaseUsers ¶
func (set RoleSet) EnumerateDatabaseUsers(database types.Database, extraUsers ...string) EnumerationResult
EnumerateDatabaseUsers works on a given role set to return a minimal description of allowed set of usernames. It is biased towards *allowed* usernames; It is meant to describe what the user can do, rather than cannot do. For that reason if the user isn't allowed to pick *any* entities, the output will be empty.
In cases where * is listed in set of allowed users, it may be hard for users to figure out the expected username. For this reason the parameter extraUsers provides an extra set of users to be checked against RoleSet. This extra set of users may be sourced e.g. from user connection history.
func (RoleSet) EnumerateServerLogins ¶
func (set RoleSet) EnumerateServerLogins(server types.Server) EnumerationResult
EnumerateServerLogins works on a given role set to return a minimal description of allowed set of logins. The wildcard selector is ignored, since it is now allowed for server logins
func (RoleSet) ExtractConditionForIdentifier ¶
func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)
ExtractConditionForIdentifier returns a restrictive filter expression for list queries based on the rules' `where` conditions.
func (RoleSet) GetAllLogins ¶
GetAllLogins returns all valid unix logins for the RoleSet.
func (RoleSet) GetAllowedPreviewAsRoles ¶
GetAllowedPreviewAsRoles returns all PreviewAsRoles for this RoleSet.
func (RoleSet) GetAllowedSearchAsRoles ¶
GetAllowedSearchAsRoles returns all SearchAsRoles for this RoleSet.
func (RoleSet) GetLoginsForTTL ¶
GetLoginsForTTL collects all logins that are valid for the given TTL. The matchedTTL value indicates whether the TTL is within scope of *any* role. This helps to distinguish between TTLs which are categorically invalid, and TTLs which are theoretically valid but happen to grant no logins.
func (RoleSet) GuessIfAccessIsPossible ¶
func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string, silent bool) error
GuessIfAccessIsPossible guesses if access is possible for an entire category of resources. It answers the question: "is it possible that there is a resource of this kind that the current user can access?". GuessIfAccessIsPossible is used mainly for UI decisions ("should the tab for resource X appear?"). Most callers should use CheckAccessToRule instead.
func (RoleSet) HostUsers ¶
func (set RoleSet) HostUsers(s types.Server) (*HostUsersInfo, error)
HostUsers returns host user information matching a server or nil if a role disallows host user creation
func (RoleSet) LockingMode ¶
func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode
LockingMode returns the locking mode to apply with this RoleSet.
func (RoleSet) MFAParams ¶
func (set RoleSet) MFAParams(authPrefRequirement types.RequireMFAType) (params AccessMFAParams)
MFAParams returns MFA params for the given user given their roles, the cluster auth preference, and whether mfa has been verified.
func (RoleSet) MaxConnections ¶
MaxConnections returns the maximum number of concurrent ssh connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.
func (RoleSet) MaxKubernetesConnections ¶
MaxKubernetesConnections returns the maximum number of concurrent Kubernetes connections allowed. If MaxKubernetesConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.
func (RoleSet) MaxSessions ¶
MaxSessions returns the maximum number of concurrent ssh sessions per connection. If MaxSessions is zero then no maximum was defined and the number of sessions is unconstrained.
func (RoleSet) MaybeCanReviewRequests ¶
MaybeCanReviewRequests attempts to guess if this RoleSet belongs to a user who should be submitting access reviews. Because not all rolesets are derived from statically assigned roles, this may return false positives.
func (RoleSet) PermitX11Forwarding ¶
PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
func (RoleSet) PinSourceIP ¶
PinSourceIP determines if the role set should use source IP pinning. If one or more roles in the set requires IP pinning then it will be enabled.
func (RoleSet) PrivateKeyPolicy ¶
func (set RoleSet) PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) keys.PrivateKeyPolicy
PrivateKeyPolicy returns the enforced private key policy for this role set.
func (RoleSet) RecordDesktopSession ¶
RecordDesktopSession returns true if the role set has enabled desktop session recording. Recording is considered enabled if at least one role in the set has enabled it.
func (RoleSet) RoleNames ¶
RoleNames returns a slice with role names. Removes runtime roles like the default implicit role.
func (RoleSet) SessionPolicySets ¶
func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet
SessionPolicySets returns the list of SessionPolicySets for all roles.
func (RoleSet) SessionRecordingMode ¶
func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode
SessionRecordingMode returns the recording mode for a specific service.
func (RoleSet) WithoutImplicit ¶
WithoutImplicit returns this role set with default implicit role filtered out.
type RotationGetter ¶
// RotationGetter returns the rotation state for the given system role.
type RotationGetter func(role types.SystemRole) (*types.Rotation, error)
RotationGetter returns the rotation state.
type RuleContext ¶
// RuleContext specifies the context passed to the rule processing matcher;
// it carries information about the current session, e.g. the current user.
type RuleContext interface {
	// GetIdentifier returns the identifier defined in the context for the
	// given field path.
	GetIdentifier(fields []string) (interface{}, error)
	// GetResource returns the resource if one is specified in the context;
	// if unspecified, it returns an error.
	GetResource() (types.Resource, error)
}
RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user
type RuleSet ¶
RuleSet maps resource to a set of rules defined for it
func MakeRuleSet ¶
MakeRuleSet creates a new rule set from a list
func (RuleSet) Match ¶
func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)
Match tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.
Specifying order solves the problem on having multiple rules, e.g. one wildcard rule can override more specific rules with 'where' sections that can have 'actions' lists with side effects that will not be triggered otherwise.
type SemaphoreLock ¶
// SemaphoreLock provides a convenient interface for managing semaphore
// lease keepalive operations.
type SemaphoreLock struct {
	// contains filtered or unexported fields
}
SemaphoreLock provides a convenient interface for managing semaphore lease keepalive operations.
func AcquireSemaphoreLock ¶
func AcquireSemaphoreLock(ctx context.Context, cfg SemaphoreLockConfig) (*SemaphoreLock, error)
AcquireSemaphoreLock attempts to acquire and hold a semaphore lease. If successfully acquired, background keepalive processes are started and an associated lock handle is returned. Canceling the supplied context releases the semaphore.
func (*SemaphoreLock) Done ¶
func (l *SemaphoreLock) Done() <-chan struct{}
Done signals that lease keepalive operations have stopped.
func (*SemaphoreLock) Renewed ¶
func (l *SemaphoreLock) Renewed() <-chan struct{}
Renewed notifies on next successful lease keepalive. Used in tests to block until next renewal.
func (*SemaphoreLock) Wait ¶
func (l *SemaphoreLock) Wait() error
Wait blocks until the final result is available. Note that this method may block longer than desired since cancellation of the parent context triggers the *start* of the release operation.
type SemaphoreLockConfig ¶
// SemaphoreLockConfig configures AcquireSemaphoreLock.
type SemaphoreLockConfig struct {
	// Service is the service against which all semaphore
	// operations are performed.
	Service types.Semaphores
	// Expiry is an optional lease expiry parameter.
	Expiry time.Duration
	// TickRate is the rate at which lease renewals are attempted
	// and defaults to 1/2 expiry. Used to accelerate tests.
	TickRate time.Duration
	// Params holds the semaphore lease acquisition parameters.
	Params types.AcquireSemaphoreRequest
}
func (*SemaphoreLockConfig) CheckAndSetDefaults ¶
func (l *SemaphoreLockConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default parameters
type Services ¶
// Services collects all services into a single interface by embedding
// each of the per-area service interfaces.
type Services interface {
	UsersService
	Provisioner
	Trust
	types.Events
	ClusterConfiguration
	Access
	DynamicAccessCore
	Presence
	Restrictions
	Apps
	Databases
	Kubernetes
	AppSession
	SnowflakeSession
	types.WebSessionsGetter
	types.WebTokensGetter
	WindowsDesktops
}
Services collects all services
type SessionTrackerService ¶
// SessionTrackerService is a realtime session service that has information
// about sessions that are in-flight in the cluster at the moment.
type SessionTrackerService interface {
	// GetActiveSessionTrackers returns a list of active session trackers.
	GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)
	// GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
	GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)
	// GetSessionTracker returns the current state of a session tracker for an active session.
	GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)
	// CreateSessionTracker creates a tracker resource for an active session.
	CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error)
	// UpdateSessionTracker updates a tracker resource for an active session.
	UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error
	// RemoveSessionTracker removes a tracker resource for an active session.
	RemoveSessionTracker(ctx context.Context, sessionID string) error
	// UpdatePresence updates the presence status of a user in a session.
	UpdatePresence(ctx context.Context, sessionID, user string) error
}
SessionTrackerService is a realtime session service that has information about sessions that are in-flight in the cluster at the moment.
type SnowflakeSession ¶
// SnowflakeSession defines Snowflake web session features.
type SnowflakeSession interface {
	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
	// GetSnowflakeSessions gets all Snowflake web sessions.
	GetSnowflakeSessions(context.Context) ([]types.WebSession, error)
	// UpsertSnowflakeSession upserts a Snowflake web session.
	UpsertSnowflakeSession(context.Context, types.WebSession) error
	// DeleteSnowflakeSession removes a Snowflake web session.
	DeleteSnowflakeSession(context.Context, types.DeleteSnowflakeSessionRequest) error
	// DeleteAllSnowflakeSessions removes all Snowflake web sessions.
	DeleteAllSnowflakeSessions(context.Context) error
}
SnowflakeSession defines Snowflake session features.
type SortedLoginAttempts ¶
// SortedLoginAttempts is a sort.Interface wrapper that orders login attempts by time.
type SortedLoginAttempts []LoginAttempt
SortedLoginAttempts sorts login attempts by time
func (SortedLoginAttempts) Len ¶
func (s SortedLoginAttempts) Len() int
Len returns the length of the login attempt list.
func (SortedLoginAttempts) Less ¶
func (s SortedLoginAttempts) Less(i, j int) bool
Less stacks latest attempts to the end of the list
func (SortedLoginAttempts) Swap ¶
func (s SortedLoginAttempts) Swap(i, j int)
Swap swaps two attempts
type SortedReverseTunnels ¶
// SortedReverseTunnels is a sort.Interface wrapper that orders reverse tunnels by cluster name.
type SortedReverseTunnels []types.ReverseTunnel
SortedReverseTunnels sorts reverse tunnels by cluster name
func (SortedReverseTunnels) Len ¶
func (s SortedReverseTunnels) Len() int
func (SortedReverseTunnels) Less ¶
func (s SortedReverseTunnels) Less(i, j int) bool
func (SortedReverseTunnels) Swap ¶
func (s SortedReverseTunnels) Swap(i, j int)
type SortedRoles ¶
SortedRoles sorts roles by name
type SortedServers ¶
SortedServers is a sort wrapper that sorts servers by name
func (SortedServers) Len ¶
func (s SortedServers) Len() int
func (SortedServers) Less ¶
func (s SortedServers) Less(i, j int) bool
func (SortedServers) Swap ¶
func (s SortedServers) Swap(i, j int)
type Status ¶
// Status defines an interface for managing cluster status info.
type Status interface {
	// GetClusterAlerts loads all cluster alerts matching the query.
	GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)
	// UpsertClusterAlert creates the specified alert, overwriting any preexisting alert with the same ID.
	UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error
}
Status defines an interface for managing cluster status info.
type StatusInternal ¶
// StatusInternal extends Status with auth-internal methods.
type StatusInternal interface {
	Status
	// DeleteClusterAlert deletes the cluster alert with the specified ID.
	DeleteClusterAlert(ctx context.Context, alertID string) error
}
StatusInternal extends Status with auth-internal methods.
type Trust ¶ added in v1.0.0
// Trust is responsible for managing certificate authorities. Each authority
// manages some domain, e.g. example.com.
type Trust interface {
	// AuthorityGetter retrieves certificate authorities.
	AuthorityGetter
	// CreateCertAuthority inserts a new certificate authority.
	CreateCertAuthority(ca types.CertAuthority) error
	// UpsertCertAuthority updates or inserts a new certificate authority.
	UpsertCertAuthority(ca types.CertAuthority) error
	// CompareAndSwapCertAuthority updates the cert authority value
	// if the existing value matches the existing parameter;
	// returns nil if it succeeds, trace.CompareFailed otherwise.
	// NOTE(review): the first parameter name shadows the builtin `new`.
	CompareAndSwapCertAuthority(new, existing types.CertAuthority) error
	// DeleteCertAuthority deletes a particular certificate authority.
	DeleteCertAuthority(id types.CertAuthID) error
	// DeleteAllCertAuthorities deletes cert authorities of a certain type.
	DeleteAllCertAuthorities(caType types.CertAuthType) error
	// ActivateCertAuthority moves a CertAuthority from the deactivated list to
	// the normal list.
	ActivateCertAuthority(id types.CertAuthID) error
	// DeactivateCertAuthority moves a CertAuthority from the normal list to
	// the deactivated list.
	DeactivateCertAuthority(id types.CertAuthID) error
}
Trust is responsible for managing certificate authorities. Each authority manages some domain, e.g. example.com.
There are two types of authorities, local and remote. Local authorities have both private and public keys, so they can sign the public keys of users and hosts.
Remote authorities have only public keys available, so they can only be used to validate.
type UnknownResource ¶
// UnknownResource is used to detect resources.
type UnknownResource struct {
	types.ResourceHeader
	// Raw is the raw representation of the resource.
	Raw []byte
}
UnknownResource is used to detect resources
func (*UnknownResource) UnmarshalJSON ¶
func (u *UnknownResource) UnmarshalJSON(raw []byte) error
UnmarshalJSON unmarshals header and captures raw state
type UserCertParams ¶
// UserCertParams defines OpenSSH user certificate parameters.
type UserCertParams struct {
	// CASigner is the signer that will sign the public key of the user with the CA private key.
	CASigner ssh.Signer
	// PublicUserKey is the public key of the user.
	PublicUserKey []byte
	// TTL defines how long a certificate is valid for.
	TTL time.Duration
	// Username is the teleport username.
	Username string
	// Impersonator is set when a user requests a certificate for another user.
	Impersonator string
	// AllowedLogins is a list of SSH principals.
	AllowedLogins []string
	// PermitX11Forwarding permits X11 forwarding for this cert.
	PermitX11Forwarding bool
	// PermitAgentForwarding permits agent forwarding for this cert.
	PermitAgentForwarding bool
	// PermitPortForwarding permits port forwarding.
	PermitPortForwarding bool
	// PermitFileCopying permits the use of SCP/SFTP.
	PermitFileCopying bool
	// Roles is a list of roles assigned to this user.
	Roles []string
	// CertificateFormat is the format of the SSH certificate.
	CertificateFormat string
	// RouteToCluster specifies the target cluster;
	// if present in the certificate, it will be used
	// to route the requests to that cluster.
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// ActiveRequests tracks privilege escalation requests applied during
	// certificate construction.
	ActiveRequests RequestIDs
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check.
	MFAVerified string
	// ClientIP is an IP of the client to embed in the certificate.
	ClientIP string
	// SourceIP is an IP that the certificate should be pinned to.
	SourceIP string
	// DisallowReissue flags that any attempt to request new certificates while
	// authenticated with this cert should be denied.
	DisallowReissue bool
	// CertificateExtensions are user configured ssh key extensions.
	CertificateExtensions []*types.CertExtension
	// Renewable indicates this certificate is renewable.
	Renewable bool
	// Generation counts the number of times a certificate has been renewed.
	Generation uint64
	// AllowedResourceIDs lists the resources the user should be able to access.
	AllowedResourceIDs string
	// ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
	ConnectionDiagnosticID string
	// PrivateKeyPolicy is the private key policy supported by this certificate.
	PrivateKeyPolicy keys.PrivateKeyPolicy
}
UserCertParams defines OpenSSH user certificate parameters
func (*UserCertParams) CheckAndSetDefaults ¶
func (c *UserCertParams) CheckAndSetDefaults() error
CheckAndSetDefaults checks the user certificate parameters
type UserGetter ¶
// UserGetter is responsible for getting users.
type UserGetter interface {
	// GetUser returns a user by name; withSecrets controls whether the
	// user's secrets are included in the result.
	GetUser(user string, withSecrets bool) (types.User, error)
}
UserGetter is responsible for getting users
type Users ¶ added in v1.0.0
Users represents a slice of users, makes it sort compatible (sorts by username)
type UsersService ¶
// UsersService is responsible for basic user management.
type UsersService interface {
	UserGetter
	// UpdateUser updates an existing user.
	UpdateUser(ctx context.Context, user types.User) error
	// UpsertUser updates parameters about a user, creating it if needed.
	UpsertUser(user types.User) error
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	// NOTE(review): the first parameter name shadows the builtin `new`.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all its keys from the backend.
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server;
	// withSecrets controls whether user secrets are included.
	GetUsers(withSecrets bool) ([]types.User, error)
	// DeleteAllUsers deletes all users.
	DeleteAllUsers() error
}
UsersService is responsible for basic user management
type ValidateRequestOption ¶
// ValidateRequestOption configures a RequestValidator.
type ValidateRequestOption func(*RequestValidator)
func ExpandVars ¶
func ExpandVars(expand bool) ValidateRequestOption
ExpandVars toggles variable expansion during request validation. Variable expansion includes expanding wildcard requests, setting system annotations, and gathering threshold information. Variable expansion should be run by the auth server prior to storing an access request for the first time.
type WindowsDesktops ¶
// WindowsDesktops defines an interface for managing Windows desktop hosts.
type WindowsDesktops interface {
	// GetWindowsDesktops returns the Windows desktops matching the filter.
	GetWindowsDesktops(context.Context, types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
	// CreateWindowsDesktop creates a new Windows desktop resource.
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpdateWindowsDesktop updates an existing Windows desktop resource.
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
	// UpsertWindowsDesktop creates or updates a Windows desktop resource.
	UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
	// DeleteWindowsDesktop deletes the Windows desktop identified by hostID and name.
	DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
	// DeleteAllWindowsDesktops deletes all Windows desktop resources.
	DeleteAllWindowsDesktops(context.Context) error
	// ListWindowsDesktops returns a page of Windows desktops for the request.
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	// ListWindowsDesktopServices returns a page of Windows desktop services for the request.
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
}
WindowsDesktops defines an interface for managing Windows desktop hosts.
Source Files ¶
- access.go
- access_checker.go
- access_request.go
- app.go
- audit.go
- authentication.go
- authority.go
- clustername.go
- compare.go
- configuration.go
- connection_diagnostic.go
- database.go
- databaseserver.go
- desktop.go
- doc.go
- enforcer.go
- fanout.go
- github.go
- identity.go
- impersonate.go
- installer.go
- kubernetes.go
- license.go
- lock.go
- matchers.go
- namespace.go
- networking.go
- oidc.go
- parser.go
- plugin_data.go
- presence.go
- presets.go
- provisioning.go
- reconciler.go
- remotecluster.go
- resource.go
- restrictions.go
- role.go
- saml.go
- semaphore.go
- server.go
- services.go
- session.go
- sessionrecording.go
- sessiontracker.go
- statictokens.go
- status.go
- traits.go
- trust.go
- trustedcluster.go
- tunnel.go
- tunnelconn.go
- user.go
- usertoken.go
- usertokensecrets.go
- watcher.go
Directories ¶
Path | Synopsis |
---|---|
Package local implements the services interfaces using the abstract key-value backend provided by lib/backend, which makes it possible for teleport to run using boltdb or etcd
|
Package local implements the services interfaces using the abstract key-value backend provided by lib/backend, which makes it possible for teleport to run using boltdb or etcd |