services

package
v1.3.3-0...-f31c912 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 9, 2024 License: AGPL-3.0 Imports: 119 Imported by: 669

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.

* Local services are implemented in local package * Package suite contains the set of acceptance tests for services

Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source
const (
	// RDSEngineMySQL is RDS engine name for MySQL instances.
	RDSEngineMySQL = "mysql"
	// RDSEnginePostgres is RDS engine name for Postgres instances.
	RDSEnginePostgres = "postgres"
	// RDSEngineMariaDB is RDS engine name for MariaDB instances.
	RDSEngineMariaDB = "mariadb"
	// RDSEngineAurora is RDS engine name for Aurora MySQL 5.6 compatible clusters.
	// This reached EOF on Feb 28, 2023.
	// https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.MySQL56.EOL.html
	RDSEngineAurora = "aurora"
	// RDSEngineAuroraMySQL is RDS engine name for Aurora MySQL 5.7 compatible clusters.
	RDSEngineAuroraMySQL = "aurora-mysql"
	// RDSEngineAuroraPostgres is RDS engine name for Aurora Postgres clusters.
	RDSEngineAuroraPostgres = "aurora-postgresql"
)
View Source
const (
	// RDSEngineModeProvisioned is the RDS engine mode for provisioned Aurora clusters
	RDSEngineModeProvisioned = "provisioned"
	// RDSEngineModeServerless is the RDS engine mode for Aurora Serverless DB clusters
	RDSEngineModeServerless = "serverless"
	// RDSEngineModeParallelQuery is the RDS engine mode for Aurora MySQL clusters with parallel query enabled
	RDSEngineModeParallelQuery = "parallelquery"
	// RDSEngineModeGlobal is the RDS engine mode for Aurora Global databases
	RDSEngineModeGlobal = "global"
	// RDSEngineModeMultiMaster is the RDS engine mode for Multi-master clusters
	RDSEngineModeMultiMaster = "multimaster"
)
View Source
const (
	// RDSProxyMySQLPort is the port that RDS Proxy listens on for MySQL connections.
	RDSProxyMySQLPort = 3306
	// RDSProxyPostgresPort is the port that RDS Proxy listens on for Postgres connections.
	RDSProxyPostgresPort = 5432
	// RDSProxySQLServerPort is the port that RDS Proxy listens on for SQL Server connections.
	RDSProxySQLServerPort = 1433
)
View Source
const (
	// AzureEngineMySQL is the Azure engine name for MySQL single-server instances.
	AzureEngineMySQL = "Microsoft.DBforMySQL/servers"
	// AzureEngineMySQLFlex is the Azure engine name for MySQL flexible-server instances.
	AzureEngineMySQLFlex = "Microsoft.DBforMySQL/flexibleServers"
	// AzureEnginePostgres is the Azure engine name for PostgreSQL single-server instances.
	AzureEnginePostgres = "Microsoft.DBforPostgreSQL/servers"
	// AzureEnginePostgresFlex is the Azure engine name for PostgreSQL flexible-server instances.
	AzureEnginePostgresFlex = "Microsoft.DBforPostgreSQL/flexibleServers"
)
View Source
const (
	// RedshiftServerlessWorkgroupEndpoint is the endpoint type for workgroups.
	RedshiftServerlessWorkgroupEndpoint = "workgroup"
	// RedshiftServerlessVPCEndpoint is the endpoint type for VCP endpoints.
	RedshiftServerlessVPCEndpoint = "vpc-endpoint"
)
View Source
const (
	// UserIdentifier represents user registered identifier in the rules
	UserIdentifier = "user"
	// ResourceIdentifier represents resource registered identifier in the rules
	ResourceIdentifier = "resource"
	// ResourceLabelsIdentifier refers to the static and dynamic labels in a resource.
	ResourceLabelsIdentifier = "labels"
	// ResourceNameIdentifier refers to two different fields depending on the kind of resource:
	//   - KindNode will refer to its resource.spec.hostname field
	//   - All other kinds will refer to its resource.metadata.name field
	// It refers to two different fields because the way this shorthand is being used,
	// implies it will return the name of the resource where users identifies nodes
	// by its hostname and all other resources that can be `ls` queried is identified
	// by its metadata name.
	ResourceNameIdentifier = "name"
	// SessionIdentifier refers to a session (recording) in the rules.
	SessionIdentifier = "session"
	// SSHSessionIdentifier refers to an (active) SSH session in the rules.
	SSHSessionIdentifier = "ssh_session"
	// ImpersonateRoleIdentifier is a role to impersonate
	ImpersonateRoleIdentifier = "impersonate_role"
	// ImpersonateUserIdentifier is a user to impersonate
	ImpersonateUserIdentifier = "impersonate_user"
	// HostCertIdentifier refers to a host certificate being created.
	HostCertIdentifier = "host_cert"
	// SessionTrackerIdentifier refers to a session tracker in the rules.
	SessionTrackerIdentifier = "session_tracker"
)
View Source
const (
	// Equal means two objects are equal
	Equal = iota
	// OnlyTimestampsDifferent is true when only timestamps are different
	OnlyTimestampsDifferent = iota
	// Different means that some fields are different
	Different = iota
)
View Source
const (
	SortByName string = "name"
	SortByKind string = "kind"
)
View Source
const (
	// EventWatcherRemoved is emitted when event watcher has been removed
	EventWatcherRemoved = iota
)
View Source
const HeadlessAuthenticationUserStubID = "stub"

HeadlessAuthenticationUserStubID is the ID of a headless authentication stub.

Variables

View Source
var (
	// ResourceNameExpr is the identifier that specifies resource name.
	ResourceNameExpr = builder.Identifier("resource.metadata.name")
	// CertAuthorityTypeExpr is a function call that returns
	// cert authority type.
	CertAuthorityTypeExpr = builder.Identifier(`system.catype()`)
)

DefaultCertAuthorityRules provides access the minimal set of resources needed for a certificate authority to function.

DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.

View Source
var ErrRequiresEnterprise = &trace.AccessDeniedError{Message: "this feature requires Teleport Enterprise"}

ErrRequiresEnterprise indicates that a feature requires Teleport Enterprise.

View Source
var ErrSessionMFANotRequired = &trace.AccessDeniedError{
	Message: "MFA is not required to access resource",
}

ErrSessionMFANotRequired indicates that per session mfa will not grant access to a resource.

View Source
var ErrSessionMFARequired = &trace.AccessDeniedError{
	Message: "access to resource requires MFA",
}

ErrSessionMFARequired is returned by AccessChecker when access to a resource requires an MFA check.

View Source
var ErrTrustedDeviceRequired = dtauthz.ErrTrustedDeviceRequired

ErrTrustedDeviceRequired is returned by AccessChecker when access to a resource requires a trusted device. It's an alias to dtauthz.ErrTrustedDeviceRequired.

View Source
var StrictLockingModeAccessDenied = trace.AccessDenied("preventive lock-out due to local lock view becoming unreliable")

StrictLockingModeAccessDenied is an AccessDenied error returned when strict locking mode causes all interactions to be blocked.

UnifiedResourceKinds is a list of all kinds that are stored in the unified resource cache.

Functions

func AccessExplicitlyDenied

func AccessExplicitlyDenied(inner error) error

AccessExplicitlyDenied is an error type that indicates an AccessDenied error where a deny rule matched and access is explicitly denied, in contrast to cases where there is no matching deny or allow rule and access is only implicitly denied.

func AccessRequestsToLockTargets

func AccessRequestsToLockTargets(accessRequests []string) []types.LockTarget

AccessRequestsToLockTargets converts a list of access requests to a list of LockTargets (one LockTarget per access request)

func AcquireSemaphoreWithRetry

func AcquireSemaphoreWithRetry(ctx context.Context, req AcquireSemaphoreWithRetryConfig) (*types.SemaphoreLease, error)

AcquireSemaphoreWithRetry tries to acquire the semaphore according to the retry schedule until it succeeds or context expires.

func AddRoleDefaults

func AddRoleDefaults(role types.Role) (types.Role, error)

AddRoleDefaults adds default role attributes to a preset role. Only attributes whose resources are not already defined (either allowing or denying) are added.

func ApplyAccessReview

func ApplyAccessReview(req types.AccessRequest, rev types.AccessReview, author UserState) error

ApplyAccessReview attempts to apply the specified access review to the specified request.

func ApplyTraits

func ApplyTraits(r types.Role, traits map[string][]string) (types.Role, error)

ApplyTraits applies the passed in traits to any variables within the role and returns itself.

func ApplyValueTraits

func ApplyValueTraits(val string, traits map[string][]string) ([]string, error)

ApplyValueTraits applies the passed in traits to the variable, returns BadParameter in case if referenced variable is unsupported, returns NotFound in case if referenced trait is missing, mapped list of values otherwise, the function guarantees to return at least one value in case if return value is nil

func AssumeRoleFromAWSMetadata

func AssumeRoleFromAWSMetadata(meta *types.AWS) types.AssumeRole

AssumeRoleFromAWSMetadata is a conversion helper function that extracts AWS IAM role ARN and external ID from AWS metadata.

func CalculateAccessCapabilities

CalculateAccessCapabilities aggregates the requested capabilities using the supplied getter to load relevant resources.

func CertAuthoritiesEquivalent

func CertAuthoritiesEquivalent(lhs, rhs types.CertAuthority) bool

CertAuthoritiesEquivalent checks if a pair of certificate authority resources are equivalent. This differs from normal equality only in that resource IDs are ignored.

func CertPool

func CertPool(ca types.CertAuthority) (*x509.CertPool, error)

CertPool returns certificate pools from TLS certificates set up in the certificate authority

func CertPoolFromCertAuthorities

func CertPoolFromCertAuthorities(cas []types.CertAuthority) (*x509.CertPool, int, error)

CertPoolFromCertAuthorities returns a certificate pool from the TLS certificates set up in the certificate authorities list, as well as the number of certificates that were added to the pool.

func CheckAndSetDefaults

func CheckAndSetDefaults(r any) error

CheckAndSetDefaults calls [r.CheckAndSetDefaults] if r implements the method. If r does not implement, then this is a nop.

This method exists for backwards compatibility with old-style resources. Prefer using RFD 153 style resources, passing concrete types and running validations before storage writes only.

func CheckSAMLEntityDescriptor

func CheckSAMLEntityDescriptor(entityDescriptor string) ([]*x509.Certificate, error)

CheckSAMLEntityDescriptor checks if the entity descriptor XML is valid and has at least one valid certificate.

func ClusterAuditConfigSpecFromObject

func ClusterAuditConfigSpecFromObject(in interface{}) (*types.ClusterAuditConfigSpecV2, error)

ClusterAuditConfigSpecFromObject returns audit config spec from object.

func CompareResources

func CompareResources[T any](resA, resB T) int

CompareResources compares two resources by all significant fields.

func CompareRuleScore

func CompareRuleScore(r *types.Rule, o *types.Rule) bool

CompareRuleScore returns true if the first rule is more specific than the other.

* nRule matching wildcard resource is less specific than same rule matching specific resource. * Rule that has wildcard verbs is less specific than the same rules matching specific verb. * Rule that has where section is more specific than the same rule without where section. * Rule that has actions list is more specific than rule without actions list.

func CompareServers

func CompareServers(a, b types.Resource) int

CompareServers compares two provided servers.

func ConvertGithubConnector

func ConvertGithubConnector(c types.GithubConnector) (*types.GithubConnectorV3, error)

ConvertGithubConnector converts a GitHub auth connector so it can be sent over gRPC.

func ExtraElastiCacheLabels

func ExtraElastiCacheLabels(cluster *elasticache.ReplicationGroup, tags []*elasticache.Tag, allNodes []*elasticache.CacheCluster, allSubnetGroups []*elasticache.CacheSubnetGroup) map[string]string

ExtraElastiCacheLabels returns a list of extra labels for provided ElastiCache cluster.

func ExtraMemoryDBLabels

func ExtraMemoryDBLabels(cluster *memorydb.Cluster, tags []*memorydb.Tag, allSubnetGroups []*memorydb.SubnetGroup) map[string]string

ExtraMemoryDBLabels returns a list of extra labels for provided MemoryDB cluster.

func ExtractAllowedResourcesFromCert

func ExtractAllowedResourcesFromCert(cert *ssh.Certificate) ([]types.ResourceID, error)

func ExtractFromCertificate

func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, error)

ExtractFromCertificate will extract roles and traits from a *ssh.Certificate.

func ExtractFromIdentity

func ExtractFromIdentity(ctx context.Context, access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error)

ExtractFromIdentity will extract roles and traits from the *x509.Certificate which Teleport passes along as a *tlsca.Identity. If roles and traits do not exist in the certificates, they are extracted from the backend.

func ExtractRolesFromCert

func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error)

ExtractRolesFromCert extracts roles from certificate metadata extensions.

func ExtractTraitsFromCert

func ExtractTraitsFromCert(cert *ssh.Certificate) (wrappers.Traits, error)

ExtractTraitsFromCert extracts traits from the certificate extensions.

func GenerateIdPServiceProviderFromFields

func GenerateIdPServiceProviderFromFields(name string, entityDescriptor string) (types.SAMLIdPServiceProvider, error)

GenerateIdPServiceProviderFromFields takes `name` and `entityDescriptor` fields and returns a SAMLIdPServiceProvider.

func GetAccessRequest

func GetAccessRequest(ctx context.Context, acc DynamicAccessCore, reqID string) (types.AccessRequest, error)

GetAccessRequest is a helper function assists with loading a specific request by ID.

func GetAttributeNames

func GetAttributeNames(attributes map[string]samltypes.Attribute) []string

GetAttributeNames returns a list of claim names from the claim values

func GetClaimNames

func GetClaimNames(claims jose.Claims) []string

GetClaimNames returns a list of claim names from the claim values

func GetJWTSigner

func GetJWTSigner(signer crypto.Signer, clusterName string, clock clockwork.Clock) (*jwt.Key, error)

GetJWTSigner returns the active JWT key used to sign tokens.

func GetMySQLEngineVersion

func GetMySQLEngineVersion(labels map[string]string) string

GetMySQLEngineVersion returns MySQL engine version from provided metadata labels. An empty string is returned if label doesn't exist.

func GetRedirectURL

func GetRedirectURL(conn types.OIDCConnector, proxyAddr string) (string, error)

GetRedirectURL gets a redirect URL for the given connector. If the connector has a redirect URL which matches the host of the given Proxy address, then that one will be returned. Otherwise, the first URL in the list will be returned.

func GetResourceDetails

func GetResourceDetails(ctx context.Context, clusterName string, lister client.ListResourcesClient, ids []types.ResourceID) (map[string]types.ResourceDetails, error)

TODO(atburke): Remove this once teleport.e reference is switched over

func GetResourceIDsByCluster

func GetResourceIDsByCluster(r types.AccessRequest) map[string][]types.ResourceID

TODO(atburke): Remove this once teleport.e reference is switched over

func GetResourceMarshalerKinds

func GetResourceMarshalerKinds() []string

GetResourceMarshalerKinds lists all registered resource marshalers by kind.

func GetResourcesByResourceIDs

func GetResourcesByResourceIDs(ctx context.Context, lister client.ListResourcesClient, resourceIDs []types.ResourceID, opts ...accessrequest.ListResourcesRequestOption) ([]types.ResourceWithLabels, error)

TODO(atburke): Remove this once teleport.e reference is switched over

func GetSAMLServiceProvider

func GetSAMLServiceProvider(sc types.SAMLConnector, clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)

GetSAMLServiceProvider gets the SAMLConnector's service provider

func GetSSHCheckingKeys

func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte

GetSSHCheckingKeys returns SSH public keys from CA

func GetStringMapValue

func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)

GetStringMapValue is a helper function that returns property from map[string]string or map[string][]string the function returns empty value in case if key not found In case if map is nil, returns empty value as well

func GetTLSCerts

func GetTLSCerts(ca types.CertAuthority) [][]byte

GetTLSCerts returns TLS certificates from CA

func GetTraitMappings

func GetTraitMappings(cms []types.ClaimMapping) types.TraitMappingSet

GetTraitMappings gets the AccessRequestConditions' claims as a TraitMappingsSet

func GuessProxyHostAndVersion

func GuessProxyHostAndVersion(proxies []types.Server) (string, string, error)

GuessProxyHostAndVersion tries to find the first proxy with a public address configured and return that public addr and version. If no proxies are configured, it will return a guessed value by concatenating the first proxy's hostname with default port number, and the first proxy's version will also be returned.

Returns empty value if there are no proxies.

func HasProcessForked

func HasProcessForked(ctx context.Context) bool

HasProcessForked returns true if the Teleport process has running forked child(ren).

func InitGithubConnector

func InitGithubConnector(c types.GithubConnector) (types.GithubConnector, error)

InitGithubConnector initializes c and returns a types.GithubConnector ready for use. InitGithubConnector must be used to initialize any uninitialized [types.GithubConnector]s before they can be used.

func IsAWSResourceAvailable

func IsAWSResourceAvailable(r interface{}, status *string) bool

IsAWSResourceAvailable checks if the input status indicates the resource is available for use.

Note that this function checks some common values but not necessarily covers everything. For types that have other known status values, separate functions (e.g. IsRDSClusterAvailable) can be implemented.

func IsAccessExplicitlyDenied

func IsAccessExplicitlyDenied(err error) bool

IsAccessExplicitlyDenied returns true if any of the errors in err's chain is an AccessExplicitlyDenied error.

func IsAccessListMember

func IsAccessListMember(ctx context.Context, identity tlsca.Identity, clock clockwork.Clock, accessList *accesslist.AccessList, members AccessListMemberGetter) error

TODO(mdwn): Remove this in favor of using the access list membership checker.

func IsAccessListOwner

func IsAccessListOwner(identity tlsca.Identity, accessList *accesslist.AccessList) error

IsAccessListOwner will return true if the user is an owner for the current list.

func IsAzureFlexServer

func IsAzureFlexServer(db types.Database) bool

IsAzureFlexServer returns true if the database engine label matches the Azure PostgreSQL or MySQL Flex server engine name. Matching engines are "Microsoft.DBforMySQL/flexibleServers" or "Microsoft.DBforPostgreSQL/flexibleServers".

func IsElastiCacheClusterAvailable

func IsElastiCacheClusterAvailable(cluster *elasticache.ReplicationGroup) bool

IsElastiCacheClusterAvailable checks if the ElastiCache cluster is available.

func IsElastiCacheClusterSupported

func IsElastiCacheClusterSupported(cluster *elasticache.ReplicationGroup) bool

IsElastiCacheClusterSupported checks whether the ElastiCache cluster is supported.

func IsMemoryDBClusterAvailable

func IsMemoryDBClusterAvailable(cluster *memorydb.Cluster) bool

IsMemoryDBClusterAvailable checks if the MemoryDB cluster is available.

func IsMemoryDBClusterSupported

func IsMemoryDBClusterSupported(cluster *memorydb.Cluster) bool

IsMemoryDBClusterSupported checks whether the MemoryDB cluster is supported.

func IsOpenSearchDomainAvailable

func IsOpenSearchDomainAvailable(domain *opensearchservice.DomainStatus) bool

IsOpenSearchDomainAvailable checks if the OpenSearch domain is available.

func IsProcessReloading

func IsProcessReloading(ctx context.Context) bool

IsProcessReloading returns true if the Teleport process is reloading.

func IsRDSClusterAvailable

func IsRDSClusterAvailable(clusterStatus, clusterIndetifier *string) bool

IsRDSClusterAvailable checks if the RDS cluster is available.

func IsRDSClusterSupported

func IsRDSClusterSupported(cluster *rds.DBCluster) bool

IsRDSClusterSupported checks whether the Aurora cluster is supported.

func IsRDSInstanceAvailable

func IsRDSInstanceAvailable(instanceStatus, instanceIdentifier *string) bool

IsRDSInstanceAvailable checks if the RDS instance is available.

func IsRDSInstanceSupported

func IsRDSInstanceSupported(instance *rds.DBInstance) bool

IsRDSInstanceSupported returns true if database supports IAM authentication. Currently, only MariaDB is being checked.

func IsRDSProxyAvailable

func IsRDSProxyAvailable(dbProxy *rds.DBProxy) bool

IsRDSProxyAvailable checks if the RDS Proxy is available.

func IsRDSProxyCustomEndpointAvailable

func IsRDSProxyCustomEndpointAvailable(customEndpoint *rds.DBProxyEndpoint) bool

IsRDSProxyCustomEndpointAvailable checks if the RDS Proxy custom endpoint is available.

func IsRecordAtProxy

func IsRecordAtProxy(mode string) bool

IsRecordAtProxy returns true if recording is sync or async at proxy.

func IsRecordSync

func IsRecordSync(mode string) bool

IsRecordSync returns true if recording is sync for proxy or node.

func IsRedshiftClusterAvailable

func IsRedshiftClusterAvailable(cluster *redshift.Cluster) bool

IsRedshiftClusterAvailable checks if the Redshift cluster is available.

func LastFailed

func LastFailed(x int, attempts []LoginAttempt) bool

LastFailed calculates last x successive attempts are failed

func LatestTunnelConnection

func LatestTunnelConnection(conns []types.TunnelConnection) (types.TunnelConnection, error)

LatestTunnelConnection returns latest tunnel connection from the list of tunnel connections, if no connections found, returns NotFound error

func LockInForceAccessDenied

func LockInForceAccessDenied(lock types.Lock) error

LockInForceAccessDenied is an AccessDenied error returned when a lock is in force.

func LockTargetsFromTLSIdentity

func LockTargetsFromTLSIdentity(id tlsca.Identity) []types.LockTarget

LockTargetsFromTLSIdentity infers a list of LockTargets from tlsca.Identity.

func MakeAzureDatabaseLoginUsername

func MakeAzureDatabaseLoginUsername(db types.Database, user string) string

MakeAzureDatabaseLoginUsername returns a user name appropriate for Azure database logins. Azure requires database login to be <user>@<server-name>, for example: alice@mysql-server-name. Flexible server is an exception to this format and returns the provided username unmodified.

func MakePaginatedResources

func MakePaginatedResources(requestType string, resources []types.ResourceWithLabels) ([]*proto.PaginatedResource, error)

MakePaginatedResources converts a list of resources into a list of paginated proto representations.

func MapRoles

func MapRoles(r types.RoleMap, remoteRoles []string) ([]string, error)

MapRoles maps local roles to remote roles

func MarshalAccessList

func MarshalAccessList(accessList *accesslist.AccessList, opts ...MarshalOption) ([]byte, error)

MarshalAccessList marshals the access list resource to JSON.

func MarshalAccessListMember

func MarshalAccessListMember(member *accesslist.AccessListMember, opts ...MarshalOption) ([]byte, error)

MarshalAccessListMember marshals the access list member resource to JSON.

func MarshalAccessListReview

func MarshalAccessListReview(review *accesslist.Review, opts ...MarshalOption) ([]byte, error)

MarshalAccessListReview marshals the access list review resource to JSON.

func MarshalAccessRequest

func MarshalAccessRequest(accessRequest types.AccessRequest, opts ...MarshalOption) ([]byte, error)

MarshalAccessRequest marshals the AccessRequest resource to JSON.

func MarshalAccessRequestAllowedPromotion

func MarshalAccessRequestAllowedPromotion(accessListIDs *types.AccessRequestAllowedPromotions) ([]byte, error)

MarshalAccessRequestAllowedPromotion marshals the list of access list IDs to JSON.

func MarshalApp

func MarshalApp(app types.Application, opts ...MarshalOption) ([]byte, error)

MarshalApp marshals Application resource to JSON.

func MarshalAppServer

func MarshalAppServer(appServer types.AppServer, opts ...MarshalOption) ([]byte, error)

MarshalAppServer marshals the AppServer resource to JSON.

func MarshalAuditQuery

func MarshalAuditQuery(in *secreports.AuditQuery, opts ...MarshalOption) ([]byte, error)

MarshalAuditQuery marshals an audit query.

func MarshalAuthPreference

func MarshalAuthPreference(c types.AuthPreference, opts ...MarshalOption) ([]byte, error)

MarshalAuthPreference marshals the AuthPreference resource to JSON.

func MarshalCertAuthority

func MarshalCertAuthority(certAuthority types.CertAuthority, opts ...MarshalOption) ([]byte, error)

MarshalCertAuthority marshals the CertAuthority resource to JSON.

func MarshalCertRoles

func MarshalCertRoles(roles []string) (string, error)

MarshalCertRoles marshal roles list to OpenSSH

func MarshalClusterAuditConfig

func MarshalClusterAuditConfig(auditConfig types.ClusterAuditConfig, opts ...MarshalOption) ([]byte, error)

MarshalClusterAuditConfig marshals the ClusterAuditConfig resource to JSON.

func MarshalClusterName

func MarshalClusterName(clusterName types.ClusterName, opts ...MarshalOption) ([]byte, error)

MarshalClusterName marshals the ClusterName resource to JSON.

func MarshalClusterNetworkingConfig

func MarshalClusterNetworkingConfig(netConfig types.ClusterNetworkingConfig, opts ...MarshalOption) ([]byte, error)

MarshalClusterNetworkingConfig marshals the ClusterNetworkingConfig resource to JSON.

func MarshalConnectionDiagnostic

func MarshalConnectionDiagnostic(s types.ConnectionDiagnostic, opts ...MarshalOption) ([]byte, error)

MarshalConnectionDiagnostic marshals the ConnectionDiagnostic resource to JSON.

func MarshalDatabase

func MarshalDatabase(database types.Database, opts ...MarshalOption) ([]byte, error)

MarshalDatabase marshals the database resource to JSON.

func MarshalDatabaseServer

func MarshalDatabaseServer(databaseServer types.DatabaseServer, opts ...MarshalOption) ([]byte, error)

MarshalDatabaseServer marshals the DatabaseServer resource to JSON.

func MarshalDatabaseService

func MarshalDatabaseService(databaseService types.DatabaseService, opts ...MarshalOption) ([]byte, error)

MarshalDatabaseService marshals the DatabaseService resource to JSON.

func MarshalDevice

func MarshalDevice(dev *types.DeviceV1) ([]byte, error)

MarshalDevice marshals a DeviceV1 resource.

func MarshalDiscoveryConfig

func MarshalDiscoveryConfig(discoveryConfig *discoveryconfig.DiscoveryConfig, opts ...MarshalOption) ([]byte, error)

MarshalDiscoveryConfig marshals the DiscoveryCOnfig resource to JSON.

func MarshalExternalAuditStorage

func MarshalExternalAuditStorage(externalAuditStorage *externalauditstorage.ExternalAuditStorage, opts ...MarshalOption) ([]byte, error)

MarshalExternalAuditStorage marshals the External Audit Storage resource to JSON.

func MarshalGithubConnector

func MarshalGithubConnector(connector types.GithubConnector, opts ...MarshalOption) ([]byte, error)

MarshalGithubConnector marshals a GithubConnector resource to JSON.

func MarshalInstaller

func MarshalInstaller(installer types.Installer, opts ...MarshalOption) ([]byte, error)

MarshalInstaller marshals the Installer resource to JSON.

func MarshalIntegration

func MarshalIntegration(ig types.Integration, opts ...MarshalOption) ([]byte, error)

MarshalIntegration marshals the Integration resource to JSON.

func MarshalKubeCluster

func MarshalKubeCluster(kubeCluster types.KubeCluster, opts ...MarshalOption) ([]byte, error)

MarshalKubeCluster marshals the KubeCluster resource to JSON.

func MarshalKubeServer

func MarshalKubeServer(kubeServer types.KubeServer, opts ...MarshalOption) ([]byte, error)

MarshalKubeServer marshals the KubeServer resource to JSON.

func MarshalLicense

func MarshalLicense(license types.License, opts ...MarshalOption) ([]byte, error)

MarshalLicense marshals the License resource to JSON.

func MarshalLock

func MarshalLock(lock types.Lock, opts ...MarshalOption) ([]byte, error)

MarshalLock marshals the Lock resource to JSON.

func MarshalNamespace

func MarshalNamespace(resource types.Namespace, opts ...MarshalOption) ([]byte, error)

MarshalNamespace marshals the Namespace resource to JSON.

func MarshalNetworkRestrictions

func MarshalNetworkRestrictions(restrictions types.NetworkRestrictions, opts ...MarshalOption) ([]byte, error)

MarshalNetworkRestrictions marshals the NetworkRestrictions resource to JSON.

func MarshalOIDCConnector

func MarshalOIDCConnector(oidcConnector types.OIDCConnector, opts ...MarshalOption) ([]byte, error)

MarshalOIDCConnector marshals the OIDCConnector resource to JSON.

func MarshalOSSGithubConnector

func MarshalOSSGithubConnector(githubConnector types.GithubConnector, opts ...MarshalOption) ([]byte, error)

MarshalOSSGithubConnector marshals the open source variant of the GithubConnector resource to JSON.

func MarshalOktaAssignment

func MarshalOktaAssignment(assignment types.OktaAssignment, opts ...MarshalOption) ([]byte, error)

MarshalOktaAssignment marshals the Okta assignment resource to JSON.

func MarshalOktaImportRule

func MarshalOktaImportRule(importRule types.OktaImportRule, opts ...MarshalOption) ([]byte, error)

MarshalOktaImportRule marshals the Okta import rule resource to JSON.

func MarshalPlugin

func MarshalPlugin(plugin types.Plugin, opts ...MarshalOption) ([]byte, error)

MarshalPlugin marshals Plugin resource to JSON.

func MarshalPluginData

func MarshalPluginData(pluginData types.PluginData, opts ...MarshalOption) ([]byte, error)

MarshalPluginData marshals the PluginData resource to JSON.

func MarshalPluginStaticCredentials

func MarshalPluginStaticCredentials(pluginStaticCredentials types.PluginStaticCredentials, opts ...MarshalOption) ([]byte, error)

MarshalPluginStaticCredentials marshals PluginStaticCredentials resource to JSON.

func MarshalProvisionToken

func MarshalProvisionToken(provisionToken types.ProvisionToken, opts ...MarshalOption) ([]byte, error)

MarshalProvisionToken marshals the ProvisionToken resource to JSON.

func MarshalRemoteCluster

func MarshalRemoteCluster(remoteCluster types.RemoteCluster, opts ...MarshalOption) ([]byte, error)

MarshalRemoteCluster marshals the RemoteCluster resource to JSON.

func MarshalResource

func MarshalResource(resource types.Resource, opts ...MarshalOption) ([]byte, error)

MarshalResource attempts to marshal a resource dynamically, returning NotImplementedError if no marshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func MarshalReverseTunnel

func MarshalReverseTunnel(reverseTunnel types.ReverseTunnel, opts ...MarshalOption) ([]byte, error)

MarshalReverseTunnel marshals the ReverseTunnel resource to JSON.

func MarshalRole

func MarshalRole(role types.Role, opts ...MarshalOption) ([]byte, error)

MarshalRole marshals the Role resource to JSON.

func MarshalSAMLConnector

func MarshalSAMLConnector(samlConnector types.SAMLConnector, opts ...MarshalOption) ([]byte, error)

MarshalSAMLConnector marshals the SAMLConnector resource to JSON.

func MarshalSAMLIdPServiceProvider

func MarshalSAMLIdPServiceProvider(serviceProvider types.SAMLIdPServiceProvider, opts ...MarshalOption) ([]byte, error)

MarshalSAMLIdPServiceProvider marshals the SAMLIdPServiceProvider resource to JSON.

func MarshalSecurityCostLimiter

func MarshalSecurityCostLimiter(in *secreports.CostLimiter, opts ...MarshalOption) ([]byte, error)

MarshalSecurityCostLimiter marshals a security report state.

func MarshalSecurityReport

func MarshalSecurityReport(in *secreports.Report, opts ...MarshalOption) ([]byte, error)

MarshalSecurityReport marshals a security report.

func MarshalSecurityReportState

func MarshalSecurityReportState(in *secreports.ReportState, opts ...MarshalOption) ([]byte, error)

MarshalSecurityReportState marshals a security report state.

func MarshalSemaphore

func MarshalSemaphore(semaphore types.Semaphore, opts ...MarshalOption) ([]byte, error)

MarshalSemaphore marshals the Semaphore resource to JSON.

func MarshalServer

func MarshalServer(server types.Server, opts ...MarshalOption) ([]byte, error)

MarshalServer marshals the Server resource to JSON.

func MarshalServerInfo

func MarshalServerInfo(si types.ServerInfo, opts ...MarshalOption) ([]byte, error)

MarshalServerInfo marshals the ServerInfo resource to JSON.

func MarshalServerInfos

func MarshalServerInfos(si []types.ServerInfo) ([]byte, error)

MarshalServerInfos marshals a list of ServerInfo resources.

func MarshalServers

func MarshalServers(s []types.Server) ([]byte, error)

MarshalServers marshals a list of Server resources.

func MarshalSessionRecordingConfig

func MarshalSessionRecordingConfig(recConfig types.SessionRecordingConfig, opts ...MarshalOption) ([]byte, error)

MarshalSessionRecordingConfig marshals the SessionRecordingConfig resource to JSON.

func MarshalSessionTracker

func MarshalSessionTracker(session types.SessionTracker) ([]byte, error)

MarshalSessionTracker marshals the Session resource to JSON.

func MarshalStaticTokens

func MarshalStaticTokens(staticToken types.StaticTokens, opts ...MarshalOption) ([]byte, error)

MarshalStaticTokens marshals the StaticTokens resource to JSON.

func MarshalTrustedCluster

func MarshalTrustedCluster(trustedCluster types.TrustedCluster, opts ...MarshalOption) ([]byte, error)

MarshalTrustedCluster marshals the TrustedCluster resource to JSON.

func MarshalTunnelConnection

func MarshalTunnelConnection(tunnelConnection types.TunnelConnection, opts ...MarshalOption) ([]byte, error)

MarshalTunnelConnection marshals the TunnelConnection resource to JSON.

func MarshalUIConfig

func MarshalUIConfig(uiconfig types.UIConfig, opts ...MarshalOption) ([]byte, error)

MarshalUIConfig marshals the UIConfig resource to JSON.

func MarshalUser

func MarshalUser(user types.User, opts ...MarshalOption) ([]byte, error)

MarshalUser marshals the User resource to JSON.

func MarshalUserGroup

func MarshalUserGroup(group types.UserGroup, opts ...MarshalOption) ([]byte, error)

MarshalUserGroup marshals the user group resource to JSON.

func MarshalUserLoginState

func MarshalUserLoginState(userLoginState *userloginstate.UserLoginState, opts ...MarshalOption) ([]byte, error)

MarshalUserLoginState marshals the user login state resource to JSON.

func MarshalUserToken

func MarshalUserToken(token types.UserToken, opts ...MarshalOption) ([]byte, error)

MarshalUserToken marshals the UserToken resource to JSON.

func MarshalUserTokenSecrets

func MarshalUserTokenSecrets(secrets types.UserTokenSecrets, opts ...MarshalOption) ([]byte, error)

MarshalUserTokenSecrets marshals the UserTokenSecrets resource to JSON.

func MarshalWebSession

func MarshalWebSession(webSession types.WebSession, opts ...MarshalOption) ([]byte, error)

MarshalWebSession marshals the WebSession resource to JSON.

func MarshalWebToken

func MarshalWebToken(webToken types.WebToken, opts ...MarshalOption) ([]byte, error)

MarshalWebToken serializes the web token as JSON-encoded payload

func MarshalWindowsDesktop

func MarshalWindowsDesktop(s types.WindowsDesktop, opts ...MarshalOption) ([]byte, error)

MarshalWindowsDesktop marshals the WindowsDesktop resource to JSON.

func MarshalWindowsDesktopService

func MarshalWindowsDesktopService(s types.WindowsDesktopService, opts ...MarshalOption) ([]byte, error)

MarshalWindowsDesktopService marshals the WindowsDesktopService resource to JSON.

func MatchAWSRoleARN

func MatchAWSRoleARN(selectors []string, roleARN string) (bool, string)

MatchAWSRoleARN returns true if provided role ARN matches selectors.

func MatchAzureIdentity

func MatchAzureIdentity(selectors []string, identity string, matchWildcard bool) (bool, string)

MatchAzureIdentity returns true if provided Azure identity matches selectors.

func MatchDatabaseName

func MatchDatabaseName(selectors []string, name string) (bool, string)

MatchDatabaseName returns true if provided database name matches selectors.

func MatchDatabaseUser

func MatchDatabaseUser(selectors []string, user string, matchWildcard bool) (bool, string)

MatchDatabaseUser returns true if provided database user matches selectors.

func MatchGCPServiceAccount

func MatchGCPServiceAccount(selectors []string, account string, matchWildcard bool) (bool, string)

MatchGCPServiceAccount returns true if provided GCP service account matches selectors.

func MatchLabelGetter

func MatchLabelGetter(selector types.Labels, labelGetter LabelGetter) (bool, string, error)

MatchLabelGetter matches selector against labelGetter. Empty selector matches nothing, wildcard matches everything.

func MatchLabels

func MatchLabels(selector types.Labels, target map[string]string) (bool, string, error)

MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.

func MatchNamespace

func MatchNamespace(selectors []string, namespace string) (bool, string)

MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything.

func MatchResourceByFilters

func MatchResourceByFilters(resource types.ResourceWithLabels, filter MatchResourceFilter, seenMap map[ResourceSeenKey]struct{}) (bool, error)

MatchResourceByFilters returns true if all filter values given matched against the resource.

If no filters were provided, we will treat that as a match.

If a `seenMap` is provided, this will be treated as a request to filter out duplicate matches. The map will be modified in place as it adds new keys. Seen keys will return match as false.

Resource KubeService is handled differently b/c of its 1-N relationhip with service-clusters, it filters out the non-matched clusters on the kube service and the kube service is modified in place with only the matched clusters. Deduplication for resource `KubeService` is not provided but is provided for kind `KubernetesCluster`.

func MatchResourceLabels

func MatchResourceLabels(matchers []ResourceMatcher, labels map[string]string) bool

MatchResourceLabels returns true if any of the provided selectors matches the provided database.

func MatchValidAzureIdentity

func MatchValidAzureIdentity(identity string) bool

func MetadataFromElastiCacheCluster

func MetadataFromElastiCacheCluster(cluster *elasticache.ReplicationGroup, endpointType string) (*types.AWS, error)

MetadataFromElastiCacheCluster creates AWS metadata for the provided ElastiCache cluster.

func MetadataFromMemoryDBCluster

func MetadataFromMemoryDBCluster(cluster *memorydb.Cluster, endpointType string) (*types.AWS, error)

MetadataFromMemoryDBCluster creates AWS metadata for the provided MemoryDB cluster.

func MetadataFromOpenSearchDomain

func MetadataFromOpenSearchDomain(domain *opensearchservice.DomainStatus, endpointType string) (*types.AWS, error)

MetadataFromOpenSearchDomain creates AWS metadata for the provided OpenSearch domain.

func MetadataFromRDSCluster

func MetadataFromRDSCluster(rdsCluster *rds.DBCluster) (*types.AWS, error)

MetadataFromRDSCluster creates AWS metadata from the provided RDS cluster.

func MetadataFromRDSInstance

func MetadataFromRDSInstance(rdsInstance *rds.DBInstance) (*types.AWS, error)

MetadataFromRDSInstance creates AWS metadata from the provided RDS instance.

func MetadataFromRDSProxy

func MetadataFromRDSProxy(rdsProxy *rds.DBProxy) (*types.AWS, error)

MetadataFromRDSProxy creates AWS metadata from the provided RDS Proxy.

func MetadataFromRDSProxyCustomEndpoint

func MetadataFromRDSProxyCustomEndpoint(rdsProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint) (*types.AWS, error)

MetadataFromRDSProxyCustomEndpoint creates AWS metadata from the provided RDS Proxy custom endpoint.

func MetadataFromRDSV2Cluster

func MetadataFromRDSV2Cluster(rdsCluster *rdsTypesV2.DBCluster, rdsInstance *rdsTypesV2.DBInstance) (*types.AWS, error)

MetadataFromRDSV2Cluster creates AWS metadata from the provided RDS cluster. It uses aws sdk v2. An optional rdsTypesV2.DBInstance can be passed to fill the network configuration of the Cluster.

func MetadataFromRDSV2Instance

func MetadataFromRDSV2Instance(rdsInstance *rdsTypesV2.DBInstance) (*types.AWS, error)

MetadataFromRDSInstance creates AWS metadata from the provided RDS instance. It uses aws sdk v2.

func MetadataFromRedshiftCluster

func MetadataFromRedshiftCluster(cluster *redshift.Cluster) (*types.AWS, error)

MetadataFromRedshiftCluster creates AWS metadata from the provided Redshift cluster.

func MetadataFromRedshiftServerlessVPCEndpoint

func MetadataFromRedshiftServerlessVPCEndpoint(endpoint *redshiftserverless.EndpointAccess, workgroup *redshiftserverless.Workgroup) (*types.AWS, error)

MetadataFromRedshiftServerlessVPCEndpoint creates AWS metadata for the provided Redshift Serverless VPC endpoint.

func MetadataFromRedshiftServerlessWorkgroup

func MetadataFromRedshiftServerlessWorkgroup(workgroup *redshiftserverless.Workgroup) (*types.AWS, error)

MetadataFromRedshiftServerlessWorkgroup creates AWS metadata for the provided Redshift Serverless Workgroup.

func MustCreateProvisionToken

func MustCreateProvisionToken(token string, roles types.SystemRoles, expires time.Time) types.ProvisionToken

MustCreateProvisionToken returns a new valid provision token or panics, used in tests

func NewAWSNodeFromEC2Instance

func NewAWSNodeFromEC2Instance(instance ec2Types.Instance, awsCloudMetadata *types.AWSInfo) (types.Server, error)

NewAWSNodeFromEC2Instance creates a Node resource from an EC2 Instance. It has a pre-populated spec which contains info that is not available in the ec2.Instance object.

func NewAccessRequest

func NewAccessRequest(user string, roles ...string) (types.AccessRequest, error)

NewAccessRequest assembles an AccessRequest resource.

func NewAccessRequestWithResources

func NewAccessRequestWithResources(user string, roles []string, resourceIDs []types.ResourceID) (types.AccessRequest, error)

NewAccessRequestWithResources assembles an AccessRequest resource with requested resources.

func NewActionsParser

func NewActionsParser(ctx RuleContext) (predicate.Parser, error)

NewActionsParser returns standard parser for 'actions' section in access rules

func NewApplicationFromKubeService

func NewApplicationFromKubeService(service corev1.Service, clusterName, protocol string, port corev1.ServicePort) (types.Application, error)

NewApplicationFromKubeService creates application resources from kubernetes service. It transforms service fields and annotations into appropriate Teleport app fields. Service labels are copied to app labels.

func NewClusterNameWithRandomID

func NewClusterNameWithRandomID(spec types.ClusterNameSpecV2) (types.ClusterName, error)

NewClusterNameWithRandomID creates a ClusterName, supplying a random ClusterID if the field is not provided in spec.

func NewDatabaseFromAzureManagedSQLServer

func NewDatabaseFromAzureManagedSQLServer(server *armsql.ManagedInstance) (types.Database, error)

NewDatabaseFromAzureManagedSQLServer creates a database resource from an Azure Managed SQL server.

func NewDatabaseFromAzureMySQLFlexServer

func NewDatabaseFromAzureMySQLFlexServer(server *armmysqlflexibleservers.Server) (types.Database, error)

NewDatabaseFromAzureMySQLFlexServer creates a database resource from an Azure MySQL Flexible server.

func NewDatabaseFromAzurePostgresFlexServer

func NewDatabaseFromAzurePostgresFlexServer(server *armpostgresqlflexibleservers.Server) (types.Database, error)

NewDatabaseFromAzurePostgresFlexServer creates a database resource from an Azure PostgreSQL Flexible server.

func NewDatabaseFromAzureRedis

func NewDatabaseFromAzureRedis(server *armredis.ResourceInfo) (types.Database, error)

NewDatabaseFromAzureRedis creates a database resource from an Azure Redis server.

func NewDatabaseFromAzureRedisEnterprise

func NewDatabaseFromAzureRedisEnterprise(cluster *armredisenterprise.Cluster, database *armredisenterprise.Database) (types.Database, error)

NewDatabaseFromAzureRedisEnterprise creates a database resource from an Azure Redis Enterprise database and its parent cluster.

func NewDatabaseFromAzureSQLServer

func NewDatabaseFromAzureSQLServer(server *armsql.Server) (types.Database, error)

NewDatabaseFromAzureSQLServer creates a database resource from an Azure SQL server.

func NewDatabaseFromAzureServer

func NewDatabaseFromAzureServer(server *azure.DBServer) (types.Database, error)

NewDatabaseFromAzureServer creates a database resource from an AzureDB server.

func NewDatabaseFromElastiCacheConfigurationEndpoint

func NewDatabaseFromElastiCacheConfigurationEndpoint(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Database, error)

NewDatabaseFromElastiCacheConfigurationEndpoint creates a database resource from ElastiCache configuration endpoint.

func NewDatabaseFromMemoryDBCluster

func NewDatabaseFromMemoryDBCluster(cluster *memorydb.Cluster, extraLabels map[string]string) (types.Database, error)

NewDatabaseFromMemoryDBCluster creates a database resource from a MemoryDB cluster.

func NewDatabaseFromRDSCluster

func NewDatabaseFromRDSCluster(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Database, error)

NewDatabaseFromRDSCluster creates a database resource from an RDS cluster (Aurora).

func NewDatabaseFromRDSClusterReaderEndpoint

func NewDatabaseFromRDSClusterReaderEndpoint(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Database, error)

NewDatabaseFromRDSClusterReaderEndpoint creates a database resource from an RDS cluster reader endpoint (Aurora).

func NewDatabaseFromRDSInstance

func NewDatabaseFromRDSInstance(instance *rds.DBInstance) (types.Database, error)

NewDatabaseFromRDSInstance creates a database resource from an RDS instance.

func NewDatabaseFromRDSProxy

func NewDatabaseFromRDSProxy(dbProxy *rds.DBProxy, tags []*rds.Tag) (types.Database, error)

NewDatabaseFromRDSProxy creates database resource from RDS Proxy.

func NewDatabaseFromRDSProxyCustomEndpoint

func NewDatabaseFromRDSProxyCustomEndpoint(dbProxy *rds.DBProxy, customEndpoint *rds.DBProxyEndpoint, tags []*rds.Tag) (types.Database, error)

NewDatabaseFromRDSProxyCustomEndpoint creates database resource from RDS Proxy custom endpoint.

func NewDatabaseFromRDSV2Cluster

func NewDatabaseFromRDSV2Cluster(cluster *rdsTypesV2.DBCluster, firstInstance *rdsTypesV2.DBInstance) (types.Database, error)

NewDatabaseFromRDSV2Cluster creates a database resource from an RDS cluster (Aurora). It uses aws sdk v2.

func NewDatabaseFromRDSV2Instance

func NewDatabaseFromRDSV2Instance(instance *rdsTypesV2.DBInstance) (types.Database, error)

NewDatabaseFromRDSV2Instance creates a database resource from an RDS instance. It uses aws sdk v2.

func NewDatabaseFromRedshiftCluster

func NewDatabaseFromRedshiftCluster(cluster *redshift.Cluster) (types.Database, error)

NewDatabaseFromRedshiftCluster creates a database resource from a Redshift cluster.

func NewDatabaseFromRedshiftServerlessVPCEndpoint

func NewDatabaseFromRedshiftServerlessVPCEndpoint(endpoint *redshiftserverless.EndpointAccess, workgroup *redshiftserverless.Workgroup, tags []*redshiftserverless.Tag) (types.Database, error)

NewDatabaseFromRedshiftServerlessVPCEndpoint creates a database resource from a Redshift Serverless VPC endpoint.

func NewDatabaseFromRedshiftServerlessWorkgroup

func NewDatabaseFromRedshiftServerlessWorkgroup(workgroup *redshiftserverless.Workgroup, tags []*redshiftserverless.Tag) (types.Database, error)

NewDatabaseFromRedshiftServerlessWorkgroup creates a database resource from a Redshift Serverless Workgroup.

func NewDatabasesFromElastiCacheNodeGroups

func NewDatabasesFromElastiCacheNodeGroups(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)

NewDatabasesFromElastiCacheNodeGroups creates database resources from ElastiCache node groups.

func NewDatabasesFromElastiCacheReplicationGroup

func NewDatabasesFromElastiCacheReplicationGroup(cluster *elasticache.ReplicationGroup, extraLabels map[string]string) (types.Databases, error)

NewDatabasesFromElastiCacheReplicationGroup creates all database resources from an ElastiCache ReplicationGroup.

func NewDatabasesFromOpenSearchDomain

func NewDatabasesFromOpenSearchDomain(domain *opensearchservice.DomainStatus, tags []*opensearchservice.Tag) (types.Databases, error)

NewDatabasesFromOpenSearchDomain creates database resources from an OpenSearch domain.

func NewDatabasesFromRDSCluster

func NewDatabasesFromRDSCluster(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Databases, error)

NewDatabasesFromRDSCluster creates all database resources from an RDS Aurora cluster.

func NewDatabasesFromRDSClusterCustomEndpoints

func NewDatabasesFromRDSClusterCustomEndpoints(cluster *rds.DBCluster, memberInstances []*rds.DBInstance) (types.Databases, error)

NewDatabasesFromRDSClusterCustomEndpoints creates database resources from RDS cluster custom endpoints (Aurora).

func NewGithubConnector

func NewGithubConnector(name string, spec types.GithubConnectorSpecV3) (types.GithubConnector, error)

NewGithubConnector creates a new GitHub auth connector.

func NewHeadlessAuthenticationID

func NewHeadlessAuthenticationID(pubKey []byte) string

NewHeadlessAuthenticationID returns a new SHA256 (Version 5) UUID based on the supplied ssh public key.

func NewImplicitRole

func NewImplicitRole() types.Role

NewImplicitRole is the default implicit role that gets added to all RoleSets.

func NewKubeClusterFromAWSEKS

func NewKubeClusterFromAWSEKS(cluster *eks.Cluster) (types.KubeCluster, error)

NewKubeClusterFromAWSEKS creates a kube_cluster resource from an EKS cluster.

func NewKubeClusterFromAzureAKS

func NewKubeClusterFromAzureAKS(cluster *azure.AKSCluster) (types.KubeCluster, error)

NewKubeClusterFromAzureAKS creates a kube_cluster resource from an AKSCluster.

func NewKubeClusterFromGCPGKE

func NewKubeClusterFromGCPGKE(cluster gcp.GKECluster) (types.KubeCluster, error)

NewKubeClusterFromGCPGKE creates a kube_cluster resource from an GKE cluster.

func NewLogActionFn

func NewLogActionFn(ctx RuleContext) interface{}

NewLogActionFn creates logger functions

func NewPresetAccessRole

func NewPresetAccessRole() types.Role

NewPresetAccessRole creates a role for users who are allowed to initiate interactive sessions.

func NewPresetAuditorRole

func NewPresetAuditorRole() types.Role

NewPresetAuditorRole returns a new pre-defined role for cluster auditor - someone who can review cluster events and replay sessions, but can't initiate interactive sessions or modify configuration.

func NewPresetDeviceAdminRole

func NewPresetDeviceAdminRole() types.Role

NewPresetDeviceAdminRole returns the preset "device-admin" role, or nil for non-Enterprise builds. The role is used to administer trusted devices.

func NewPresetDeviceEnrollRole

func NewPresetDeviceEnrollRole() types.Role

NewPresetDeviceEnrollRole returns the preset "device-enroll" role, or nil for non-Enterprise builds. The role is used to grant device enrollment powers to users.

func NewPresetEditorRole

func NewPresetEditorRole() types.Role

NewPresetEditorRole returns a new pre-defined role for cluster editors who can edit cluster configuration resources.

func NewPresetGroupAccessRole

func NewPresetGroupAccessRole() types.Role

NewPresetGroupAccessRole returns a new pre-defined role for group access - a role used for requesting and reviewing user group access.

func NewPresetRequesterRole

func NewPresetRequesterRole() types.Role

NewPresetRequesterRole returns a new pre-defined role for requester. The requester will be able to request all resources.

func NewPresetRequireTrustedDeviceRole

func NewPresetRequireTrustedDeviceRole() types.Role

NewPresetRequireTrustedDeviceRole returns the preset "require-trusted-device" role, or nil for non-Enterprise builds. The role is used as a basis for requiring trusted device access to resources.

func NewPresetReviewerRole

func NewPresetReviewerRole() types.Role

NewPresetReviewerRole returns a new pre-defined role for reviewer. The reviewer will be able to review all access requests.

func NewSystemAutomaticAccessApproverRole

func NewSystemAutomaticAccessApproverRole() types.Role

NewSystemAutomaticAccessApproverRole creates a new Role that is allowed to approve any Access Request. This is restricted to Teleport Enterprise, and returns nil in non-Enterproise builds.

func NewSystemAutomaticAccessBotUser

func NewSystemAutomaticAccessBotUser() types.User

NewSystemAutomaticAccessBotUser returns a new User that has (via the the `PresetAutomaticAccessApprovalRoleName` role) the right to automatically approve any access requests.

This user must not:

  • Be allowed to log into the cluster
  • Show up in user lists in WebUI

TODO(tcsc): Implement/enforce above restrictions on this user

func NewTOTPDevice

func NewTOTPDevice(name, key string, addedAt time.Time) (*types.MFADevice, error)

NewTOTPDevice creates a TOTP MFADevice from the given key.

func NewWebSessionAttestationData

func NewWebSessionAttestationData(pub crypto.PublicKey) (*keys.AttestationData, error)

NewWebSessionAttestationData creates attestation data for a web session key. Inserting data to the Auth server will allow certificates generated for the web session key to pass private key policies that are unobtainable in the web (hardware key policies). In exchange, these keys must be kept strictly in the Auth and Proxy processes and Auth storage. These keys and certs can only be retrieved by users in the form of web session cookies.

func NewWhereParser

func NewWhereParser(ctx RuleContext) (predicate.Parser, error)

NewWhereParser returns standard parser for `where` section in access rules.

func NodeHasMissedKeepAlives

func NodeHasMissedKeepAlives(s types.Server) bool

NodeHasMissedKeepAlives checks if node has missed its keep alive

func OIDCClaimsToTraits

func OIDCClaimsToTraits(claims jose.Claims) map[string][]string

OIDCClaimsToTraits converts OIDC-style claims into teleport-specific trait format

func ParseShortcut

func ParseShortcut(in string) (string, error)

ParseShortcut parses resource shortcut Generally, this should include the plural of a singular resource name or vice versa.

func ProcessForkedContext

func ProcessForkedContext(parent context.Context) context.Context

ProcessForkedContext adds a flag to the context to indicate the Teleport process has running forked child(ren).

func ProcessReloadContext

func ProcessReloadContext(parent context.Context) context.Context

ProcessReloadContext adds a flag to the context to indicate the Teleport process is reloading.

func RO

func RO() []string

RO is a shortcut that returns read only verbs that provide access to secrets.

func RW

func RW() []string

RW is a shortcut that returns all CRUD verbs.

func ReadNoSecrets

func ReadNoSecrets() []string

ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.

func RegisterGithubAuthConverter

func RegisterGithubAuthConverter(convert GithubAuthConverter)

RegisterGithubAuthConverter registers a function to convert GitHub auth connectors.

func RegisterGithubAuthCreator

func RegisterGithubAuthCreator(creator GithubAuthCreator)

RegisterGithubAuthCreator registers a function to create GitHub auth connectors.

func RegisterGithubAuthInitializer

func RegisterGithubAuthInitializer(init GithubAuthInitializer)

RegisterGithubAuthInitializer registers a function to initialize GitHub auth connectors.

func RegisterResourceMarshaler

func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)

RegisterResourceMarshaler registers a marshaler for resources of a specific kind. WARNING!! Registering a resource Marshaler requires lib/services/local.CreateResources supports the resource kind or the standard backup/restore procedure of using `tctl get all` and then BootstrapResources in Teleport will fail.

func RegisterResourceUnmarshaler

func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)

RegisterResourceUnmarshaler registers an unmarshaler for resources of a specific kind.

func ResourceMatchersToTypes

func ResourceMatchersToTypes(in []ResourceMatcher) []*types.DatabaseResourceMatcher

ResourceMatchersToTypes converts []]services.ResourceMatchers into []*types.ResourceMatcher

func RoleForCertAuthority

func RoleForCertAuthority(ca types.CertAuthority) types.Role

RoleForCertAuthority creates role using types.CertAuthority.

func RoleForUser

func RoleForUser(u types.User) types.Role

RoleForUser creates an admin role for a services.User.

Used in tests only.

func RoleFromSpec

func RoleFromSpec(name string, spec types.RoleSpecV6) (types.Role, error)

RoleFromSpec returns new Role created from spec

func RoleMapToString

func RoleMapToString(r types.RoleMap) string

RoleMapToString prints user friendly representation of role mapping

func RoleNameForCertAuthority

func RoleNameForCertAuthority(name string) string

RoleNameForCertAuthority returns role name associated with a certificate authority.

func RoleNameForUser

func RoleNameForUser(name string) string

RoleNameForUser returns role name associated with a user.

func RolesToLockTargets

func RolesToLockTargets(roles []string) []types.LockTarget

RolesToLockTargets converts a list of roles to a list of LockTargets (one LockTarget per role).

func SAMLAssertionsToTraits

func SAMLAssertionsToTraits(assertions saml2.AssertionInfo) map[string][]string

SAMLAssertionsToTraits converts saml assertions to traits

func ShouldDeleteServerHeartbeatsOnShutdown

func ShouldDeleteServerHeartbeatsOnShutdown(ctx context.Context) bool

ShouldDeleteServerHeartbeatsOnShutdown checks whether server heartbeats should be deleted based on the process shutdown context.

func SimplifyAzureMatchers

func SimplifyAzureMatchers(matchers []types.AzureMatcher) []types.AzureMatcher

SimplifyAzureMatchers returns simplified Azure Matchers. Selectors are deduplicated, wildcard in a selector reduces the selector to just the wildcard, and defaults are applied.

func TraitsToRoleMatchers

func TraitsToRoleMatchers(ms types.TraitMappingSet, traits map[string][]string) ([]parse.Matcher, error)

TraitsToRoleMatchers maps the supplied traits to a list of role matchers. Prefer calling this function directly rather than calling TraitsToRoles and then building matchers from the resulting list since this function forces any roles which include substitutions to be literal matchers.

func TraitsToRoles

func TraitsToRoles(ms types.TraitMappingSet, traits map[string][]string) (warnings []string, roles []string)

TraitsToRoles maps the supplied traits to a list of teleport role names. Returns the list of roles mapped from traits. `warnings` optionally contains the list of warnings potentially interesting to the user.

func TunnelConnectionStatus

func TunnelConnectionStatus(clock clockwork.Clock, conn types.TunnelConnection, offlineThreshold time.Duration) string

TunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection

func UnmarshalAccessList

func UnmarshalAccessList(data []byte, opts ...MarshalOption) (*accesslist.AccessList, error)

UnmarshalAccessList unmarshals the access list resource from JSON.

func UnmarshalAccessListMember

func UnmarshalAccessListMember(data []byte, opts ...MarshalOption) (*accesslist.AccessListMember, error)

UnmarshalAccessListMember unmarshals the access list member resource from JSON.

func UnmarshalAccessListReview

func UnmarshalAccessListReview(data []byte, opts ...MarshalOption) (*accesslist.Review, error)

UnmarshalAccessListReview unmarshals the access list review resource from JSON.

func UnmarshalAccessRequest

func UnmarshalAccessRequest(data []byte, opts ...MarshalOption) (types.AccessRequest, error)

UnmarshalAccessRequest unmarshals the AccessRequest resource from JSON.

func UnmarshalAccessRequestAllowedPromotion

func UnmarshalAccessRequestAllowedPromotion(data []byte) (*types.AccessRequestAllowedPromotions, error)

UnmarshalAccessRequestAllowedPromotion unmarshals the list of access list IDs from JSON.

func UnmarshalApp

func UnmarshalApp(data []byte, opts ...MarshalOption) (types.Application, error)

UnmarshalApp unmarshals Application resource from JSON.

func UnmarshalAppServer

func UnmarshalAppServer(data []byte, opts ...MarshalOption) (types.AppServer, error)

UnmarshalAppServer unmarshals AppServer resource from JSON.

func UnmarshalAuditQuery

func UnmarshalAuditQuery(data []byte, opts ...MarshalOption) (*secreports.AuditQuery, error)

UnmarshalAuditQuery unmarshals an audit query.

func UnmarshalAuthPreference

func UnmarshalAuthPreference(bytes []byte, opts ...MarshalOption) (types.AuthPreference, error)

UnmarshalAuthPreference unmarshals the AuthPreference resource from JSON.

func UnmarshalCertAuthority

func UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (types.CertAuthority, error)

UnmarshalCertAuthority unmarshals the CertAuthority resource to JSON.

func UnmarshalCertRoles

func UnmarshalCertRoles(data string) ([]string, error)

UnmarshalCertRoles marshals roles list to OpenSSH format

func UnmarshalClusterAuditConfig

func UnmarshalClusterAuditConfig(bytes []byte, opts ...MarshalOption) (types.ClusterAuditConfig, error)

UnmarshalClusterAuditConfig unmarshals the ClusterAuditConfig resource from JSON.

func UnmarshalClusterName

func UnmarshalClusterName(bytes []byte, opts ...MarshalOption) (types.ClusterName, error)

UnmarshalClusterName unmarshals the ClusterName resource from JSON.

func UnmarshalClusterNetworkingConfig

func UnmarshalClusterNetworkingConfig(bytes []byte, opts ...MarshalOption) (types.ClusterNetworkingConfig, error)

UnmarshalClusterNetworkingConfig unmarshals the ClusterNetworkingConfig resource from JSON.

func UnmarshalConnectionDiagnostic

func UnmarshalConnectionDiagnostic(data []byte, opts ...MarshalOption) (types.ConnectionDiagnostic, error)

UnmarshalConnectionDiagnostic unmarshals the ConnectionDiagnostic resource from JSON.

func UnmarshalDatabase

func UnmarshalDatabase(data []byte, opts ...MarshalOption) (types.Database, error)

UnmarshalDatabase unmarshals the database resource from JSON.

func UnmarshalDatabaseServer

func UnmarshalDatabaseServer(data []byte, opts ...MarshalOption) (types.DatabaseServer, error)

UnmarshalDatabaseServer unmarshals the DatabaseServer resource from JSON.

func UnmarshalDatabaseService

func UnmarshalDatabaseService(data []byte, opts ...MarshalOption) (types.DatabaseService, error)

UnmarshalDatabaseService unmarshals the DatabaseService resource from JSON.

func UnmarshalDevice

func UnmarshalDevice(raw []byte) (*types.DeviceV1, error)

UnmarshalDevice unmarshals a DeviceV1 resource and runs CheckAndSetDefaults.

func UnmarshalDiscoveryConfig

func UnmarshalDiscoveryConfig(data []byte, opts ...MarshalOption) (*discoveryconfig.DiscoveryConfig, error)

UnmarshalDiscoveryConfig unmarshals the DiscoveryConfig resource from JSON.

func UnmarshalExternalAuditStorage

func UnmarshalExternalAuditStorage(data []byte, opts ...MarshalOption) (*externalauditstorage.ExternalAuditStorage, error)

UnmarshalExternalAuditStorage unmarshals the External Audit Storage resource from JSON.

func UnmarshalGithubConnector

func UnmarshalGithubConnector(bytes []byte, opts ...MarshalOption) (types.GithubConnector, error)

UnmarshalGithubConnector unmarshals the GithubConnector resource from JSON.

func UnmarshalInstaller

func UnmarshalInstaller(data []byte, opts ...MarshalOption) (types.Installer, error)

UnmarshalInstaller unmarshals the installer resource from JSON.

func UnmarshalIntegration

func UnmarshalIntegration(data []byte, opts ...MarshalOption) (types.Integration, error)

UnmarshalIntegration unmarshals Integration resource from JSON.

func UnmarshalKubeCluster

func UnmarshalKubeCluster(data []byte, opts ...MarshalOption) (types.KubeCluster, error)

UnmarshalKubeCluster unmarshals KubeCluster resource from JSON.

func UnmarshalKubeServer

func UnmarshalKubeServer(data []byte, opts ...MarshalOption) (types.KubeServer, error)

UnmarshalKubeServer unmarshals KubeServer resource from JSON.

func UnmarshalLicense

func UnmarshalLicense(bytes []byte) (types.License, error)

UnmarshalLicense unmarshals the License resource from JSON.

func UnmarshalLock

func UnmarshalLock(bytes []byte, opts ...MarshalOption) (types.Lock, error)

UnmarshalLock unmarshals the Lock resource from JSON.

func UnmarshalNamespace

func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*types.Namespace, error)

UnmarshalNamespace unmarshals the Namespace resource from JSON.

func UnmarshalNetworkRestrictions

func UnmarshalNetworkRestrictions(bytes []byte, opts ...MarshalOption) (types.NetworkRestrictions, error)

UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.

func UnmarshalOIDCConnector

func UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (types.OIDCConnector, error)

UnmarshalOIDCConnector unmarshals the OIDCConnector resource from JSON.

func UnmarshalOSSGithubConnector

func UnmarshalOSSGithubConnector(bytes []byte, opts ...MarshalOption) (types.GithubConnector, error)

UnmarshalOSSGithubConnector unmarshals the open source variant of the GithubConnector resource from JSON.

func UnmarshalOktaAssignment

func UnmarshalOktaAssignment(data []byte, opts ...MarshalOption) (types.OktaAssignment, error)

UnmarshalOktaAssignment unmarshals the Okta assignment resource from JSON.

func UnmarshalOktaImportRule

func UnmarshalOktaImportRule(data []byte, opts ...MarshalOption) (types.OktaImportRule, error)

UnmarshalOktaImportRule unmarshals Okta import rule resource from JSON.

func UnmarshalPlugin

func UnmarshalPlugin(data []byte, opts ...MarshalOption) (types.Plugin, error)

UnmarshalPlugin unmarshals the plugin resource from JSON.

func UnmarshalPluginData

func UnmarshalPluginData(raw []byte, opts ...MarshalOption) (types.PluginData, error)

UnmarshalPluginData unmarshals the PluginData resource from JSON.

func UnmarshalPluginStaticCredentials

func UnmarshalPluginStaticCredentials(data []byte, opts ...MarshalOption) (types.PluginStaticCredentials, error)

UnmarshalPluginStaticCredentials unmarshals the plugin static credentials resource from JSON.

func UnmarshalProvisionToken

func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (types.ProvisionToken, error)

UnmarshalProvisionToken unmarshals the ProvisionToken resource from JSON.

func UnmarshalRemoteCluster

func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (types.RemoteCluster, error)

UnmarshalRemoteCluster unmarshals the RemoteCluster resource from JSON.

func UnmarshalResource

func UnmarshalResource(kind string, raw []byte, opts ...MarshalOption) (types.Resource, error)

UnmarshalResource attempts to unmarshal a resource dynamically, returning NotImplementedError if no unmarshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func UnmarshalReverseTunnel

func UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (types.ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals the ReverseTunnel resource from JSON.

func UnmarshalRole

func UnmarshalRole(bytes []byte, opts ...MarshalOption) (types.Role, error)

UnmarshalRole unmarshals the Role resource from JSON.

func UnmarshalSAMLConnector

func UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (types.SAMLConnector, error)

UnmarshalSAMLConnector unmarshals the SAMLConnector resource from JSON.

func UnmarshalSAMLIdPServiceProvider

func UnmarshalSAMLIdPServiceProvider(data []byte, opts ...MarshalOption) (types.SAMLIdPServiceProvider, error)

UnmarshalSAMLIdPServiceProvider unmarshals SAMLIdPServiceProvider resource from JSON.

func UnmarshalSecurityCostLimiter

func UnmarshalSecurityCostLimiter(data []byte, opts ...MarshalOption) (*secreports.CostLimiter, error)

UnmarshalSecurityCostLimiter unmarshals a security report cost limiter.

func UnmarshalSecurityReport

func UnmarshalSecurityReport(data []byte, opts ...MarshalOption) (*secreports.Report, error)

UnmarshalSecurityReport unmarshals a security report.

func UnmarshalSecurityReportState

func UnmarshalSecurityReportState(data []byte, opts ...MarshalOption) (*secreports.ReportState, error)

UnmarshalSecurityReportState unmarshals a security report state.

func UnmarshalSemaphore

func UnmarshalSemaphore(bytes []byte, opts ...MarshalOption) (types.Semaphore, error)

UnmarshalSemaphore unmarshals the Semaphore resource from JSON.

func UnmarshalServer

func UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (types.Server, error)

UnmarshalServer unmarshals the Server resource from JSON.

func UnmarshalServerInfo

func UnmarshalServerInfo(bytes []byte, opts ...MarshalOption) (types.ServerInfo, error)

UnmarshalServerInfo unmarshals the ServerInfo resource from JSON.

func UnmarshalServerInfos

func UnmarshalServerInfos(bytes []byte) ([]types.ServerInfo, error)

UnmarshalServerInfos unmarshals a list of ServerInfo resources.

func UnmarshalServers

func UnmarshalServers(bytes []byte) ([]types.Server, error)

UnmarshalServers unmarshals a list of Server resources.

func UnmarshalSessionRecordingConfig

func UnmarshalSessionRecordingConfig(bytes []byte, opts ...MarshalOption) (types.SessionRecordingConfig, error)

UnmarshalSessionRecordingConfig unmarshals the SessionRecordingConfig resource from JSON.

func UnmarshalSessionTracker

func UnmarshalSessionTracker(bytes []byte) (types.SessionTracker, error)

UnmarshalSessionTracker unmarshals the Session resource from JSON.

func UnmarshalStaticTokens

func UnmarshalStaticTokens(bytes []byte, opts ...MarshalOption) (types.StaticTokens, error)

UnmarshalStaticTokens unmarshals the StaticTokens resource from JSON.

func UnmarshalTrustedCluster

func UnmarshalTrustedCluster(bytes []byte, opts ...MarshalOption) (types.TrustedCluster, error)

UnmarshalTrustedCluster unmarshals the TrustedCluster resource from JSON.

func UnmarshalTunnelConnection

func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (types.TunnelConnection, error)

UnmarshalTunnelConnection unmarshals TunnelConnection resource from JSON or YAML, sets defaults and checks the schema

func UnmarshalUIConfig

func UnmarshalUIConfig(data []byte, opts ...MarshalOption) (types.UIConfig, error)

UnmarshalUIConfig unmarshals the UIConfig resource from JSON.

func UnmarshalUser

func UnmarshalUser(bytes []byte, opts ...MarshalOption) (types.User, error)

UnmarshalUser unmarshals the User resource from JSON.

func UnmarshalUserGroup

func UnmarshalUserGroup(data []byte, opts ...MarshalOption) (types.UserGroup, error)

UnmarshalUserGroup unmarshals user group resource from JSON.

func UnmarshalUserLoginState

func UnmarshalUserLoginState(data []byte, opts ...MarshalOption) (*userloginstate.UserLoginState, error)

UnmarshalUserLoginState unmarshals the user login state resource from JSON.

func UnmarshalUserToken

func UnmarshalUserToken(bytes []byte, opts ...MarshalOption) (types.UserToken, error)

UnmarshalUserToken unmarshals the UserToken resource from JSON.

func UnmarshalUserTokenSecrets

func UnmarshalUserTokenSecrets(bytes []byte, opts ...MarshalOption) (types.UserTokenSecrets, error)

UnmarshalUserTokenSecrets unmarshals the UserTokenSecrets resource from JSON.

func UnmarshalWebSession

func UnmarshalWebSession(bytes []byte, opts ...MarshalOption) (types.WebSession, error)

UnmarshalWebSession unmarshals the WebSession resource from JSON.

func UnmarshalWebToken

func UnmarshalWebToken(bytes []byte, opts ...MarshalOption) (types.WebToken, error)

UnmarshalWebToken interprets bytes as JSON-encoded web token value

func UnmarshalWindowsDesktop

func UnmarshalWindowsDesktop(data []byte, opts ...MarshalOption) (types.WindowsDesktop, error)

UnmarshalWindowsDesktop unmarshals the WindowsDesktop resource from JSON.

func UnmarshalWindowsDesktopService

func UnmarshalWindowsDesktopService(data []byte, opts ...MarshalOption) (types.WindowsDesktopService, error)

UnmarshalWindowsDesktopService unmarshals the WindowsDesktopService resource from JSON.

func UserMeetsRequirements

func UserMeetsRequirements(identity tlsca.Identity, requires accesslist.Requires) bool

UserMeetsRequirements will return true if the user meets the requirements for the access list.

func UsersEquals

func UsersEquals(u types.User, other types.User) bool

UsersEquals checks if the users are equal

func ValidateAccessPredicates

func ValidateAccessPredicates(role types.Role) error

ValidateAccessPredicates checks request & review permission predicates for syntax errors. Used to help prevent users from accidentally writing incorrect predicates. This function should only be called by the auth server prior to storing new/updated roles. Normal role validation deliberately omits these checks in order to allow us to extend the available namespaces without breaking backwards compatibility with older nodes/proxies (which never need to evaluate these predicates).

func ValidateAccessRequest

func ValidateAccessRequest(ar types.AccessRequest) error

ValidateAccessRequest validates the AccessRequest and sets default values

func ValidateAccessRequestClusterNames

func ValidateAccessRequestClusterNames(cg ClusterGetter, ar types.AccessRequest) error

ValidateAccessRequestClusterNames checks that the clusters in the access request exist

func ValidateAccessRequestForUser

func ValidateAccessRequestForUser(ctx context.Context, clock clockwork.Clock, getter RequestValidatorGetter, req types.AccessRequest, identity tlsca.Identity, opts ...ValidateRequestOption) error

ValidateAccessRequestForUser validates an access request against the associated users's *statically assigned* roles. If expandRoles is true, it will also expand wildcard requests, setting their role list to include all roles the user is allowed to request. Expansion should be performed before an access request is initially placed in the backend.

func ValidateAssertionConsumerServicesEndpoint

func ValidateAssertionConsumerServicesEndpoint(acs string) error

ValidateAssertionConsumerServicesEndpoint ensures that the Assertion Consumer Service location is a valid HTTPS endpoint.

func ValidateCertAuthority

func ValidateCertAuthority(ca types.CertAuthority) (err error)

ValidateCertAuthority validates the CertAuthority

func ValidateDatabase

func ValidateDatabase(db types.Database) error

ValidateDatabase validates a types.Database.

func ValidateHeadlessAuthentication

func ValidateHeadlessAuthentication(h *types.HeadlessAuthentication) error

ValidateHeadlessAuthentication verifies that the headless authentication has all of the required fields set. Headless authentication stubs will not pass this validation.

func ValidateLocalAuthSecrets

func ValidateLocalAuthSecrets(l *types.LocalAuthSecrets) error

ValidateLocalAuthSecrets validates local auth secret members.

func ValidateNetworkRestrictions

func ValidateNetworkRestrictions(nr *types.NetworkRestrictionsV4) error

ValidateNetworkRestrictions validates the network restrictions and sets defaults

func ValidateReverseTunnel

func ValidateReverseTunnel(rt types.ReverseTunnel) error

ValidateReverseTunnel validates the OIDC connector and sets default values

func ValidateRole

func ValidateRole(r types.Role, opts ...validateRoleOption) error

ValidateRole parses validates the role, and sets default values.

func ValidateRoleName

func ValidateRoleName(role types.Role) error

ValidateRoleName checks that the role name is allowed to be created.

func ValidateSAMLConnector

func ValidateSAMLConnector(sc types.SAMLConnector, rg RoleGetter) error

ValidateSAMLConnector validates the SAMLConnector and sets default values. If a remote to fetch roles is specified, roles will be validated to exist.

func ValidateSQLServerURI

func ValidateSQLServerURI(uri string) error

ValidateSQLServerURI validates SQL Server URI and returns host and port.

Since Teleport only supports SQL Server authentcation using AD (self-hosted or Azure) the database URI must include: computer name, domain and port.

A few examples of valid URIs: - computer.ad.example.com:1433 - computer.domain.com:1433

func ValidateTrustedCluster

func ValidateTrustedCluster(tc types.TrustedCluster, allowEmptyRolesOpts ...bool) error

ValidateTrustedCluster checks and sets Trusted Cluster defaults

func ValidateUser

func ValidateUser(u types.User) error

ValidateUser validates the User and sets default values

func ValidateUserRoles

func ValidateUserRoles(ctx context.Context, u types.User, roleGetter RoleGetter) error

ValidateUserRoles checks that all the roles in the user exist

func VerifyPassword added in v1.0.0

func VerifyPassword(password []byte) error

VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in

Types

type AWSRoleARNMatcher

type AWSRoleARNMatcher struct {
	RoleARN string
}

AWSRoleARNMatcher matches a role against AWS role ARN.

func (*AWSRoleARNMatcher) Match

func (m *AWSRoleARNMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches AWS role ARN against provided role and condition.

func (*AWSRoleARNMatcher) String

func (m *AWSRoleARNMatcher) String() string

String returns the matcher's string representation.

type Access

type Access interface {
	// GetRoles returns a list of roles.
	GetRoles(ctx context.Context) ([]types.Role, error)
	// CreateRole creates a role.
	CreateRole(ctx context.Context, role types.Role) (types.Role, error)
	// UpdateRole updates an existing role.
	UpdateRole(ctx context.Context, role types.Role) (types.Role, error)
	// UpsertRole creates or updates role.
	UpsertRole(ctx context.Context, role types.Role) (types.Role, error)
	// DeleteAllRoles deletes all roles.
	DeleteAllRoles(ctx context.Context) error
	// GetRole returns role by name.
	GetRole(ctx context.Context, name string) (types.Role, error)
	// DeleteRole deletes role by name.
	DeleteRole(ctx context.Context, name string) error

	LockGetter
	// UpsertLock upserts a lock.
	UpsertLock(context.Context, types.Lock) error
	// DeleteLock deletes a lock.
	DeleteLock(context.Context, string) error
	// DeleteAllLocks deletes all/in-force locks.
	DeleteAllLocks(context.Context) error
	// ReplaceRemoteLocks replaces the set of locks associated with a remote cluster.
	ReplaceRemoteLocks(ctx context.Context, clusterName string, locks []types.Lock) error
}

Access service manages roles and permissions.

type AccessCheckable

type AccessCheckable interface {
	GetKind() string
	GetName() string
	GetMetadata() types.Metadata
	GetLabel(key string) (value string, ok bool)
	GetAllLabels() map[string]string
}

AccessCheckable is the subset of types.Resource required for the RBAC checks.

type AccessChecker

type AccessChecker interface {
	// HasRole checks if the checker includes the role
	HasRole(role string) bool

	// RoleNames returns a list of role names
	RoleNames() []string

	// Traits returns the set of user traits
	Traits() wrappers.Traits

	// Roles returns the list underlying roles this AccessChecker is based on.
	Roles() []types.Role

	// CheckAccess checks access to the specified resource.
	CheckAccess(r AccessCheckable, state AccessState, matchers ...RoleMatcher) error

	// CheckAccessToRemoteCluster checks access to remote cluster
	CheckAccessToRemoteCluster(cluster types.RemoteCluster) error

	// CheckAccessToRule checks access to a rule within a namespace.
	CheckAccessToRule(context RuleContext, namespace string, rule string, verb string, silent bool) error

	// CheckLoginDuration checks if role set can login up to given duration and
	// returns a combined list of allowed logins.
	CheckLoginDuration(ttl time.Duration) ([]string, error)

	// CheckKubeGroupsAndUsers check if role can login into kubernetes
	// and returns two lists of combined allowed groups and users
	CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) (groups []string, users []string, err error)

	// CheckAWSRoleARNs returns a list of AWS role ARNs role is allowed to assume.
	CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)

	// CheckAzureIdentities returns a list of Azure identities the user is allowed to assume.
	CheckAzureIdentities(ttl time.Duration, overrideTTL bool) ([]string, error)

	// CheckGCPServiceAccounts returns a list of GCP service accounts the user is allowed to assume.
	CheckGCPServiceAccounts(ttl time.Duration, overrideTTL bool) ([]string, error)

	// CheckAccessToSAMLIdP checks access to the SAML IdP.
	//
	//nolint:revive // Because we want this to be IdP.
	CheckAccessToSAMLIdP(types.AuthPreference) error

	// AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL
	// for this role set, otherwise it returns ttl unchanged
	AdjustSessionTTL(ttl time.Duration) time.Duration

	// AdjustClientIdleTimeout adjusts requested idle timeout
	// to the lowest max allowed timeout, the most restrictive
	// option will be picked
	AdjustClientIdleTimeout(ttl time.Duration) time.Duration

	// AdjustDisconnectExpiredCert adjusts the value based on the role set
	// the most restrictive option will be picked
	AdjustDisconnectExpiredCert(disconnect bool) bool

	// CheckAgentForward checks if the role can request agent forward for this
	// user.
	CheckAgentForward(login string) error

	// CanForwardAgents returns true if this role set offers capability to forward
	// agents.
	CanForwardAgents() bool

	// CanPortForward returns true if this RoleSet can forward ports.
	CanPortForward() bool

	// DesktopClipboard returns true if the role set has enabled shared
	// clipboard for desktop sessions. Clipboard sharing is disabled if
	// one or more of the roles in the set has disabled it.
	DesktopClipboard() bool
	// RecordDesktopSession returns true if a role in the role set has enabled
	// desktop session recoring.
	RecordDesktopSession() bool
	// DesktopDirectorySharing returns true if the role set has directory sharing
	// enabled. This setting is enabled if one or more of the roles in the set has
	// enabled it.
	DesktopDirectorySharing() bool

	// MaybeCanReviewRequests attempts to guess if this RoleSet belongs
	// to a user who should be submitting access reviews. Because not all rolesets
	// are derived from statically assigned roles, this may return false positives.
	MaybeCanReviewRequests() bool

	// PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.
	PermitX11Forwarding() bool

	// CanCopyFiles returns true if the role set has enabled remote file
	// operations via SCP or SFTP. Remote file operations are disabled if
	// one or more of the roles in the set has disabled it.
	CanCopyFiles() bool

	// CertificateFormat returns the most permissive certificate format in a
	// RoleSet.
	CertificateFormat() string

	// EnhancedRecordingSet returns a set of events that will be recorded
	// for enhanced session recording.
	EnhancedRecordingSet() map[string]bool

	// CheckDatabaseNamesAndUsers returns database names and users this role
	// is allowed to use.
	CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) (names []string, users []string, err error)

	// CheckDatabaseRoles returns whether a user should be auto-created in the
	// database and a list of database roles to assign.
	CheckDatabaseRoles(types.Database) (mode types.CreateDatabaseUserMode, roles []string, err error)

	// CheckImpersonate checks whether current user is allowed to impersonate
	// users and roles
	CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error

	// CheckImpersonateRoles checks whether the current user is allowed to
	// perform roles-only impersonation.
	CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error

	// CanImpersonateSomeone returns true if this checker has any impersonation rules
	CanImpersonateSomeone() bool

	// LockingMode returns the locking mode to apply with this checker.
	LockingMode(defaultMode constants.LockingMode) constants.LockingMode

	// ExtractConditionForIdentifier returns a restrictive filter expression
	// for list queries based on the rules' `where` conditions.
	ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)

	// CertificateExtensions returns the list of extensions for each role in the RoleSet
	CertificateExtensions() []*types.CertExtension

	// GetAllowedSearchAsRoles returns all of the allowed SearchAsRoles.
	GetAllowedSearchAsRoles() []string

	// GetAllowedPreviewAsRoles returns all of the allowed PreviewAsRoles.
	GetAllowedPreviewAsRoles() []string

	// MaxConnections returns the maximum number of concurrent ssh connections
	// allowed.  If MaxConnections is zero then no maximum was defined and the
	// number of concurrent connections is unconstrained.
	MaxConnections() int64

	// MaxSessions returns the maximum number of concurrent ssh sessions per
	// connection. If MaxSessions is zero then no maximum was defined and the
	// number of sessions is unconstrained.
	MaxSessions() int64

	// SessionPolicySets returns the list of SessionPolicySets for all roles.
	SessionPolicySets() []*types.SessionTrackerPolicySet

	// GetAllLogins returns all valid unix logins for the AccessChecker.
	GetAllLogins() []string

	// GetAllowedResourceIDs returns the list of allowed resources the identity for
	// the AccessChecker is allowed to access. An empty or nil list indicates that
	// there are no resource-specific restrictions.
	GetAllowedResourceIDs() []types.ResourceID

	// SessionRecordingMode returns the recording mode for a specific service.
	SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode

	// HostUsers returns host user information matching a server or nil if
	// a role disallows host user creation
	HostUsers(types.Server) (*HostUsersInfo, error)

	// HostSudoers returns host sudoers entries matching a server
	HostSudoers(types.Server) ([]string, error)

	// DesktopGroups returns the desktop groups a user is allowed to create or an access denied error if a role disallows desktop user creation
	DesktopGroups(types.WindowsDesktop) ([]string, error)

	// PinSourceIP forces the same client IP for certificate generation and SSH usage
	PinSourceIP() bool

	// GetAccessState returns the AccessState for the user given their roles, the
	// cluster auth preference, and whether MFA and the user's device were
	// verified.
	GetAccessState(authPref types.AuthPreference) AccessState
	// PrivateKeyPolicy returns the enforced private key policy for this role set,
	// or the provided defaultPolicy - whichever is stricter.
	PrivateKeyPolicy(defaultPolicy keys.PrivateKeyPolicy) (keys.PrivateKeyPolicy, error)

	// GetKubeResources returns the allowed and denied Kubernetes Resources configured
	// for a user.
	GetKubeResources(cluster types.KubeCluster) (allowed, denied []types.KubernetesResource)

	// EnumerateEntities works on a given role set to return a minimal description
	// of allowed set of entities (db_users, db_names, etc). It is biased towards
	// *allowed* entities; It is meant to describe what the user can do, rather than
	// cannot do. For that reason if the user isn't allowed to pick *any* entities,
	// the output will be empty.
	//
	// In cases where * is listed in set of allowed entities, it may be hard for
	// users to figure out the expected entity to use. For this reason the parameter
	// extraEntities provides an extra set of entities to be checked against
	// RoleSet. This extra set of entities may be sourced e.g. from user connection
	// history.
	EnumerateEntities(resource AccessCheckable, listFn roleEntitiesListFn, newMatcher roleMatcherFactoryFn, extraEntities ...string) EnumerationResult

	// EnumerateDatabaseUsers specializes EnumerateEntities to enumerate db_users.
	EnumerateDatabaseUsers(database types.Database, extraUsers ...string) (EnumerationResult, error)

	// EnumerateDatabaseNames specializes EnumerateEntities to enumerate db_names.
	EnumerateDatabaseNames(database types.Database, extraNames ...string) EnumerationResult

	// GetAllowedLoginsForResource returns all of the allowed logins for the passed resource.
	//
	// Supports the following resource types:
	//
	// - types.Server with GetKind() == types.KindNode
	//
	// - types.KindWindowsDesktop
	GetAllowedLoginsForResource(resource AccessCheckable) ([]string, error)
}

AccessChecker interface checks access to resources based on roles, traits, and allowed resources

func NewAccessChecker

func NewAccessChecker(info *AccessInfo, localCluster string, access RoleGetter) (AccessChecker, error)

NewAccessChecker returns a new AccessChecker which can be used to check access to resources. Args:

  • `info *AccessInfo` should hold the roles, traits, and allowed resource IDs for the identity.
  • `localCluster string` should be the name of the local cluster in which access will be checked. You cannot check for access to resources in remote clusters.
  • `access RoleGetter` should be a RoleGetter which will be used to fetch the full RoleSet

func NewAccessCheckerForRemoteCluster

func NewAccessCheckerForRemoteCluster(ctx context.Context, localAccessInfo *AccessInfo, clusterName string, access CurrentUserRoleGetter) (AccessChecker, error)

NewAccessCheckerForRemoteCluster returns an AccessChecker that can check user's access to resources that may be located in remote/leaf Teleport clusters.

func NewAccessCheckerWithRoleSet

func NewAccessCheckerWithRoleSet(info *AccessInfo, localCluster string, roleSet RoleSet) AccessChecker

NewAccessCheckerWithRoleSet is similar to NewAccessChecker, but accepts the full RoleSet rather than a RoleGetter.

type AccessInfo

type AccessInfo struct {
	// Roles is the list of cluster local roles for the identity.
	Roles []string
	// Traits is the set of traits for the identity.
	Traits wrappers.Traits
	// AllowedResourceIDs is the list of resource IDs the identity is allowed to
	// access. A nil or empty list indicates that no resource-specific
	// access restrictions should be applied. Used for search-based access
	// requests.
	AllowedResourceIDs []types.ResourceID
	// Username is the Teleport username.
	Username string
}

AccessInfo hold information about an identity necessary to check whether that identity has access to cluster resources. This info can come from a user or host SSH certificate, TLS certificate, or user information stored in the backend.

func AccessInfoFromLocalCertificate

func AccessInfoFromLocalCertificate(cert *ssh.Certificate) (*AccessInfo, error)

AccessInfoFromLocalCertificate returns a new AccessInfo populated from the given ssh certificate. Should only be used for cluster local users as roles will not be mapped.

func AccessInfoFromLocalIdentity

func AccessInfoFromLocalIdentity(identity tlsca.Identity, access UserGetter) (*AccessInfo, error)

AccessInfoFromLocalIdentity returns a new AccessInfo populated from the given tlsca.Identity. Should only be used for cluster local users as roles will not be mapped.

func AccessInfoFromRemoteCertificate

func AccessInfoFromRemoteCertificate(cert *ssh.Certificate, roleMap types.RoleMap) (*AccessInfo, error)

AccessInfoFromRemoteCertificate returns a new AccessInfo populated from the given remote cluster user's ssh certificate. Remote roles will be mapped to local roles based on the given roleMap.

func AccessInfoFromRemoteIdentity

func AccessInfoFromRemoteIdentity(identity tlsca.Identity, roleMap types.RoleMap) (*AccessInfo, error)

AccessInfoFromRemoteIdentity returns a new AccessInfo populated from the given remote cluster user's tlsca.Identity. Remote roles will be mapped to local roles based on the given roleMap.

func AccessInfoFromUser

func AccessInfoFromUser(user types.User) *AccessInfo

AccessInfoFromUser return a new AccessInfo populated from the roles and traits held be the given user. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests). TODO(mdwn): Remove this once enterprise has been moved away from this function.

func AccessInfoFromUserState

func AccessInfoFromUserState(user UserState) *AccessInfo

AccessInfoFromUserState return a new AccessInfo populated from the roles and traits held be the given user state. This should only be used in cases where the user does not have any active access requests (initial web login, initial tbot certs, tests).

type AccessListMemberGetter

type AccessListMemberGetter interface {
	// GetAccessListMember returns the specified access list member resource.
	// May return a DynamicAccessListError if the requested access list has an
	// implicit member list and the underlying implementation does not have
	// enough information to compute the dynamic member record.
	GetAccessListMember(ctx context.Context, accessList string, memberName string) (*accesslist.AccessListMember, error)
}

AccessListMemberGetter defines an interface that can retrieve access list members.

type AccessListMembers

type AccessListMembers interface {
	AccessListMembersGetter

	// UpsertAccessListMember creates or updates an access list member resource.
	UpsertAccessListMember(ctx context.Context, member *accesslist.AccessListMember) (*accesslist.AccessListMember, error)
	// DeleteAccessListMember hard deletes the specified access list member resource.
	DeleteAccessListMember(ctx context.Context, accessList string, memberName string) error
	// DeleteAllAccessListMembersForAccessList hard deletes all access list members for an access list.
	DeleteAllAccessListMembersForAccessList(ctx context.Context, accessList string) error
	// DeleteAllAccessListMembers hard deletes all access list members.
	DeleteAllAccessListMembers(ctx context.Context) error
}

AccessListMembers defines an interface for managing AccessListMembers.

type AccessListMembersGetter

type AccessListMembersGetter interface {
	AccessListMemberGetter

	// ListAccessListMembers returns a paginated list of all access list members.
	// May return a DynamicAccessListError if the requested access list has an
	// implicit member list and the underlying implementation does not have
	// enough information to compute the dynamic member list.
	ListAccessListMembers(ctx context.Context, accessListName string, pageSize int, pageToken string) (members []*accesslist.AccessListMember, nextToken string, err error)
	// ListAllAccessListMembers returns a paginated list of all access list members for all access lists.
	ListAllAccessListMembers(ctx context.Context, pageSize int, pageToken string) (members []*accesslist.AccessListMember, nextToken string, err error)
	GetAccessListMember(ctx context.Context, accessList string, memberName string) (*accesslist.AccessListMember, error)
}

AccessListMembersGetter defines an interface for reading access list members.

type AccessListMembershipChecker

type AccessListMembershipChecker struct {
	// contains filtered or unexported fields
}

AccessListMembershipChecker will check if users are members of an access list and makes sure the user is not locked and meets membership requirements.

func NewAccessListMembershipChecker

func NewAccessListMembershipChecker(clock clockwork.Clock, members AccessListMemberGetter, locks LockGetter) *AccessListMembershipChecker

NewAccessListMembershipChecker will create a new access list membership checker.

func (AccessListMembershipChecker) IsAccessListMember

func (a AccessListMembershipChecker) IsAccessListMember(ctx context.Context, identity tlsca.Identity, accessList *accesslist.AccessList) error

IsAccessListMember will return true if the user is a member for the current list.

type AccessListReviews

type AccessListReviews interface {
	// ListAccessListReviews will list access list reviews for a particular access list.
	ListAccessListReviews(ctx context.Context, accessList string, pageSize int, pageToken string) (reviews []*accesslist.Review, nextToken string, err error)

	// ListAllAccessListReviews will list access list reviews for all access lists. Only to be used by the cache.
	ListAllAccessListReviews(ctx context.Context, pageSize int, pageToken string) (reviews []*accesslist.Review, nextToken string, err error)

	// CreateAccessListReview will create a new review for an access list.
	CreateAccessListReview(ctx context.Context, review *accesslist.Review) (updatedReview *accesslist.Review, nextReviewDate time.Time, err error)

	// DeleteAccessListReview will delete an access list review from the backend.
	DeleteAccessListReview(ctx context.Context, accessListName, reviewName string) error

	// DeleteAllAccessListReviews will delete all access list reviews from all access lists.
	DeleteAllAccessListReviews(ctx context.Context) error
}

AccessListReviews defines an interface for managing Access List reviews.

type AccessLists

type AccessLists interface {
	AccessListsGetter
	AccessListsSuggestionsGetter
	AccessListMembers
	AccessListReviews

	// UpsertAccessList creates or updates an access list resource.
	UpsertAccessList(context.Context, *accesslist.AccessList) (*accesslist.AccessList, error)
	// DeleteAccessList removes the specified access list resource.
	DeleteAccessList(context.Context, string) error
	// DeleteAllAccessLists removes all access lists.
	DeleteAllAccessLists(context.Context) error

	// UpsertAccessListWithMembers creates or updates an access list resource and its members.
	UpsertAccessListWithMembers(context.Context, *accesslist.AccessList, []*accesslist.AccessListMember) (*accesslist.AccessList, []*accesslist.AccessListMember, error)

	// AccessRequestPromote promotes an access request to an access list.
	AccessRequestPromote(ctx context.Context, req *accesslistv1.AccessRequestPromoteRequest) (*accesslistv1.AccessRequestPromoteResponse, error)
}

AccessLists defines an interface for managing AccessLists.

type AccessListsGetter

type AccessListsGetter interface {
	AccessListMembersGetter

	// GetAccessLists returns a list of all access lists.
	GetAccessLists(context.Context) ([]*accesslist.AccessList, error)
	// ListAccessLists returns a paginated list of access lists.
	ListAccessLists(context.Context, int, string) ([]*accesslist.AccessList, string, error)
	// GetAccessList returns the specified access list resource.
	GetAccessList(context.Context, string) (*accesslist.AccessList, error)
	// GetAccessListsToReview returns access lists that the user needs to review.
	GetAccessListsToReview(context.Context) ([]*accesslist.AccessList, error)
}

AccessListsGetter defines an interface for reading access lists.

type AccessListsSuggestionsGetter

type AccessListsSuggestionsGetter interface {
	// GetSuggestedAccessLists returns a list of access lists that are suggested for a given request.
	GetSuggestedAccessLists(ctx context.Context, accessRequestID string) ([]*accesslist.AccessList, error)
}

AccessListsSuggestionsGetter defines an interface for reading access lists suggestions.

type AccessRequestGetter

type AccessRequestGetter interface {
	// GetAccessRequests gets all currently active access requests.
	GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
}

AccessRequestGetter defines the interface for fetching access request resources.

type AccessRequestWatcher

type AccessRequestWatcher struct {
	// contains filtered or unexported fields
}

AccessRequestWatcher is built on top of resourceWatcher to monitor access request resources.

func NewAccessRequestWatcher

func NewAccessRequestWatcher(ctx context.Context, cfg AccessRequestWatcherConfig) (*AccessRequestWatcher, error)

NewAccessRequestWatcher returns a new instance of AccessRequestWatcher.

func (AccessRequestWatcher) Close

func (p AccessRequestWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (AccessRequestWatcher) Done

func (p AccessRequestWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (AccessRequestWatcher) IsInitialized

func (p AccessRequestWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (AccessRequestWatcher) WaitInitialization

func (p AccessRequestWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type AccessRequestWatcherConfig

type AccessRequestWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AccessRequestGetter is responsible for fetching access request resources.
	AccessRequestGetter
	// Filter is the filter to use to monitor access requests.
	Filter types.AccessRequestFilter
	// AccessRequestsC receives up-to-date list of all access request resources.
	AccessRequestsC chan types.AccessRequests
}

AccessRequestWatcherConfig is a AccessRequestWatcher configuration.

func (*AccessRequestWatcherConfig) CheckAndSetDefaults

func (cfg *AccessRequestWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type AccessState

type AccessState struct {
	// MFARequired determines whether a user's MFA requirement dynamically changes
	// based on their active role (per-role), or is static across all roles
	// (always/never).
	MFARequired MFARequired
	// MFAVerified is set when MFA has been verified by the caller.
	MFAVerified bool
	// EnableDeviceVerification enables device verification in access checks.
	// It's recommended to set this in tandem with DeviceVerified, so device
	// checks are easier to reason about and have a proper chance of succeeding.
	// Used for role-based device mode checks.
	// Defaults to false for backwards compatibility.
	EnableDeviceVerification bool
	// DeviceVerified is true if the user certificate contains all required
	// device extensions.
	// A value of true enables the caller to clear device trust checks.
	// It's recommended to set this in tandem with EnableDeviceVerification.
	// See [dtauthz.IsTLSDeviceVerified] and [dtauthz.IsSSHDeviceVerified].
	DeviceVerified bool
}

AccessState holds state for the present access attempt, including both cluster settings and user state (MFA, device trust, etc).

type AcquireSemaphoreWithRetryConfig

type AcquireSemaphoreWithRetryConfig struct {
	Service types.Semaphores
	Request types.AcquireSemaphoreRequest
	Retry   retryutils.LinearConfig
}

AcquireSemaphoreWithRetryConfig contains parameters for trying to acquire a semaphore with a retry.

type AppGetter

type AppGetter interface {
	// GetApps returns all application resources.
	GetApps(context.Context) ([]types.Application, error)
	// GetApp returns the specified application resource.
	GetApp(ctx context.Context, name string) (types.Application, error)
}

AppGetter defines interface for fetching application resources.

type AppServersGetter

type AppServersGetter interface {
	GetApplicationServers(ctx context.Context, namespace string) ([]types.AppServer, error)
}

AppServersGetter is a service that gets application servers.

type AppSession

type AppSession interface {
	// GetAppSession gets an application web session.
	GetAppSession(context.Context, types.GetAppSessionRequest) (types.WebSession, error)
	// ListAppSessions gets a paginated list of application web sessions.
	ListAppSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
	// UpsertAppSession upserts an application web session.
	UpsertAppSession(context.Context, types.WebSession) error
	// DeleteAppSession removes an application web session.
	DeleteAppSession(context.Context, types.DeleteAppSessionRequest) error
	// DeleteAllAppSessions removes all application web sessions.
	DeleteAllAppSessions(context.Context) error
	// DeleteUserAppSessions deletes all user’s application sessions.
	DeleteUserAppSessions(ctx context.Context, req *proto.DeleteUserAppSessionsRequest) error
}

AppSession defines application session features.

type AppWatcher

type AppWatcher struct {
	// contains filtered or unexported fields
}

AppWatcher is built on top of resourceWatcher to monitor application resources.

func NewAppWatcher

func NewAppWatcher(ctx context.Context, cfg AppWatcherConfig) (*AppWatcher, error)

NewAppWatcher returns a new instance of AppWatcher.

func (AppWatcher) Close

func (p AppWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (AppWatcher) Done

func (p AppWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (AppWatcher) IsInitialized

func (p AppWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (AppWatcher) WaitInitialization

func (p AppWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type AppWatcherConfig

type AppWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AppGetter is responsible for fetching application resources.
	AppGetter
	// AppsC receives up-to-date list of all application resources.
	AppsC chan types.Apps
}

AppWatcherConfig is an AppWatcher configuration.

func (*AppWatcherConfig) CheckAndSetDefaults

func (cfg *AppWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Apps

type Apps interface {
	// AppGetter provides methods for fetching application resources.
	AppGetter
	// CreateApp creates a new application resource.
	CreateApp(context.Context, types.Application) error
	// UpdateApp updates an existing application resource.
	UpdateApp(context.Context, types.Application) error
	// DeleteApp removes the specified application resource.
	DeleteApp(ctx context.Context, name string) error
	// DeleteAllApps removes all database resources.
	DeleteAllApps(context.Context) error
}

Apps defines an interface for managing application resources.

type Assistant

type Assistant interface {
	// GetAssistantMessages returns all messages with given conversation ID.
	GetAssistantMessages(ctx context.Context, req *assist.GetAssistantMessagesRequest) (*assist.GetAssistantMessagesResponse, error)

	// CreateAssistantMessage adds the message to the backend.
	CreateAssistantMessage(ctx context.Context, msg *assist.CreateAssistantMessageRequest) error

	// CreateAssistantConversation creates a new conversation entry in the backend.
	CreateAssistantConversation(ctx context.Context, req *assist.CreateAssistantConversationRequest) (*assist.CreateAssistantConversationResponse, error)

	// DeleteAssistantConversation deletes a conversation entry and associated messages from the backend.
	DeleteAssistantConversation(ctx context.Context, req *assist.DeleteAssistantConversationRequest) error

	// GetAssistantConversations returns all conversations started by a user.
	GetAssistantConversations(ctx context.Context, request *assist.GetAssistantConversationsRequest) (*assist.GetAssistantConversationsResponse, error)

	// UpdateAssistantConversationInfo updates conversation info.
	UpdateAssistantConversationInfo(ctx context.Context, msg *assist.UpdateAssistantConversationInfoRequest) error

	// IsAssistEnabled returns true if the assist is enabled or not on the auth level.
	IsAssistEnabled(ctx context.Context) (*assist.IsAssistEnabledResponse, error)
}

type AuthorityGetter

type AuthorityGetter interface {
	// GetCertAuthority returns cert authority by id
	GetCertAuthority(ctx context.Context, id types.CertAuthID, loadKeys bool) (types.CertAuthority, error)

	// GetCertAuthorities returns a list of cert authorities
	GetCertAuthorities(ctx context.Context, caType types.CertAuthType, loadKeys bool) ([]types.CertAuthority, error)
}

AuthorityGetter defines interface for fetching cert authority resources.

type AzureIdentityMatcher

type AzureIdentityMatcher struct {
	Identity string
}

AzureIdentityMatcher matches a role against Azure identity.

func (*AzureIdentityMatcher) Match

func (m *AzureIdentityMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches Azure identity against provided role and condition.

func (*AzureIdentityMatcher) String

func (m *AzureIdentityMatcher) String() string

String returns the matcher's string representation.

type BoolPredicateParser

type BoolPredicateParser interface {
	predicate.Parser
	EvalBoolPredicate(string) (bool, error)
}

BoolPredicateParser extends predicate.Parser with a convenience method for evaluating bool predicates.

func NewJSONBoolParser

func NewJSONBoolParser(ctx interface{}) (BoolPredicateParser, error)

NewJSONBoolParser returns a generic parser for boolean expressions based on a json-serializable context.

func NewResourceParser

func NewResourceParser(resource types.ResourceWithLabels) (BoolPredicateParser, error)

NewResourceParser returns a parser made for boolean expressions based on a json-serialiable resource. Customized to allow short identifiers common in all resources:

  • shorthand `name` refers to `resource.spec.hostname` for node resources or it refers to `resource.metadata.name` for all other resources eg: `name == "app-name-jenkins"`
  • shorthand `labels` refers to resource `resource.metadata.labels + resource.spec.dynamic_labels` eg: `labels.env == "prod"`

All other fields can be referenced by starting expression with identifier `resource` followed by the names of the json fields ie: `resource.spec.public_addr`.

type CertAuthorityWatcher

type CertAuthorityWatcher struct {
	// contains filtered or unexported fields
}

CertAuthorityWatcher is built on top of resourceWatcher to monitor cert authority resources.

func NewCertAuthorityWatcher

func NewCertAuthorityWatcher(ctx context.Context, cfg CertAuthorityWatcherConfig) (*CertAuthorityWatcher, error)

NewCertAuthorityWatcher returns a new instance of CertAuthorityWatcher.

func (CertAuthorityWatcher) Close

func (p CertAuthorityWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (CertAuthorityWatcher) Done

func (p CertAuthorityWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (CertAuthorityWatcher) IsInitialized

func (p CertAuthorityWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (CertAuthorityWatcher) Subscribe

func (c CertAuthorityWatcher) Subscribe(ctx context.Context, filter types.CertAuthorityFilter) (types.Watcher, error)

Subscribe is used to subscribe to the lock updates.

func (CertAuthorityWatcher) WaitInitialization

func (p CertAuthorityWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type CertAuthorityWatcherConfig

type CertAuthorityWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// AuthorityGetter is responsible for fetching cert authority resources.
	AuthorityGetter
	// Types restricts which cert authority types are retrieved via the AuthorityGetter.
	Types []types.CertAuthType
}

CertAuthorityWatcherConfig is a CertAuthorityWatcher configuration.

func (*CertAuthorityWatcherConfig) CheckAndSetDefaults

func (cfg *CertAuthorityWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type ClusterConfiguration

type ClusterConfiguration interface {
	// SetClusterName gets services.ClusterName from the backend.
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
	// SetClusterName sets services.ClusterName on the backend.
	SetClusterName(types.ClusterName) error
	// UpsertClusterName upserts cluster name
	UpsertClusterName(types.ClusterName) error

	// DeleteClusterName deletes cluster name resource
	DeleteClusterName() error

	// GetStaticTokens gets services.StaticTokens from the backend.
	GetStaticTokens() (types.StaticTokens, error)
	// SetStaticTokens sets services.StaticTokens on the backend.
	SetStaticTokens(types.StaticTokens) error
	// DeleteStaticTokens deletes static tokens resource
	DeleteStaticTokens() error

	// GetUIConfig gets the proxy service UI config from the backend
	GetUIConfig(context.Context) (types.UIConfig, error)
	// SetUIConfig sets the proxy service UI config from the backend
	SetUIConfig(context.Context, types.UIConfig) error
	// DeleteUIConfig deletes the proxy service UI config from the backend
	DeleteUIConfig(ctx context.Context) error

	// GetAuthPreference gets types.AuthPreference from the backend.
	GetAuthPreference(context.Context) (types.AuthPreference, error)
	// SetAuthPreference sets types.AuthPreference from the backend.
	SetAuthPreference(context.Context, types.AuthPreference) error
	// DeleteAuthPreference deletes types.AuthPreference from the backend.
	DeleteAuthPreference(ctx context.Context) error

	// GetSessionRecordingConfig gets SessionRecordingConfig from the backend.
	GetSessionRecordingConfig(context.Context, ...MarshalOption) (types.SessionRecordingConfig, error)
	// SetSessionRecordingConfig sets SessionRecordingConfig from the backend.
	SetSessionRecordingConfig(context.Context, types.SessionRecordingConfig) error
	// DeleteSessionRecordingConfig deletes SessionRecordingConfig from the backend.
	DeleteSessionRecordingConfig(ctx context.Context) error

	// GetClusterAuditConfig gets ClusterAuditConfig from the backend.
	GetClusterAuditConfig(context.Context, ...MarshalOption) (types.ClusterAuditConfig, error)
	// SetClusterAuditConfig sets ClusterAuditConfig from the backend.
	SetClusterAuditConfig(context.Context, types.ClusterAuditConfig) error
	// DeleteClusterAuditConfig deletes ClusterAuditConfig from the backend.
	DeleteClusterAuditConfig(ctx context.Context) error

	// GetClusterNetworkingConfig gets ClusterNetworkingConfig from the backend.
	GetClusterNetworkingConfig(context.Context, ...MarshalOption) (types.ClusterNetworkingConfig, error)
	// SetClusterNetworkingConfig sets ClusterNetworkingConfig from the backend.
	SetClusterNetworkingConfig(context.Context, types.ClusterNetworkingConfig) error
	// DeleteClusterNetworkingConfig deletes ClusterNetworkingConfig from the backend.
	DeleteClusterNetworkingConfig(ctx context.Context) error

	// GetInstallers gets all installer scripts from the backend
	GetInstallers(context.Context) ([]types.Installer, error)
	// GetInstaller gets the installer script from the backend
	GetInstaller(ctx context.Context, name string) (types.Installer, error)
	// SetInstaller sets the installer script in the backend
	SetInstaller(context.Context, types.Installer) error
	// DeleteInstaller removes the installer script from the backend
	DeleteInstaller(ctx context.Context, name string) error
	// DeleteAllInstallers removes all installer script resources from the backend
	DeleteAllInstallers(context.Context) error

	// GetClusterMaintenanceConfig loads the current maintenance config singleton.
	GetClusterMaintenanceConfig(ctx context.Context) (types.ClusterMaintenanceConfig, error)
	// UpdateClusterMaintenanceConfig updates the maintenance config singleton.
	UpdateClusterMaintenanceConfig(ctx context.Context, cfg types.ClusterMaintenanceConfig) error
	// DeleteClusterMaintenanceConfig deletes the maintenance config singleton.
	DeleteClusterMaintenanceConfig(ctx context.Context) error
}

ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.

type ClusterGetter

type ClusterGetter interface {
	// GetClusterName returns the local cluster name
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)
}

ClusterGetter provides access to the local cluster

type CommandLabels

type CommandLabels map[string]types.CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) Clone

func (c *CommandLabels) Clone() CommandLabels

Clone returns copy of the set

func (*CommandLabels) SetEnv

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type ConnectionDiagnosticTraceAppender

type ConnectionDiagnosticTraceAppender interface {
	// AppendDiagnosticTrace atomically adds a new trace into the ConnectionDiagnostic.
	AppendDiagnosticTrace(ctx context.Context, name string, t *types.ConnectionDiagnosticTrace) (types.ConnectionDiagnostic, error)
}

ConnectionDiagnosticTraceAppender specifies methods to add Traces into a DiagnosticConnection

type ConnectionsDiagnostic

type ConnectionsDiagnostic interface {
	// CreateConnectionDiagnostic creates a new Connection Diagnostic
	CreateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error

	// UpdateConnectionDiagnostic updates a Connection Diagnostic
	UpdateConnectionDiagnostic(context.Context, types.ConnectionDiagnostic) error

	// GetConnectionDiagnostic receives a name and returns the Connection Diagnostic matching that name
	//
	// If not found, a `trace.NotFound` error is returned
	GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error)

	// ConnectionDiagnosticTraceAppender adds a method to append traces into ConnectionDiagnostics.
	ConnectionDiagnosticTraceAppender
}

ConnectionsDiagnostic defines an interface for managing Connection Diagnostics.

type Context

type Context struct {
	// User is currently authenticated user
	User UserState
	// Resource is an optional resource, in case if the rule
	// checks access to the resource
	Resource types.Resource
	// Session is an optional session.end or windows.desktop.session.end event.
	// These events hold information about session recordings.
	Session events.AuditEvent
	// SSHSession is an optional (active) SSH session.
	SSHSession *session.Session
	// HostCert is an optional host certificate.
	HostCert *HostCertContext
	// SessionTracker is an optional session tracker, in case if the rule checks access to the tracker.
	SessionTracker types.SessionTracker
}

Context is a default rule context used in teleport

func (*Context) GetIdentifier

func (ctx *Context) GetIdentifier(fields []string) (interface{}, error)

GetIdentifier returns identifier defined in a context

func (*Context) GetResource

func (ctx *Context) GetResource() (types.Resource, error)

GetResource returns resource specified in the context, returns error if not specified.

func (*Context) String

func (ctx *Context) String() string

String returns user friendly representation of this context

type CostLimiter

type CostLimiter interface {
	// UpsertCostLimiter upserts a security cost limiter.
	UpsertCostLimiter(ctx context.Context, item *secreports.CostLimiter) error
	// GetCostLimiter returns a security cost limiter.
	GetCostLimiter(ctx context.Context, name string) (*secreports.CostLimiter, error)
}

CostLimiter is the interface for the security cost limiter.

type CurrentUserRoleGetter

type CurrentUserRoleGetter interface {
	// GetCurrentUserRoles returns the remote cluster roles for the current
	// user, traits have not been applied.
	GetCurrentUserRoles(context.Context) ([]types.Role, error)
	// GetCurrentUser returns the remote cluster's view of the current user.
	GetCurrentUser(context.Context) (types.User, error)
}

CurrentUserRoleGetter limits the interface of auth.ClientI to methods needed by NewAccessCheckerForRemoteCluster.

type DatabaseGetter

type DatabaseGetter interface {
	// GetDatabases returns all database resources.
	GetDatabases(context.Context) ([]types.Database, error)
	// GetDatabase returns the specified database resource.
	GetDatabase(ctx context.Context, name string) (types.Database, error)
}

DatabaseGetter defines interface for fetching database resources.

type DatabaseNameMatcher

type DatabaseNameMatcher struct {
	Name string
}

DatabaseNameMatcher matches a role against database name.

func (*DatabaseNameMatcher) Match

func (m *DatabaseNameMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches database name against provided role and condition.

func (*DatabaseNameMatcher) String

func (m *DatabaseNameMatcher) String() string

String returns the matcher's string representation.

type DatabaseServersGetter

type DatabaseServersGetter interface {
	GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error)
}

DatabaseServersGetter is a service that gets database servers.

type DatabaseServices

type DatabaseServices interface {
	// UpsertDatabaseService updates an existing DatabaseService resource.
	UpsertDatabaseService(context.Context, types.DatabaseService) (*types.KeepAlive, error)

	// DeleteDatabaseService removes the specified DatabaseService resource.
	DeleteDatabaseService(ctx context.Context, name string) error

	// DeleteAllDatabaseServices removes all DatabaseService resources.
	DeleteAllDatabaseServices(context.Context) error
}

DatabaseServices defines an interface for managing DatabaseService resources.

type DatabaseWatcher

type DatabaseWatcher struct {
	// contains filtered or unexported fields
}

DatabaseWatcher is built on top of resourceWatcher to monitor database resources.

func NewDatabaseWatcher

func NewDatabaseWatcher(ctx context.Context, cfg DatabaseWatcherConfig) (*DatabaseWatcher, error)

NewDatabaseWatcher returns a new instance of DatabaseWatcher.

func (DatabaseWatcher) Close

func (p DatabaseWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (DatabaseWatcher) Done

func (p DatabaseWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (DatabaseWatcher) IsInitialized

func (p DatabaseWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (DatabaseWatcher) WaitInitialization

func (p DatabaseWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type DatabaseWatcherConfig

type DatabaseWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// DatabaseGetter is responsible for fetching database resources.
	DatabaseGetter
	// DatabasesC receives up-to-date list of all database resources.
	DatabasesC chan types.Databases
}

DatabaseWatcherConfig is a DatabaseWatcher configuration.

func (*DatabaseWatcherConfig) CheckAndSetDefaults

func (cfg *DatabaseWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Databases

type Databases interface {
	// DatabaseGetter provides methods for fetching database resources.
	DatabaseGetter
	// CreateDatabase creates a new database resource.
	CreateDatabase(context.Context, types.Database) error
	// UpdateDatabase updates an existing database resource.
	UpdateDatabase(context.Context, types.Database) error
	// DeleteDatabase removes the specified database resource.
	DeleteDatabase(ctx context.Context, name string) error
	// DeleteAllDatabases removes all database resources.
	DeleteAllDatabases(context.Context) error
}

Databases defines an interface for managing database resources.

type DiscoveryConfigs

type DiscoveryConfigs interface {
	DiscoveryConfigsGetter
	// CreateDiscoveryConfig creates a new DiscoveryConfig resource.
	CreateDiscoveryConfig(context.Context, *discoveryconfig.DiscoveryConfig) (*discoveryconfig.DiscoveryConfig, error)
	// UpdateDiscoveryConfig updates an existing DiscoveryConfig resource.
	UpdateDiscoveryConfig(context.Context, *discoveryconfig.DiscoveryConfig) (*discoveryconfig.DiscoveryConfig, error)
	// UpsertDiscoveryConfig upserts a DiscoveryConfig resource.
	UpsertDiscoveryConfig(context.Context, *discoveryconfig.DiscoveryConfig) (*discoveryconfig.DiscoveryConfig, error)
	// DeleteDiscoveryConfig removes the specified DiscoveryConfig resource.
	DeleteDiscoveryConfig(ctx context.Context, name string) error
	// DeleteAllDiscoveryConfigs removes all DiscoveryConfigs.
	DeleteAllDiscoveryConfigs(context.Context) error
}

DiscoveryConfigs defines an interface for managing DiscoveryConfigs.

type DiscoveryConfigsGetter

type DiscoveryConfigsGetter interface {
	// ListDiscoveryConfigs returns a paginated list of all DiscoveryConfig resources.
	// An optional DiscoveryGroup can be provided to filter.
	ListDiscoveryConfigs(ctx context.Context, pageSize int, nextToken string) ([]*discoveryconfig.DiscoveryConfig, string, error)
	// GetDiscoveryConfig returns the specified DiscoveryConfig resources.
	GetDiscoveryConfig(ctx context.Context, name string) (*discoveryconfig.DiscoveryConfig, error)
}

DiscoveryConfigsGetter defines methods for List/Read operations on DiscoveryConfig Resources.

type DynamicAccess

type DynamicAccess interface {
	DynamicAccessCore
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) error
	// SubmitAccessReview applies a review to a request and returns the post-application state.
	SubmitAccessReview(ctx context.Context, params types.AccessReviewSubmission) (types.AccessRequest, error)
	// GetAccessRequestAllowedPromotions returns suggested access lists for the given access request.
	GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
}

DynamicAccess is a service which manages dynamic RBAC. Specifically, this is the dynamic access interface implemented by remote clients.

type DynamicAccessCore

type DynamicAccessCore interface {
	AccessRequestGetter
	// CreateAccessRequestV2 stores a new access request.
	CreateAccessRequestV2(ctx context.Context, req types.AccessRequest) (types.AccessRequest, error)
	// DeleteAccessRequest deletes an access request.
	DeleteAccessRequest(ctx context.Context, reqID string) error
}

DynamicAccessCore is the core functionality common to all DynamicAccess implementations.

type DynamicAccessExt

type DynamicAccessExt interface {
	DynamicAccessCore
	// CreateAccessRequest stores a new access request.
	CreateAccessRequest(ctx context.Context, req types.AccessRequest) error
	// ApplyAccessReview applies a review to a request in the backend and returns the post-application state.
	ApplyAccessReview(ctx context.Context, params types.AccessReviewSubmission, checker ReviewPermissionChecker) (types.AccessRequest, error)
	// UpsertAccessRequest creates or updates an access request.
	UpsertAccessRequest(ctx context.Context, req types.AccessRequest) error
	// DeleteAllAccessRequests deletes all existent access requests.
	DeleteAllAccessRequests(ctx context.Context) error
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, params types.AccessRequestUpdate) (types.AccessRequest, error)
	// CreateAccessRequestAllowedPromotions creates a list of allowed access list promotions for the given access request.
	CreateAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest, accessLists *types.AccessRequestAllowedPromotions) error
	// GetAccessRequestAllowedPromotions returns a lists of allowed access list promotions for the given access request.
	GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
}

DynamicAccessExt is an extended dynamic access interface used to implement some auth server internals.

type DynamicAccessOracle

type DynamicAccessOracle interface {
	GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error)
}

DynamicAccessOracle is a service capable of answering questions related to the dynamic access API. Necessary because some information (e.g. the list of roles a user is allowed to request) can not be calculated by actors with limited privileges.

type Embeddings

type Embeddings interface {
	// GetEmbedding looks up a single embedding by its name in the backend.
	GetEmbedding(ctx context.Context, kind, resourceID string) (*embedding.Embedding, error)
	// GetEmbeddings returns all embeddings for a given kind.
	GetEmbeddings(ctx context.Context, kind string) stream.Stream[*embedding.Embedding]
	// GetEmbeddings returns all embeddings.
	GetAllEmbeddings(ctx context.Context) stream.Stream[*embedding.Embedding]
	// UpsertEmbedding creates or updates a single ai.Embedding in the backend.
	UpsertEmbedding(ctx context.Context, embedding *embedding.Embedding) (*embedding.Embedding, error)
}

Embeddings service is responsible for storing and retrieving embeddings in the backend. The backend acts as an embedding cache. Embeddings can be re-generated by an ai.Embedder.

type EmptyResource

type EmptyResource struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata types.Metadata `json:"metadata"`
}

EmptyResource is used to represent a use case when no resource is specified in the rules matcher

func (*EmptyResource) CheckAndSetDefaults

func (r *EmptyResource) CheckAndSetDefaults() error

func (*EmptyResource) Expiry

func (r *EmptyResource) Expiry() time.Time

Expiry returns the expiry time for the object.

func (*EmptyResource) GetKind

func (r *EmptyResource) GetKind() string

GetKind returns resource kind

func (*EmptyResource) GetMetadata

func (r *EmptyResource) GetMetadata() types.Metadata

GetMetadata returns role metadata.

func (*EmptyResource) GetName

func (r *EmptyResource) GetName() string

GetName gets the role name and is a shortcut for GetMetadata().Name.

func (*EmptyResource) GetResourceID

func (r *EmptyResource) GetResourceID() int64

GetResourceID returns resource ID

func (*EmptyResource) GetRevision

func (r *EmptyResource) GetRevision() string

GetRevision returns the revision

func (*EmptyResource) GetSubKind

func (r *EmptyResource) GetSubKind() string

GetSubKind returns resource sub kind

func (*EmptyResource) GetVersion

func (r *EmptyResource) GetVersion() string

GetVersion returns resource version

func (*EmptyResource) SetExpiry

func (r *EmptyResource) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object.

func (*EmptyResource) SetName

func (r *EmptyResource) SetName(s string)

SetName sets the role name and is a shortcut for SetMetadata().Name.

func (*EmptyResource) SetResourceID

func (r *EmptyResource) SetResourceID(id int64)

SetResourceID sets resource ID

func (*EmptyResource) SetRevision

func (r *EmptyResource) SetRevision(rev string)

SetRevision sets the revision

func (*EmptyResource) SetSubKind

func (r *EmptyResource) SetSubKind(s string)

SetSubKind sets resource subkind

type EnumerationResult

type EnumerationResult struct {
	// contains filtered or unexported fields
}

EnumerationResult is a result of enumerating a role set against some property, e.g. allowed names or logins.

func NewEnumerationResult

func NewEnumerationResult() EnumerationResult

NewEnumerationResult returns new EnumerationResult.

func (*EnumerationResult) Allowed

func (result *EnumerationResult) Allowed() []string

Allowed returns all known allowed entities.

func (*EnumerationResult) Denied

func (result *EnumerationResult) Denied() []string

Denied returns all explicitly denied entities.

func (*EnumerationResult) WildcardAllowed

func (result *EnumerationResult) WildcardAllowed() bool

WildcardAllowed is true if the * entity is allowed for a given rule set.

func (*EnumerationResult) WildcardDenied

func (result *EnumerationResult) WildcardDenied() bool

WildcardDenied is true if the * entity is denied for a given rule set.

type Fanout

type Fanout struct {
	// contains filtered or unexported fields
}

Fanout is a helper which allows a stream of events to be fanned-out to many watchers. Used by the cache layer to forward events.

func NewFanout

func NewFanout(eventsCh ...chan FanoutEvent) *Fanout

NewFanout creates a new Fanout instance in an uninitialized state. Until initialized, watchers will be queued but no events will be sent.

func (*Fanout) Close

func (f *Fanout) Close()

Close permanently closes the fanout. Existing watchers will be closed and no new watchers will be added.

func (*Fanout) Emit

func (f *Fanout) Emit(events ...types.Event)

Emit broadcasts events to all matching watchers that have been attached to this fanout instance.

func (*Fanout) Len

func (f *Fanout) Len() int

Len returns a total count of watchers

func (*Fanout) NewWatcher

func (f *Fanout) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

NewWatcher attaches a new watcher to this fanout instance.

func (*Fanout) Reset

func (f *Fanout) Reset()

Reset closes all attached watchers and places the fanout instance into an uninitialized state. Reset may be called on an uninitialized fanout instance to remove "queued" watchers.

func (*Fanout) SetInit

func (f *Fanout) SetInit(confirmedKinds []types.WatchKind)

SetInit sets Fanout into an initialized state, sending OpInit events to any watchers which were added prior to initialization. Caller must pass a list of resource kinds confirmed by the upstream event source. As a result of this call, each member watcher will also receive a confirmation based on the provided kinds. Some of the watchers might be closed with an error if resource kinds requested by them weren't confirmed by the upstream event source and they didn't enable partial success mode.

type FanoutEvent

type FanoutEvent struct {
	// Kind is event kind
	Kind int
}

FanoutEvent is used in tests

type FanoutV2

type FanoutV2 struct {
	// contains filtered or unexported fields
}

FanoutV2 is a drop-in replacement for Fanout that offers a different set of performance characteristics. It supports variable-size buffers to better accommodate large spikes in event load, but it does so at the cost of higher levels of context-switching since all readers are notified of all events as well as higher baseline memory usage due to relying on a large shared buffer.

func NewFanoutV2

func NewFanoutV2(cfg FanoutV2Config) *FanoutV2

NewFanoutV2 allocates a new fanout instance.

func (*FanoutV2) Close

func (f *FanoutV2) Close() error

func (*FanoutV2) Emit

func (f *FanoutV2) Emit(events ...types.Event)

func (*FanoutV2) NewStream

func (f *FanoutV2) NewStream(ctx context.Context, watch types.Watch) stream.Stream[types.Event]

NewStream gets a new event stream. The provided context will form the basis of the stream's close context. Note that streams *must* be explicitly closed when completed in order to avoid performance issues.

func (*FanoutV2) NewWatcher

func (f *FanoutV2) NewWatcher(ctx context.Context, watch types.Watch) (types.Watcher, error)

func (*FanoutV2) Reset

func (f *FanoutV2) Reset()

func (*FanoutV2) SetInit

func (f *FanoutV2) SetInit(kinds []types.WatchKind)

type FanoutV2Config

type FanoutV2Config struct {
	Capacity    uint64
	GracePeriod time.Duration
	Clock       clockwork.Clock
}

func (*FanoutV2Config) SetDefaults

func (c *FanoutV2Config) SetDefaults()

type GCPServiceAccountMatcher

type GCPServiceAccountMatcher struct {
	// ServiceAccount is a GCP service account to match, e.g. teleport@example-123456.iam.gserviceaccount.com.
	// It can also be a wildcard *, but that is only respected for Deny rules.
	ServiceAccount string
}

GCPServiceAccountMatcher matches a role against GCP service account.

func (*GCPServiceAccountMatcher) Match

func (m *GCPServiceAccountMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches GCP ServiceAccount against provided role and condition.

func (*GCPServiceAccountMatcher) String

func (m *GCPServiceAccountMatcher) String() string

String returns the matcher's string representation.

type GithubAuthConverter

type GithubAuthConverter func(types.GithubConnector) (*types.GithubConnectorV3, error)

GithubAuthConverter converts a GitHub auth connector so it can be sent over gRPC.

type GithubAuthCreator

type GithubAuthCreator func(string, types.GithubConnectorSpecV3) (types.GithubConnector, error)

GithubAuthCreator creates a new GitHub connector.

type GithubAuthInitializer

type GithubAuthInitializer func(types.GithubConnector) (types.GithubConnector, error)

GithubAuthInitializer initializes a GitHub auth connector.

type HeadlessAuthenticationService

type HeadlessAuthenticationService interface {
	// GetHeadlessAuthentication gets a headless authentication.
	GetHeadlessAuthentication(ctx context.Context, username, name string) (*types.HeadlessAuthentication, error)

	// GetHeadlessAuthentications gets all headless authentications.
	GetHeadlessAuthentications(ctx context.Context) ([]*types.HeadlessAuthentication, error)

	// UpsertHeadlessAuthentication upserts a headless authentication.
	UpsertHeadlessAuthentication(ctx context.Context, ha *types.HeadlessAuthentication) error

	// CompareAndSwapHeadlessAuthentication performs a compare
	// and swap replacement on a headless authentication resource.
	CompareAndSwapHeadlessAuthentication(ctx context.Context, old, new *types.HeadlessAuthentication) (*types.HeadlessAuthentication, error)

	// DeleteHeadlessAuthentication deletes a headless authentication from the backend.
	DeleteHeadlessAuthentication(ctx context.Context, username, name string) error

	// DeleteAllHeadlessAuthentications deletes all headless authentications from the backend.
	DeleteAllHeadlessAuthentications(ctx context.Context) error
}

HeadlessAuthenticationService is responsible for headless authentication resource management

type HostCertContext

type HostCertContext struct {
	// HostID is the host ID in the cert request.
	HostID string `json:"host_id"`
	// NodeName is the node name in the cert request.
	NodeName string `json:"node_name"`
	// Principals is the list of requested certificate principals.
	Principals []string `json:"principals"`
	// ClusterName is the name of the cluster for which the certificate should
	// be issued.
	ClusterName string `json:"cluster_name"`
	// Role is the name of the Teleport role for which the cert should be
	// issued.
	Role types.SystemRole `json:"role"`
	// TTL is the requested certificate TTL.
	TTL time.Duration `json:"ttl"`
}

HostCertContext is used to evaluate the `where` condition on a `host_cert` pseudo-resource. These resources only exist for RBAC purposes and do not exist in the database.

type HostCertParams

type HostCertParams struct {
	// CASigner is the signer that will sign the public key of the host with the CA private key.
	CASigner ssh.Signer
	// PublicHostKey is the public key of the host
	PublicHostKey []byte
	// HostID is used by Teleport to uniquely identify a node within a cluster
	HostID string
	// Principals is a list of additional principals to add to the certificate.
	Principals []string
	// NodeName is the DNS name of the node
	NodeName string
	// ClusterName is the name of the cluster within which a node lives
	ClusterName string
	// Role identifies the role of a Teleport instance
	Role types.SystemRole
	// TTL defines how long a certificate is valid for
	TTL time.Duration
}

HostCertParams defines all parameters needed to generate a host certificate

func (HostCertParams) Check

func (c HostCertParams) Check() error

Check checks parameters for errors

type HostUsersInfo

type HostUsersInfo struct {
	// Groups is the list of groups to include host users in
	Groups []string
	// Mode determines if a host user should be deleted after a session
	// ends or not.
	Mode types.CreateHostUserMode
	// UID is the UID that the host user will be created with
	UID string
	// GID is the GID that the host user will be created with
	GID string
}

HostUsersInfo keeps information about groups and sudoers entries for a particular host user

type Identity added in v1.0.0

type Identity interface {
	// CreateUser creates user, only if the user entry does not exist
	CreateUser(ctx context.Context, user types.User) (types.User, error)

	// UsersService implements most methods
	UsersService

	// AddUserLoginAttempt logs user login attempt
	AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error

	// GetUserLoginAttempts returns user login attempts
	GetUserLoginAttempts(user string) ([]LoginAttempt, error)

	// DeleteUserLoginAttempts removes all login attempts of a user. Should be
	// called after successful login.
	DeleteUserLoginAttempts(user string) error

	// GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserByOIDCIdentity(id types.ExternalIdentity) (types.User, error)

	// GetUserBySAMLIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserBySAMLIdentity(id types.ExternalIdentity) (types.User, error)

	// GetUserByGithubIdentity returns a user by its specified Github identity
	GetUserByGithubIdentity(id types.ExternalIdentity) (types.User, error)

	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error

	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)

	// UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again
	// during the 30 second window it's valid.
	UpsertUsedTOTPToken(user string, otpToken string) error

	// GetUsedTOTPToken returns the last successfully used TOTP token.
	GetUsedTOTPToken(user string) (string, error)

	// UpsertPassword upserts new password and OTP token
	UpsertPassword(user string, password []byte) error

	// UpsertWebauthnLocalAuth creates or updates the local auth configuration for
	// Webauthn.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	// Automatically indexes the WebAuthn user ID for lookup by
	// GetTeleportUserByWebauthnID.
	UpsertWebauthnLocalAuth(ctx context.Context, user string, wla *types.WebauthnLocalAuth) error

	// GetWebauthnLocalAuth retrieves the existing local auth configuration for
	// Webauthn, if any.
	// WebauthnLocalAuth is a component of LocalAuthSecrets.
	GetWebauthnLocalAuth(ctx context.Context, user string) (*types.WebauthnLocalAuth, error)

	// GetTeleportUserByWebauthnID reads a Teleport username from a WebAuthn user
	// ID (aka user handle).
	// See UpsertWebauthnLocalAuth and types.WebauthnLocalAuth.
	GetTeleportUserByWebauthnID(ctx context.Context, webID []byte) (string, error)

	// UpsertWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication or
	// registration challenge.
	// Session data is expected to expire according to backend settings.
	UpsertWebauthnSessionData(ctx context.Context, user, sessionID string, sd *wanpb.SessionData) error

	// GetWebauthnSessionData retrieves a previously-stored session data by ID,
	// if it exists and has not expired.
	GetWebauthnSessionData(ctx context.Context, user, sessionID string) (*wanpb.SessionData, error)

	// DeleteWebauthnSessionData deletes session data by ID, if it exists and has
	// not expired.
	DeleteWebauthnSessionData(ctx context.Context, user, sessionID string) error

	// UpsertGlobalWebauthnSessionData creates or updates WebAuthn session data in
	// storage, for the purpose of later verifying an authentication challenge.
	// Session data is expected to expire according to backend settings.
	// Used for passwordless challenges.
	UpsertGlobalWebauthnSessionData(ctx context.Context, scope, id string, sd *wanpb.SessionData) error

	// GetGlobalWebauthnSessionData retrieves previously-stored session data by ID,
	// if it exists and has not expired.
	// Used for passwordless challenges.
	GetGlobalWebauthnSessionData(ctx context.Context, scope, id string) (*wanpb.SessionData, error)

	// DeleteGlobalWebauthnSessionData deletes session data by ID, if it exists
	// and has not expired.
	DeleteGlobalWebauthnSessionData(ctx context.Context, scope, id string) error

	// UpsertMFADevice upserts an MFA device for the user.
	UpsertMFADevice(ctx context.Context, user string, d *types.MFADevice) error

	// GetMFADevices gets all MFA devices for the user.
	GetMFADevices(ctx context.Context, user string, withSecrets bool) ([]*types.MFADevice, error)

	// DeleteMFADevice deletes an MFA device for the user by ID.
	DeleteMFADevice(ctx context.Context, user, id string) error

	// CreateOIDCConnector creates a new OIDC connector.
	CreateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
	// UpdateOIDCConnector updates an existing OIDC connector.
	UpdateOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)
	// UpsertOIDCConnector updates or creates an OIDC connector.
	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) (types.OIDCConnector, error)

	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(ctx context.Context, connectorID string) error

	// GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results
	GetOIDCConnector(ctx context.Context, id string, withSecrets bool) (types.OIDCConnector, error)

	// GetOIDCConnectors returns valid registered connectors, withSecrets adds or removes client secret from return
	// results.  Invalid Connectors are simply logged but errors are not forwarded.
	GetOIDCConnectors(ctx context.Context, withSecrets bool) ([]types.OIDCConnector, error)

	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(ctx context.Context, req types.OIDCAuthRequest, ttl time.Duration) error

	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(ctx context.Context, stateToken string) (*types.OIDCAuthRequest, error)

	// CreateSAMLConnector creates a new SAML connector.
	CreateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
	// UpdateSAMLConnector updates an existing SAML connector
	UpdateSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)
	// UpsertSAMLConnector updates or creates a SAML connector
	UpsertSAMLConnector(ctx context.Context, connector types.SAMLConnector) (types.SAMLConnector, error)

	// DeleteSAMLConnector deletes OIDC Connector
	DeleteSAMLConnector(ctx context.Context, connectorID string) error

	// GetSAMLConnector returns OIDC connector data, withSecrets adds or removes secrets from return results
	GetSAMLConnector(ctx context.Context, id string, withSecrets bool) (types.SAMLConnector, error)

	// GetSAMLConnectors returns valid registered connectors, withSecrets adds or removes secret from return results.
	// Invalid Connectors are simply logged but errors are not forwarded.
	GetSAMLConnectors(ctx context.Context, withSecrets bool) ([]types.SAMLConnector, error)

	// CreateSAMLAuthRequest creates new auth request
	CreateSAMLAuthRequest(ctx context.Context, req types.SAMLAuthRequest, ttl time.Duration) error

	// GetSAMLAuthRequest returns SAML auth request if found
	GetSAMLAuthRequest(ctx context.Context, id string) (*types.SAMLAuthRequest, error)

	// CreateSSODiagnosticInfo creates new SSO diagnostic info record.
	CreateSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string, entry types.SSODiagnosticInfo) error

	// GetSSODiagnosticInfo returns SSO diagnostic info records.
	GetSSODiagnosticInfo(ctx context.Context, authKind string, authRequestID string) (*types.SSODiagnosticInfo, error)

	// CreateGithubConnector creates a new Github connector.
	CreateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
	// UpdateGithubConnector updates an existing Github connector.
	UpdateGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)
	// UpsertGithubConnector creates or updates a Github connector.
	UpsertGithubConnector(ctx context.Context, connector types.GithubConnector) (types.GithubConnector, error)

	// GetGithubConnectors returns valid Github connectors, invalid Connectors are simply logged but errors are not forwarded.
	GetGithubConnectors(ctx context.Context, withSecrets bool) ([]types.GithubConnector, error)

	// GetGithubConnector returns a Github connector by its name
	GetGithubConnector(ctx context.Context, name string, withSecrets bool) (types.GithubConnector, error)

	// DeleteGithubConnector deletes a Github connector by its name
	DeleteGithubConnector(ctx context.Context, name string) error

	// CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow
	CreateGithubAuthRequest(ctx context.Context, req types.GithubAuthRequest) error

	// GetGithubAuthRequest retrieves Github auth request by the token
	GetGithubAuthRequest(ctx context.Context, stateToken string) (*types.GithubAuthRequest, error)

	// CreateUserToken creates a new user token.
	CreateUserToken(ctx context.Context, token types.UserToken) (types.UserToken, error)

	// DeleteUserToken deletes a user token.
	DeleteUserToken(ctx context.Context, tokenID string) error

	// GetUserTokens returns all user tokens.
	GetUserTokens(ctx context.Context) ([]types.UserToken, error)

	// GetUserToken returns a user token by id.
	GetUserToken(ctx context.Context, tokenID string) (types.UserToken, error)

	// UpsertUserTokenSecrets upserts a user token secrets.
	UpsertUserTokenSecrets(ctx context.Context, secrets types.UserTokenSecrets) error

	// GetUserTokenSecrets returns a user token secrets.
	GetUserTokenSecrets(ctx context.Context, tokenID string) (types.UserTokenSecrets, error)

	// UpsertRecoveryCodes upserts a user's new recovery codes.
	UpsertRecoveryCodes(ctx context.Context, user string, recovery *types.RecoveryCodesV1) error

	// GetRecoveryCodes gets a user's recovery codes.
	GetRecoveryCodes(ctx context.Context, user string, withSecrets bool) (*types.RecoveryCodesV1, error)

	// CreateUserRecoveryAttempt logs user recovery attempt.
	CreateUserRecoveryAttempt(ctx context.Context, user string, attempt *types.RecoveryAttempt) error

	// GetUserRecoveryAttempts returns user recovery attempts sorted by oldest to latest time.
	GetUserRecoveryAttempts(ctx context.Context, user string) ([]*types.RecoveryAttempt, error)

	// DeleteUserRecoveryAttempts removes all recovery attempts of a user.
	DeleteUserRecoveryAttempts(ctx context.Context, user string) error

	// UpsertKeyAttestationData upserts a verified public key attestation response.
	UpsertKeyAttestationData(ctx context.Context, attestationData *keys.AttestationData, ttl time.Duration) error

	// GetKeyAttestationData gets a verified public key attestation response.
	GetKeyAttestationData(ctx context.Context, publicKey crypto.PublicKey) (*keys.AttestationData, error)

	HeadlessAuthenticationService

	types.WebSessionsGetter
	types.WebTokensGetter

	// AppSession defines application session features.
	AppSession
	// SnowflakeSession defines Snowflake session features.
	SnowflakeSession
	// SAMLIdPSession defines SAML IdP session features.
	SAMLIdPSession
}

Identity is responsible for managing user entries and external identities

type ImplicitAccessListError

type ImplicitAccessListError struct{}

ImplicitAccessListError indicates that an operation that only makes sense for AccessLists with an explicit Member list has been attempted on an implicit- membership AccessList

func (ImplicitAccessListError) Error

Error implements the `error` interface for ImplicitAccessListError

type Integrations

type Integrations interface {
	IntegrationsGetter
	// CreateIntegration creates a new integration resource.
	CreateIntegration(context.Context, types.Integration) (types.Integration, error)
	// UpdateIntegration updates an existing integration resource.
	UpdateIntegration(context.Context, types.Integration) (types.Integration, error)
	// DeleteIntegration removes the specified integration resource.
	DeleteIntegration(ctx context.Context, name string) error
	// DeleteAllIntegrations removes all integrations.
	DeleteAllIntegrations(context.Context) error
}

Integrations defines an interface for managing Integrations.

type IntegrationsGetter

type IntegrationsGetter interface {
	// ListIntegrations returns a paginated list of all integration resources.
	ListIntegrations(ctx context.Context, pageSize int, nextToken string) ([]types.Integration, string, error)
	// GetIntegration returns the specified integration resources.
	GetIntegration(ctx context.Context, name string) (types.Integration, error)
}

IntegrationsGetter defines methods for List/Read operations on Integration Resources.

type IntegrationsTokenGenerator

type IntegrationsTokenGenerator interface {
	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
	GenerateAWSOIDCToken(ctx context.Context, req types.GenerateAWSOIDCTokenRequest) (string, error)
}

IntegrationsTokenGenerator defines methods to generate tokens for Integrations.

type Inventory

type Inventory interface {
	// GetInstances iterates the full teleport server inventory.
	GetInstances(ctx context.Context, req types.InstanceFilter) stream.Stream[types.Instance]
}

Inventory is a subset of Presence dedicated to tracking the status of all teleport instances independent of any specific service.

NOTE: the instance resource scales linearly with cluster size and is not cached in a traditional manner. as such, it is should not be accessed as part of the "hot path" of any normal request.

type InventoryInternal

type InventoryInternal interface {
	Inventory

	// UpsertInstance creates or updates an instance resource.
	UpsertInstance(ctx context.Context, instance types.Instance) error
}

InventoryInternal is a subset of the PresenceInternal interface that extends inventory functionality with auth-specific internal methods.

type KubeClusterWatcher

type KubeClusterWatcher struct {
	// contains filtered or unexported fields
}

KubeClusterWatcher is built on top of resourceWatcher to monitor kube_cluster resources.

func NewKubeClusterWatcher

func NewKubeClusterWatcher(ctx context.Context, cfg KubeClusterWatcherConfig) (*KubeClusterWatcher, error)

NewKubeClusterWatcher returns a new instance of KubeClusterWatcher.

func (KubeClusterWatcher) Close

func (p KubeClusterWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (KubeClusterWatcher) Done

func (p KubeClusterWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (KubeClusterWatcher) IsInitialized

func (p KubeClusterWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (KubeClusterWatcher) WaitInitialization

func (p KubeClusterWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type KubeClusterWatcherConfig

type KubeClusterWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// KubernetesGetter is responsible for fetching kube_cluster resources.
	KubernetesClusterGetter
	// KubeClustersC receives up-to-date list of all kube_cluster resources.
	KubeClustersC chan types.KubeClusters
}

KubeClusterWatcherConfig is an KubeClusterWatcher configuration.

func (*KubeClusterWatcherConfig) CheckAndSetDefaults

func (cfg *KubeClusterWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type KubeResourcesMatcher

type KubeResourcesMatcher struct {
	// contains filtered or unexported fields
}

KubeResourcesMatcher matches a role against any Kubernetes Resource specified. It also keeps track of the resources that did not match any of user's roles and that shouldn't be included in the resource ids because the user is not allowed to request them.

func NewKubeResourcesMatcher

func NewKubeResourcesMatcher(resources []types.KubernetesResource) *KubeResourcesMatcher

NewKubeResourcesMatcher creates a new KubeResourcesMatcher matcher that matches a role against any Kubernetes Resource specified. It also keeps track of the resources that did not match any of user's roles and that shouldn't be included in the resource ids because the user is not allowed to request them.

func (*KubeResourcesMatcher) Match

func (m *KubeResourcesMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches a Kubernetes resource against provided role and condition.

func (*KubeResourcesMatcher) String

func (m *KubeResourcesMatcher) String() string

String returns the matcher's string representation.

func (*KubeResourcesMatcher) Unmatched

func (m *KubeResourcesMatcher) Unmatched() []string

Unmatched returns the Kubernetes Resource request access that that didn't match with any `search_as_roles` kubernetes resources.

type KubeServerWatcher

type KubeServerWatcher struct {
	// contains filtered or unexported fields
}

KubeServerWatcher is built on top of resourceWatcher to monitor kube_server resources.

func NewKubeServerWatcher

func NewKubeServerWatcher(ctx context.Context, cfg KubeServerWatcherConfig) (*KubeServerWatcher, error)

NewKubeServerWatcher returns a new instance of KubeServerWatcher.

func (KubeServerWatcher) Close

func (p KubeServerWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (KubeServerWatcher) Done

func (p KubeServerWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (*KubeServerWatcher) GetKubeServersByClusterName

func (k *KubeServerWatcher) GetKubeServersByClusterName(ctx context.Context, clusterName string) ([]types.KubeServer, error)

GetKubeServersByClusterName returns a list of kubernetes servers for the specified cluster.

func (*KubeServerWatcher) GetKubernetesServers

func (k *KubeServerWatcher) GetKubernetesServers(ctx context.Context) ([]types.KubeServer, error)

GetKubernetesServers returns a list of kubernetes servers for all clusters.

func (KubeServerWatcher) IsInitialized

func (p KubeServerWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (KubeServerWatcher) WaitInitialization

func (p KubeServerWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type KubeServerWatcherConfig

type KubeServerWatcherConfig struct {
	// ResourceWatcherConfig is the resource watcher configuration.
	ResourceWatcherConfig
	// KubernetesServerGetter is responsible for fetching kube_server resources.
	KubernetesServerGetter
}

KubeServerWatcherConfig is an KubeServerWatcher configuration.

func (*KubeServerWatcherConfig) CheckAndSetDefaults

func (cfg *KubeServerWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Kubernetes

type Kubernetes interface {
	// KubernetesGetter provides methods for fetching kubernetes resources.
	KubernetesClusterGetter
	// CreateKubernetesCluster creates a new kubernetes cluster resource.
	CreateKubernetesCluster(context.Context, types.KubeCluster) error
	// UpdateKubernetesCluster updates an existing kubernetes cluster resource.
	UpdateKubernetesCluster(context.Context, types.KubeCluster) error
	// DeleteKubernetesCluster removes the specified kubernetes cluster resource.
	DeleteKubernetesCluster(ctx context.Context, name string) error
	// DeleteAllKubernetesClusters removes all kubernetes resources.
	DeleteAllKubernetesClusters(context.Context) error
}

Kubernetes defines an interface for managing kubernetes clusters resources.

type KubernetesClusterGetter

type KubernetesClusterGetter interface {
	// GetKubernetesClusters returns all kubernetes cluster resources.
	GetKubernetesClusters(context.Context) ([]types.KubeCluster, error)
	// GetKubernetesCluster returns the specified kubernetes cluster resource.
	GetKubernetesCluster(ctx context.Context, name string) (types.KubeCluster, error)
}

KubernetesClusterGetter defines interface for fetching kubernetes cluster resources.

type KubernetesResourceMatcher

type KubernetesResourceMatcher struct {
	// contains filtered or unexported fields
}

KubernetesResourceMatcher matches a role against a Kubernetes Resource. Kind is must be stricly equal but namespace and name allow wildcards.

func NewKubernetesResourceMatcher

func NewKubernetesResourceMatcher(resource types.KubernetesResource) *KubernetesResourceMatcher

NewKubernetesResourceMatcher creates a KubernetesResourceMatcher that checks whether the role's KubeResources match the specified condition.

func (*KubernetesResourceMatcher) Match

func (m *KubernetesResourceMatcher) Match(role types.Role, condition types.RoleConditionType) (bool, error)

Match matches a Kubernetes Resource against provided role and condition.

func (*KubernetesResourceMatcher) String

func (m *KubernetesResourceMatcher) String() string

String returns the matcher's string representation.

type KubernetesServerGetter

type KubernetesServerGetter interface {
	// GetKubernetesServers returns all kubernetes server resources.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)
}

KubernetesServerGetter defines interface for fetching kubernetes server resources.

type LabelGetter

type LabelGetter interface {
	GetLabel(key string) (value string, ok bool)
	GetAllLabels() map[string]string
}

LabelGetter allows retrieving a particular label by name or retreiving all labels at once. Prefer to use GetLabel when possible to avoid unnecessary copies.

type LockGetter

type LockGetter interface {
	// GetLock gets a lock by name.
	GetLock(ctx context.Context, name string) (types.Lock, error)
	// GetLocks gets all/in-force locks that match at least one of the targets when specified.
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
}

LockGetter is a service that gets locks.

type LockWatcher

type LockWatcher struct {
	// contains filtered or unexported fields
}

LockWatcher is built on top of resourceWatcher to monitor changes to locks.

func NewLockWatcher

func NewLockWatcher(ctx context.Context, cfg LockWatcherConfig) (*LockWatcher, error)

NewLockWatcher returns a new instance of LockWatcher.

func (LockWatcher) CheckLockInForce

func (p LockWatcher) CheckLockInForce(mode constants.LockingMode, targets ...types.LockTarget) error

CheckLockInForce returns an AccessDenied error if there is a lock in force matching at least one of the targets.

func (LockWatcher) Close

func (p LockWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (LockWatcher) Done

func (p LockWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (LockWatcher) GetCurrent

func (p LockWatcher) GetCurrent() []types.Lock

GetCurrent returns the currently stored locks.

func (LockWatcher) IsInitialized

func (p LockWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (LockWatcher) IsStale

func (p LockWatcher) IsStale() bool

IsStale is used to check whether the lock watcher is stale. Used in tests.

func (LockWatcher) Subscribe

func (p LockWatcher) Subscribe(ctx context.Context, targets ...types.LockTarget) (types.Watcher, error)

Subscribe is used to subscribe to the lock updates.

func (LockWatcher) WaitInitialization

func (p LockWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type LockWatcherConfig

type LockWatcherConfig struct {
	ResourceWatcherConfig
	LockGetter
}

LockWatcherConfig is a LockWatcher configuration.

func (*LockWatcherConfig) CheckAndSetDefaults

func (cfg *LockWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type LogAction

type LogAction struct {
	// contains filtered or unexported fields
}

LogAction represents action that will emit log entry when specified in the actions of a matched rule

func (*LogAction) Log

func (l *LogAction) Log(level, format string, args ...interface{}) predicate.BoolPredicate

Log logs with specified level and formatting string with arguments

type LoginAttempt

type LoginAttempt struct {
	// Time is time of the attempt
	Time time.Time `json:"time"`
	// Success indicates whether attempt was successful
	Success bool `json:"bool"`
}

LoginAttempt represents successful or unsuccessful attempt for user to login

func (*LoginAttempt) Check

func (la *LoginAttempt) Check() error

Check checks parameters

type MFARequired

type MFARequired string

MFARequired determines when MFA is required for a user to access a resource.

const (
	// MFARequiredNever means that MFA is never required for any sessions started by this user. This either
	// means both the cluster auth preference and all roles have per-session MFA off, or at least one of
	// those resources has "require_session_mfa: hardware_key_touch", which overrides per-session MFA.
	MFARequiredNever MFARequired = "never"
	// MFARequiredAlways means that MFA is required for all sessions started by a user. This either
	// means that the cluster auth preference requires per-session MFA, or all of the user's roles require
	// per-session MFA
	MFARequiredAlways MFARequired = "always"
	// MFARequiredPerRole means that MFA requirement is based on which of the user's roles
	// provides access to the session in question.
	MFARequiredPerRole MFARequired = "per-role"
)

type MarshalConfig

type MarshalConfig struct {
	// Version specifies a particular version we should marshal resources with
	Version string

	// ID is a record ID to assign
	ID int64

	// Revision of the resource to assign.
	Revision string

	// PreserveResourceID preserves resource IDs in resource
	// specs when marshaling
	PreserveResourceID bool

	// Expires is an optional expiry time
	Expires time.Time
}

MarshalConfig specifies marshaling options

func CollectOptions

func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)

CollectOptions collects all options from functional arg and returns config

func (*MarshalConfig) GetVersion

func (m *MarshalConfig) GetVersion() string

GetVersion returns explicitly provided version or sets latest as default

type MarshalOption

type MarshalOption func(c *MarshalConfig) error

MarshalOption sets marshaling option

func AddOptions

func AddOptions(opts []MarshalOption, add ...MarshalOption) []MarshalOption

AddOptions adds marshal options and returns a new copy

func PreserveResourceID

func PreserveResourceID() MarshalOption

PreserveResourceID preserves resource ID when marshaling value

func WithExpires

func WithExpires(expires time.Time) MarshalOption

WithExpires assigns expiry value

func WithResourceID

func WithResourceID(id int64) MarshalOption

WithResourceID assigns ID to the resource

func WithRevision

func WithRevision(rev string) MarshalOption

WithRevision assigns Revision to the resource

func WithVersion

func WithVersion(v string) MarshalOption

WithVersion sets marshal version

type MatchResourceFilter

type MatchResourceFilter struct {
	// ResourceKind is the resource kind and is used to fine tune the filtering.
	ResourceKind string
	// Labels are the labels to match.
	Labels map[string]string
	// SearchKeywords is a list of search keywords to match.
	SearchKeywords []string
	// PredicateExpression holds boolean conditions that must be matched.
	PredicateExpression string
	// Kinds is a list of resourceKinds to be used when doing a unified resource query.
	// It will filter out any kind not present in the list. If the list is not present or empty
	// then all kinds are valid and will be returned (still subject to other included filters)
	Kinds []string
}

MatchResourceFilter holds the filter values to match against a resource.

func (*MatchResourceFilter) IsSimple

func (m *MatchResourceFilter) IsSimple() bool

IsSimple is used to short-circuit matching when a filter doesn't specify anything more specific than resource kind.

type Matcher

type Matcher[T any] func(T) bool

Matcher is used by reconciler to match resources.

type Node

type Node interface {
	// ResourceWithLabels provides common resource headers
	types.ResourceWithLabels
	// GetTeleportVersion returns the teleport version the server is running on
	GetTeleportVersion() string
	// GetAddr return server address
	GetAddr() string
	// GetHostname returns server hostname
	GetHostname() string
	// GetNamespace returns server namespace
	GetNamespace() string
	// GetCmdLabels gets command labels
	GetCmdLabels() map[string]types.CommandLabel
	// GetRotation gets the state of certificate authority rotation.
	GetRotation() types.Rotation
	// GetUseTunnel gets if a reverse tunnel should be used to connect to this node.
	GetUseTunnel() bool
	// GetProxyID returns a list of proxy ids this server is connected to.
	GetProxyIDs() []string
}

Node is a readonly subset of the types.Server interface which users may filter by in GetNodes.

type NodeWatcher

type NodeWatcher struct {
	// contains filtered or unexported fields
}

NodeWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of nodes.

func NewNodeWatcher

func NewNodeWatcher(ctx context.Context, cfg NodeWatcherConfig) (*NodeWatcher, error)

NewNodeWatcher returns a new instance of NodeWatcher.

func (NodeWatcher) Close

func (p NodeWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (NodeWatcher) Done

func (p NodeWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (NodeWatcher) GetNodes

func (n NodeWatcher) GetNodes(ctx context.Context, fn func(n Node) bool) []types.Server

GetNodes allows callers to retrieve a subset of nodes that match the filter provided. The returned servers are a copy and can be safely modified. It is intentionally hard to retrieve the full set of nodes to reduce the number of copies needed since the number of nodes can get quite large and doing so can be expensive.

func (NodeWatcher) IsInitialized

func (p NodeWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (NodeWatcher) NodeCount

func (n NodeWatcher) NodeCount() int

func (NodeWatcher) WaitInitialization

func (p NodeWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type NodeWatcherConfig

type NodeWatcherConfig struct {
	ResourceWatcherConfig
	// NodesGetter is used to directly fetch the list of active nodes.
	NodesGetter
}

NodeWatcherConfig is a NodeWatcher configuration.

func (*NodeWatcherConfig) CheckAndSetDefaults

func (cfg *NodeWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type NodesGetter

type NodesGetter interface {
	// GetNodes returns a list of registered servers.
	GetNodes(ctx context.Context, namespace string) ([]types.Server, error)
}

NodesGetter is a service that gets nodes.

type NodesStreamGetter

type NodesStreamGetter interface {
	// GetNodeStream returns a list of registered servers.
	GetNodeStream(ctx context.Context, namespace string) stream.Stream[types.Server]
}

NodesStreamGetter is a service that gets nodes.

type Okta

type Okta interface {
	OktaImportRules
	OktaAssignments
}

Okta is an Okta interface for both the rules and assignments.

type OktaAssignmentWatcher

type OktaAssignmentWatcher struct {
	// contains filtered or unexported fields
}

OktaAssignmentWatcher is built on top of resourceWatcher to monitor Okta assignment resources.

func NewOktaAssignmentWatcher

func NewOktaAssignmentWatcher(ctx context.Context, cfg OktaAssignmentWatcherConfig) (*OktaAssignmentWatcher, error)

NewOktaAssignmentWatcher returns a new instance of OktaAssignmentWatcher. The context here will be used to exit early from the resource watcher if needed.

func (*OktaAssignmentWatcher) Close

func (o *OktaAssignmentWatcher) Close()

Close closes the underlying resource watcher

func (*OktaAssignmentWatcher) CollectorChan

func (o *OktaAssignmentWatcher) CollectorChan() chan types.OktaAssignments

CollectorChan is the channel that collects the Okta assignments.

func (*OktaAssignmentWatcher) Done

func (o *OktaAssignmentWatcher) Done() <-chan struct{}

Done returns the channel that signals watcher closer.

type OktaAssignmentWatcherConfig

type OktaAssignmentWatcherConfig struct {
	// RWCfg is the resource watcher configuration.
	RWCfg ResourceWatcherConfig
	// OktaAssignments is responsible for fetching Okta assignments.
	OktaAssignments OktaAssignmentsGetter
	// PageSize is the number of Okta assignments to list at a time.
	PageSize int
	// OktaAssignmentsC receives up-to-date list of all Okta assignment resources.
	OktaAssignmentsC chan types.OktaAssignments
}

OktaAssignmentWatcherConfig is a OktaAssignmentWatcher configuration.

func (*OktaAssignmentWatcherConfig) CheckAndSetDefaults

func (cfg *OktaAssignmentWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type OktaAssignments

type OktaAssignments interface {
	OktaAssignmentsGetter

	// CreateOktaAssignment creates a new Okta assignment resource.
	CreateOktaAssignment(context.Context, types.OktaAssignment) (types.OktaAssignment, error)
	// UpdateOktaAssignment updates an existing Okta assignment resource.
	UpdateOktaAssignment(context.Context, types.OktaAssignment) (types.OktaAssignment, error)
	// UpdateOktaAssignmentStatus will update the status for an Okta assignment if the given time has passed
	// since the last transition.
	UpdateOktaAssignmentStatus(ctx context.Context, name, status string, timeHasPassed time.Duration) error
	// DeleteOktaAssignment removes the specified Okta assignment resource.
	DeleteOktaAssignment(ctx context.Context, name string) error
	// DeleteAllOktaAssignments removes all Okta assignments.
	DeleteAllOktaAssignments(context.Context) error
}

OktaAssignments defines an interface for managing OktaAssignments.

type OktaAssignmentsGetter

type OktaAssignmentsGetter interface {
	// ListOktaAssignments returns a paginated list of all Okta assignment resources.
	ListOktaAssignments(context.Context, int, string) ([]types.OktaAssignment, string, error)
	// GetOktaAssignment returns the specified Okta assignment resources.
	GetOktaAssignment(ctx context.Context, name string) (types.OktaAssignment, error)
}

OktaAssignmentsGetter defines an interface for reading OktaAssignments.

type OktaImportRules

type OktaImportRules interface {
	// ListOktaImportRules returns a paginated list of all Okta import rule resources.
	ListOktaImportRules(context.Context, int, string) ([]types.OktaImportRule, string, error)
	// GetOktaImportRule returns the specified Okta import rule resources.
	GetOktaImportRule(ctx context.Context, name string) (types.OktaImportRule, error)
	// CreateOktaImportRule creates a new Okta import rule resource.
	CreateOktaImportRule(context.Context, types.OktaImportRule) (types.OktaImportRule, error)
	// UpdateOktaImportRule updates an existing Okta import rule resource.
	UpdateOktaImportRule(context.Context, types.OktaImportRule) (types.OktaImportRule, error)
	// DeleteOktaImportRule removes the specified Okta import rule resource.
	DeleteOktaImportRule(ctx context.Context, name string) error
	// DeleteAllOktaImportRules removes all Okta import rules.
	DeleteAllOktaImportRules(context.Context) error
}

OktaImportRules defines an interface for managing OktaImportRules.

type PluginData

type PluginData interface {
	PluginDataGetter

	// UpdatePluginData updates a per-resource PluginData entry.
	UpdatePluginData(ctx context.Context, params types.PluginDataUpdateParams) error
}

PluginData defines the interface for managing plugin data.

type PluginDataGetter

type PluginDataGetter interface {
	// GetPluginData loads all plugin data matching the supplied filter.
	GetPluginData(ctx context.Context, filter types.PluginDataFilter) ([]types.PluginData, error)
}

PluginDataGetter defines the interface for getting plugin data.

type PluginStaticCredentials

type PluginStaticCredentials interface {
	// CreatePluginStaticCredentials will create a new plugin static credentials resource.
	CreatePluginStaticCredentials(ctx context.Context, pluginStaticCredentials types.PluginStaticCredentials) error

	// GetPluginStaticCredentials will get a plugin static credentials resource by name.
	GetPluginStaticCredentials(ctx context.Context, name string) (types.PluginStaticCredentials, error)

	// GetPluginStaticCredentialsByLabels will get a list of plugin static credentials resource by matching labels.
	GetPluginStaticCredentialsByLabels(ctx context.Context, labels map[string]string) ([]types.PluginStaticCredentials, error)

	// DeletePluginStaticCredentials will delete a plugin static credentials resource.
	DeletePluginStaticCredentials(ctx context.Context, name string) error
}

PluginStaticCredentials is the plugin static credentials service

type Plugins

type Plugins interface {
	CreatePlugin(ctx context.Context, plugin types.Plugin) error
	DeleteAllPlugins(ctx context.Context) error
	DeletePlugin(ctx context.Context, name string) error
	GetPlugin(ctx context.Context, name string, withSecrets bool) (types.Plugin, error)
	GetPlugins(ctx context.Context, withSecrets bool) ([]types.Plugin, error)
	ListPlugins(ctx context.Context, limit int, startKey string, withSecrets bool) ([]types.Plugin, string, error)
	HasPluginType(ctx context.Context, pluginType types.PluginType) (bool, error)
	SetPluginCredentials(ctx context.Context, name string, creds types.PluginCredentials) error
	SetPluginStatus(ctx context.Context, name string, creds types.PluginStatus) error
}

Plugins is the plugin service

type Presence added in v1.0.0

type Presence interface {
	// Inventory is a subset of Presence dedicated to tracking the status of all
	// teleport instances independent of any specific service.
	Inventory

	// Semaphores is responsible for semaphore handling
	types.Semaphores

	// GetNode returns a node by name and namespace.
	GetNode(ctx context.Context, namespace, name string) (types.Server, error)

	// NodesGetter gets nodes
	NodesGetter

	// DeleteAllNodes deletes all nodes in a namespace.
	DeleteAllNodes(ctx context.Context, namespace string) error

	// DeleteNode deletes node in a namespace
	DeleteNode(ctx context.Context, namespace, name string) error

	// UpsertNode registers node presence, permanently if TTL is 0 or for the
	// specified duration with second resolution if it's >= 1 second.
	UpsertNode(ctx context.Context, server types.Server) (*types.KeepAlive, error)

	// GetAuthServers returns a list of registered servers
	GetAuthServers() ([]types.Server, error)

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(ctx context.Context, server types.Server) error

	// DeleteAuthServer deletes auth server by name
	DeleteAuthServer(name string) error

	// DeleteAllAuthServers deletes all auth servers
	DeleteAllAuthServers() error

	// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(ctx context.Context, server types.Server) error

	// ProxyGetter gets a list of proxies
	ProxyGetter

	// DeleteProxy deletes proxy by name
	DeleteProxy(ctx context.Context, name string) error

	// DeleteAllProxies deletes all proxies
	DeleteAllProxies() error

	// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
	UpsertReverseTunnel(tunnel types.ReverseTunnel) error

	// GetReverseTunnel returns reverse tunnel by name
	GetReverseTunnel(name string, opts ...MarshalOption) (types.ReverseTunnel, error)

	// GetReverseTunnels returns a list of registered servers
	GetReverseTunnels(ctx context.Context, opts ...MarshalOption) ([]types.ReverseTunnel, error)

	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
	DeleteReverseTunnel(domainName string) error

	// DeleteAllReverseTunnels deletes all reverse tunnels
	DeleteAllReverseTunnels() error

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]types.Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*types.Namespace, error)

	// DeleteAllNamespaces deletes all namespaces
	DeleteAllNamespaces() error

	// UpsertNamespace upserts namespace
	UpsertNamespace(types.Namespace) error

	// DeleteNamespace deletes namespace by name
	DeleteNamespace(name string) error

	// GetServerInfos returns a stream of ServerInfos.
	GetServerInfos(ctx context.Context) stream.Stream[types.ServerInfo]

	// GetServerInfo returns a ServerInfo by name.
	GetServerInfo(ctx context.Context, name string) (types.ServerInfo, error)

	// UpsertServerInfo upserts a ServerInfo.
	UpsertServerInfo(ctx context.Context, si types.ServerInfo) error

	// DeleteServerInfo deletes a ServerInfo by name.
	DeleteServerInfo(ctx context.Context, name string) error

	// DeleteAllServerInfos deletes all ServerInfos.
	DeleteAllServerInfos(ctx context.Context) error

	// UpsertTrustedCluster creates or updates a TrustedCluster in the backend.
	UpsertTrustedCluster(ctx context.Context, tc types.TrustedCluster) (types.TrustedCluster, error)

	// GetTrustedCluster returns a single TrustedCluster by name.
	GetTrustedCluster(ctx context.Context, name string) (types.TrustedCluster, error)

	// GetTrustedClusters returns all TrustedClusters in the backend.
	GetTrustedClusters(ctx context.Context) ([]types.TrustedCluster, error)

	// DeleteTrustedCluster removes a TrustedCluster from the backend by name.
	DeleteTrustedCluster(ctx context.Context, name string) error

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(types.TunnelConnection) error

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]types.TunnelConnection, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...MarshalOption) ([]types.TunnelConnection, error)

	// DeleteTunnelConnection deletes tunnel connection by name
	DeleteTunnelConnection(clusterName string, connName string) error

	// DeleteTunnelConnections deletes all tunnel connections for cluster
	DeleteTunnelConnections(clusterName string) error

	// DeleteAllTunnelConnections deletes all tunnel connections for cluster
	DeleteAllTunnelConnections() error

	// CreateRemoteCluster creates a remote cluster
	CreateRemoteCluster(types.RemoteCluster) error

	// UpdateRemoteCluster updates a remote cluster
	UpdateRemoteCluster(ctx context.Context, rc types.RemoteCluster) error

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...MarshalOption) ([]types.RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (types.RemoteCluster, error)

	// DeleteRemoteCluster deletes remote cluster by name
	DeleteRemoteCluster(ctx context.Context, clusterName string) error

	// DeleteAllRemoteClusters deletes all remote clusters
	DeleteAllRemoteClusters() error

	// GetApplicationServers returns all registered application servers.
	GetApplicationServers(context.Context, string) ([]types.AppServer, error)
	// UpsertApplicationServer registers an application server.
	UpsertApplicationServer(context.Context, types.AppServer) (*types.KeepAlive, error)
	// DeleteApplicationServer deletes specified application server.
	DeleteApplicationServer(ctx context.Context, namespace, hostID, name string) error
	// DeleteAllApplicationServers removes all registered application servers.
	DeleteAllApplicationServers(context.Context, string) error

	// GetDatabaseServers returns all registered database proxy servers.
	GetDatabaseServers(context.Context, string, ...MarshalOption) ([]types.DatabaseServer, error)
	// UpsertDatabaseServer creates or updates a new database proxy server.
	UpsertDatabaseServer(context.Context, types.DatabaseServer) (*types.KeepAlive, error)
	// DeleteDatabaseServer removes the specified database proxy server.
	DeleteDatabaseServer(ctx context.Context, namespace, hostID, name string) error
	// DeleteAllDatabaseServers removes all database proxy servers.
	DeleteAllDatabaseServers(context.Context, string) error

	// KeepAliveServer updates TTL of the server resource in the backend.
	KeepAliveServer(ctx context.Context, h types.KeepAlive) error

	// GetKubernetesServers returns a list of registered kubernetes servers.
	GetKubernetesServers(context.Context) ([]types.KubeServer, error)

	// DeleteKubernetesServer deletes a named kubernetes servers.
	DeleteKubernetesServer(ctx context.Context, hostID, name string) error

	// DeleteAllKubernetesServers deletes all registered kubernetes servers.
	DeleteAllKubernetesServers(context.Context) error

	// UpsertKubernetesServer registers an kubernetes server.
	UpsertKubernetesServer(context.Context, types.KubeServer) (*types.KeepAlive, error)

	// GetWindowsDesktopServices returns all registered Windows desktop services.
	GetWindowsDesktopServices(context.Context) ([]types.WindowsDesktopService, error)
	// GetWindowsDesktopService returns a Windows desktop service by name
	GetWindowsDesktopService(ctx context.Context, name string) (types.WindowsDesktopService, error)
	// UpsertWindowsDesktopService creates or updates a new Windows desktop service.
	UpsertWindowsDesktopService(context.Context, types.WindowsDesktopService) (*types.KeepAlive, error)
	// DeleteWindowsDesktopService removes the specified Windows desktop service.
	DeleteWindowsDesktopService(ctx context.Context, name string) error
	// DeleteAllWindowsDesktopServices removes all Windows desktop services.
	DeleteAllWindowsDesktopServices(context.Context) error

	// ListResources returns a paginated list of resources.
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)
}

Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

type PresenceInternal

type PresenceInternal interface {
	Presence
	InventoryInternal
}

PresenceInternal extends the Presence interface with auth-specific internal methods.

type Provisioner added in v1.0.0

type Provisioner interface {
	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(ctx context.Context, token types.ProvisionToken) error

	// CreateToken adds provisioning tokens for the auth server
	CreateToken(ctx context.Context, token types.ProvisionToken) error

	// GetToken finds and returns token by id
	GetToken(ctx context.Context, token string) (types.ProvisionToken, error)

	// DeleteToken deletes provisioning token
	// Imlementations must guarantee that this returns trace.NotFound error if the token doesn't exist
	DeleteToken(ctx context.Context, token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// GetTokens returns all non-expired tokens
	GetTokens(ctx context.Context) ([]types.ProvisionToken, error)
}

Provisioner governs adding new nodes to the cluster

type ProxyGetter

type ProxyGetter interface {
	// GetProxies returns a list of registered proxies.
	GetProxies() ([]types.Server, error)
}

ProxyGetter is a service that gets proxies.

type ProxyWatcher

type ProxyWatcher struct {
	// contains filtered or unexported fields
}

ProxyWatcher is built on top of resourceWatcher to monitor additions and deletions to the set of proxies.

func NewProxyWatcher

func NewProxyWatcher(ctx context.Context, cfg ProxyWatcherConfig) (*ProxyWatcher, error)

NewProxyWatcher returns a new instance of ProxyWatcher.

func (ProxyWatcher) Close

func (p ProxyWatcher) Close()

Close closes the resource watcher and cancels all the functions.

func (ProxyWatcher) Done

func (p ProxyWatcher) Done() <-chan struct{}

Done returns a channel that signals resource watcher closure.

func (ProxyWatcher) GetCurrent

func (p ProxyWatcher) GetCurrent() []types.Server

GetCurrent returns the currently stored proxies.

func (ProxyWatcher) IsInitialized

func (p ProxyWatcher) IsInitialized() bool

IsInitialized is a non-blocking way to check if resource watcher is already initialized.

func (ProxyWatcher) WaitInitialization

func (p ProxyWatcher) WaitInitialization() error

WaitInitialization blocks until resource watcher is fully initialized with the resources presented in auth server.

type ProxyWatcherConfig

type ProxyWatcherConfig struct {
	ResourceWatcherConfig
	// ProxyGetter is used to directly fetch the list of active proxies.
	ProxyGetter
	// ProxyDiffer is used to decide whether a put operation on an existing proxy should
	// trigger a event.
	ProxyDiffer func(old, new types.Server) bool
	// ProxiesC is a channel used to report the current proxy set. It receives
	// a fresh list at startup and subsequently a list of all known proxies
	// whenever an addition or deletion is detected.
	ProxiesC chan []types.Server
}

ProxyWatcherConfig is a ProxyWatcher configuration.

func (*ProxyWatcherConfig) CheckAndSetDefaults

func (cfg *ProxyWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type RDSEndpointType

type RDSEndpointType string

RDSEndpointType specifies the endpoint type for RDS clusters.

const (
	// RDSEndpointTypePrimary is the endpoint that specifies the connection for the primary instance of the RDS cluster.
	RDSEndpointTypePrimary RDSEndpointType = "primary"
	// RDSEndpointTypeReader is the endpoint that load-balances connections across the Aurora Replicas that are
	// available in an RDS cluster.
	RDSEndpointTypeReader RDSEndpointType = "reader"
	// RDSEndpointTypeCustom is the endpoint that specifies one of the custom endpoints associated with the RDS cluster.
	RDSEndpointTypeCustom RDSEndpointType = "custom"
	// RDSEndpointTypeInstance is the endpoint of an RDS DB instance.
	RDSEndpointTypeInstance RDSEndpointType = "instance"
)

type Reconciled

type Reconciled interface {
	GetName() string
}

Reconciled holds the common information required by any subject of the Reconciler.

type Reconciler

type Reconciler[T Reconciled] struct {
	// contains filtered or unexported fields
}

Reconciler reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.

It's used in combination with watchers by agents (app, database, desktop) to enable dynamically registered resources.

func NewReconciler

func NewReconciler[T Reconciled](cfg ReconcilerConfig[T]) (*Reconciler[T], error)

NewReconciler creates a new reconciler with provided configuration.

func (*Reconciler[T]) Reconcile

func (r *Reconciler[T]) Reconcile(ctx context.Context) error

Reconcile reconciles currently registered resources with new resources and creates/updates/deletes them appropriately.

type ReconcilerConfig

type ReconcilerConfig[T Reconciled] struct {
	// Matcher is used to match resources.
	Matcher Matcher[T]
	// GetCurrentResources returns currently registered resources.
	GetCurrentResources func() map[string]T
	// GetNewResources returns resources to compare current resources against.
	GetNewResources func() map[string]T
	// OnCreate is called when a new resource is detected.
	OnCreate func(context.Context, T) error
	// OnUpdate is called when an existing resource is updated.
	OnUpdate func(ctx context.Context, new, old T) error
	// OnDelete is called when an existing resource is deleted.
	OnDelete func(context.Context, T) error
	// Log is the reconciler's logger.
	Log logrus.FieldLogger
}

ReconcilerConfig is the resource reconciler configuration.

func (*ReconcilerConfig[T]) CheckAndSetDefaults

func (c *ReconcilerConfig[T]) CheckAndSetDefaults() error

CheckAndSetDefaults validates the reconciler configuration and sets defaults.

type Ref

type Ref struct {
	Kind    string
	SubKind string
	Name    string
}

Ref is a resource reference. Typically of the form kind/name, but sometimes of the form kind/subkind/name.

func ParseRef

func ParseRef(ref string) (*Ref, error)

ParseRef parses resource reference eg daemonsets/ds1

func (*Ref) Set

func (r *Ref) Set(v string) error

Set sets the name of the resource

func (*Ref) String

func (r *Ref) String() string

type Refs

type Refs []Ref

Refs is a set of resource references

func ParseRefs

func ParseRefs(refs string) (Refs, error)

ParseRefs parses a comma-separated string of resource references (eg "users/alice,users/bob")

func (*Refs) IsAll

func (r *Refs) IsAll() bool

IsAll checks if refs is special wildcard case `all`.

func (*Refs) Set

func (r *Refs) Set(v string) error

Set sets the value of `r` from a comma-separated string of resource references (in-place equivalent of `ParseRefs`).

func (*Refs) String

func (r *Refs) String() string

type RequestIDs

type RequestIDs struct {
	AccessRequests []string `json:"access_requests,omitempty"`
}

RequestIDs is a collection of IDs for privilege escalation requests.

func (*RequestIDs) Check

func (r *RequestIDs) Check() error

func (*RequestIDs) IsEmpty

func (r *RequestIDs) IsEmpty() bool

func (*RequestIDs) Marshal

func (r *RequestIDs) Marshal() ([]byte, error)

func (*RequestIDs) Unmarshal

func (r *RequestIDs) Unmarshal(data []byte) error

type RequestValidator

type RequestValidator struct {
	Roles struct {
		AllowRequest, DenyRequest []parse.Matcher
		AllowSearch, DenySearch   []string
	}
	Annotations struct {
		Allow, Deny map[string][]string
	}
	ThresholdMatchers []struct {
		Matchers   []parse.Matcher
		Thresholds []types.AccessReviewThreshold
	}
	SuggestedReviewers  []string
	MaxDurationMatchers []struct {
		Matchers    []parse.Matcher
		MaxDuration time.Duration
	}
	// contains filtered or unexported fields
}

RequestValidator a helper for validating access requests. a user's statically assigned roles are "added" to the validator via the push() method, which extracts all the relevant rules, performs variable substitutions, and builds a set of simple Allow/Deny datastructures. These, in turn, are used to validate and expand the access request.

func NewRequestValidator

func NewRequestValidator(ctx context.Context, clock clockwork.Clock, getter RequestValidatorGetter, username string, opts ...ValidateRequestOption) (RequestValidator, error)

NewRequestValidator configures a new RequestValidator for the specified user.

func (*RequestValidator) CanRequestRole

func (m *RequestValidator) CanRequestRole(name string) bool

CanRequestRole checks if a given role can be requested.

func (*RequestValidator) CanSearchAsRole

func (m *RequestValidator) CanSearchAsRole(name string) bool

CanSearchAsRole check if a given role can be requested through a search-based access request

func (*RequestValidator) GetRequestableRoles

func (m *RequestValidator) GetRequestableRoles() ([]string, error)

GetRequestableRoles gets the list of all existent roles which the user is able to request. This operation is expensive since it loads all existent roles in order to determine the role list. Prefer calling CanRequestRole when checking against a known role list.

func (*RequestValidator) SystemAnnotations

func (m *RequestValidator) SystemAnnotations() map[string][]string

SystemAnnotations calculates the system annotations for a pending access request.

func (*RequestValidator) Validate

func (m *RequestValidator) Validate(ctx context.Context, req types.AccessRequest, identity tlsca.Identity) error

Validate validates an access request and potentially modifies it depending on how the validator was configured.

type RequestValidatorGetter

type RequestValidatorGetter interface {
	UserLoginStatesGetter
	UserGetter
	RoleGetter
	client.ListResourcesClient
	GetRoles(ctx context.Context) ([]types.Role, error)
	GetClusterName(opts ...MarshalOption) (types.ClusterName, error)
}

RequestValidatorGetter is the interface required by the request validation functions used to get necessary resources.

type ResourceAccess

type ResourceAccess struct {
	List   bool `json:"list"`
	Read   bool `json:"read"`
	Edit   bool `json:"edit"`
	Create bool `json:"create"`
	Delete bool `json:"remove"`
	Use    bool `json:"use"`
}

type ResourceGetter

ResourceGetter is an interface that provides a way to fetch all the resources that can be stored in the UnifiedResourceCache

type ResourceMarshaler

type ResourceMarshaler func(types.Resource, ...MarshalOption) ([]byte, error)

ResourceMarshaler handles marshaling of a specific resource type.

type ResourceMatcher

type ResourceMatcher struct {
	// Labels match resource labels.
	Labels types.Labels
	// AWS contains AWS specific settings.
	AWS ResourceMatcherAWS
}

ResourceMatcher matches cluster resources.

type ResourceMatcherAWS

type ResourceMatcherAWS struct {
	// AssumeRoleARN is the AWS role to assume for accessing the resource.
	AssumeRoleARN string
	// ExternalID is an optional AWS external ID used to enable assuming an AWS
	// role across accounts.
	ExternalID string
}

ResourceMatcherAWS contains AWS specific settings.

type ResourceSeenKey

type ResourceSeenKey struct {
	// contains filtered or unexported fields
}

ResourceSeenKey is used as a key for a map that keeps track of unique resource names and address. Currently "addr" only applies to resource Application.

type ResourceUnmarshaler

type ResourceUnmarshaler func([]byte, ...MarshalOption) (types.Resource, error)

ResourceUnmarshaler handles unmarshaling of a specific resource type.

type ResourceWatcherConfig

type ResourceWatcherConfig struct {
	// Component is a component used in logs.
	Component string
	// Log is a logger.
	Log logrus.FieldLogger
	// MaxRetryPeriod is the maximum retry period on failed watchers.
	MaxRetryPeriod time.Duration
	// Clock is used to control time.
	Clock clockwork.Clock
	// Client is used to create new watchers.
	Client types.Events
	// MaxStaleness is a maximum acceptable staleness for the locally maintained
	// resources, zero implies no staleness detection.
	MaxStaleness time.Duration
	// ResetC is a channel to notify of internal watcher reset (used in tests).
	ResetC chan time.Duration
	// QueueSize is an optional queue size
	QueueSize int
}

ResourceWatcherConfig configures resource watcher.

func (*ResourceWatcherConfig) CheckAndSetDefaults

func (cfg *ResourceWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values.

type Restrictions

type Restrictions interface {
	GetNetworkRestrictions(context.Context) (types.NetworkRestrictions, error)
	SetNetworkRestrictions(context.Context, types.NetworkRestrictions) error
	DeleteNetworkRestrictions(context.Context) error
}

type ReviewPermissionChecker

type ReviewPermissionChecker struct {
	UserState UserState
	Roles     struct {
		// allow/deny mappings sort role matches into lists based on their
		// constraining predicate (where) expression.
		AllowReview, DenyReview map[string][]parse.Matcher
	}
}

ReviewPermissionChecker is a helper for validating whether a user is allowed to review specific access requests.

func NewReviewPermissionChecker

func NewReviewPermissionChecker(
	ctx context.Context,
	getter RequestValidatorGetter,
	username string,
	identity *tlsca.Identity,
) (ReviewPermissionChecker, error)

func (*ReviewPermissionChecker) CanReviewRequest

func (c *ReviewPermissionChecker) CanReviewRequest(req types.AccessRequest) (bool, error)

CanReviewRequest checks if the user is allowed to review the specified request. note that the ability to review a request does not necessarily imply that any specific approval/denial thresholds will actually match the user's review. Matching one or more thresholds is not a pre-requisite for review submission.

func (*ReviewPermissionChecker) HasAllowDirectives

func (c *ReviewPermissionChecker) HasAllowDirectives() bool

HasAllowDirectives checks if any allow directives exist. A user with no allow directives will never be able to review any requests.

type RoleGetter

type RoleGetter interface {
	// GetRole returns role by name
	GetRole(ctx context.Context, name string) (types.Role, error)
}

RoleGetter is an interface that defines GetRole method

type RoleMatcher

type RoleMatcher interface {
	Match(types.Role, types.RoleConditionType) (bool, error)
}

RoleMatcher defines an interface for a generic role matcher.

func NewDatabaseUserMatcher

func NewDatabaseUserMatcher(db types.Database, user string) RoleMatcher

NewDatabaseUserMatcher creates a RoleMatcher that checks whether the role's database users match the specified condition.

func NewKubernetesClusterLabelMatcher

func NewKubernetesClusterLabelMatcher(clustersLabels map[string]string, userTraits wrappers.Traits) RoleMatcher

NewKubernetesClusterLabelMatcher creates a RoleMatcher that checks whether a role's Kubernetes service labels match.

func NewLoginMatcher

func NewLoginMatcher(login string) RoleMatcher

NewLoginMatcher creates a RoleMatcher that checks whether the role's logins match the specified condition.

func NewWindowsLoginMatcher

func NewWindowsLoginMatcher(login string) RoleMatcher

NewWindowsLoginMatcher creates a RoleMatcher that checks whether the role's Windows desktop logins match the specified condition.

type RoleMatcherFunc

type RoleMatcherFunc func(types.Role, types.RoleConditionType) (bool, error)

RoleMatcherFunc is a convenience type for creating a role matcher from a function.

func (RoleMatcherFunc) Match

func (f RoleMatcherFunc) Match(role types.Role, condition types.RoleConditionType) (bool, error)

type RoleMatchers

type RoleMatchers []RoleMatcher

RoleMatchers defines a list of matchers.

func (RoleMatchers) MatchAll

func (m RoleMatchers) MatchAll(role types.Role, condition types.RoleConditionType) (bool, error)

MatchAll returns true if all matchers in the set match.

func (RoleMatchers) MatchAny

func (m RoleMatchers) MatchAny(role types.Role, condition types.RoleConditionType) (bool, RoleMatcher, error)

MatchAny returns true if at least one of the matchers in the set matches.

If the result is true, returns matcher that matched.

type RoleSet

type RoleSet []types.Role

RoleSet is a set of roles that implements access control functionality

func FetchRoleList

func FetchRoleList(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoleList fetches roles by their names, applies the traits to role variables, and returns the list

func FetchRoles

func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet. Adds runtime roles like the default implicit role to RoleSet.

func NewRoleSet

func NewRoleSet(roles ...types.Role) RoleSet

NewRoleSet returns new RoleSet based on the roles

func RoleSetFromSpec

func RoleSetFromSpec(name string, spec types.RoleSpecV6) (RoleSet, error)

RoleSetFromSpec returns a new RoleSet from spec

func (RoleSet) AdjustClientIdleTimeout

func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration

AdjustClientIdleTimeout adjusts requested idle timeout to the lowest max allowed timeout, the most restrictive option will be picked, negative values will be assumed as 0

func (RoleSet) AdjustDisconnectExpiredCert

func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool

AdjustDisconnectExpiredCert adjusts the value based on the role set the most restrictive option will be picked

func (RoleSet) AdjustSessionTTL

func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration

AdjustSessionTTL will reduce the requested ttl to the lowest max allowed TTL for this role set, otherwise it returns ttl unchanged

func (RoleSet) CanCopyFiles

func (set RoleSet) CanCopyFiles() bool

CanCopyFiles returns true if the role set has enabled remote file operations via SCP or SFTP. Remote file operations are disabled if one or more of the roles in the set has disabled it.

func (RoleSet) CanForwardAgents

func (set RoleSet) CanForwardAgents() bool

CanForwardAgents returns true if role set allows forwarding agents.

func (RoleSet) CanImpersonateSomeone

func (set RoleSet) CanImpersonateSomeone() bool

CanImpersonateSomeone returns true if this checker has any impersonation rules

func (RoleSet) CanPortForward

func (set RoleSet) CanPortForward() bool

CanPortForward returns true if a role in the RoleSet allows port forwarding.

func (RoleSet) CertificateExtensions

func (set RoleSet) CertificateExtensions() []*types.CertExtension

CertificateExtensions returns the list of extensions for each role in the RoleSet

func (RoleSet) CertificateFormat

func (set RoleSet) CertificateFormat() string

CertificateFormat returns the most permissive certificate format in a RoleSet.

func (RoleSet) CheckAWSRoleARNs

func (set RoleSet) CheckAWSRoleARNs(ttl time.Duration, overrideTTL bool) ([]string, error)

CheckAWSRoleARNs returns a list of AWS role ARNs this role set is allowed to assume.

func (RoleSet) CheckAccessToRule

func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

CheckAccessToRule checks if the RoleSet provides access in the given namespace to the specified resource and verb. silent controls whether the access violations are logged.

func (RoleSet) CheckAccessToSAMLIdP

func (set RoleSet) CheckAccessToSAMLIdP(authPref types.AuthPreference) error

CheckAccessToSAMLIdP checks access to the SAML IdP.

func (RoleSet) CheckAgentForward

func (set RoleSet) CheckAgentForward(login string) error

CheckAgentForward checks if the role can request to forward the SSH agent for this user.

func (RoleSet) CheckAzureIdentities

func (set RoleSet) CheckAzureIdentities(ttl time.Duration, overrideTTL bool) ([]string, error)

CheckAzureIdentities returns a list of Azure identities the user is allowed to assume.

func (RoleSet) CheckDatabaseNamesAndUsers

func (set RoleSet) CheckDatabaseNamesAndUsers(ttl time.Duration, overrideTTL bool) ([]string, []string, error)

CheckDatabaseNamesAndUsers checks if the role has any allowed database names or users.

func (RoleSet) CheckGCPServiceAccounts

func (set RoleSet) CheckGCPServiceAccounts(ttl time.Duration, overrideTTL bool) ([]string, error)

CheckGCPServiceAccounts returns a list of GCP service accounts this role set is allowed to assume.

func (RoleSet) CheckImpersonate

func (set RoleSet) CheckImpersonate(currentUser, impersonateUser types.User, impersonateRoles []types.Role) error

CheckImpersonate returns nil if this role set can impersonate a user and their roles, returns AccessDenied otherwise CheckImpersonate checks whether current user is allowed to impersonate users and roles

func (RoleSet) CheckImpersonateRoles

func (set RoleSet) CheckImpersonateRoles(currentUser types.User, impersonateRoles []types.Role) error

CheckImpersonateRoles validates that the current user can perform role-only impersonation of the given roles. Role-only impersonation requires an allow rule with roles but no users (and no user-less deny rules). All requested roles must be allowed for the check to succeed.

func (RoleSet) CheckKubeGroupsAndUsers

func (set RoleSet) CheckKubeGroupsAndUsers(ttl time.Duration, overrideTTL bool, matchers ...RoleMatcher) ([]string, []string, error)

CheckKubeGroupsAndUsers check if role can login into kubernetes and returns two lists of allowed groups and users

func (RoleSet) CheckLoginDuration

func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)

CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.

func (RoleSet) DesktopClipboard

func (set RoleSet) DesktopClipboard() bool

DesktopClipboard returns true if the role set has enabled shared clipboard for desktop sessions. Clipboard sharing is disabled if one or more of the roles in the set has disabled it.

func (RoleSet) DesktopDirectorySharing

func (set RoleSet) DesktopDirectorySharing() bool

DesktopDirectorySharing returns true if the role set has directory sharing enabled. This setting is disabled if one or more of the roles in the set has disabled it.

func (RoleSet) EnhancedRecordingSet

func (set RoleSet) EnhancedRecordingSet() map[string]bool

EnhancedRecordingSet returns the set of enhanced session recording events to capture for thi role set.

func (RoleSet) ExtractConditionForIdentifier

func (set RoleSet) ExtractConditionForIdentifier(ctx RuleContext, namespace, resource, verb, identifier string) (*types.WhereExpr, error)

ExtractConditionForIdentifier returns a restrictive filter expression for list queries based on the rules' `where` conditions.

func (RoleSet) GetAccessState

func (set RoleSet) GetAccessState(authPref types.AuthPreference) AccessState

GetAccessState returns the AccessState, setting [AccessState.MFARequired] according to the user's roles and cluster auth preference.

func (RoleSet) GetAllLogins

func (set RoleSet) GetAllLogins() []string

GetAllLogins returns all valid unix logins for the RoleSet.

func (RoleSet) GetAllowedPreviewAsRoles

func (set RoleSet) GetAllowedPreviewAsRoles() []string

GetAllowedPreviewAsRoles returns all PreviewAsRoles for this RoleSet.

func (RoleSet) GetAllowedSearchAsRoles

func (set RoleSet) GetAllowedSearchAsRoles() []string

GetSearchAsRoles returns all SearchAsRoles for this RoleSet.

func (RoleSet) GetCreateDatabaseUserMode

func (set RoleSet) GetCreateDatabaseUserMode() types.CreateDatabaseUserMode

GetCreateDatabaseUserMode returns the create database user mode of the rule set.

func (RoleSet) GetKubeResources

func (set RoleSet) GetKubeResources(cluster types.KubeCluster, userTraits wrappers.Traits) (allowed, denied []types.KubernetesResource)

GetKubeResources returns allowed and denied list of Kubernetes Resources configured in the RoleSet.

func (RoleSet) GetLoginsForTTL

func (set RoleSet) GetLoginsForTTL(ttl time.Duration) (logins []string, matchedTTL bool)

GetLoginsForTTL collects all logins that are valid for the given TTL. The matchedTTL value indicates whether the TTL is within scope of *any* role. This helps to distinguish between TTLs which are categorically invalid, and TTLs which are theoretically valid but happen to grant no logins.

func (RoleSet) GuessIfAccessIsPossible

func (set RoleSet) GuessIfAccessIsPossible(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

GuessIfAccessIsPossible guesses if access is possible for an entire category of resources. It responds the question: "is it possible that there is a resource of this kind that the current user can access?". GuessIfAccessIsPossible is used, mainly, for UI decisions ("should the tab for resource X appear"?). Most callers should use CheckAccessToRule instead.

func (RoleSet) HasRole

func (set RoleSet) HasRole(role string) bool

HasRole checks if the role set has the role

func (RoleSet) LockingMode

func (set RoleSet) LockingMode(defaultMode constants.LockingMode) constants.LockingMode

LockingMode returns the locking mode to apply with this RoleSet.

func (RoleSet) MaxConnections

func (set RoleSet) MaxConnections() int64

MaxConnections returns the maximum number of concurrent ssh connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.

func (RoleSet) MaxKubernetesConnections

func (set RoleSet) MaxKubernetesConnections() int64

MaxConnections returns the maximum number of concurrent Kubernetes connections allowed. If MaxConnections is zero then no maximum was defined and the number of concurrent connections is unconstrained.

func (RoleSet) MaxSessions

func (set RoleSet) MaxSessions() int64

MaxSessions returns the maximum number of concurrent ssh sessions per connection. If MaxSessions is zero then no maximum was defined and the number of sessions is unconstrained.

func (RoleSet) MaybeCanReviewRequests

func (set RoleSet) MaybeCanReviewRequests() bool

MaybeCanReviewRequests attempts to guess if this RoleSet belongs to a user who should be submitting access reviews. Because not all rolesets are derived from statically assigned roles, this may return false positives.

func (RoleSet) PermitX11Forwarding

func (set RoleSet) PermitX11Forwarding() bool

PermitX11Forwarding returns true if this RoleSet allows X11 Forwarding.

func (RoleSet) PinSourceIP

func (set RoleSet) PinSourceIP() bool

PinSourceIP determines if the role set should use source IP pinning. If one or more roles in the set requires IP pinning then it will be enabled.

func (RoleSet) PrivateKeyPolicy

func (set RoleSet) PrivateKeyPolicy(authPreferencePolicy keys.PrivateKeyPolicy) (keys.PrivateKeyPolicy, error)

PrivateKeyPolicy returns the enforced private key policy for this role set.

func (RoleSet) RecordDesktopSession

func (set RoleSet) RecordDesktopSession() bool

RecordDesktopSession returns true if the role set has enabled desktop session recording. Recording is considered enabled if at least one role in the set has enabled it.

func (RoleSet) RoleNames

func (set RoleSet) RoleNames() []string

RoleNames returns a slice with role names. Removes runtime roles like the default implicit role.

func (RoleSet) Roles

func (set RoleSet) Roles() []types.Role

Roles returns the list underlying roles this RoleSet is based on.

func (RoleSet) SessionPolicySets

func (set RoleSet) SessionPolicySets() []*types.SessionTrackerPolicySet

SessionPolicySets returns the list of SessionPolicySets for all roles.

func (RoleSet) SessionRecordingMode

func (set RoleSet) SessionRecordingMode(service constants.SessionRecordingService) constants.SessionRecordingMode

SessionRecordingMode returns the recording mode for a specific service.

func (RoleSet) String

func (set RoleSet) String() string

func (RoleSet) WithoutImplicit

func (set RoleSet) WithoutImplicit() (out RoleSet)

WithoutImplicit returns this role set with default implicit role filtered out.

type RotationGetter

type RotationGetter func(role types.SystemRole) (*types.Rotation, error)

RotationGetter returns the rotation state.

type RuleContext

type RuleContext interface {
	// GetIdentifier returns identifier defined in a context
	GetIdentifier(fields []string) (interface{}, error)
	// GetResource returns resource if specified in the context,
	// if unspecified, returns error.
	GetResource() (types.Resource, error)
}

RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user

type RuleSet

type RuleSet map[string][]types.Rule

RuleSet maps resource to a set of rules defined for it

func MakeRuleSet

func MakeRuleSet(rules []types.Rule) RuleSet

MakeRuleSet creates a new rule set from a list

func (RuleSet) Match

func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)

Match tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.

Specifying order solves the problem on having multiple rules, e.g. one wildcard rule can override more specific rules with 'where' sections that can have 'actions' lists with side effects that will not be triggered otherwise.

func (RuleSet) Slice

func (set RuleSet) Slice() []types.Rule

Slice returns slice from a set

type SAMLIdPServiceProviders

type SAMLIdPServiceProviders interface {
	SAMLIdpServiceProviderGetter
	// GetSAMLIdPServiceProvider returns the specified SAML IdP service provider resources.
	GetSAMLIdPServiceProvider(ctx context.Context, name string) (types.SAMLIdPServiceProvider, error)
	// CreateSAMLIdPServiceProvider creates a new SAML IdP service provider resource.
	CreateSAMLIdPServiceProvider(context.Context, types.SAMLIdPServiceProvider) error
	// UpdateSAMLIdPServiceProvider updates an existing SAML IdP service provider resource.
	UpdateSAMLIdPServiceProvider(context.Context, types.SAMLIdPServiceProvider) error
	// DeleteSAMLIdPServiceProvider removes the specified SAML IdP service provider resource.
	DeleteSAMLIdPServiceProvider(ctx context.Context, name string) error
	// DeleteAllSAMLIdPServiceProviders removes all SAML IdP service providers.
	DeleteAllSAMLIdPServiceProviders(context.Context) error
}

SAMLIdPServiceProviders defines an interface for managing SAML IdP service providers.

type SAMLIdPSession

type SAMLIdPSession interface {
	// GetSAMLIdPSession gets a SAML IdP session.
	GetSAMLIdPSession(context.Context, types.GetSAMLIdPSessionRequest) (types.WebSession, error)
	// ListSAMLIdPSessions gets a paginated list of SAML IdP sessions.
	ListSAMLIdPSessions(ctx context.Context, pageSize int, pageToken, user string) ([]types.WebSession, string, error)
	// UpsertSAMLIdPSession upserts a SAML IdP session.
	UpsertSAMLIdPSession(context.Context, types.WebSession) error
	// DeleteSAMLIdPSession removes a SAML IdP session.
	DeleteSAMLIdPSession(context.Context, types.DeleteSAMLIdPSessionRequest) error
	// DeleteAllSAMLIdPSessions removes all SAML IdP sessions.
	DeleteAllSAMLIdPSessions(context.Context) error
	// DeleteUserSAMLIdPSessions deletes all of a user's SAML IdP sessions.
	DeleteUserSAMLIdPSessions(ctx context.Context, user string) error
}

SAMLIdPSession defines SAML IdP session features.

type SAMLIdpServiceProviderGetter

type SAMLIdpServiceProviderGetter interface {
	ListSAMLIdPServiceProviders(ctx context.Context, pageSize int, nextKey string) ([]types.SAMLIdPServiceProvider, string, error)
}

SAMLIdpServiceProviderGetter defines interface for fetching SAMLIdPServiceProvider resources.

type SecReports

type SecReports interface {
	SecurityAuditQueryGetter
	// UpsertSecurityAuditQuery upserts an audit query.
	UpsertSecurityAuditQuery(ctx context.Context, in *secreports.AuditQuery) error
	// DeleteSecurityAuditQuery deletes an audit query.
	DeleteSecurityAuditQuery(ctx context.Context, name string) error
	// DeleteAllSecurityAuditQueries deletes all audit queries.
	DeleteAllSecurityAuditQueries(context.Context) error

	SecurityReportGetter
	// UpsertSecurityReport upserts a security report.
	UpsertSecurityReport(ctx context.Context, item *secreports.Report) error
	// DeleteSecurityReport deletes a security report.
	DeleteSecurityReport(ctx context.Context, name string) error
	// DeleteAllSecurityReports deletes all audit queries.
	DeleteAllSecurityReports(context.Context) error

	SecurityReportStateGetter
	// UpsertSecurityReportsState upserts a security report state.
	UpsertSecurityReportsState(ctx context.Context, item *secreports.ReportState) error
	// DeleteSecurityReportsState deletes all audit queries.
	DeleteSecurityReportsState(ctx context.Context, name string) error
	// DeleteAllSecurityReportsStates deletes all audit queries.
	DeleteAllSecurityReportsStates(context.Context) error
}

SecReports is the interface for the SecReports service.

type SecurityAuditQueryGetter

type SecurityAuditQueryGetter interface {
	// GetSecurityAuditQuery returns an audit query.
	GetSecurityAuditQuery(ctx context.Context, name string) (*secreports.AuditQuery, error)
	// GetSecurityAuditQueries returns all audit queries.
	GetSecurityAuditQueries(context.Context) ([]*secreports.AuditQuery, error)
	// ListSecurityAuditQueries lists audit queries.
	ListSecurityAuditQueries(context.Context, int, string) ([]*secreports.AuditQuery, string, error)
}

SecurityAuditQueryGetter is the interface for audit query getters.

type SecurityReportGetter

type SecurityReportGetter interface {
	// GetSecurityReport returns a security report.
	GetSecurityReport(ctx context.Context, name string) (*secreports.Report, error)
	// GetSecurityReports returns a security report.
	GetSecurityReports(ctx context.Context) ([]*secreports.Report, error)
	// ListSecurityReports lists security reports.
	ListSecurityReports(ctx context.Context, i int, token string) ([]*secreports.Report, string, error)
}

SecurityReportGetter is the interface for security report getters.

type SecurityReportStateGetter

type SecurityReportStateGetter interface {
	// GetSecurityReportState returns a security report state.
	GetSecurityReportState(ctx context.Context, name string) (*secreports.ReportState, error)
	// GetSecurityReportsStates returns security report states.
	GetSecurityReportsStates(context.Context) ([]*secreports.ReportState, error)
	// ListSecurityReportsStates  lists security report states.
	ListSecurityReportsStates(context.Context, int, string) ([]*secreports.ReportState, string, error)
}

SecurityReportStateGetter is the interface for security report state getters.

type SemaphoreLock

type SemaphoreLock struct {
	// contains filtered or unexported fields
}

SemaphoreLock provides a convenient interface for managing semaphore lease keepalive operations.

func AcquireSemaphoreLock

func AcquireSemaphoreLock(ctx context.Context, cfg SemaphoreLockConfig) (*SemaphoreLock, error)

AcquireSemaphoreLock attempts to acquire and hold a semaphore lease. If successfully acquired, background keepalive processes are started and an associated lock handle is returned. Canceling the supplied context releases the semaphore.

func (*SemaphoreLock) Done

func (l *SemaphoreLock) Done() <-chan struct{}

Done signals that lease keepalive operations have stopped.

func (*SemaphoreLock) Renewed

func (l *SemaphoreLock) Renewed() <-chan struct{}

Renewed notifies on next successful lease keepalive. Used in tests to block until next renewal.

func (*SemaphoreLock) Stop

func (l *SemaphoreLock) Stop()

Stop stops associated lease keepalive.

func (*SemaphoreLock) Wait

func (l *SemaphoreLock) Wait() error

Wait blocks until the final result is available. Note that this method may block longer than desired since cancellation of the parent context triggers the *start* of the release operation.

type SemaphoreLockConfig

type SemaphoreLockConfig struct {
	// Service is the service against which all semaphore
	// operations are performed.
	Service types.Semaphores
	// Expiry is an optional lease expiry parameter.
	Expiry time.Duration
	// TickRate is the rate at which lease renewals are attempted
	// and defaults to 1/2 expiry.  Used to accelerate tests.
	TickRate time.Duration
	// Params holds the semaphore lease acquisition parameters.
	Params types.AcquireSemaphoreRequest
	// Clock used to alter time in tests
	Clock clockwork.Clock
}

func (*SemaphoreLockConfig) CheckAndSetDefaults

func (l *SemaphoreLockConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default parameters

type SessionTrackerService

type SessionTrackerService interface {
	// GetActiveSessionTrackers returns a list of active session trackers.
	GetActiveSessionTrackers(ctx context.Context) ([]types.SessionTracker, error)

	// GetActiveSessionTrackersWithFilter returns a list of active sessions filtered by a filter.
	GetActiveSessionTrackersWithFilter(ctx context.Context, filter *types.SessionTrackerFilter) ([]types.SessionTracker, error)

	// GetSessionTracker returns the current state of a session tracker for an active session.
	GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error)

	// CreateSessionTracker creates a tracker resource for an active session.
	CreateSessionTracker(ctx context.Context, st types.SessionTracker) (types.SessionTracker, error)

	// UpdateSessionTracker updates a tracker resource for an active session.
	UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error

	// RemoveSessionTracker removes a tracker resource for an active session.
	RemoveSessionTracker(ctx context.Context, sessionID string) error

	// UpdatePresence updates the presence status of a user in a session.
	UpdatePresence(ctx context.Context, sessionID, user string) error
}

SessionTrackerService is a realtime session service that has information about sessions that are in-flight in the cluster at the moment.

type SnowflakeSession

type SnowflakeSession interface {
	// GetSnowflakeSession gets a Snowflake web session.
	GetSnowflakeSession(context.Context, types.GetSnowflakeSessionRequest) (types.WebSession, error)
	// GetSnowflakeSessions gets all Snowflake web sessions.
	GetSnowflakeSessions(context.Context) ([]types.WebSession, error)
	// UpsertSnowflakeSession upserts a Snowflake web session.
	UpsertSnowflakeSession(context.Context, types.WebSession) error
	// DeleteSnowflakeSession removes a Snowflake web session.
	DeleteSnowflakeSession(context.Context, types.DeleteSnowflakeSessionRequest) error
	// DeleteAllSnowflakeSessions removes all Snowflake web sessions.
	DeleteAllSnowflakeSessions(context.Context) error
}

SnowflakeSession defines Snowflake session features.

type SortedLoginAttempts

type SortedLoginAttempts []LoginAttempt

SortedLoginAttempts sorts login attempts by time

func (SortedLoginAttempts) Len

func (s SortedLoginAttempts) Len() int

Len returns length of a role list

func (SortedLoginAttempts) Less

func (s SortedLoginAttempts) Less(i, j int) bool

Less stacks latest attempts to the end of the list

func (SortedLoginAttempts) Swap

func (s SortedLoginAttempts) Swap(i, j int)

Swap swaps two attempts

type SortedReverseTunnels

type SortedReverseTunnels []types.ReverseTunnel

SortedReverseTunnels sorts reverse tunnels by cluster name

func (SortedReverseTunnels) Len

func (s SortedReverseTunnels) Len() int

func (SortedReverseTunnels) Less

func (s SortedReverseTunnels) Less(i, j int) bool

func (SortedReverseTunnels) Swap

func (s SortedReverseTunnels) Swap(i, j int)

type SortedRoles

type SortedRoles []types.Role

SortedRoles sorts roles by name

func (SortedRoles) Len

func (s SortedRoles) Len() int

Len returns length of a role list

func (SortedRoles) Less

func (s SortedRoles) Less(i, j int) bool

Less compares roles by name

func (SortedRoles) Swap

func (s SortedRoles) Swap(i, j int)

Swap swaps two roles in a list

type SortedServers

type SortedServers []types.Server

SortedServers is a sort wrapper that sorts servers by name

func (SortedServers) Len

func (s SortedServers) Len() int

func (SortedServers) Less

func (s SortedServers) Less(i, j int) bool

func (SortedServers) Swap

func (s SortedServers) Swap(i, j int)

type Status

type Status interface {
	// GetClusterAlerts loads all matching cluster alerts.
	GetClusterAlerts(ctx context.Context, query types.GetClusterAlertsRequest) ([]types.ClusterAlert, error)

	// UpsertClusterAlert creates the specified alert, overwriting any preexising alert with the same ID.
	UpsertClusterAlert(ctx context.Context, alert types.ClusterAlert) error

	// CreateAlertAck marks a cluster alert as acknowledged.
	CreateAlertAck(ctx context.Context, ack types.AlertAcknowledgement) error

	// GetAlertAcks gets active alert ackowledgements.
	GetAlertAcks(ctx context.Context) ([]types.AlertAcknowledgement, error)

	// ClearAlertAcks clears alert acknowledgments.
	ClearAlertAcks(ctx context.Context, req proto.ClearAlertAcksRequest) error
}

Status defines an interface for managing cluster status info.

type StatusInternal

type StatusInternal interface {
	Status

	// DeleteClusterAlert deletes the cluster alert with the specified ID.
	DeleteClusterAlert(ctx context.Context, alertID string) error
}

StatusInternal extends Status with auth-internal methods.

type Trust added in v1.0.0

type Trust interface {
	// AuthorityGetter retrieves certificate authorities
	AuthorityGetter

	// CreateCertAuthority inserts a new certificate authority
	CreateCertAuthority(ctx context.Context, ca types.CertAuthority) error

	// UpsertCertAuthority updates or inserts a new certificate authority
	UpsertCertAuthority(ctx context.Context, ca types.CertAuthority) error

	// CompareAndSwapCertAuthority updates the cert authority value
	// if existing value matches existing parameter,
	// returns nil if succeeds, trace.CompareFailed otherwise
	CompareAndSwapCertAuthority(new, existing types.CertAuthority) error

	// DeleteCertAuthority deletes particular certificate authority
	DeleteCertAuthority(ctx context.Context, id types.CertAuthID) error

	// DeleteAllCertAuthorities deletes cert authorities of a certain type
	DeleteAllCertAuthorities(caType types.CertAuthType) error

	// ActivateCertAuthority moves a CertAuthority from the deactivated list to
	// the normal list.
	ActivateCertAuthority(id types.CertAuthID) error

	// DeactivateCertAuthority moves a CertAuthority from the normal list to
	// the deactivated list.
	DeactivateCertAuthority(id types.CertAuthID) error

	// UpdateUserCARoleMap updates the role map of the userCA of the specified existing cluster.
	UpdateUserCARoleMap(ctx context.Context, name string, roleMap types.RoleMap, activated bool) error
}

Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

type UnifiedResourceCache

type UnifiedResourceCache struct {
	ResourceGetter
	// contains filtered or unexported fields
}

UnifiedResourceCache contains a representation of all resources that are displayable in the UI

func NewUnifiedResourceCache

func NewUnifiedResourceCache(ctx context.Context, cfg UnifiedResourceCacheConfig) (*UnifiedResourceCache, error)

NewUnifiedResourceCache creates a new memory cache that holds the unified resources

func (*UnifiedResourceCache) GetUnifiedResources

func (c *UnifiedResourceCache) GetUnifiedResources(ctx context.Context) ([]types.ResourceWithLabels, error)

GetUnifiedResources returns a list of all resources stored in the current unifiedResourceCollector tree in ascending order

func (*UnifiedResourceCache) GetUnifiedResourcesByIDs

func (c *UnifiedResourceCache) GetUnifiedResourcesByIDs(ctx context.Context, ids []string, matchFn func(types.ResourceWithLabels) (bool, error)) ([]types.ResourceWithLabels, error)

GetUnifiedResourcesByIDs will take a list of ids and return any items found in the unifiedResourceCache tree by id and that return true from matchFn

func (*UnifiedResourceCache) IsInitialized

func (c *UnifiedResourceCache) IsInitialized() bool

IsInitialized is used to check that the cache has done its initial sync

func (*UnifiedResourceCache) IterateUnifiedResources

type UnifiedResourceCacheConfig

type UnifiedResourceCacheConfig struct {
	// BTreeDegree is a degree of B-Tree, 2 for example, will create a
	// 2-3-4 tree (each node contains 1-3 items and 2-4 children).
	BTreeDegree int
	// Clock is a clock for time-related operations
	Clock clockwork.Clock
	// Component is a logging component
	Component string
	ResourceWatcherConfig
	ResourceGetter
}

UnifiedResourceCacheConfig is used to configure a UnifiedResourceCache

func (*UnifiedResourceCacheConfig) CheckAndSetDefaults

func (cfg *UnifiedResourceCacheConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

type UnknownResource

type UnknownResource struct {
	types.ResourceHeader
	// Raw is raw representation of the resource
	Raw []byte
}

UnknownResource is used to detect resources

func (*UnknownResource) UnmarshalJSON

func (u *UnknownResource) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals header and captures raw state

type UserACL

type UserACL struct {
	// RecordedSessions defines access to recorded sessions.
	RecordedSessions ResourceAccess `json:"recordedSessions"`
	// ActiveSessions defines access to active sessions.
	ActiveSessions ResourceAccess `json:"activeSessions"`
	// AuthConnectors defines access to auth.connectors.
	AuthConnectors ResourceAccess `json:"authConnectors"`
	// Roles defines access to roles.
	Roles ResourceAccess `json:"roles"`
	// Users defines access to users.
	Users ResourceAccess `json:"users"`
	// TrustedClusters defines access to trusted clusters.
	TrustedClusters ResourceAccess `json:"trustedClusters"`
	// Events defines access to audit logs.
	Events ResourceAccess `json:"events"`
	// Tokens defines access to tokens.
	Tokens ResourceAccess `json:"tokens"`
	// Nodes defines access to nodes.
	Nodes ResourceAccess `json:"nodes"`
	// AppServers defines access to application servers
	AppServers ResourceAccess `json:"appServers"`
	// DBServers defines access to database servers.
	DBServers ResourceAccess `json:"dbServers"`
	// DB defines access to database resource.
	DB ResourceAccess `json:"db"`
	// KubeServers defines access to kubernetes servers.
	KubeServers ResourceAccess `json:"kubeServers"`
	// Desktops defines access to desktops.
	Desktops ResourceAccess `json:"desktops"`
	// AccessRequests defines access to access requests.
	AccessRequests ResourceAccess `json:"accessRequests"`
	// Billing defines access to billing information.
	Billing ResourceAccess `json:"billing"`
	// ConnectionDiagnostic defines access to connection diagnostics.
	ConnectionDiagnostic ResourceAccess `json:"connectionDiagnostic"`
	// Clipboard defines whether the user can use a shared clipboard during windows desktop sessions.
	Clipboard bool `json:"clipboard"`
	// DesktopSessionRecording defines whether the user's desktop sessions are being recorded.
	DesktopSessionRecording bool `json:"desktopSessionRecording"`
	// DirectorySharing defines whether a user is permitted to share a directory during windows desktop sessions.
	DirectorySharing bool `json:"directorySharing"`
	// Download defines whether the user has access to download Teleport Enterprise Binaries
	Download ResourceAccess `json:"download"`
	// Download defines whether the user has access to download the license
	License ResourceAccess `json:"license"`
	// Plugins defines whether the user has access to manage hosted plugin instances
	Plugins ResourceAccess `json:"plugins"`
	// Integrations defines whether the user has access to manage integrations.
	Integrations ResourceAccess `json:"integrations"`
	// DeviceTrust defines access to device trust.
	DeviceTrust ResourceAccess `json:"deviceTrust"`
	// Locks defines access to locking resources.
	Locks ResourceAccess `json:"lock"`
	// Assist defines access to assist feature.
	Assist ResourceAccess `json:"assist"`
	// SAMLIdpServiceProvider defines access to `saml_idp_service_provider` objects.
	SAMLIdpServiceProvider ResourceAccess `json:"samlIdpServiceProvider"`
	// AccessList defines access to access list management.
	AccessList ResourceAccess `json:"accessList"`
	// DiscoveryConfig defines whether the user has access to manage DiscoveryConfigs.
	DiscoveryConfig ResourceAccess `json:"discoverConfigs"`
	// AuditQuery defines access to audit query management.
	AuditQuery ResourceAccess `json:"auditQuery"`
	// SecurityReport defines access to security reports.
	SecurityReport ResourceAccess `json:"securityReport"`
	// ExternalAuditStorage defines access to manage ExternalAuditStorage
	ExternalAuditStorage ResourceAccess `json:"externalAuditStorage"`
	// AccessGraph defines access to access graph.
	AccessGraph ResourceAccess `json:"accessGraph"`
	// Bots defines access to manage Bots.
	Bots ResourceAccess `json:"bots"`
}

UserACL is derived from a user's role set and includes information as to what features the user is allowed to use.

func NewUserACL

func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, desktopRecordingEnabled, accessMonitoringEnabled bool) UserACL

NewUserACL builds an ACL for a user based on their roles.

type UserCertParams

type UserCertParams struct {
	// CASigner is the signer that will sign the public key of the user with the CA private key
	CASigner ssh.Signer
	// PublicUserKey is the public key of the user
	PublicUserKey []byte
	// TTL defines how long a certificate is valid for
	TTL time.Duration
	// Username is teleport username
	Username string
	// Impersonator is set when a user requests certificate for another user
	Impersonator string
	// AllowedLogins is a list of SSH principals
	AllowedLogins []string
	// PermitX11Forwarding permits X11 forwarding for this cert
	PermitX11Forwarding bool
	// PermitAgentForwarding permits agent forwarding for this cert
	PermitAgentForwarding bool
	// PermitPortForwarding permits port forwarding.
	PermitPortForwarding bool
	// PermitFileCopying permits the use of SCP/SFTP.
	PermitFileCopying bool
	// Roles is a list of roles assigned to this user
	Roles []string
	// CertificateFormat is the format of the SSH certificate.
	CertificateFormat string
	// RouteToCluster specifies the target cluster
	// if present in the certificate, will be used
	// to route the requests to
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// ActiveRequests tracks privilege escalation requests applied during
	// certificate construction.
	ActiveRequests RequestIDs
	// MFAVerified is the UUID of an MFA device when this Identity was
	// confirmed immediately after an MFA check.
	MFAVerified string
	// PreviousIdentityExpires is the expiry time of the identity/cert that this
	// identity/cert was derived from. It is used to determine a session's hard
	// deadline in cases where both require_session_mfa and disconnect_expired_cert
	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
	PreviousIdentityExpires time.Time
	// LoginIP is an observed IP of the client on the moment of certificate creation.
	LoginIP string
	// PinnedIP is an IP from which client must communicate with Teleport.
	PinnedIP string
	// DisallowReissue flags that any attempt to request new certificates while
	// authenticated with this cert should be denied.
	DisallowReissue bool
	// CertificateExtensions are user configured ssh key extensions
	CertificateExtensions []*types.CertExtension
	// Renewable indicates this certificate is renewable.
	Renewable bool
	// Generation counts the number of times a certificate has been renewed.
	Generation uint64
	// BotName is set to the name of the bot, if the user is a Machine ID bot user.
	// Empty for human users.
	BotName string
	// AllowedResourceIDs lists the resources the user should be able to access.
	AllowedResourceIDs string
	// ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
	ConnectionDiagnosticID string
	// PrivateKeyPolicy is the private key policy supported by this certificate.
	PrivateKeyPolicy keys.PrivateKeyPolicy
	// DeviceID is the trusted device identifier.
	DeviceID string
	// DeviceAssetTag is the device inventory identifier.
	DeviceAssetTag string
	// DeviceCredentialID is the identifier for the credential used by the device
	// to authenticate itself.
	DeviceCredentialID string
}

UserCertParams defines OpenSSH user certificate parameters

func (*UserCertParams) CheckAndSetDefaults

func (c *UserCertParams) CheckAndSetDefaults() error

CheckAndSetDefaults checks the user certificate parameters

type UserGetter

type UserGetter interface {
	// GetUser returns a user by name
	GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}

UserGetter is responsible for getting users

type UserGroups

type UserGroups interface {
	// ListUserGroups returns a paginated list of all user group resources.
	ListUserGroups(context.Context, int, string) ([]types.UserGroup, string, error)
	// GetUserGroup returns the specified user group resources.
	GetUserGroup(ctx context.Context, name string) (types.UserGroup, error)
	// CreateUserGroup creates a new user group resource.
	CreateUserGroup(context.Context, types.UserGroup) error
	// UpdateUserGroup updates an existing user group resource.
	UpdateUserGroup(context.Context, types.UserGroup) error
	// DeleteUserGroup removes the specified user group resource.
	DeleteUserGroup(ctx context.Context, name string) error
	// DeleteAllUserGroups removes all user groups.
	DeleteAllUserGroups(context.Context) error
}

UserGroups defines an interface for managing UserGroups.

type UserLoginStates

type UserLoginStates interface {
	UserLoginStatesGetter

	// UpsertUserLoginState creates or updates a user login state resource.
	UpsertUserLoginState(context.Context, *userloginstate.UserLoginState) (*userloginstate.UserLoginState, error)

	// DeleteUserLoginState removes the specified user login state resource.
	DeleteUserLoginState(context.Context, string) error

	// DeleteAllUserLoginStates removes all user login state resources.
	DeleteAllUserLoginStates(context.Context) error
}

UserLoginStates is the interface for managing with user login states.

type UserLoginStatesGetter

type UserLoginStatesGetter interface {
	// GetUserLoginStates returns the all user login state resources.
	GetUserLoginStates(context.Context) ([]*userloginstate.UserLoginState, error)

	// GetUserLoginState returns the specified user login state resource.
	GetUserLoginState(context.Context, string) (*userloginstate.UserLoginState, error)
}

UserLoginStatesGetter is the interface for reading user login states.

type UserOrLoginStateGetter

type UserOrLoginStateGetter interface {
	UserLoginStatesGetter
	UserGetter
}

UserOrLoginStateGetter defines an interface that can get user login states or users.

type UserPreferences

type UserPreferences interface {
	// GetUserPreferences returns the user preferences for a given user.
	GetUserPreferences(ctx context.Context, username string) (*userpreferencesv1.UserPreferences, error)
	// UpsertUserPreferences creates or updates user preferences for a given username.
	UpsertUserPreferences(ctx context.Context, username string, prefs *userpreferencesv1.UserPreferences) error
}

UserPreferences is the interface for managing user preferences.

type UserState

type UserState interface {
	// GetName returns the username associated with the user state.
	GetName() string

	// GetRoles returns the roles associated with the user's current state.
	GetRoles() []string

	// GetTraits returns the traits associated with the user's current sate.
	GetTraits() map[string][]string

	// GetUserType returns the user type for the user login state.
	GetUserType() types.UserType

	// IsBot returns true if the user belongs to a bot.
	IsBot() bool
}

UserState is a representation of a user's current state.

func GetUserOrLoginState

func GetUserOrLoginState(ctx context.Context, getter UserOrLoginStateGetter, username string) (UserState, error)

GetUserOrLoginState will return the given user or the login state associated with the user.

type Users added in v1.0.0

type Users []types.User

Users represents a slice of users, makes it sort compatible (sorts by username)

func (Users) Len added in v1.0.0

func (u Users) Len() int

func (Users) Less added in v1.0.0

func (u Users) Less(i, j int) bool

func (Users) Swap added in v1.0.0

func (u Users) Swap(i, j int)

type UsersService

type UsersService interface {
	UserGetter
	// UpdateUser updates an existing user.
	UpdateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
	// the result to storage. Return `false` from `fn` to avoid storage changes.
	// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
	// Returns the storage user.
	UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
	// UpsertUser updates parameters about user
	UpsertUser(ctx context.Context, user types.User) (types.User, error)
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server
	GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
	// ListUsers returns a page of users.
	ListUsers(ctx context.Context, pageSize int, nextToken string, withSecrets bool) ([]types.User, string, error)
	// DeleteAllUsers deletes all users
	DeleteAllUsers(ctx context.Context) error
}

UsersService is responsible for basic user management

type ValidateRequestOption

type ValidateRequestOption func(*RequestValidator)

func ExpandVars

func ExpandVars(expand bool) ValidateRequestOption

ExpandVars toggles variable expansion during request validation. Variable expansion includes expanding wildcard requests, setting system annotations, and gathering threshold information. Variable expansion should be run by the auth server prior to storing an access request for the first time.

type WindowsDesktopGetter

type WindowsDesktopGetter interface {
	GetWindowsDesktops(context.Context, types.WindowsDesktopFilter) ([]types.WindowsDesktop, error)
}

WindowsDesktopGetter is an interface for fetching WindowsDesktop resources.

type WindowsDesktops

type WindowsDesktops interface {
	WindowsDesktopGetter
	CreateWindowsDesktop(context.Context, types.WindowsDesktop) error
	UpdateWindowsDesktop(context.Context, types.WindowsDesktop) error
	UpsertWindowsDesktop(ctx context.Context, desktop types.WindowsDesktop) error
	DeleteWindowsDesktop(ctx context.Context, hostID, name string) error
	DeleteAllWindowsDesktops(context.Context) error
	ListWindowsDesktops(ctx context.Context, req types.ListWindowsDesktopsRequest) (*types.ListWindowsDesktopsResponse, error)
	ListWindowsDesktopServices(ctx context.Context, req types.ListWindowsDesktopServicesRequest) (*types.ListWindowsDesktopServicesResponse, error)
}

WindowsDesktops defines an interface for managing Windows desktop hosts.

Directories

Path Synopsis
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL