Documentation ¶
Overview ¶
Package modules allows external packages to override certain behavioral aspects of Teleport.
Index ¶
- Constants
- func SetModules(m Modules)
- func SetTestModules(t *testing.T, testModules Modules)
- func ValidateResource(res types.Resource) error
- type AccessListFeature
- type AccessListGetter
- type AccessListSuggestionClient
- type AccessMonitoringFeature
- type AccessRequestsFeature
- type AccessResourcesGetter
- type DeviceTrustFeature
- type Features
- type Modules
- type PolicyFeature
- type ProductType
- type RoleGetter
- type TestModules
- func (m *TestModules) AttestHardwareKey(ctx context.Context, obj interface{}, as *keys.AttestationStatement, ...) (*keys.AttestationData, error)
- func (m *TestModules) BuildType() string
- func (p *TestModules) EnableAccessGraph()
- func (p *TestModules) EnableAccessMonitoring()
- func (p *TestModules) EnablePlugins()
- func (p *TestModules) EnableRecoveryCodes()
- func (m *TestModules) Features() Features
- func (p *TestModules) GenerateAccessRequestPromotions(_ context.Context, _ AccessResourcesGetter, _ types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
- func (p *TestModules) GetSuggestedAccessLists(ctx context.Context, identity *tlsca.Identity, clt AccessListSuggestionClient, ...) ([]*accesslist.AccessList, error)
- func (m *TestModules) IsBoringBinary() bool
- func (m *TestModules) PrintVersion()
- func (p *TestModules) SetFeatures(f Features)
Constants ¶
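// Build type identifiers, as returned by Modules.BuildType.
const (
	// BuildOSS specifies open source build type
	BuildOSS = "oss"
	// BuildEnterprise specifies enterprise build type
	BuildEnterprise = "ent"
)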
Variables ¶
This section is empty.
Functions ¶
func SetTestModules ¶
SetTestModules sets the value returned from GetModules to testModules and reverts the change in the test cleanup function. It must not be used in parallel tests.
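// TestWithFakeModules shows how a test installs fake modules for its duration.
func TestWithFakeModules(t *testing.T) {
	// SetTestModules changes the value returned from GetModules until the
	// test's cleanup runs, so a test using it must not run in parallel with
	// other tests.
	modules.SetTestModules(t, &modules.TestModules{
		TestBuildType: modules.BuildEnterprise,
		TestFeatures: modules.Features{
			Cloud: true,
		},
	})

	// test implementation

	// cleanup will revert module changes after test completes
}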
func ValidateResource ¶
ValidateResource performs additional resource checks.
Types ¶
type AccessListFeature ¶
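// AccessListFeature holds the Access List feature settings.
type AccessListFeature struct {
	// CreateLimit is the limit on the number of access lists that can be
	// created when the feature is not enabled.
	CreateLimit int
}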
AccessListFeature holds the Access List feature settings. Limits have no effect if the feature is enabled.
type AccessListGetter ¶
// AccessListGetter looks up a single access list by name.
type AccessListGetter interface {
	// GetAccessList returns the access list with the given name, or an error.
	GetAccessList(ctx context.Context, name string) (*accesslist.AccessList, error)
}
type AccessListSuggestionClient ¶
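// AccessListSuggestionClient is the client interface that
// Modules.GetSuggestedAccessLists takes as its clt argument.
type AccessListSuggestionClient interface {
	// NOTE(review): withSecrets presumably controls whether the user's
	// secret fields are included in the result; confirm against the
	// implementation and pass false unless the secrets are needed.
	GetUser(ctx context.Context, userName string, withSecrets bool) (types.User, error)
	RoleGetter

	GetAccessRequestAllowedPromotions(ctx context.Context, req types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
	GetAccessRequests(ctx context.Context, filter types.AccessRequestFilter) ([]types.AccessRequest, error)
}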
type AccessMonitoringFeature ¶
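// AccessMonitoringFeature holds the Access Monitoring feature settings.
type AccessMonitoringFeature struct {
	// True if enabled in the auth service config: [auth_service.access_monitoring.enabled].
	Enabled bool
	// Defines the max number of days to include in an access report.
	MaxReportRangeLimit int
}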
AccessMonitoringFeature holds the Access Monitoring feature settings. Limits have no effect if [Features.IdentityGovernanceSecurity] is enabled.
type AccessRequestsFeature ¶
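// AccessRequestsFeature holds the Access Requests feature general and
// usage-based settings.
type AccessRequestsFeature struct {
	// MonthlyRequestLimit is the usage-based limit for the number of
	// access requests created in a calendar month.
	MonthlyRequestLimit int
}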
AccessRequestsFeature holds the Access Requests feature general and usage-based settings. Limits have no effect if [Features.IdentityGovernanceSecurity] is enabled.
type AccessResourcesGetter ¶
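// AccessResourcesGetter is a minimal interface that is used to get access
// lists and related resources from the backend.
type AccessResourcesGetter interface {
	ListAccessLists(context.Context, int, string) ([]*accesslist.AccessList, string, error)
	ListResources(ctx context.Context, req proto.ListResourcesRequest) (*types.ListResourcesResponse, error)

	ListAccessListMembers(ctx context.Context, accessList string, pageSize int, pageToken string) (members []*accesslist.AccessListMember, nextToken string, err error)
	GetAccessListMember(ctx context.Context, accessList string, memberName string) (*accesslist.AccessListMember, error)

	// NOTE(review): withSecrets presumably controls whether the user's
	// secret fields are included in the result; confirm against the
	// implementation and pass false unless the secrets are needed.
	GetUser(ctx context.Context, userName string, withSecrets bool) (types.User, error)
	GetRole(ctx context.Context, name string) (types.Role, error)

	GetLock(ctx context.Context, name string) (types.Lock, error)
	GetLocks(ctx context.Context, inForceOnly bool, targets ...types.LockTarget) ([]types.Lock, error)
}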
AccessResourcesGetter is a minimal interface that is used to get access lists and related resources from the backend.
type DeviceTrustFeature ¶
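// DeviceTrustFeature holds the Device Trust feature general and usage-based
// settings.
type DeviceTrustFeature struct {
	// Currently this flag is to gate actions from OSS clusters.
	//
	// Determining support for device trust is currently determined by:
	//   1) Enterprise + [Features.IdentityGovernanceSecurity] == true, new flag
	//   introduced with Enterprise Usage Based (EUB) product.
	//   2) Enterprise + [Features.IsUsageBasedBilling] == false, legacy support
	//   where before EUB, it was unlimited.
	Enabled bool
	// DevicesUsageLimit is the usage-based limit for the number of
	// registered/enrolled devices, at the implementation's discretion.
	DevicesUsageLimit int
}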
DeviceTrustFeature holds the Device Trust feature general and usage-based settings. Limits have no effect if [Features.IdentityGovernanceSecurity] is enabled.
type Features ¶
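// Features provides supported and unsupported features
type Features struct {
	// Kubernetes enables Kubernetes Access product
	Kubernetes bool
	// App enables Application Access product
	App bool
	// DB enables database access product
	DB bool
	// OIDC enables OIDC connectors
	OIDC bool
	// SAML enables SAML connectors
	SAML bool
	// AccessControls enables FIPS access controls
	AccessControls bool
	// Currently this flag is to gate actions from OSS clusters.
	//
	// Determining support for access request is currently determined by:
	//   1) Enterprise + [Features.IdentityGovernanceSecurity] == true, new flag
	//   introduced with Enterprise Usage Based (EUB) product.
	//   2) Enterprise + [Features.IsUsageBasedBilling] == false, legacy support
	//   where before EUB, it was unlimited.
	//
	// AdvancedAccessWorkflows is currently set to true for all
	// enterprise editions (team, cloud, on-prem). Historically, access request
	// was only available for enterprise cloud and enterprise on-prem.
	AdvancedAccessWorkflows bool
	// Cloud enables some cloud-related features
	Cloud bool
	// HSM enables PKCS#11 HSM support
	HSM bool
	// Desktop enables desktop access product
	Desktop bool
	// RecoveryCodes enables account recovery codes
	RecoveryCodes bool
	// Plugins enables hosted plugins
	Plugins bool
	// AutomaticUpgrades enables automatic upgrades of agents/services.
	AutomaticUpgrades bool
	// IsUsageBasedBilling enables some usage-based billing features
	IsUsageBasedBilling bool
	// Assist enables Assistant feature
	Assist bool
	// DeviceTrust holds its namesake feature settings.
	DeviceTrust DeviceTrustFeature
	// FeatureHiding enables hiding features from being discoverable for users who don't have the necessary permissions.
	// NOTE(review): this reads as a discoverability setting only; presumably
	// permission checks are enforced separately - confirm.
	FeatureHiding bool
	// AccessRequests holds its namesake feature settings.
	AccessRequests AccessRequestsFeature
	// CustomTheme holds the name of WebUI custom theme.
	CustomTheme string

	// AccessGraph enables the usage of access graph.
	// NOTE: this is a legacy flag that is currently used to signal
	// that Access Graph integration is *enabled* on a cluster.
	// *Access* to the feature is gated on the `Policy` flag.
	// TODO(justinas): remove this field once "TAG enabled" status is moved to a resource in the backend.
	AccessGraph bool
	// IdentityGovernanceSecurity indicates whether IGS related features are enabled:
	// access list, access request, access monitoring, device trust.
	IdentityGovernanceSecurity bool
	// AccessList holds its namesake feature settings.
	AccessList AccessListFeature
	// AccessMonitoring holds its namesake feature settings.
	AccessMonitoring AccessMonitoringFeature
	// ProductType describes the product being used.
	ProductType ProductType
	// Policy holds settings for the Teleport Policy feature set.
	// At the time of writing, this includes Teleport Access Graph (TAG).
	Policy PolicyFeature
}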
Features provides supported and unsupported features
func (Features) IGSEnabled ¶
type Modules ¶
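// Modules defines the interface that external libraries can implement to
// customize default teleport behavior.
type Modules interface {
	// PrintVersion prints teleport version
	PrintVersion()
	// IsBoringBinary checks if the binary was compiled with BoringCrypto.
	IsBoringBinary() bool
	// Features returns supported features
	Features() Features
	// SetFeatures set features queried from Cloud
	SetFeatures(Features)
	// BuildType returns build type (OSS or Enterprise)
	BuildType() string
	// AttestHardwareKey attests a hardware key and returns its associated private key policy.
	AttestHardwareKey(context.Context, interface{}, *keys.AttestationStatement, crypto.PublicKey, time.Duration) (*keys.AttestationData, error)
	// GenerateAccessRequestPromotions generates a list of valid promotions for given access request.
	GenerateAccessRequestPromotions(context.Context, AccessResourcesGetter, types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
	// GetSuggestedAccessLists returns access lists for the access request
	// identified by requestID.
	// NOTE(review): the original comment repeated the
	// GenerateAccessRequestPromotions text; confirm the intended wording.
	GetSuggestedAccessLists(ctx context.Context, identity *tlsca.Identity, clt AccessListSuggestionClient, accessListGetter AccessListGetter, requestID string) ([]*accesslist.AccessList, error)
	// EnableRecoveryCodes enables the usage of recovery codes for resetting forgotten passwords
	EnableRecoveryCodes()
	// EnablePlugins enables the hosted plugins runtime
	EnablePlugins()
	// EnableAccessGraph enables the usage of access graph.
	EnableAccessGraph()
	// EnableAccessMonitoring enables the usage of access monitoring.
	EnableAccessMonitoring()
}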
Modules defines the interface that external libraries can implement to customize default Teleport behavior.
type PolicyFeature ¶
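// PolicyFeature holds settings for the Teleport Policy feature set.
type PolicyFeature struct {
	// Enabled is set to `true` if Teleport Policy is enabled in the license.
	Enabled bool
}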
type ProductType ¶
// ProductType is the type of product. Its values are the ProductType*
// constants (ProductTypeUnknown, ProductTypeTeam, ProductTypeEUB).
type ProductType int32
ProductType is the type of product.
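const (
	// ProductTypeUnknown is the zero value of ProductType.
	ProductTypeUnknown ProductType = 0
	// ProductTypeTeam is the Teleport Team product.
	ProductTypeTeam ProductType = 1
	// ProductTypeEUB is Teleport Enterprise Usage Based product.
	ProductTypeEUB ProductType = 2
)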
type RoleGetter ¶
type TestModules ¶
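// TestModules implements the Modules interface for testing.
//
// Setting Test* fields will return those values from interface methods.
type TestModules struct {
	// TestBuildType is returned from the BuildType function.
	TestBuildType string
	// TestFeatures is returned from the Features function.
	TestFeatures Features

	// MockAttestationData is fake attestation data to return
	// during tests when hardware key support is enabled.
	// NOTE(review): presumably AttestHardwareKey returns this value without
	// verifying a real attestation statement, so TestModules should stay
	// confined to test code - confirm against the implementation.
	MockAttestationData *keys.AttestationData
	// contains filtered or unexported fields
}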
TestModules implements the Modules interface for testing.
Setting Test* fields will return those values from interface methods. IsBoringBinary and PrintVersion functions return the same values from default modules.
See SetTestModules for an example.
func (*TestModules) AttestHardwareKey ¶
func (m *TestModules) AttestHardwareKey(ctx context.Context, obj interface{}, as *keys.AttestationStatement, pk crypto.PublicKey, d time.Duration) (*keys.AttestationData, error)
AttestHardwareKey attests a hardware key.
func (*TestModules) BuildType ¶
func (m *TestModules) BuildType() string
BuildType returns build type (OSS or Enterprise).
func (*TestModules) EnableAccessGraph ¶
func (p *TestModules) EnableAccessGraph()
EnableAccessGraph enables the usage of access graph. This is a noop since OSS teleport does not support access graph.
func (*TestModules) EnableAccessMonitoring ¶
func (p *TestModules) EnableAccessMonitoring()
EnableAccessMonitoring enables the usage of access monitoring. This is a noop since OSS teleport does not support access monitoring.
func (*TestModules) EnablePlugins ¶
func (p *TestModules) EnablePlugins()
EnablePlugins enables hosted plugins runtime. This is a noop since OSS teleport does not support hosted plugins
func (*TestModules) EnableRecoveryCodes ¶
func (p *TestModules) EnableRecoveryCodes()
EnableRecoveryCodes enables recovery codes. This is a noop since OSS teleport does not support recovery codes
func (*TestModules) Features ¶
func (m *TestModules) Features() Features
Features returns supported features.
func (*TestModules) GenerateAccessRequestPromotions ¶
func (p *TestModules) GenerateAccessRequestPromotions(_ context.Context, _ AccessResourcesGetter, _ types.AccessRequest) (*types.AccessRequestAllowedPromotions, error)
GenerateAccessRequestPromotions is a noop since OSS teleport does not support generating access list promotions.
func (*TestModules) GetSuggestedAccessLists ¶
func (p *TestModules) GetSuggestedAccessLists(ctx context.Context, identity *tlsca.Identity, clt AccessListSuggestionClient, accessListGetter AccessListGetter, requestID string, ) ([]*accesslist.AccessList, error)
func (*TestModules) IsBoringBinary ¶
func (m *TestModules) IsBoringBinary() bool
IsBoringBinary checks if the binary was compiled with BoringCrypto.
func (*TestModules) PrintVersion ¶
func (m *TestModules) PrintVersion()
PrintVersion prints teleport version
func (*TestModules) SetFeatures ¶
func (p *TestModules) SetFeatures(f Features)
SetFeatures sets features queried from Cloud. This is a noop since OSS teleport does not support enterprise features