services

package
v4.2.1-rc.2+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 3, 2020 License: Apache-2.0 Imports: 49 Imported by: 0

Documentation

Overview

Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.

* Local services are implemented in local package * Package suite contains the set of acceptance tests for services

Package services implements API services exposed by Teleport: * presence service that takes care of heartbeats * web service that takes care of web logins * ca service - certificate authorities

Index

Constants

View Source
const (
	// RotationStateStandby is initial status of the rotation -
	// nothing is being rotated.
	RotationStateStandby = "standby"
	// RotationStateInProgress - that rotation is in progress.
	RotationStateInProgress = "in_progress"
	// RotationPhaseStandby is the initial phase of the rotation
	// it means no operations have started.
	RotationPhaseStandby = "standby"
	// RotationPhaseInit = is a phase of the rotation
	// when new certificate authoirty is issued, but not used
	// It is necessary for remote trusted clusters to fetch the
	// new certificate authority, otherwise the new clients
	// will reject it
	RotationPhaseInit = "init"
	// RotationPhaseUpdateClients is a phase of the rotation
	// when client credentials will have to be updated and reloaded
	// but servers will use and respond with old credentials
	// because clients have no idea about new credentials at first.
	RotationPhaseUpdateClients = "update_clients"
	// RotationPhaseUpdateServers is a phase of the rotation
	// when servers will have to reload and should start serving
	// TLS and SSH certificates signed by new CA.
	RotationPhaseUpdateServers = "update_servers"
	// RotationPhaseRollback means that rotation is rolling
	// back to the old certificate authority.
	RotationPhaseRollback = "rollback"
	// RotationModeManual is a manual rotation mode when all phases
	// are set by the operator.
	RotationModeManual = "manual"
	// RotationModeAuto is set to go through all phases by the schedule.
	RotationModeAuto = "auto"
)
View Source
const (
	// RecordAtNode is the default. Sessions are recorded at Teleport nodes.
	RecordAtNode string = "node"

	// RecordAtProxy enables the recording proxy which intercepts and records
	// all sessions.
	RecordAtProxy string = "proxy"

	// RecordOff is used to disable session recording completely.
	RecordOff string = "off"
)
View Source
const (
	// HostKeyCheckYes is the default. The proxy will check the host key of the
	// target node it connects to.
	HostKeyCheckYes string = "yes"

	// HostKeyCheckNo is used to disable host key checking. This is a insecure
	// settings which makes MITM possible with no indications, use with caution.
	HostKeyCheckNo string = "no"
)
View Source
const (
	// UserIdentifier represents user registered identifier in the rules
	UserIdentifier = "user"
	// ResourceIdentifier represents resource registered identifer in the rules
	ResourceIdentifier = "resource"
)
View Source
const (
	// DefaultAPIGroup is a default group of permissions API,
	// lets us to add different permission types
	DefaultAPIGroup = "gravitational.io/teleport"

	// ActionRead grants read access (get, list)
	ActionRead = "read"

	// ActionWrite allows to write (create, update, delete)
	ActionWrite = "write"

	// Wildcard is a special wildcard character matching everything
	Wildcard = "*"

	// KindNamespace is a namespace
	KindNamespace = "namespace"

	// KindUser is a user resource
	KindUser = "user"

	// KindKeyPair is a public/private key pair
	KindKeyPair = "key_pair"

	// KindHostCert is a host certificate
	KindHostCert = "host_cert"

	// KindLicense is a license resource
	KindLicense = "license"

	// KindRole is a role resource
	KindRole = "role"

	// KindAccessRequest is an AccessReqeust resource
	KindAccessRequest = "access_request"

	// KindOIDC is OIDC connector resource
	KindOIDC = "oidc"

	// KindSAML is SAML connector resource
	KindSAML = "saml"

	// KindGithub is Github connector resource
	KindGithub = "github"

	// KindOIDCRequest is OIDC auth request resource
	KindOIDCRequest = "oidc_request"

	// KindSAMLRequest is SAML auth request resource
	KindSAMLRequest = "saml_request"

	// KindGithubRequest is Github auth request resource
	KindGithubRequest = "github_request"

	// KindSession is a recorded SSH session.
	KindSession = "session"

	// KindSSHSession is an active SSH session.
	KindSSHSession = "ssh_session"

	// KindWebSession is a web session resource
	KindWebSession = "web_session"

	// KindEvent is structured audit logging event
	KindEvent = "event"

	// KindAuthServer is auth server resource
	KindAuthServer = "auth_server"

	// KindProxy is proxy resource
	KindProxy = "proxy"

	// KindNode is node resource
	KindNode = "node"

	// KindToken is a provisioning token resource
	KindToken = "token"

	// KindCertAuthority is a certificate authority resource
	KindCertAuthority = "cert_authority"

	// KindReverseTunnel is a reverse tunnel connection
	KindReverseTunnel = "tunnel"

	// KindOIDCConnector is a OIDC connector resource
	KindOIDCConnector = "oidc"

	// KindSAMLConnector is a SAML connector resource
	KindSAMLConnector = "saml"

	// KindGithubConnector is Github OAuth2 connector resource
	KindGithubConnector = "github"

	// KindConnectors is a shortcut for all authentication connector types.
	KindConnectors = "connectors"

	// KindClusterAuthPreference is the type of authentication for this cluster.
	KindClusterAuthPreference = "cluster_auth_preference"

	// MetaNameClusterAuthPreference is the type of authentication for this cluster.
	MetaNameClusterAuthPreference = "cluster-auth-preference"

	// KindClusterConfig is the resource that holds cluster level configuration.
	KindClusterConfig = "cluster_config"

	// MetaNameClusterConfig is the exact name of the cluster config singleton resource.
	MetaNameClusterConfig = "cluster-config"

	// KindClusterName is a type of configuration resource that contains the cluster name.
	KindClusterName = "cluster_name"

	// MetaNameClusterName is the name of a configuration resource for cluster name.
	MetaNameClusterName = "cluster-name"

	// KindStaticTokens is a type of configuration resource that contains static tokens.
	KindStaticTokens = "static_tokens"

	// MetaNameStaticTokens is the name of a configuration resource for static tokens.
	MetaNameStaticTokens = "static-tokens"

	// KindTrustedCluster is a resource that contains trusted cluster configuration.
	KindTrustedCluster = "trusted_cluster"

	// KindAuthConnector allows access to OIDC and SAML connectors.
	KindAuthConnector = "auth_connector"

	// KindTunnelConnection specifies connection of a reverse tunnel to proxy
	KindTunnelConnection = "tunnel_connection"

	// KindRemoteCluster represents remote cluster connected via reverse tunnel
	// to proxy
	KindRemoteCluster = "remote_cluster"

	// KindInviteToken is a local user invite token
	KindInviteToken = "invite_token"

	// KindIdentity is local on disk identity resource
	KindIdentity = "identity"

	// KindState is local on disk process state
	KindState = "state"

	// V3 is the third version of resources.
	V3 = "v3"

	// V2 is the second version of resources.
	V2 = "v2"

	// V1 is the first version of resources. Note: The first version was
	// not explicitly versioned.
	V1 = "v1"
)
View Source
const (
	// VerbList is used to list all objects. Does not imply the ability to read a single object.
	VerbList = "list"

	// VerbCreate is used to create an object.
	VerbCreate = "create"

	// VerbRead is used to read a single object.
	VerbRead = "read"

	// VerbReadNoSecrets is used to read a single object without secrets.
	VerbReadNoSecrets = "readnosecrets"

	// VerbUpdate is used to update an object.
	VerbUpdate = "update"

	// VerbDelete is used to remove an object.
	VerbDelete = "delete"

	// VerbRotate is used to rotate certificate authorities
	// used only internally
	VerbRotate = "rotate"
)
View Source
const (
	// Equal means two objects are equal
	Equal = iota
	// OnlyTimestampsDifferent is true when only timestamps are different
	OnlyTimestampsDifferent = iota
	// Differnt means that some fields are different
	Different = iota
)
View Source
const AccessRequestSpecSchema = `` /* 280-byte string literal not displayed */
View Source
const AuthPreferenceSpecSchemaTemplate = `` /* 421-byte string literal not displayed */
View Source
const CertAuthoritySpecV2Schema = `` /* 800-byte string literal not displayed */

CertAuthoritySpecV2Schema is JSON schema for cert authority V2

View Source
const CertRolesSchema = `` /* 207-byte string literal not displayed */

CertRolesSchema defines cert roles schema

View Source
const ClusterConfigSpecSchemaTemplate = `` /* 1194-byte string literal not displayed */

ClusterConfigSpecSchemaTemplate is a template for ClusterConfig schema.

View Source
const ClusterNameSpecSchemaTemplate = `` /* 131-byte string literal not displayed */

ClusterNameSpecSchemaTemplate is a template for ClusterName schema.

View Source
const CreatedBySchema = `` /* 486-byte string literal not displayed */
View Source
const DefaultDefinitions = ``

DefaultDefinitions the default list of JSON schema definitions which is none.

View Source
const ExternalIdentitySchema = `` /* 156-byte string literal not displayed */
View Source
const GithubConnectorV3SchemaTemplate = `` /* 252-byte string literal not displayed */

GithubConnectorV3SchemaTemplate is the JSON schema for a Github connector

View Source
const LicenseSpecV3Template = `` /* 334-byte string literal not displayed */

LicenseSpecV3Template is a template for V3 License JSON schema

View Source
const LocalAuthSecretsSchema = `` /* 507-byte string literal not displayed */

LocalAuthSecretsSchema is a JSON schema for LocalAuthSecrets

View Source
const LoginStatusSchema = `` /* 241-byte string literal not displayed */
View Source
const MetadataSchema = `` /* 489-byte string literal not displayed */

MetadataSchema is a schema for resource metadata

View Source
const NamespaceSchemaTemplate = `` /* 258-byte string literal not displayed */
View Source
const NamespaceSpecSchema = `{
  "type": "object",
  "additionalProperties": false,
  "default": {}
}`
View Source
const OIDCConnectorV2SchemaTemplate = `` /* 252-byte string literal not displayed */

OIDCConnectorV2SchemaTemplate is a template JSON Schema for user

View Source
const ProvisionTokenSpecV2Schema = `` /* 138-byte string literal not displayed */

ProvisionTokenSpecV2Schema is a JSON schema for provision token

View Source
const RemoteClusterV3SchemaTemplate = `` /* 246-byte string literal not displayed */

RemoteClusterSchemaTemplate is a template JSON Schema for V3 style objects

View Source
const RemoteClusterV3StatusSchema = `` /* 205-byte string literal not displayed */

RemoteClusterV3StatusSchema is a template for remote

View Source
const ReverseTunnelSpecV2Schema = `` /* 295-byte string literal not displayed */

ReverseTunnelSpecV2Schema is JSON schema for reverse tunnel spec

View Source
const RoleMapSchema = `` /* 265-byte string literal not displayed */

RoleMapSchema is a schema for role mappings of trusted clusters

View Source
const RoleSpecV2SchemaTemplate = `` /* 668-byte string literal not displayed */
View Source
const RoleSpecV3SchemaDefinitions = `` /* 1369-byte string literal not displayed */
View Source
const RoleSpecV3SchemaTemplate = `` /* 802-byte string literal not displayed */
View Source
const RotationSchema = `` /* 537-byte string literal not displayed */

RotationSchema is a JSON validation schema of the CA rotation state object.

View Source
const SAMLConnectorV2SchemaTemplate = `` /* 252-byte string literal not displayed */

SAMLConnectorV2SchemaTemplate is a template JSON Schema for user

View Source
const ServerSpecV2Schema = `` /* 851-byte string literal not displayed */

ServerSpecV2Schema is JSON schema for server

View Source
const StaticTokensSpecSchemaTemplate = `` /* 397-byte string literal not displayed */

StaticTokensSpecSchemaTemplate is a template for StaticTokens schema.

View Source
const TrustedClusterSpecSchemaTemplate = `` /* 344-byte string literal not displayed */

TrustedClusterSpecSchemaTemplate is a template for trusted cluster schema

View Source
const TunnelConnectionSpecV2Schema = `` /* 293-byte string literal not displayed */

TunnelConnectionSpecV2Schema is JSON schema for reverse tunnel spec

View Source
const UserSpecV2SchemaTemplate = `` /* 737-byte string literal not displayed */

UserSpecV2SchemaTemplate is JSON schema for V2 user

View Source
const V2SchemaTemplate = `` /* 290-byte string literal not displayed */

V2SchemaTemplate is a template JSON Schema for V2 style objects

View Source
const WebSessionSpecV2Schema = `` /* 415-byte string literal not displayed */

WebSessionSpecV2Schema is JSON schema for cert authority V2

Variables

View Source
var (
	// ResourceNameExpr is the identifer that specifies resource name.
	ResourceNameExpr = builder.Identifier("resource.metadata.name")
	// CertAuthorityTypeExpr is a function call that returns
	// cert authority type.
	CertAuthorityTypeExpr = builder.Identifier(`system.catype()`)
)
View Source
var (
	ErrInvalidLengthTypes = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowTypes   = fmt.Errorf("proto: integer overflow")
)

AdminUserRules provides access to the default set of rules assigned to all users.

View Source
var AttributeMappingSchema = fmt.Sprintf(`{
  "type": "object",
  "additionalProperties": false,
  "required": ["name", "value" ],
  "properties": {
    "name": {"type": "string"},
    "value": {"type": "string"},
    "roles": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "role_template": %v
  }
}`, GetRoleSchema(V2, ""))

AttribueMappingSchema is JSON schema for claim mapping

View Source
var ClaimMappingSchema = fmt.Sprintf(`{
  "type": "object",
  "additionalProperties": false,
  "required": ["claim", "value" ],
  "properties": {
    "claim": {"type": "string"},
    "value": {"type": "string"},
    "roles": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "role_template": %v
  }
}`, GetRoleSchema(V2, ""))

ClaimMappingSchema is JSON schema for claim mapping

DefaultCertAuthorityRules provides access the minimal set of resources needed for a certificate authority to function.

DefaultImplicitRules provides access to the default set of implicit rules assigned to all roles.

View Source
var GithubConnectorSpecV3Schema = fmt.Sprintf(`{
  "type": "object",
  "additionalProperties": false,
  "required": ["client_id", "client_secret", "redirect_url"],
  "properties": {
    "client_id": {"type": "string"},
    "client_secret": {"type": "string"},
    "redirect_url": {"type": "string"},
    "display": {"type": "string"},
    "teams_to_logins": {
      "type": "array",
      "items": %v
    }
  }
}`, TeamMappingSchema)

GithubConnectorSpecV3Schema is the JSON schema for Github connector spec

View Source
var OIDCConnectorSpecV2Schema = fmt.Sprintf(`{
  "type": "object",
  "additionalProperties": false,
  "required": ["issuer_url", "client_id", "client_secret", "redirect_url"],
  "properties": {
    "issuer_url": {"type": "string"},
    "client_id": {"type": "string"},
    "client_secret": {"type": "string"},
    "redirect_url": {"type": "string"},
    "acr_values": {"type": "string"},
    "provider": {"type": "string"},
    "display": {"type": "string"},
    "google_service_account_uri": {"type": "string"},
    "google_admin_email": {"type": "string"},
    "scope": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "claims_to_roles": {
      "type": "array",
      "items": %v
    }
  }
}`, ClaimMappingSchema)

OIDCConnectorSpecV2Schema is a JSON Schema for OIDC Connector

View Source
var RequestState_name = map[int32]string{
	0: "NONE",
	1: "PENDING",
	2: "APPROVED",
	3: "DENIED",
}
View Source
var RequestState_value = map[string]int32{
	"NONE":     0,
	"PENDING":  1,
	"APPROVED": 2,
	"DENIED":   3,
}

RotatePhases lists all supported rotation phases

View Source
var SAMLConnectorSpecV2Schema = fmt.Sprintf(`{
  "type": "object",
  "additionalProperties": false,
  "required": ["acs"],
  "properties": {
    "issuer": {"type": "string"},
    "sso": {"type": "string"},
    "cert": {"type": "string"},
    "provider": {"type": "string"},
    "display": {"type": "string"},
    "acs": {"type": "string"},
    "audience": {"type": "string"},
    "service_provider_issuer": {"type": "string"},
    "entity_descriptor": {"type": "string"},
    "entity_descriptor_url": {"type": "string"},
    "attributes_to_roles": {
      "type": "array",
      "items": %v
    },
    "signing_key_pair": %v
  }
}`, AttributeMappingSchema, SigningKeyPairSchema)

SAMLConnectorSpecV2Schema is a JSON Schema for SAML Connector

View Source
var SigningKeyPairSchema = `` /* 148-byte string literal not displayed */

SigningKeyPairSchema

View Source
var TeamMappingSchema = `` /* 392-byte string literal not displayed */

TeamMappingSchema is the JSON schema for team membership mapping

Functions

func BoolDefaultTrue

func BoolDefaultTrue(v *BoolOption) bool

BoolDefaultTrue returns true if v is not set (pointer is nil) otherwise returns real boolean value

func CertPool

func CertPool(ca CertAuthority) (*x509.CertPool, error)

CertPool returns certificate pools from TLS certificates set up in the certificate authority

func CertPoolFromCertAuthorities

func CertPoolFromCertAuthorities(cas []CertAuthority) (*x509.CertPool, error)

CertPoolFromCertAuthorities returns certificate pools from TLS certificates set up in the certificate authorities list

func CmdLabelMapsEqual

func CmdLabelMapsEqual(a, b map[string]CommandLabel) bool

CmdLabelMapsEqual compares two maps with command labels, returns true if label sets are equal

func CompareServers

func CompareServers(a, b Server) int

CompareServers returns difference between two server objects, Equal (0) if identical, OnlyTimestampsDifferent(1) if only timestamps differ, Different(2) otherwise

func ConvertV1CertAuthority

func ConvertV1CertAuthority(v1 *CertAuthorityV1) (CertAuthority, Role)

ConvertV1CertAuthority converts V1 cert authority for new CA and Role

func ExtractFromCertificate

func ExtractFromCertificate(access UserGetter, cert *ssh.Certificate) ([]string, wrappers.Traits, error)

ExtractFromCertificate will extract roles and traits from a *ssh.Certificate or from the backend if they do not exist in the certificate.

func ExtractFromIdentity

func ExtractFromIdentity(access UserGetter, identity *tlsca.Identity) ([]string, wrappers.Traits, error)

ExtractFromIdentity will extract roles and traits from the *x509.Certificate which Teleport passes along as a *tlsca.Identity. If roles and traits do not exist in the certificates, they are extracted from the backend.

func GetAccessRequestSchema

func GetAccessRequestSchema() string

func GetAttributeNames

func GetAttributeNames(attributes map[string]types.Attribute) []string

GetAttributeNames returns a list of claim names from the claim values

func GetAuthPreferenceSchema

func GetAuthPreferenceSchema(extensionSchema string) string

GetAuthPreferenceSchema returns the schema with optionally injected schema for extensions.

func GetCertAuthoritySchema

func GetCertAuthoritySchema() string

GetCertAuthoritySchema returns JSON Schema for cert authorities

func GetClaimNames

func GetClaimNames(claims jose.Claims) []string

GetClaimNames returns a list of claim names from the claim values

func GetClusterConfigSchema

func GetClusterConfigSchema(extensionSchema string) string

GetClusterConfigSchema returns the schema with optionally injected schema for extensions.

func GetClusterNameSchema

func GetClusterNameSchema(extensionSchema string) string

GetClusterNameSchema returns the schema with optionally injected schema for extensions.

func GetGithubConnectorSchema

func GetGithubConnectorSchema() string

GetGithubConnectorSchema returns schema for Github connector

func GetNamespaceSchema

func GetNamespaceSchema() string

GetNamespaceSchema returns namespace schema

func GetOIDCConnectorSchema

func GetOIDCConnectorSchema() string

GetOIDCConnectorSchema returns schema for OIDCConnector

func GetProvisionTokenSchema

func GetProvisionTokenSchema() string

GetProvisionTokenSchema returns provision token schema

func GetRemoteClusterSchema

func GetRemoteClusterSchema() string

GetRemoteClusterSchema returns the schema for remote cluster

func GetResourceMarshalerKinds

func GetResourceMarshalerKinds() []string

GetResourceMarshalerKinds lists all registered resource marshalers by kind.

func GetReverseTunnelSchema

func GetReverseTunnelSchema() string

GetReverseTunnelSchema returns role schema with optionally injected schema for extensions

func GetRoleSchema

func GetRoleSchema(version string, extensionSchema string) string

GetRoleSchema returns role schema for the version requested with optionally injected schema for extensions.

func GetSAMLConnectorSchema

func GetSAMLConnectorSchema() string

GetSAMLConnectorSchema returns schema for SAMLConnector

func GetServerSchema

func GetServerSchema() string

GetServerSchema returns role schema with optionally injected schema for extensions

func GetStaticTokensSchema

func GetStaticTokensSchema(extensionSchema string) string

GetStaticTokensSchema returns the schema with optionally injected schema for extensions.

func GetStringMapValue

func GetStringMapValue(mapVal, keyVal interface{}) (interface{}, error)

GetStringMapValue is a helper function that returns property from map[string]string or map[string][]string the function returns empty value in case if key not found In case if map is nil, returns empty value as well

func GetTrustedClusterSchema

func GetTrustedClusterSchema(extensionSchema string) string

GetTrustedClusterSchema returns the schema with optionally injected schema for extensions.

func GetTunnelConnectionSchema

func GetTunnelConnectionSchema() string

GetTunnelConnectionSchema returns role schema with optionally injected schema for extensions

func GetUserSchema

func GetUserSchema(extensionSchema string) string

GetRoleSchema returns role schema with optionally injected schema for extensions

func GetWebSessionSchema

func GetWebSessionSchema() string

GetWebSessionSchema returns JSON Schema for web session

func GetWebSessionSchemaWithExtensions

func GetWebSessionSchemaWithExtensions(extension string) string

GetWebSessionSchemaWithExtensions returns JSON Schema for web session with user-supplied extensions

func IsValidNamespace

func IsValidNamespace(s string) bool

func LabelsToV2

func LabelsToV2(labels map[string]CommandLabel) map[string]CommandLabelV2

LabelsToV2 converts labels from interface to V2 spec

func LastFailed

func LastFailed(x int, attempts []LoginAttempt) bool

LastFailed calculates last x successive attempts are failed

func MarshalCertRoles

func MarshalCertRoles(roles []string) (string, error)

MarshalCertRoles marshal roles list to OpenSSH

func MarshalLicense

func MarshalLicense(license License, opts ...MarshalOption) ([]byte, error)

MarshalLicense marshals role to JSON or YAML.

func MarshalNamespace

func MarshalNamespace(resource Namespace, opts ...MarshalOption) ([]byte, error)

MarshalNamespace marshals namespace to JSON

func MarshalProvisionToken

func MarshalProvisionToken(t ProvisionToken, opts ...MarshalOption) ([]byte, error)

MarshalProvisionToken marshals provisioning token into JSON.

func MarshalRemoteCluster

func MarshalRemoteCluster(c RemoteCluster, opts ...MarshalOption) ([]byte, error)

MarshalRemoteCluster marshals remote cluster to JSON.

func MarshalResource

func MarshalResource(resource Resource, opts ...MarshalOption) ([]byte, error)

MarshalResource attempts to marshal a resource dynamically, returning NotImplementedError if no marshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

func MarshalTunnelConnection

func MarshalTunnelConnection(rt TunnelConnection, opts ...MarshalOption) ([]byte, error)

MarshalTunnelConnection marshals tunnel connection

func MatchLabels

func MatchLabels(selector Labels, target map[string]string) (bool, string, error)

MatchLabels matches selector against target. Empty selector matches nothing, wildcard matches everything.

func MatchLogin

func MatchLogin(selectors []string, login string) (bool, string)

MatchLogin returns true if attempted login matches any of the logins.

func MatchNamespace

func MatchNamespace(selectors []string, namespace string) (bool, string)

MatchNamespace returns true if given list of namespace matches target namespace, wildcard matches everything.

func NewActionsParser

func NewActionsParser(ctx RuleContext) (predicate.Parser, error)

NewActionsParser returns standard parser for 'actions' section in access rules

func NewLogActionFn

func NewLogActionFn(ctx RuleContext) interface{}

NewLogActionFn creates logger functions

func NewWhereParser

func NewWhereParser(ctx RuleContext) (predicate.Parser, error)

NewWhereParser returns standard parser for `where` section in access rules.

func ParseShortcut

func ParseShortcut(in string) (string, error)

ParseShortcut parses resource shortcut

func ProcessNamespace

func ProcessNamespace(namespace string) string

ProcessNamespace sets default namespace in case if namespace is empty

func RO

func RO() []string

RO is a shortcut that returns read only verbs that provide access to secrets.

func RW

func RW() []string

RW is a shortcut that returns all verbs.

func ReadNoSecrets

func ReadNoSecrets() []string

ReadNoSecrets is a shortcut that returns read only verbs that do not provide access to secrets.

func RegisterResourceMarshaler

func RegisterResourceMarshaler(kind string, marshaler ResourceMarshaler)

RegisterResourceMarshaler registers a marshaler for resources of a specific kind.

func RegisterResourceUnmarshaler

func RegisterResourceUnmarshaler(kind string, unmarshaler ResourceUnmarshaler)

RegisterResourceUnmarshaler registers an unmarshaler for resources of a specific kind.

func RemoveCASecrets

func RemoveCASecrets(ca CertAuthority)

RemoveCASecrets removes secret values and keys from the certificate authority

func RoleNameForCertAuthority

func RoleNameForCertAuthority(name string) string

RoleNameForCertAuthority returns role name associated with a certificate authority.

func RoleNameForUser

func RoleNameForUser(name string) string

RoleNameForUser returns role name associated with a user.

func RuleSlicesEqual

func RuleSlicesEqual(a, b []Rule) bool

RuleSlicesEqual returns true if two rule slices are equal

func SetActionsParserFn

func SetActionsParserFn(fn NewParserFn)

SetActionsParserFn sets global function that creates actions parsers this function is used in external tools to override and extend actions in rules

func SetAuthPreferenceMarshaler

func SetAuthPreferenceMarshaler(m AuthPreferenceMarshaler)

func SetCertAuthorityMarshaler

func SetCertAuthorityMarshaler(u CertAuthorityMarshaler)

SetCertAuthorityMarshaler sets global user marshaler

func SetClusterConfigMarshaler

func SetClusterConfigMarshaler(m ClusterConfigMarshaler)

SetClusterConfigMarshaler sets the marshaler.

func SetClusterNameMarshaler

func SetClusterNameMarshaler(m ClusterNameMarshaler)

SetClusterNameMarshaler sets the marshaler.

func SetGithubConnectorMarshaler

func SetGithubConnectorMarshaler(m GithubConnectorMarshaler)

SetGithubConnectorMarshaler sets Github connector marshaler

func SetOIDCConnectorMarshaler

func SetOIDCConnectorMarshaler(m OIDCConnectorMarshaler)

SetOIDCConnectorMarshaler sets global user marshaler

func SetReerseTunnelMarshaler

func SetReerseTunnelMarshaler(m ReverseTunnelMarshaler)

func SetRoleMarshaler

func SetRoleMarshaler(m RoleMarshaler)

func SetSAMLConnectorMarshaler

func SetSAMLConnectorMarshaler(m SAMLConnectorMarshaler)

SetSAMLConnectorMarshaler sets global user marshaler

func SetServerMarshaler

func SetServerMarshaler(m ServerMarshaler)

func SetStaticTokensMarshaler

func SetStaticTokensMarshaler(m StaticTokensMarshaler)

SetStaticTokensMarshaler sets the marshaler.

func SetTrustedClusterMarshaler

func SetTrustedClusterMarshaler(m TrustedClusterMarshaler)

func SetUserMarshaler

func SetUserMarshaler(u UserMarshaler)

SetUserMarshaler sets global user marshaler

func SetWebSessionMarshaler

func SetWebSessionMarshaler(u WebSessionMarshaler)

SetWebSessionMarshaler sets global user marshaler

func SetWhereParserFn

func SetWhereParserFn(fn NewParserFn)

SetWhereParserFn sets global function that creates where parsers this function is used in external tools to override and extend 'where' in rules

func TLSCerts

func TLSCerts(ca CertAuthority) [][]byte

TLSCerts returns TLS certificates from CA

func TunnelConnectionStatus

func TunnelConnectionStatus(clock clockwork.Clock, conn TunnelConnection, offlineThreshold time.Duration) string

TunnelConnectionStatus returns tunnel connection status based on the last heartbeat time recorded for a connection

func UnmarshalCertRoles

func UnmarshalCertRoles(data string) ([]string, error)

UnmarshalCertRoles marshals roles list to OpenSSH

func ValidateAccessRequest

func ValidateAccessRequest(getter UserAndRoleGetter, req AccessRequest) error

func VerifyPassword added in v1.0.0

func VerifyPassword(password []byte) error

VerifyPassword makes sure password satisfies our requirements (relaxed), mostly to avoid putting garbage in

Types

type Access

type Access interface {
	// GetRoles returns a list of roles
	GetRoles() ([]Role, error)

	// CreateRole creates a role
	CreateRole(role Role) error

	// UpsertRole creates or updates role
	UpsertRole(role Role) error

	// DeleteAllRoles deletes all roles
	DeleteAllRoles() error

	// GetRole returns role by name
	GetRole(name string) (Role, error)

	// DeleteRole deletes role by name
	DeleteRole(name string) error
}

Access service manages roles and permissions

type AccessChecker

type AccessChecker interface {
	// HasRole checks if the checker includes the role
	HasRole(role string) bool

	// RoleNames returns a list of role names
	RoleNames() []string

	// CheckAccessToServer checks access to server.
	CheckAccessToServer(login string, server Server) error

	// CheckAccessToRule checks access to a rule within a namespace.
	CheckAccessToRule(context RuleContext, namespace string, rule string, verb string, silent bool) error

	// CheckLoginDuration checks if role set can login up to given duration and
	// returns a combined list of allowed logins.
	CheckLoginDuration(ttl time.Duration) ([]string, error)

	// CheckKubeGroups check if role can login into kubernetes
	// and returns a combined list of allowed groups
	CheckKubeGroups(ttl time.Duration) ([]string, error)

	// AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL
	// for this role set, otherwise it returns ttl unchanged
	AdjustSessionTTL(ttl time.Duration) time.Duration

	// AdjustClientIdleTimeout adjusts requested idle timeout
	// to the lowest max allowed timeout, the most restrictive
	// option will be picked
	AdjustClientIdleTimeout(ttl time.Duration) time.Duration

	// AdjustDisconnectExpiredCert adjusts the value based on the role set
	// the most restrictive option will be picked
	AdjustDisconnectExpiredCert(disconnect bool) bool

	// CheckAgentForward checks if the role can request agent forward for this
	// user.
	CheckAgentForward(login string) error

	// CanForwardAgents returns true if this role set offers capability to forward
	// agents.
	CanForwardAgents() bool

	// CanPortForward returns true if this RoleSet can forward ports.
	CanPortForward() bool

	// CertificateFormat returns the most permissive certificate format in a
	// RoleSet.
	CertificateFormat() string

	// EnhancedRecordingSet returns a set of events that will be recorded
	// for enhanced session recording.
	EnhancedRecordingSet() map[string]bool
}

AccessChecker interface implements access checks for given role or role set

type AccessRequest

type AccessRequest interface {
	Resource
	// GetUser gets the name of the requesting user
	GetUser() string
	// GetRoles gets the roles being requested by the user
	GetRoles() []string
	// GetState gets the current state of the request
	GetState() RequestState
	// SetState sets the approval state of the request
	SetState(RequestState) error
	// GetCreationTime gets the time at which the request was
	// originally registered with the auth server.
	GetCreationTime() time.Time
	// SetCreationTime sets the creation time of the request.
	SetCreationTime(time.Time)
	// GetAccessExpiry gets the upper limit for which this request
	// may be considered active.
	GetAccessExpiry() time.Time
	// SetAccessExpiry sets the upper limit for which this request
	// may be considered active.
	SetAccessExpiry(time.Time)
	// CheckAndSetDefaults validates the access request and
	// supplies default values where appropriate.
	CheckAndSetDefaults() error
	// Equals checks equality between access request values.
	Equals(AccessRequest) bool
}

AccessRequest is a request for temporarily granted roles

func GetAccessRequest

func GetAccessRequest(ctx context.Context, acc DynamicAccess, reqID string) (AccessRequest, error)

GetAccessRequest is a helper function assists with loading a specific request by ID.

func NewAccessRequest

func NewAccessRequest(user string, roles ...string) (AccessRequest, error)

NewAccessRequest assembled an AccessReqeust resource.

type AccessRequestConditions

type AccessRequestConditions struct {
	// Roles is the name of roles which will match the request rule.
	Roles                []string `protobuf:"bytes,1,rep,name=Roles" json:"roles,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

AccessRequestConditions is a matcher for allow/deny restrictions on access-requests.

func (*AccessRequestConditions) Descriptor

func (*AccessRequestConditions) Descriptor() ([]byte, []int)

func (*AccessRequestConditions) Marshal

func (m *AccessRequestConditions) Marshal() (dAtA []byte, err error)

func (*AccessRequestConditions) MarshalTo

func (m *AccessRequestConditions) MarshalTo(dAtA []byte) (int, error)

func (*AccessRequestConditions) ProtoMessage

func (*AccessRequestConditions) ProtoMessage()

func (*AccessRequestConditions) Reset

func (m *AccessRequestConditions) Reset()

func (*AccessRequestConditions) Size

func (m *AccessRequestConditions) Size() (n int)

func (*AccessRequestConditions) String

func (m *AccessRequestConditions) String() string

func (*AccessRequestConditions) Unmarshal

func (m *AccessRequestConditions) Unmarshal(dAtA []byte) error

func (*AccessRequestConditions) XXX_DiscardUnknown

func (m *AccessRequestConditions) XXX_DiscardUnknown()

func (*AccessRequestConditions) XXX_Marshal

func (m *AccessRequestConditions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AccessRequestConditions) XXX_Merge

func (dst *AccessRequestConditions) XXX_Merge(src proto.Message)

func (*AccessRequestConditions) XXX_Size

func (m *AccessRequestConditions) XXX_Size() int

func (*AccessRequestConditions) XXX_Unmarshal

func (m *AccessRequestConditions) XXX_Unmarshal(b []byte) error

type AccessRequestFilter

type AccessRequestFilter struct {
	// ID specifies a request ID if set.
	ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"id"`
	// User specifies a username if set.
	User string `protobuf:"bytes,2,opt,name=User,proto3" json:"user"`
	// RequestState filters for requests in a specific state.
	State                RequestState `protobuf:"varint,3,opt,name=State,proto3,enum=services.RequestState" json:"state"`
	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
	XXX_unrecognized     []byte       `json:"-"`
	XXX_sizecache        int32        `json:"-"`
}

AccessRequestFilter encodes filter params for access requests.

func (*AccessRequestFilter) Descriptor

func (*AccessRequestFilter) Descriptor() ([]byte, []int)

func (*AccessRequestFilter) Equals

func (*AccessRequestFilter) FromMap

func (f *AccessRequestFilter) FromMap(m map[string]string) error

func (*AccessRequestFilter) IntoMap

func (f *AccessRequestFilter) IntoMap() map[string]string

func (*AccessRequestFilter) Marshal

func (m *AccessRequestFilter) Marshal() (dAtA []byte, err error)

func (*AccessRequestFilter) MarshalTo

func (m *AccessRequestFilter) MarshalTo(dAtA []byte) (int, error)

func (*AccessRequestFilter) Match

func (f *AccessRequestFilter) Match(req AccessRequest) bool

Match checks if a given access request matches this filter.

func (*AccessRequestFilter) ProtoMessage

func (*AccessRequestFilter) ProtoMessage()

func (*AccessRequestFilter) Reset

func (m *AccessRequestFilter) Reset()

func (*AccessRequestFilter) Size

func (m *AccessRequestFilter) Size() (n int)

func (*AccessRequestFilter) String

func (m *AccessRequestFilter) String() string

func (*AccessRequestFilter) Unmarshal

func (m *AccessRequestFilter) Unmarshal(dAtA []byte) error

func (*AccessRequestFilter) XXX_DiscardUnknown

func (m *AccessRequestFilter) XXX_DiscardUnknown()

func (*AccessRequestFilter) XXX_Marshal

func (m *AccessRequestFilter) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AccessRequestFilter) XXX_Merge

func (dst *AccessRequestFilter) XXX_Merge(src proto.Message)

func (*AccessRequestFilter) XXX_Size

func (m *AccessRequestFilter) XXX_Size() int

func (*AccessRequestFilter) XXX_Unmarshal

func (m *AccessRequestFilter) XXX_Unmarshal(b []byte) error

type AccessRequestMarshaler

type AccessRequestMarshaler interface {
	MarshalAccessRequest(req AccessRequest, opts ...MarshalOption) ([]byte, error)
	UnmarshalAccessRequest(bytes []byte, opts ...MarshalOption) (AccessRequest, error)
}

func GetAccessRequestMarshaler

func GetAccessRequestMarshaler() AccessRequestMarshaler

type AccessRequestSpecV3

type AccessRequestSpecV3 struct {
	// User is the name of the user to whom the roles will be applied.
	User string `protobuf:"bytes,1,opt,name=User,proto3" json:"user"`
	// Roles is the name of the roles being requested.
	Roles []string `protobuf:"bytes,2,rep,name=Roles" json:"roles"`
	// State is the current state of this access request.
	State RequestState `protobuf:"varint,3,opt,name=State,proto3,enum=services.RequestState" json:"state,omitempty"`
	// Created encodes the time at which the request was registered with the auth server.
	Created time.Time `protobuf:"bytes,4,opt,name=Created,stdtime" json:"created,omitempty"`
	// Expires constrains the maximum lifetime of any login session for which this request is active.
	Expires              time.Time `protobuf:"bytes,5,opt,name=Expires,stdtime" json:"expires,omitempty"`
	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
	XXX_unrecognized     []byte    `json:"-"`
	XXX_sizecache        int32     `json:"-"`
}

AccessRequestSpec is the specification for AccessRequest

func (*AccessRequestSpecV3) Descriptor

func (*AccessRequestSpecV3) Descriptor() ([]byte, []int)

func (*AccessRequestSpecV3) Equals

func (s *AccessRequestSpecV3) Equals(other *AccessRequestSpecV3) bool

func (*AccessRequestSpecV3) Marshal

func (m *AccessRequestSpecV3) Marshal() (dAtA []byte, err error)

func (*AccessRequestSpecV3) MarshalTo

func (m *AccessRequestSpecV3) MarshalTo(dAtA []byte) (int, error)

func (*AccessRequestSpecV3) ProtoMessage

func (*AccessRequestSpecV3) ProtoMessage()

func (*AccessRequestSpecV3) Reset

func (m *AccessRequestSpecV3) Reset()

func (*AccessRequestSpecV3) Size

func (m *AccessRequestSpecV3) Size() (n int)

func (*AccessRequestSpecV3) String

func (m *AccessRequestSpecV3) String() string

func (*AccessRequestSpecV3) Unmarshal

func (m *AccessRequestSpecV3) Unmarshal(dAtA []byte) error

func (*AccessRequestSpecV3) XXX_DiscardUnknown

func (m *AccessRequestSpecV3) XXX_DiscardUnknown()

func (*AccessRequestSpecV3) XXX_Marshal

func (m *AccessRequestSpecV3) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AccessRequestSpecV3) XXX_Merge

func (dst *AccessRequestSpecV3) XXX_Merge(src proto.Message)

func (*AccessRequestSpecV3) XXX_Size

func (m *AccessRequestSpecV3) XXX_Size() int

func (*AccessRequestSpecV3) XXX_Unmarshal

func (m *AccessRequestSpecV3) XXX_Unmarshal(b []byte) error

type AccessRequestV3

type AccessRequestV3 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is AccessRequest metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is an AccessReqeust specification
	Spec                 AccessRequestSpecV3 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
	XXX_unrecognized     []byte              `json:"-"`
	XXX_sizecache        int32               `json:"-"`
}

AccessRequest represents an access request resource specification

func (*AccessRequestV3) Check

func (r *AccessRequestV3) Check() error

func (*AccessRequestV3) CheckAndSetDefaults

func (r *AccessRequestV3) CheckAndSetDefaults() error

func (*AccessRequestV3) Descriptor

func (*AccessRequestV3) Descriptor() ([]byte, []int)

func (*AccessRequestV3) Equals

func (r *AccessRequestV3) Equals(other AccessRequest) bool

func (*AccessRequestV3) Expiry

func (r *AccessRequestV3) Expiry() time.Time

func (*AccessRequestV3) GetAccessExpiry

func (r *AccessRequestV3) GetAccessExpiry() time.Time

func (*AccessRequestV3) GetCreationTime

func (r *AccessRequestV3) GetCreationTime() time.Time

func (*AccessRequestV3) GetKind

func (r *AccessRequestV3) GetKind() string

func (*AccessRequestV3) GetMetadata

func (r *AccessRequestV3) GetMetadata() Metadata

func (*AccessRequestV3) GetName

func (r *AccessRequestV3) GetName() string

func (*AccessRequestV3) GetResourceID

func (r *AccessRequestV3) GetResourceID() int64

func (*AccessRequestV3) GetRoles

func (r *AccessRequestV3) GetRoles() []string

func (*AccessRequestV3) GetState

func (r *AccessRequestV3) GetState() RequestState

func (*AccessRequestV3) GetSubKind

func (r *AccessRequestV3) GetSubKind() string

func (*AccessRequestV3) GetUser

func (r *AccessRequestV3) GetUser() string

func (*AccessRequestV3) GetVersion

func (r *AccessRequestV3) GetVersion() string

func (*AccessRequestV3) Marshal

func (m *AccessRequestV3) Marshal() (dAtA []byte, err error)

func (*AccessRequestV3) MarshalTo

func (m *AccessRequestV3) MarshalTo(dAtA []byte) (int, error)

func (*AccessRequestV3) ProtoMessage

func (*AccessRequestV3) ProtoMessage()

func (*AccessRequestV3) Reset

func (m *AccessRequestV3) Reset()

func (*AccessRequestV3) SetAccessExpiry

func (r *AccessRequestV3) SetAccessExpiry(expiry time.Time)

func (*AccessRequestV3) SetCreationTime

func (r *AccessRequestV3) SetCreationTime(t time.Time)

func (*AccessRequestV3) SetExpiry

func (r *AccessRequestV3) SetExpiry(expiry time.Time)

func (*AccessRequestV3) SetName

func (r *AccessRequestV3) SetName(name string)

func (*AccessRequestV3) SetResourceID

func (r *AccessRequestV3) SetResourceID(id int64)

func (*AccessRequestV3) SetState

func (r *AccessRequestV3) SetState(state RequestState) error

func (*AccessRequestV3) SetSubKind

func (r *AccessRequestV3) SetSubKind(subKind string)

func (*AccessRequestV3) SetTTL

func (r *AccessRequestV3) SetTTL(clock clockwork.Clock, ttl time.Duration)

func (*AccessRequestV3) Size

func (m *AccessRequestV3) Size() (n int)

func (*AccessRequestV3) String

func (r *AccessRequestV3) String() string

func (*AccessRequestV3) Unmarshal

func (m *AccessRequestV3) Unmarshal(dAtA []byte) error

func (*AccessRequestV3) XXX_DiscardUnknown

func (m *AccessRequestV3) XXX_DiscardUnknown()

func (*AccessRequestV3) XXX_Marshal

func (m *AccessRequestV3) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AccessRequestV3) XXX_Merge

func (dst *AccessRequestV3) XXX_Merge(src proto.Message)

func (*AccessRequestV3) XXX_Size

func (m *AccessRequestV3) XXX_Size() int

func (*AccessRequestV3) XXX_Unmarshal

func (m *AccessRequestV3) XXX_Unmarshal(b []byte) error

type AttributeMapping

type AttributeMapping struct {
	// Name is attribute statement name
	Name string `json:"name"`
	// Value is attribute statement value to match
	Value string `json:"value"`
	// Roles is a list of teleport roles to map to
	Roles []string `json:"roles,omitempty"`
	// RoleTemplate is a template for a role that will be filled
	// with data from claims.
	RoleTemplate *RoleV2 `json:"role_template,omitempty"`
}

AttributeMapping is SAML Attribute statement mapping from SAML attribute statements to roles

type AuditConfig

type AuditConfig struct {
	// Type is audit backend type
	Type string `protobuf:"bytes,1,opt,name=Type,proto3" json:"type,omitempty"`
	// Region is a region setting for audit sessions used by cloud providers
	Region string `protobuf:"bytes,2,opt,name=Region,proto3" json:"region,omitempty"`
	// AuditSessionsURI is a parameter where to upload sessions
	AuditSessionsURI string `protobuf:"bytes,3,opt,name=AuditSessionsURI,proto3" json:"audit_sessions_uri,omitempty"`
	// AuditEventsURI is a parameter with all supported outputs
	// for audit events
	AuditEventsURI github_com_gravitational_teleport_lib_wrappers.Strings `` /* 142-byte string literal not displayed */
	// AuditTableName is a DB table name used for audits
	// Deprecated in favor of AuditEventsURI
	// DELETE IN (3.1.0)
	AuditTableName       string   `protobuf:"bytes,5,opt,name=AuditTableName,proto3" json:"audit_table_name,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

AuditConfig represents audit log settings in the cluster

func AuditConfigFromObject

func AuditConfigFromObject(in interface{}) (*AuditConfig, error)

AuditConfigFromObject returns audit config from interface object

func (*AuditConfig) Descriptor

func (*AuditConfig) Descriptor() ([]byte, []int)

func (*AuditConfig) Marshal

func (m *AuditConfig) Marshal() (dAtA []byte, err error)

func (*AuditConfig) MarshalTo

func (m *AuditConfig) MarshalTo(dAtA []byte) (int, error)

func (*AuditConfig) ProtoMessage

func (*AuditConfig) ProtoMessage()

func (*AuditConfig) Reset

func (m *AuditConfig) Reset()

func (AuditConfig) ShouldUploadSessions

func (a AuditConfig) ShouldUploadSessions() bool

ShouldUploadSessions returns whether audit config instructs server to upload sessions

func (*AuditConfig) Size

func (m *AuditConfig) Size() (n int)

func (*AuditConfig) String

func (m *AuditConfig) String() string

func (*AuditConfig) Unmarshal

func (m *AuditConfig) Unmarshal(dAtA []byte) error

func (*AuditConfig) XXX_DiscardUnknown

func (m *AuditConfig) XXX_DiscardUnknown()

func (*AuditConfig) XXX_Marshal

func (m *AuditConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*AuditConfig) XXX_Merge

func (dst *AuditConfig) XXX_Merge(src proto.Message)

func (*AuditConfig) XXX_Size

func (m *AuditConfig) XXX_Size() int

func (*AuditConfig) XXX_Unmarshal

func (m *AuditConfig) XXX_Unmarshal(b []byte) error

type AuthPreference

type AuthPreference interface {
	// Expiry returns object expiry setting
	Expiry() time.Time
	// SetExpiry sets object expiry
	SetExpiry(time.Time)

	// GetResourceID returns resource ID
	GetResourceID() int64
	// SetResourceID sets resource ID
	SetResourceID(int64)

	// GetType gets the type of authentication: local, saml, or oidc.
	GetType() string
	// SetType sets the type of authentication: local, saml, or oidc.
	SetType(string)

	// GetSecondFactor gets the type of second factor: off, otp or u2f.
	GetSecondFactor() string
	// SetSecondFactor sets the type of second factor: off, otp, or u2f.
	SetSecondFactor(string)

	// GetConnectorName gets the name of the OIDC or SAML connector to use. If
	// this value is empty, we fall back to the first connector in the backend.
	GetConnectorName() string
	// GetConnectorName sets the name of the OIDC or SAML connector to use. If
	// this value is empty, we fall back to the first connector in the backend.
	SetConnectorName(string)

	// GetU2F gets the U2F configuration settings.
	GetU2F() (*U2F, error)
	// SetU2F sets the U2F configuration settings.
	SetU2F(*U2F)

	// CheckAndSetDefaults sets and default values and then
	// verifies the constraints for AuthPreference.
	CheckAndSetDefaults() error

	// String represents a human readable version of authentication settings.
	String() string
}

AuthPreference defines the authentication preferences for a specific cluster. It defines the type (local, oidc) and second factor (off, otp, oidc). AuthPreference is a configuration resource, never create more than one instance of it.

func NewAuthPreference

func NewAuthPreference(spec AuthPreferenceSpecV2) (AuthPreference, error)

NewAuthPreference is a convenience method to to create AuthPreferenceV2.

type AuthPreferenceMarshaler

type AuthPreferenceMarshaler interface {
	Marshal(c AuthPreference, opts ...MarshalOption) ([]byte, error)
	Unmarshal(bytes []byte, opts ...MarshalOption) (AuthPreference, error)
}

AuthPreferenceMarshaler implements marshal/unmarshal of AuthPreference implementations mostly adds support for extended versions.

func GetAuthPreferenceMarshaler

func GetAuthPreferenceMarshaler() AuthPreferenceMarshaler

type AuthPreferenceSpecV2

type AuthPreferenceSpecV2 struct {
	// Type is the type of authentication.
	Type string `json:"type"`

	// SecondFactor is the type of second factor.
	SecondFactor string `json:"second_factor,omitempty"`

	// ConnectorName is the name of the OIDC or SAML connector. If this value is
	// not set the first connector in the backend will be used.
	ConnectorName string `json:"connector_name,omitempty"`

	// U2F are the settings for the U2F device.
	U2F *U2F `json:"u2f,omitempty"`
}

AuthPreferenceSpecV2 is the actual data we care about for AuthPreferenceV2.

type AuthPreferenceV2

type AuthPreferenceV2 struct {
	// Kind is a resource kind - always resource.
	Kind string `json:"kind"`

	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`

	// Version is a resource version.
	Version string `json:"version"`

	// Metadata is metadata about the resource.
	Metadata Metadata `json:"metadata"`

	// Spec is the specification of the resource.
	Spec AuthPreferenceSpecV2 `json:"spec"`
}

AuthPreferenceV2 implements AuthPreference.

func (*AuthPreferenceV2) CheckAndSetDefaults

func (c *AuthPreferenceV2) CheckAndSetDefaults() error

CheckAndSetDefaults verifies the constraints for AuthPreference.

func (*AuthPreferenceV2) Expiry

func (s *AuthPreferenceV2) Expiry() time.Time

Expirey returns object expiry setting

func (*AuthPreferenceV2) GetConnectorName

func (c *AuthPreferenceV2) GetConnectorName() string

GetConnectorName gets the name of the OIDC or SAML connector to use. If this value is empty, we fall back to the first connector in the backend.

func (*AuthPreferenceV2) GetKind

func (c *AuthPreferenceV2) GetKind() string

GetKind returns resource kind

func (*AuthPreferenceV2) GetResourceID

func (c *AuthPreferenceV2) GetResourceID() int64

GetResourceID returns resource ID

func (*AuthPreferenceV2) GetSecondFactor

func (c *AuthPreferenceV2) GetSecondFactor() string

GetSecondFactor returns the type of second factor.

func (*AuthPreferenceV2) GetSubKind

func (c *AuthPreferenceV2) GetSubKind() string

GetSubKind returns resource subkind

func (*AuthPreferenceV2) GetType

func (c *AuthPreferenceV2) GetType() string

GetType returns the type of authentication.

func (*AuthPreferenceV2) GetU2F

func (c *AuthPreferenceV2) GetU2F() (*U2F, error)

GetU2F gets the U2F configuration settings.

func (*AuthPreferenceV2) SetConnectorName

func (c *AuthPreferenceV2) SetConnectorName(cn string)

GetConnectorName sets the name of the OIDC or SAML connector to use. If this value is empty, we fall back to the first connector in the backend.

func (*AuthPreferenceV2) SetExpiry

func (s *AuthPreferenceV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*AuthPreferenceV2) SetResourceID

func (c *AuthPreferenceV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*AuthPreferenceV2) SetSecondFactor

func (c *AuthPreferenceV2) SetSecondFactor(s string)

SetSecondFactor sets the type of second factor.

func (*AuthPreferenceV2) SetSubKind

func (c *AuthPreferenceV2) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*AuthPreferenceV2) SetType

func (c *AuthPreferenceV2) SetType(s string)

SetType sets the type of authentication.

func (*AuthPreferenceV2) SetU2F

func (c *AuthPreferenceV2) SetU2F(u2f *U2F)

SetU2F sets the U2F configuration settings.

func (*AuthPreferenceV2) String

func (c *AuthPreferenceV2) String() string

String represents a human readable version of authentication settings.

type Bool

type Bool bool

Bool is a wrapper around boolean values

func NewBool

func NewBool(b bool) Bool

NewBool returns Bool struct based on bool value

func (Bool) MarshalJSON

func (b Bool) MarshalJSON() ([]byte, error)

MarshalJSON marshals boolean value.

func (Bool) MarshalYAML

func (b Bool) MarshalYAML() (interface{}, error)

MarshalYAML marshals bool into yaml value

func (*Bool) UnmarshalJSON

func (b *Bool) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals JSON from string or bool, in case if value is missing or not recognized, defaults to false

func (*Bool) UnmarshalYAML

func (b *Bool) UnmarshalYAML(unmarshal func(interface{}) error) error

func (Bool) Value

func (b Bool) Value() bool

Value returns boolean value of the wrapper

type BoolOption

type BoolOption struct {
	// Value is a value of the option
	Value bool
}

BoolOption is a wrapper around bool that can take multiple values: * true, false and non-set (when pointer is nil) and can marshal itself to protobuf equivalent BoolValue

func NewBoolOption

func NewBoolOption(b bool) *BoolOption

NewBoolOption returns Bool struct based on bool value

func (BoolOption) Marshal

func (b BoolOption) Marshal() ([]byte, error)

Marshal marshals value into protobuf representation

func (BoolOption) MarshalJSON

func (b BoolOption) MarshalJSON() ([]byte, error)

MarshalJSON marshals boolean value.

func (BoolOption) MarshalTo

func (b BoolOption) MarshalTo(data []byte) (int, error)

MarshalTo marshals value to the slice

func (*BoolOption) MarshalYAML

func (b *BoolOption) MarshalYAML() (interface{}, error)

MarshalYAML marshals bool into yaml value

func (BoolOption) Size

func (b BoolOption) Size() int

Size returns protobuf size

func (*BoolOption) Unmarshal

func (b *BoolOption) Unmarshal(data []byte) error

Unmarshal unmarshals value from protobuf

func (*BoolOption) UnmarshalJSON

func (b *BoolOption) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals JSON from string or bool, in case if value is missing or not recognized, defaults to false

func (*BoolOption) UnmarshalYAML

func (b *BoolOption) UnmarshalYAML(unmarshal func(interface{}) error) error

type BoolValue

type BoolValue struct {
	Value                bool     `protobuf:"varint,1,opt,name=Value,proto3" json:"Value,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

BoolValue is a wrapper around bool, used in cases whenever bool value can have different default value when missing

func (*BoolValue) Descriptor

func (*BoolValue) Descriptor() ([]byte, []int)

func (*BoolValue) Marshal

func (m *BoolValue) Marshal() (dAtA []byte, err error)

func (*BoolValue) MarshalTo

func (m *BoolValue) MarshalTo(dAtA []byte) (int, error)

func (*BoolValue) ProtoMessage

func (*BoolValue) ProtoMessage()

func (*BoolValue) Reset

func (m *BoolValue) Reset()

func (*BoolValue) Size

func (m *BoolValue) Size() (n int)

func (*BoolValue) String

func (m *BoolValue) String() string

func (*BoolValue) Unmarshal

func (m *BoolValue) Unmarshal(dAtA []byte) error

func (*BoolValue) XXX_DiscardUnknown

func (m *BoolValue) XXX_DiscardUnknown()

func (*BoolValue) XXX_Marshal

func (m *BoolValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*BoolValue) XXX_Merge

func (dst *BoolValue) XXX_Merge(src proto.Message)

func (*BoolValue) XXX_Size

func (m *BoolValue) XXX_Size() int

func (*BoolValue) XXX_Unmarshal

func (m *BoolValue) XXX_Unmarshal(b []byte) error

type CertAuthID added in v1.0.0

type CertAuthID struct {
	Type       CertAuthType `json:"type"`
	DomainName string       `json:"domain_name"`
}

CertAuthID - id of certificate authority (it's type and domain name)

func (*CertAuthID) Check added in v1.0.0

func (c *CertAuthID) Check() error

Check returns error if any of the id parameters are bad, nil otherwise

func (*CertAuthID) String added in v1.0.0

func (c *CertAuthID) String() string

type CertAuthType added in v1.0.0

type CertAuthType string

CertAuthType specifies certificate authority type, user or host

const (
	// HostCA identifies the key as a host certificate authority
	HostCA CertAuthType = "host"
	// UserCA identifies the key as a user certificate authority
	UserCA CertAuthType = "user"
)

func (CertAuthType) Check added in v1.0.0

func (c CertAuthType) Check() error

Check checks if certificate authority type value is correct

type CertAuthority added in v1.0.0

type CertAuthority interface {
	// Resource sets common resource properties
	Resource
	// GetID returns certificate authority ID -
	// combined type and name
	GetID() CertAuthID
	// GetType returns user or host certificate authority
	GetType() CertAuthType
	// GetClusterName returns cluster name this cert authority
	// is associated with
	GetClusterName() string
	// GetCheckingKeys returns public keys to check signature
	GetCheckingKeys() [][]byte
	// GetSigning keys returns signing keys
	GetSigningKeys() [][]byte
	// CombinedMapping is used to specify combined mapping from legacy property Roles
	// and new property RoleMap
	CombinedMapping() RoleMap
	// GetRoleMap returns role map property
	GetRoleMap() RoleMap
	// SetRoleMap sets role map
	SetRoleMap(m RoleMap)
	// GetRoles returns a list of roles assumed by users signed by this CA
	GetRoles() []string
	// SetRoles sets assigned roles for this certificate authority
	SetRoles(roles []string)
	// FirstSigningKey returns first signing key or returns error if it's not here
	// The first key is returned because multiple keys can exist during key rotation.
	FirstSigningKey() ([]byte, error)
	// Check checks object for errors
	Check() error
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
	// SetSigningKeys sets signing keys
	SetSigningKeys([][]byte) error
	// SetCheckingKeys sets signing keys
	SetCheckingKeys([][]byte) error
	// AddRole adds a role to ca role list
	AddRole(name string)
	// Checkers returns public keys that can be used to check cert authorities
	Checkers() ([]ssh.PublicKey, error)
	// Signers returns a list of signers that could be used to sign keys
	Signers() ([]ssh.Signer, error)
	// V1 returns V1 version of the resource
	V1() *CertAuthorityV1
	// V2 returns V2 version of the resource
	V2() *CertAuthorityV2
	// String returns human readable version of the CertAuthority
	String() string
	// TLSCA returns first TLS certificate authority from the list of key pairs
	TLSCA() (*tlsca.CertAuthority, error)
	// SetTLSKeyPairs sets TLS key pairs
	SetTLSKeyPairs(keyPairs []TLSKeyPair)
	// GetTLSKeyPairs returns first PEM encoded TLS cert
	GetTLSKeyPairs() []TLSKeyPair
	// GetRotation returns rotation state.
	GetRotation() Rotation
	// SetRotation sets rotation state.
	SetRotation(Rotation)
	// Clone returns a copy of the cert authority object.
	Clone() CertAuthority
}

CertAuthority is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func NewCertAuthority

func NewCertAuthority(caType CertAuthType, clusterName string, signingKeys, checkingKeys [][]byte, roles []string) CertAuthority

NewCertAuthority returns new cert authority

type CertAuthorityMarshaler

type CertAuthorityMarshaler interface {
	// UnmarshalCertAuthority unmarhsals cert authority from binary representation
	UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (CertAuthority, error)
	// MarshalCertAuthority to binary representation
	MarshalCertAuthority(c CertAuthority, opts ...MarshalOption) ([]byte, error)
	// GenerateCertAuthority is used to generate new cert authority
	// based on standard teleport one and is used to add custom
	// parameters and extend it in extensions of teleport
	GenerateCertAuthority(CertAuthority) (CertAuthority, error)
}

CertAuthorityMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetCertAuthorityMarshaler

func GetCertAuthorityMarshaler() CertAuthorityMarshaler

GetCertAuthorityMarshaler returns currently set user marshaler

type CertAuthoritySpecV2

type CertAuthoritySpecV2 struct {
	// Type is either user or host certificate authority
	Type CertAuthType `protobuf:"bytes,1,opt,name=Type,proto3,casttype=CertAuthType" json:"type"`
	// DELETE IN(2.7.0) this field is deprecated,
	// as resource name matches cluster name after migrations.
	// and this property is enforced by the auth server code.
	// ClusterName identifies cluster name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	ClusterName string `protobuf:"bytes,2,opt,name=ClusterName,proto3" json:"cluster_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `protobuf:"bytes,3,rep,name=CheckingKeys" json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `protobuf:"bytes,4,rep,name=SigningKeys" json:"signing_keys,omitempty"`
	// Roles is a list of roles assumed by users signed by this CA
	Roles []string `protobuf:"bytes,5,rep,name=Roles" json:"roles,omitempty"`
	// RoleMap specifies role mappings to remote roles
	RoleMap []RoleMapping `protobuf:"bytes,6,rep,name=RoleMap" json:"role_map,omitempty"`
	// TLS is a list of TLS key pairs
	TLSKeyPairs []TLSKeyPair `protobuf:"bytes,7,rep,name=TLSKeyPairs" json:"tls_key_pairs,omitempty"`
	// Rotation is a status of the certificate authority rotation
	Rotation             *Rotation `protobuf:"bytes,8,opt,name=Rotation" json:"rotation,omitempty"`
	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
	XXX_unrecognized     []byte    `json:"-"`
	XXX_sizecache        int32     `json:"-"`
}

CertAuthoritySpecV2 is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func (*CertAuthoritySpecV2) Descriptor

func (*CertAuthoritySpecV2) Descriptor() ([]byte, []int)

func (*CertAuthoritySpecV2) Marshal

func (m *CertAuthoritySpecV2) Marshal() (dAtA []byte, err error)

func (*CertAuthoritySpecV2) MarshalTo

func (m *CertAuthoritySpecV2) MarshalTo(dAtA []byte) (int, error)

func (*CertAuthoritySpecV2) ProtoMessage

func (*CertAuthoritySpecV2) ProtoMessage()

func (*CertAuthoritySpecV2) Reset

func (m *CertAuthoritySpecV2) Reset()

func (*CertAuthoritySpecV2) Size

func (m *CertAuthoritySpecV2) Size() (n int)

func (*CertAuthoritySpecV2) String

func (m *CertAuthoritySpecV2) String() string

func (*CertAuthoritySpecV2) Unmarshal

func (m *CertAuthoritySpecV2) Unmarshal(dAtA []byte) error

func (*CertAuthoritySpecV2) XXX_DiscardUnknown

func (m *CertAuthoritySpecV2) XXX_DiscardUnknown()

func (*CertAuthoritySpecV2) XXX_Marshal

func (m *CertAuthoritySpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*CertAuthoritySpecV2) XXX_Merge

func (dst *CertAuthoritySpecV2) XXX_Merge(src proto.Message)

func (*CertAuthoritySpecV2) XXX_Size

func (m *CertAuthoritySpecV2) XXX_Size() int

func (*CertAuthoritySpecV2) XXX_Unmarshal

func (m *CertAuthoritySpecV2) XXX_Unmarshal(b []byte) error

type CertAuthorityV1

type CertAuthorityV1 struct {
	// Type is either user or host certificate authority
	Type CertAuthType `json:"type"`
	// DomainName identifies domain name this authority serves,
	// for host authorities that means base hostname of all servers,
	// for user authorities that means organization name
	DomainName string `json:"domain_name"`
	// Checkers is a list of SSH public keys that can be used to check
	// certificate signatures
	CheckingKeys [][]byte `json:"checking_keys"`
	// SigningKeys is a list of private keys used for signing
	SigningKeys [][]byte `json:"signing_keys"`
	// AllowedLogins is a list of allowed logins for users within
	// this certificate authority
	AllowedLogins []string `json:"allowed_logins"`
}

CertAuthorityV1 is a host or user certificate authority that can check and if it has private key stored as well, sign it too

func CertAuthoritiesToV1

func CertAuthoritiesToV1(in []CertAuthority) ([]CertAuthorityV1, error)

CertAuthoritiesToV1 converts list of cert authorities to V1 slice

func (*CertAuthorityV1) CombinedMapping

func (ca *CertAuthorityV1) CombinedMapping() RoleMap

CombinedMapping is used to specify combined mapping from legacy property Roles and new property RoleMap

func (*CertAuthorityV1) GetRoleMap

func (ca *CertAuthorityV1) GetRoleMap() RoleMap

GetRoleMap returns role map property

func (*CertAuthorityV1) SetRoleMap

func (c *CertAuthorityV1) SetRoleMap(m RoleMap)

SetRoleMap sets role map

func (*CertAuthorityV1) String

func (c *CertAuthorityV1) String() string

String returns human readable version of the CertAuthorityV1.

func (*CertAuthorityV1) V1

V1 returns V1 version of the resource

func (*CertAuthorityV1) V2

V2 returns V2 version of the resource

type CertAuthorityV2

type CertAuthorityV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec contains cert authority specification
	Spec                 CertAuthoritySpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
	XXX_unrecognized     []byte              `json:"-"`
	XXX_sizecache        int32               `json:"-"`
}

CertAuthorityV2 is version 2 resource spec for Cert Authority

func (*CertAuthorityV2) AddRole

func (ca *CertAuthorityV2) AddRole(name string)

AddRole adds a role to ca role list

func (*CertAuthorityV2) Check

func (ca *CertAuthorityV2) Check() error

Check checks if all passed parameters are valid

func (*CertAuthorityV2) CheckAndSetDefaults

func (ca *CertAuthorityV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and set default values for any missing fields.

func (*CertAuthorityV2) Checkers

func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error)

Checkers returns public keys that can be used to check cert authorities

func (*CertAuthorityV2) Clone

func (c *CertAuthorityV2) Clone() CertAuthority

Clone returns a copy of the cert authority object.

func (*CertAuthorityV2) CombinedMapping

func (ca *CertAuthorityV2) CombinedMapping() RoleMap

CombinedMapping is used to specify combined mapping from legacy property Roles and new property RoleMap

func (*CertAuthorityV2) Descriptor

func (*CertAuthorityV2) Descriptor() ([]byte, []int)

func (*CertAuthorityV2) Expiry

func (c *CertAuthorityV2) Expiry() time.Time

Expires returns object expiry setting

func (*CertAuthorityV2) FirstSigningKey

func (ca *CertAuthorityV2) FirstSigningKey() ([]byte, error)

FirstSigningKey returns first signing key or returns error if it's not here

func (*CertAuthorityV2) GetCheckingKeys

func (ca *CertAuthorityV2) GetCheckingKeys() [][]byte

GetCheckingKeys returns public keys to check signature

func (*CertAuthorityV2) GetClusterName

func (ca *CertAuthorityV2) GetClusterName() string

GetClusterName returns cluster name this cert authority is associated with.

func (*CertAuthorityV2) GetID

func (ca *CertAuthorityV2) GetID() CertAuthID

GetID returns certificate authority ID - combined type and name

func (*CertAuthorityV2) GetKind

func (c *CertAuthorityV2) GetKind() string

GetKind returns resource kind

func (*CertAuthorityV2) GetMetadata

func (c *CertAuthorityV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*CertAuthorityV2) GetName

func (ca *CertAuthorityV2) GetName() string

GetName returns cert authority name

func (*CertAuthorityV2) GetResourceID

func (c *CertAuthorityV2) GetResourceID() int64

GetResourceID returns resource ID

func (*CertAuthorityV2) GetRoleMap

func (ca *CertAuthorityV2) GetRoleMap() RoleMap

GetRoleMap returns role map property

func (*CertAuthorityV2) GetRoles

func (ca *CertAuthorityV2) GetRoles() []string

GetRoles returns a list of roles assumed by users signed by this CA

func (*CertAuthorityV2) GetRotation

func (c *CertAuthorityV2) GetRotation() Rotation

GetRotation returns rotation state.

func (*CertAuthorityV2) GetSigningKeys

func (ca *CertAuthorityV2) GetSigningKeys() [][]byte

GetSigning keys returns signing keys

func (*CertAuthorityV2) GetSubKind

func (c *CertAuthorityV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*CertAuthorityV2) GetTLSKeyPairs

func (c *CertAuthorityV2) GetTLSKeyPairs() []TLSKeyPair

GetTLSPrivateKey returns TLS key pairs

func (*CertAuthorityV2) GetType

func (ca *CertAuthorityV2) GetType() CertAuthType

GetType returns user or host certificate authority

func (*CertAuthorityV2) GetVersion

func (c *CertAuthorityV2) GetVersion() string

GetVersion returns resource version

func (*CertAuthorityV2) ID

func (ca *CertAuthorityV2) ID() *CertAuthID

ID returns id (consisting of domain name and type) that identifies the authority this key belongs to

func (*CertAuthorityV2) Marshal

func (m *CertAuthorityV2) Marshal() (dAtA []byte, err error)

func (*CertAuthorityV2) MarshalTo

func (m *CertAuthorityV2) MarshalTo(dAtA []byte) (int, error)

func (*CertAuthorityV2) ProtoMessage

func (*CertAuthorityV2) ProtoMessage()

func (*CertAuthorityV2) Reset

func (m *CertAuthorityV2) Reset()

func (*CertAuthorityV2) SetCheckingKeys

func (ca *CertAuthorityV2) SetCheckingKeys(keys [][]byte) error

SetCheckingKeys sets SSH public keys

func (*CertAuthorityV2) SetExpiry

func (c *CertAuthorityV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*CertAuthorityV2) SetName

func (ca *CertAuthorityV2) SetName(name string)

SetName sets cert authority name

func (*CertAuthorityV2) SetResourceID

func (c *CertAuthorityV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*CertAuthorityV2) SetRoleMap

func (c *CertAuthorityV2) SetRoleMap(m RoleMap)

SetRoleMap sets role map

func (*CertAuthorityV2) SetRoles

func (ca *CertAuthorityV2) SetRoles(roles []string)

SetRoles sets assigned roles for this certificate authority

func (*CertAuthorityV2) SetRotation

func (c *CertAuthorityV2) SetRotation(r Rotation)

SetRotation sets rotation state.

func (*CertAuthorityV2) SetSigningKeys

func (ca *CertAuthorityV2) SetSigningKeys(keys [][]byte) error

SetSigningKeys sets signing keys

func (*CertAuthorityV2) SetSubKind

func (c *CertAuthorityV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*CertAuthorityV2) SetTLSKeyPairs

func (c *CertAuthorityV2) SetTLSKeyPairs(pairs []TLSKeyPair)

SetTLSPrivateKey sets TLS key pairs

func (*CertAuthorityV2) SetTTL

func (c *CertAuthorityV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*CertAuthorityV2) Signers

func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error)

Signers returns a list of signers that could be used to sign keys

func (*CertAuthorityV2) Size

func (m *CertAuthorityV2) Size() (n int)

func (*CertAuthorityV2) String

func (c *CertAuthorityV2) String() string

String returns human readable version of the CertAuthorityV2.

func (*CertAuthorityV2) TLSCA

func (c *CertAuthorityV2) TLSCA() (*tlsca.CertAuthority, error)

TLSCA returns TLS certificate authority

func (*CertAuthorityV2) Unmarshal

func (m *CertAuthorityV2) Unmarshal(dAtA []byte) error

func (*CertAuthorityV2) V1

V1 returns V1 version of the object

func (*CertAuthorityV2) V2

V2 returns V2 version of the resouirce - itself

func (*CertAuthorityV2) XXX_DiscardUnknown

func (m *CertAuthorityV2) XXX_DiscardUnknown()

func (*CertAuthorityV2) XXX_Marshal

func (m *CertAuthorityV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*CertAuthorityV2) XXX_Merge

func (dst *CertAuthorityV2) XXX_Merge(src proto.Message)

func (*CertAuthorityV2) XXX_Size

func (m *CertAuthorityV2) XXX_Size() int

func (*CertAuthorityV2) XXX_Unmarshal

func (m *CertAuthorityV2) XXX_Unmarshal(b []byte) error

type CertRoles

type CertRoles struct {
	// Version is current version of the roles
	Version string `json:"version"`
	// Roles is a list of roles
	Roles []string `json:"roles"`
}

CertRoles defines certificate roles

type ChangePasswordReq

type ChangePasswordReq struct {
	// User is user ID
	User string
	// OldPassword is user current password
	OldPassword []byte `json:"old_password"`
	// NewPassword is user new password
	NewPassword []byte `json:"new_password"`
	// SecondFactorToken is user 2nd factor token
	SecondFactorToken string `json:"second_factor_token"`
	// U2FSignResponse is U2F sign response
	U2FSignResponse *u2f.SignResponse `json:"u2f_sign_response"`
}

ChangePasswordReq defines a request to change user password

type ClaimMapping

type ClaimMapping struct {
	// Claim is OIDC claim name
	Claim string `json:"claim"`
	// Value is claim value to match
	Value string `json:"value"`
	// Roles is a list of static teleport roles to match.
	Roles []string `json:"roles,omitempty"`
	// RoleTemplate a template role that will be filled out with claims.
	RoleTemplate *RoleV2 `json:"role_template,omitempty"`
}

ClaimMapping is OIDC claim mapping that maps claim name to teleport roles

type ClusterConfig

type ClusterConfig interface {
	// Resource provides common resource properties.
	Resource

	// GetSessionRecording gets where the session is being recorded.
	GetSessionRecording() string

	// SetSessionRecording sets where the session is recorded.
	SetSessionRecording(string)

	// GetClusterID returns the unique cluster ID
	GetClusterID() string

	// SetClusterID sets the cluster ID
	SetClusterID(string)

	// GetProxyChecksHostKeys sets if the proxy will check host keys.
	GetProxyChecksHostKeys() string

	// SetProxyChecksHostKeys gets if the proxy will check host keys.
	SetProxyChecksHostKeys(string)

	// CheckAndSetDefaults checks and set default values for missing fields.
	CheckAndSetDefaults() error

	// GetAuditConfig returns audit settings
	GetAuditConfig() AuditConfig

	// SetAuditConfig sets audit config
	SetAuditConfig(AuditConfig)

	// GetClientIdleTimeout returns client idle timeout setting
	GetClientIdleTimeout() time.Duration

	// SetClientIdleTimeout sets client idle timeout setting
	SetClientIdleTimeout(t time.Duration)

	// GetDisconnectExpiredCert returns disconnect expired certificate setting
	GetDisconnectExpiredCert() bool

	// SetDisconnectExpiredCert sets disconnect client with expired certificate setting
	SetDisconnectExpiredCert(bool)

	// GetKeepAliveInterval gets the keep-alive interval for server to client
	// connections.
	GetKeepAliveInterval() time.Duration

	// SetKeepAliveInterval sets the keep-alive interval for server to client
	// connections.
	SetKeepAliveInterval(t time.Duration)

	// GetKeepAliveCountMax gets the number of missed keep-alive messages before
	// the server disconnects the client.
	GetKeepAliveCountMax() int64

	// SetKeepAliveCountMax sets the number of missed keep-alive messages before
	// the server disconnects the client.
	SetKeepAliveCountMax(c int64)

	// GetLocalAuth gets if local authentication is allowed.
	GetLocalAuth() bool

	// SetLocalAuth sets if local authentication is allowed.
	SetLocalAuth(bool)

	// Copy creates a copy of the resource and returns it.
	Copy() ClusterConfig
}

ClusterConfig defines cluster level configuration. This is a configuration resource, never create more than one instance of it.

func DefaultClusterConfig

func DefaultClusterConfig() ClusterConfig

DefaultClusterConfig is used as the default cluster configuration when one is not specified (record at node).

func NewClusterConfig

func NewClusterConfig(spec ClusterConfigSpecV3) (ClusterConfig, error)

NewClusterConfig is a convenience wrapper to create a ClusterConfig resource.

type ClusterConfigMarshaler

type ClusterConfigMarshaler interface {
	Marshal(c ClusterConfig, opts ...MarshalOption) ([]byte, error)
	Unmarshal(bytes []byte, opts ...MarshalOption) (ClusterConfig, error)
}

ClusterConfigMarshaler implements marshal/unmarshal of ClusterConfig implementations mostly adds support for extended versions.

func GetClusterConfigMarshaler

func GetClusterConfigMarshaler() ClusterConfigMarshaler

GetClusterConfigMarshaler gets the marshaler.

type ClusterConfigSpecV3

type ClusterConfigSpecV3 struct {
	// SessionRecording controls where (or if) the session is recorded.
	SessionRecording string `protobuf:"bytes,1,opt,name=SessionRecording,proto3" json:"session_recording"`
	// ClusterID is the unique cluster ID that is set once during the first auth
	// server startup.
	ClusterID string `protobuf:"bytes,2,opt,name=ClusterID,proto3" json:"cluster_id"`
	// ProxyChecksHostKeys is used to control if the proxy will check host keys
	// when in recording mode.
	ProxyChecksHostKeys string `protobuf:"bytes,3,opt,name=ProxyChecksHostKeys,proto3" json:"proxy_checks_host_keys"`
	// Audit is a section with audit config
	Audit AuditConfig `protobuf:"bytes,4,opt,name=Audit" json:"audit"`
	// ClientIdleTimeout sets global cluster default setting for client idle timeouts
	ClientIdleTimeout Duration `protobuf:"varint,5,opt,name=ClientIdleTimeout,proto3,casttype=Duration" json:"client_idle_timeout"`
	// DisconnectExpiredCert provides disconnect expired certificate setting -
	// if true, connections with expired client certificates will get disconnected
	DisconnectExpiredCert Bool `protobuf:"varint,6,opt,name=DisconnectExpiredCert,proto3,casttype=Bool" json:"disconnect_expired_cert"`
	// KeepAliveInterval is the interval the server sends keep-alive messsages
	// to the client at.
	KeepAliveInterval Duration `protobuf:"varint,7,opt,name=KeepAliveInterval,proto3,casttype=Duration" json:"keep_alive_interval"`
	// KeepAliveCountMax is the number of keep-alive messages that can be missed before
	// the server disconnects the connection to the client.
	KeepAliveCountMax int64 `protobuf:"varint,8,opt,name=KeepAliveCountMax,proto3" json:"keep_alive_count_max"`
	// LocalAuth is true if local authentication is enabled.
	LocalAuth            Bool     `protobuf:"varint,9,opt,name=LocalAuth,proto3,casttype=Bool" json:"local_auth"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ClusterConfigSpecV3 is the actual data we care about for ClusterConfig.

func (*ClusterConfigSpecV3) Descriptor

func (*ClusterConfigSpecV3) Descriptor() ([]byte, []int)

func (*ClusterConfigSpecV3) Marshal

func (m *ClusterConfigSpecV3) Marshal() (dAtA []byte, err error)

func (*ClusterConfigSpecV3) MarshalTo

func (m *ClusterConfigSpecV3) MarshalTo(dAtA []byte) (int, error)

func (*ClusterConfigSpecV3) ProtoMessage

func (*ClusterConfigSpecV3) ProtoMessage()

func (*ClusterConfigSpecV3) Reset

func (m *ClusterConfigSpecV3) Reset()

func (*ClusterConfigSpecV3) Size

func (m *ClusterConfigSpecV3) Size() (n int)

func (*ClusterConfigSpecV3) String

func (m *ClusterConfigSpecV3) String() string

func (*ClusterConfigSpecV3) Unmarshal

func (m *ClusterConfigSpecV3) Unmarshal(dAtA []byte) error

func (*ClusterConfigSpecV3) XXX_DiscardUnknown

func (m *ClusterConfigSpecV3) XXX_DiscardUnknown()

func (*ClusterConfigSpecV3) XXX_Marshal

func (m *ClusterConfigSpecV3) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ClusterConfigSpecV3) XXX_Merge

func (dst *ClusterConfigSpecV3) XXX_Merge(src proto.Message)

func (*ClusterConfigSpecV3) XXX_Size

func (m *ClusterConfigSpecV3) XXX_Size() int

func (*ClusterConfigSpecV3) XXX_Unmarshal

func (m *ClusterConfigSpecV3) XXX_Unmarshal(b []byte) error

type ClusterConfigV3

type ClusterConfigV3 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a cluster config V3 spec
	Spec                 ClusterConfigSpecV3 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
	XXX_unrecognized     []byte              `json:"-"`
	XXX_sizecache        int32               `json:"-"`
}

ClusterConfigV3 implements the ClusterConfig interface.

func (*ClusterConfigV3) CheckAndSetDefaults

func (c *ClusterConfigV3) CheckAndSetDefaults() error

CheckAndSetDefaults checks validity of all parameters and sets defaults.

func (*ClusterConfigV3) Copy

func (c *ClusterConfigV3) Copy() ClusterConfig

Copy creates a copy of the resource and returns it.

func (*ClusterConfigV3) Descriptor

func (*ClusterConfigV3) Descriptor() ([]byte, []int)

func (*ClusterConfigV3) Expiry

func (c *ClusterConfigV3) Expiry() time.Time

Expires returns object expiry setting

func (*ClusterConfigV3) GetAuditConfig

func (c *ClusterConfigV3) GetAuditConfig() AuditConfig

GetAuditConfig returns audit settings

func (*ClusterConfigV3) GetClientIdleTimeout

func (c *ClusterConfigV3) GetClientIdleTimeout() time.Duration

GetClientIdleTimeout returns client idle timeout setting

func (*ClusterConfigV3) GetClusterID

func (c *ClusterConfigV3) GetClusterID() string

GetClusterID returns the unique cluster ID

func (*ClusterConfigV3) GetDisconnectExpiredCert

func (c *ClusterConfigV3) GetDisconnectExpiredCert() bool

GetDisconnectExpiredCert returns disconnect expired certificate setting

func (*ClusterConfigV3) GetKeepAliveCountMax

func (c *ClusterConfigV3) GetKeepAliveCountMax() int64

GetKeepAliveCountMax gets the number of missed keep-alive messages before the server disconnects the client.

func (*ClusterConfigV3) GetKeepAliveInterval

func (c *ClusterConfigV3) GetKeepAliveInterval() time.Duration

GetKeepAliveInterval gets the keep-alive interval.

func (*ClusterConfigV3) GetKind

func (c *ClusterConfigV3) GetKind() string

GetKind returns resource kind

func (*ClusterConfigV3) GetLocalAuth

func (c *ClusterConfigV3) GetLocalAuth() bool

GetLocalAuth gets if local authentication is allowed.

func (*ClusterConfigV3) GetMetadata

func (c *ClusterConfigV3) GetMetadata() Metadata

GetMetadata returns object metadata

func (*ClusterConfigV3) GetName

func (c *ClusterConfigV3) GetName() string

GetName returns the name of the cluster.

func (*ClusterConfigV3) GetProxyChecksHostKeys

func (c *ClusterConfigV3) GetProxyChecksHostKeys() string

GetProxyChecksHostKeys sets if the proxy will check host keys.

func (*ClusterConfigV3) GetResourceID

func (c *ClusterConfigV3) GetResourceID() int64

GetResourceID returns resource ID

func (*ClusterConfigV3) GetSessionRecording

func (c *ClusterConfigV3) GetSessionRecording() string

GetClusterConfig gets the name of the cluster.

func (*ClusterConfigV3) GetSubKind

func (c *ClusterConfigV3) GetSubKind() string

GetSubKind returns resource subkind

func (*ClusterConfigV3) GetVersion

func (c *ClusterConfigV3) GetVersion() string

GetVersion returns resource version

func (*ClusterConfigV3) Marshal

func (m *ClusterConfigV3) Marshal() (dAtA []byte, err error)

func (*ClusterConfigV3) MarshalTo

func (m *ClusterConfigV3) MarshalTo(dAtA []byte) (int, error)

func (*ClusterConfigV3) ProtoMessage

func (*ClusterConfigV3) ProtoMessage()

func (*ClusterConfigV3) Reset

func (m *ClusterConfigV3) Reset()

func (*ClusterConfigV3) SetAuditConfig

func (c *ClusterConfigV3) SetAuditConfig(cfg AuditConfig)

SetAuditConfig sets audit config

func (*ClusterConfigV3) SetClientIdleTimeout

func (c *ClusterConfigV3) SetClientIdleTimeout(d time.Duration)

SetClientIdleTimeout sets client idle timeout setting

func (*ClusterConfigV3) SetClusterID

func (c *ClusterConfigV3) SetClusterID(id string)

SetClusterID sets the cluster ID

func (*ClusterConfigV3) SetDisconnectExpiredCert

func (c *ClusterConfigV3) SetDisconnectExpiredCert(b bool)

SetDisconnectExpiredCert sets disconnect client with expired certificate setting

func (*ClusterConfigV3) SetExpiry

func (c *ClusterConfigV3) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*ClusterConfigV3) SetKeepAliveCountMax

func (c *ClusterConfigV3) SetKeepAliveCountMax(m int64)

SetKeepAliveCountMax sets the number of missed keep-alive messages before the server disconnects the client.

func (*ClusterConfigV3) SetKeepAliveInterval

func (c *ClusterConfigV3) SetKeepAliveInterval(t time.Duration)

SetKeepAliveInterval sets the keep-alive interval.

func (*ClusterConfigV3) SetLocalAuth

func (c *ClusterConfigV3) SetLocalAuth(b bool)

SetLocalAuth gets if local authentication is allowed.

func (*ClusterConfigV3) SetName

func (c *ClusterConfigV3) SetName(e string)

SetName sets the name of the cluster.

func (*ClusterConfigV3) SetProxyChecksHostKeys

func (c *ClusterConfigV3) SetProxyChecksHostKeys(t string)

SetProxyChecksHostKeys sets if the proxy will check host keys.

func (*ClusterConfigV3) SetResourceID

func (c *ClusterConfigV3) SetResourceID(id int64)

SetResourceID sets resource ID

func (*ClusterConfigV3) SetSessionRecording

func (c *ClusterConfigV3) SetSessionRecording(s string)

SetClusterConfig sets the name of the cluster.

func (*ClusterConfigV3) SetSubKind

func (c *ClusterConfigV3) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*ClusterConfigV3) SetTTL

func (c *ClusterConfigV3) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*ClusterConfigV3) Size

func (m *ClusterConfigV3) Size() (n int)

func (*ClusterConfigV3) String

func (c *ClusterConfigV3) String() string

String represents a human readable version of the cluster name.

func (*ClusterConfigV3) Unmarshal

func (m *ClusterConfigV3) Unmarshal(dAtA []byte) error

func (*ClusterConfigV3) XXX_DiscardUnknown

func (m *ClusterConfigV3) XXX_DiscardUnknown()

func (*ClusterConfigV3) XXX_Marshal

func (m *ClusterConfigV3) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ClusterConfigV3) XXX_Merge

func (dst *ClusterConfigV3) XXX_Merge(src proto.Message)

func (*ClusterConfigV3) XXX_Size

func (m *ClusterConfigV3) XXX_Size() int

func (*ClusterConfigV3) XXX_Unmarshal

func (m *ClusterConfigV3) XXX_Unmarshal(b []byte) error

type ClusterConfiguration

type ClusterConfiguration interface {
	// SetClusterName gets services.ClusterName from the backend.
	GetClusterName(opts ...MarshalOption) (ClusterName, error)
	// SetClusterName sets services.ClusterName on the backend.
	SetClusterName(ClusterName) error
	// UpsertClusterName upserts cluster name
	UpsertClusterName(ClusterName) error

	// DeleteClusterName deletes cluster name resource
	DeleteClusterName() error

	// GetStaticTokens gets services.StaticTokens from the backend.
	GetStaticTokens() (StaticTokens, error)
	// SetStaticTokens sets services.StaticTokens on the backend.
	SetStaticTokens(StaticTokens) error
	// DeleteStaticTokens deletes static tokens resource
	DeleteStaticTokens() error

	// GetAuthPreference gets services.AuthPreference from the backend.
	GetAuthPreference() (AuthPreference, error)
	// SetAuthPreference sets services.AuthPreference from the backend.
	SetAuthPreference(AuthPreference) error

	// GetClusterConfig gets services.ClusterConfig from the backend.
	GetClusterConfig(opts ...MarshalOption) (ClusterConfig, error)
	// SetClusterConfig sets services.ClusterConfig on the backend.
	SetClusterConfig(ClusterConfig) error
	// DeleteClusterConfig deletes cluster config resource
	DeleteClusterConfig() error
}

ClusterConfiguration stores the cluster configuration in the backend. All the resources modified by this interface can only have a single instance in the backend.

type ClusterName

type ClusterName interface {
	// Resource provides common resource properties.
	Resource

	// SetClusterName sets the name of the cluster.
	SetClusterName(string)
	// GetClusterName gets the name of the cluster.
	GetClusterName() string

	// CheckAndSetDefaults checks and set default values for missing fields.
	CheckAndSetDefaults() error
}

ClusterName defines the name of the cluster. This is a configuration resource, never create more than one instance of it.

func NewClusterName

func NewClusterName(spec ClusterNameSpecV2) (ClusterName, error)

NewClusterName is a convenience wrapper to create a ClusterName resource.

type ClusterNameMarshaler

type ClusterNameMarshaler interface {
	Marshal(c ClusterName, opts ...MarshalOption) ([]byte, error)
	Unmarshal(bytes []byte, opts ...MarshalOption) (ClusterName, error)
}

ClusterNameMarshaler implements marshal/unmarshal of ClusterName implementations mostly adds support for extended versions.

func GetClusterNameMarshaler

func GetClusterNameMarshaler() ClusterNameMarshaler

GetClusterNameMarshaler gets the marshaler.

type ClusterNameSpecV2

type ClusterNameSpecV2 struct {
	// ClusterName is the name of the cluster. Changing this value once the
	// cluster is setup can and will cause catastrophic problems.
	ClusterName          string   `protobuf:"bytes,1,opt,name=ClusterName,proto3" json:"cluster_name"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ClusterNameSpecV2 is the actual data we care about for ClusterName.

func (*ClusterNameSpecV2) Descriptor

func (*ClusterNameSpecV2) Descriptor() ([]byte, []int)

func (*ClusterNameSpecV2) Marshal

func (m *ClusterNameSpecV2) Marshal() (dAtA []byte, err error)

func (*ClusterNameSpecV2) MarshalTo

func (m *ClusterNameSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*ClusterNameSpecV2) ProtoMessage

func (*ClusterNameSpecV2) ProtoMessage()

func (*ClusterNameSpecV2) Reset

func (m *ClusterNameSpecV2) Reset()

func (*ClusterNameSpecV2) Size

func (m *ClusterNameSpecV2) Size() (n int)

func (*ClusterNameSpecV2) String

func (m *ClusterNameSpecV2) String() string

func (*ClusterNameSpecV2) Unmarshal

func (m *ClusterNameSpecV2) Unmarshal(dAtA []byte) error

func (*ClusterNameSpecV2) XXX_DiscardUnknown

func (m *ClusterNameSpecV2) XXX_DiscardUnknown()

func (*ClusterNameSpecV2) XXX_Marshal

func (m *ClusterNameSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ClusterNameSpecV2) XXX_Merge

func (dst *ClusterNameSpecV2) XXX_Merge(src proto.Message)

func (*ClusterNameSpecV2) XXX_Size

func (m *ClusterNameSpecV2) XXX_Size() int

func (*ClusterNameSpecV2) XXX_Unmarshal

func (m *ClusterNameSpecV2) XXX_Unmarshal(b []byte) error

type ClusterNameV2

type ClusterNameV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a cluster name V2 spec
	Spec                 ClusterNameSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

ClusterNameV2 implements the ClusterName interface.

func (*ClusterNameV2) CheckAndSetDefaults

func (c *ClusterNameV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks validity of all parameters and sets defaults.

func (*ClusterNameV2) Descriptor

func (*ClusterNameV2) Descriptor() ([]byte, []int)

func (*ClusterNameV2) Expiry

func (c *ClusterNameV2) Expiry() time.Time

Expires returns object expiry setting

func (*ClusterNameV2) GetClusterName

func (c *ClusterNameV2) GetClusterName() string

GetClusterName gets the name of the cluster.

func (*ClusterNameV2) GetKind

func (c *ClusterNameV2) GetKind() string

GetKind returns resource kind

func (*ClusterNameV2) GetMetadata

func (c *ClusterNameV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*ClusterNameV2) GetName

func (c *ClusterNameV2) GetName() string

GetName returns the name of the cluster.

func (*ClusterNameV2) GetResourceID

func (c *ClusterNameV2) GetResourceID() int64

GetResourceID returns resource ID

func (*ClusterNameV2) GetSubKind

func (c *ClusterNameV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*ClusterNameV2) GetVersion

func (c *ClusterNameV2) GetVersion() string

GetVersion returns resource version

func (*ClusterNameV2) Marshal

func (m *ClusterNameV2) Marshal() (dAtA []byte, err error)

func (*ClusterNameV2) MarshalTo

func (m *ClusterNameV2) MarshalTo(dAtA []byte) (int, error)

func (*ClusterNameV2) ProtoMessage

func (*ClusterNameV2) ProtoMessage()

func (*ClusterNameV2) Reset

func (m *ClusterNameV2) Reset()

func (*ClusterNameV2) SetClusterName

func (c *ClusterNameV2) SetClusterName(n string)

SetClusterName sets the name of the cluster.

func (*ClusterNameV2) SetExpiry

func (c *ClusterNameV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*ClusterNameV2) SetName

func (c *ClusterNameV2) SetName(e string)

SetName sets the name of the cluster.

func (*ClusterNameV2) SetResourceID

func (c *ClusterNameV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*ClusterNameV2) SetSubKind

func (c *ClusterNameV2) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*ClusterNameV2) SetTTL

func (c *ClusterNameV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*ClusterNameV2) Size

func (m *ClusterNameV2) Size() (n int)

func (*ClusterNameV2) String

func (c *ClusterNameV2) String() string

String represents a human readable version of the cluster name.

func (*ClusterNameV2) Unmarshal

func (m *ClusterNameV2) Unmarshal(dAtA []byte) error

func (*ClusterNameV2) XXX_DiscardUnknown

func (m *ClusterNameV2) XXX_DiscardUnknown()

func (*ClusterNameV2) XXX_Marshal

func (m *ClusterNameV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ClusterNameV2) XXX_Merge

func (dst *ClusterNameV2) XXX_Merge(src proto.Message)

func (*ClusterNameV2) XXX_Size

func (m *ClusterNameV2) XXX_Size() int

func (*ClusterNameV2) XXX_Unmarshal

func (m *ClusterNameV2) XXX_Unmarshal(b []byte) error

type CommandLabel

type CommandLabel interface {
	// GetPeriod returns label period
	GetPeriod() time.Duration
	// SetPeriod sets label period
	SetPeriod(time.Duration)
	// GetResult returns label result
	GetResult() string
	// SetResult sets label result
	SetResult(string)
	// GetCommand returns to execute and set as a label result
	GetCommand() []string
	// Clone returns label copy
	Clone() CommandLabel
	// Equals returns true if label is equal to the other one
	// false otherwise
	Equals(CommandLabel) bool
}

CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabelV1

type CommandLabelV1 struct {
	// Period is a time between command runs
	Period time.Duration `json:"period"`
	// Command is a command to run
	Command []string `json:"command"` //["/usr/bin/hostname", "--long"]
	// Result captures standard output
	Result string `json:"result"`
}

CommandLabelV1 is a label that has a value as a result of the output generated by running command, e.g. hostname

type CommandLabelV2

type CommandLabelV2 struct {
	// Period is a time between command runs
	Period Duration `protobuf:"varint,1,opt,name=Period,proto3,casttype=Duration" json:"period"`
	// Command is a command to run
	Command []string `protobuf:"bytes,2,rep,name=Command" json:"command"`
	// Result captures standard output
	Result               string   `protobuf:"bytes,3,opt,name=Result,proto3" json:"result"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

CommandLabelV2 is a label that has a value as a result of the output generated by running command, e.g. hostname

func (*CommandLabelV2) Clone

func (c *CommandLabelV2) Clone() CommandLabel

Clone returns non-shallow copy of the label

func (*CommandLabelV2) Descriptor

func (*CommandLabelV2) Descriptor() ([]byte, []int)

func (*CommandLabelV2) Equals

func (c *CommandLabelV2) Equals(other CommandLabel) bool

Equals returns true if labels are equal, false otherwise

func (*CommandLabelV2) GetCommand

func (c *CommandLabelV2) GetCommand() []string

GetCommand returns to execute and set as a label result

func (*CommandLabelV2) GetPeriod

func (c *CommandLabelV2) GetPeriod() time.Duration

GetPeriod returns label period

func (*CommandLabelV2) GetResult

func (c *CommandLabelV2) GetResult() string

GetResult returns label result

func (*CommandLabelV2) Marshal

func (m *CommandLabelV2) Marshal() (dAtA []byte, err error)

func (*CommandLabelV2) MarshalTo

func (m *CommandLabelV2) MarshalTo(dAtA []byte) (int, error)

func (*CommandLabelV2) ProtoMessage

func (*CommandLabelV2) ProtoMessage()

func (*CommandLabelV2) Reset

func (m *CommandLabelV2) Reset()

func (*CommandLabelV2) SetPeriod

func (c *CommandLabelV2) SetPeriod(p time.Duration)

SetPeriod sets label period

func (*CommandLabelV2) SetResult

func (c *CommandLabelV2) SetResult(r string)

SetResult sets label result

func (*CommandLabelV2) Size

func (m *CommandLabelV2) Size() (n int)

func (*CommandLabelV2) String

func (m *CommandLabelV2) String() string

func (*CommandLabelV2) Unmarshal

func (m *CommandLabelV2) Unmarshal(dAtA []byte) error

func (*CommandLabelV2) XXX_DiscardUnknown

func (m *CommandLabelV2) XXX_DiscardUnknown()

func (*CommandLabelV2) XXX_Marshal

func (m *CommandLabelV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*CommandLabelV2) XXX_Merge

func (dst *CommandLabelV2) XXX_Merge(src proto.Message)

func (*CommandLabelV2) XXX_Size

func (m *CommandLabelV2) XXX_Size() int

func (*CommandLabelV2) XXX_Unmarshal

func (m *CommandLabelV2) XXX_Unmarshal(b []byte) error

type CommandLabels

type CommandLabels map[string]CommandLabel

CommandLabels is a set of command labels

func (*CommandLabels) Clone

func (c *CommandLabels) Clone() CommandLabels

Clone returns copy of the set

func (*CommandLabels) SetEnv

func (c *CommandLabels) SetEnv(v string) error

SetEnv sets the value of the label from environment variable

type ConnectorRef

type ConnectorRef struct {
	// Type is connector type
	Type string `protobuf:"bytes,1,opt,name=Type,proto3" json:"type"`
	// ID is connector ID
	ID string `protobuf:"bytes,2,opt,name=ID,proto3" json:"id"`
	// Identity is external identity of the user
	Identity             string   `protobuf:"bytes,3,opt,name=Identity,proto3" json:"identity"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ConnectorRef holds information about OIDC connector

func (*ConnectorRef) Descriptor

func (*ConnectorRef) Descriptor() ([]byte, []int)

func (*ConnectorRef) IsSameProvider

func (r *ConnectorRef) IsSameProvider(other *ConnectorRef) bool

IsSameProvider returns true if the provided connector has the same ID/type as this one

func (*ConnectorRef) Marshal

func (m *ConnectorRef) Marshal() (dAtA []byte, err error)

func (*ConnectorRef) MarshalTo

func (m *ConnectorRef) MarshalTo(dAtA []byte) (int, error)

func (*ConnectorRef) ProtoMessage

func (*ConnectorRef) ProtoMessage()

func (*ConnectorRef) Reset

func (m *ConnectorRef) Reset()

func (*ConnectorRef) Size

func (m *ConnectorRef) Size() (n int)

func (*ConnectorRef) String

func (m *ConnectorRef) String() string

func (*ConnectorRef) Unmarshal

func (m *ConnectorRef) Unmarshal(dAtA []byte) error

func (*ConnectorRef) XXX_DiscardUnknown

func (m *ConnectorRef) XXX_DiscardUnknown()

func (*ConnectorRef) XXX_Marshal

func (m *ConnectorRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ConnectorRef) XXX_Merge

func (dst *ConnectorRef) XXX_Merge(src proto.Message)

func (*ConnectorRef) XXX_Size

func (m *ConnectorRef) XXX_Size() int

func (*ConnectorRef) XXX_Unmarshal

func (m *ConnectorRef) XXX_Unmarshal(b []byte) error

type Context

type Context struct {
	// User is currently authenticated user
	User User
	// Resource is an optional resource, in case if the rule
	// checks access to the resource
	Resource Resource
}

Context is a default rule context used in teleport

func (*Context) GetIdentifier

func (ctx *Context) GetIdentifier(fields []string) (interface{}, error)

GetIdentifier returns identifier defined in a context

func (*Context) GetResource

func (ctx *Context) GetResource() (Resource, error)

GetResource returns resource specified in the context, returns error if not specified.

func (*Context) String

func (ctx *Context) String() string

String returns user friendly representation of this context

type CreatedBy

type CreatedBy struct {
	// Identity if present means that user was automatically created by identity
	Connector *ConnectorRef `protobuf:"bytes,1,opt,name=Connector" json:"connector,omitempty"`
	// Time specifies when user was created
	Time time.Time `protobuf:"bytes,2,opt,name=Time,stdtime" json:"time"`
	// User holds information about user
	User                 UserRef  `protobuf:"bytes,3,opt,name=User" json:"user"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

CreatedBy holds information about the person or agent who created the user

func (*CreatedBy) Descriptor

func (*CreatedBy) Descriptor() ([]byte, []int)

func (CreatedBy) IsEmpty

func (c CreatedBy) IsEmpty() bool

IsEmpty returns true if there's no info about who created this user

func (*CreatedBy) Marshal

func (m *CreatedBy) Marshal() (dAtA []byte, err error)

func (*CreatedBy) MarshalTo

func (m *CreatedBy) MarshalTo(dAtA []byte) (int, error)

func (*CreatedBy) ProtoMessage

func (*CreatedBy) ProtoMessage()

func (*CreatedBy) Reset

func (m *CreatedBy) Reset()

func (*CreatedBy) Size

func (m *CreatedBy) Size() (n int)

func (CreatedBy) String

func (c CreatedBy) String() string

String returns human readable information about the user

func (*CreatedBy) Unmarshal

func (m *CreatedBy) Unmarshal(dAtA []byte) error

func (*CreatedBy) XXX_DiscardUnknown

func (m *CreatedBy) XXX_DiscardUnknown()

func (*CreatedBy) XXX_Marshal

func (m *CreatedBy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*CreatedBy) XXX_Merge

func (dst *CreatedBy) XXX_Merge(src proto.Message)

func (*CreatedBy) XXX_Size

func (m *CreatedBy) XXX_Size() int

func (*CreatedBy) XXX_Unmarshal

func (m *CreatedBy) XXX_Unmarshal(b []byte) error

type Duration

type Duration time.Duration

Duration is a wrapper around duration to set up custom marshal/unmarshal

func MaxDuration

func MaxDuration() Duration

MaxDuration returns maximum duration that is possible

func NewDuration

func NewDuration(d time.Duration) Duration

NewDuration returns Duration struct based on time.Duration

func (Duration) Duration

func (d Duration) Duration() time.Duration

Duration returns time.Duration from Duration typex

func (Duration) MarshalJSON

func (d Duration) MarshalJSON() ([]byte, error)

MarshalJSON marshals Duration to string

func (Duration) MarshalYAML

func (d Duration) MarshalYAML() (interface{}, error)

MarshalYAML marshals duration into YAML value, encodes it as a string in format "1m"

func (*Duration) UnmarshalJSON

func (d *Duration) UnmarshalJSON(data []byte) error

UnmarshalJSON marshals Duration to string

func (*Duration) UnmarshalYAML

func (d *Duration) UnmarshalYAML(unmarshal func(interface{}) error) error

func (Duration) Value

func (d Duration) Value() time.Duration

Value returns time.Duration value of this wrapper

type DynamicAccess

type DynamicAccess interface {
	// CreateAccessRequest stores a new access request.
	CreateAccessRequest(ctx context.Context, req AccessRequest) error
	// SetAccessRequestState updates the state of an existing access request.
	SetAccessRequestState(ctx context.Context, reqID string, state RequestState) error
	// GetAccessRequests gets all currently active access requests.
	GetAccessRequests(ctx context.Context, filter AccessRequestFilter) ([]AccessRequest, error)
	// DeleteAccessRequest deletes an access request.
	DeleteAccessRequest(ctx context.Context, reqID string) error
}

DynamicAccess is a service which manages dynamic RBAC.

type DynamicAccessExt

type DynamicAccessExt interface {
	DynamicAccess
	// UpsertAccessRequest creates or updates an access request.
	UpsertAccessRequest(ctx context.Context, req AccessRequest) error
	// DeleteAllAccessRequests deletes all existant access requests.
	DeleteAllAccessRequests(ctx context.Context) error
}

DynamicAccessExt is an extended dynamic access interface used to implement some auth server internals.

type EmptyResource

type EmptyResource struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata Metadata `json:"metadata"`
}

EmptyResource is used to represent a use case when no resource is specified in the rules matcher

func (*EmptyResource) Expiry

func (r *EmptyResource) Expiry() time.Time

Expiry returns the expiry time for the object.

func (*EmptyResource) GetKind

func (r *EmptyResource) GetKind() string

GetKind returns resource kind

func (*EmptyResource) GetMetadata

func (r *EmptyResource) GetMetadata() Metadata

GetMetadata returns role metadata.

func (*EmptyResource) GetName

func (r *EmptyResource) GetName() string

GetName gets the role name and is a shortcut for GetMetadata().Name.

func (*EmptyResource) GetResourceID

func (r *EmptyResource) GetResourceID() int64

GetResourceID returns resource ID

func (*EmptyResource) GetSubKind

func (r *EmptyResource) GetSubKind() string

GetSubKind returns resource sub kind

func (*EmptyResource) GetVersion

func (r *EmptyResource) GetVersion() string

GetVersion returns resource version

func (*EmptyResource) SetExpiry

func (r *EmptyResource) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object.

func (*EmptyResource) SetName

func (r *EmptyResource) SetName(s string)

SetName sets the role name and is a shortcut for SetMetadata().Name.

func (*EmptyResource) SetResourceID

func (r *EmptyResource) SetResourceID(id int64)

SetResourceID sets resource ID

func (*EmptyResource) SetSubKind

func (r *EmptyResource) SetSubKind(s string)

SetSubKind sets resource subkind

func (*EmptyResource) SetTTL

func (r *EmptyResource) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets TTL header using realtime clock.

type Event

type Event struct {
	// Type is the event type
	Type backend.OpType
	// Resource is a modified or deleted resource
	// in case of deleted resources, only resource header
	// will be provided
	Resource Resource
}

Event represents an event that happened in the backend

type Events

type Events interface {
	// NewWatcher returns a new event watcher
	NewWatcher(ctx context.Context, watch Watch) (Watcher, error)
}

Events returns new events interface

type ExternalIdentity

type ExternalIdentity struct {
	// ConnectorID is id of registered OIDC connector, e.g. 'google-example.com'
	ConnectorID string `protobuf:"bytes,1,opt,name=ConnectorID,proto3" json:"connector_id,omitempty"`
	// Username is username supplied by external identity provider
	Username             string   `protobuf:"bytes,2,opt,name=Username,proto3" json:"username,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ExternalIdentity is OpenID Connect/SAML or Github identity that is linked to particular user and connector and lets user to log in using external credentials, e.g. google

func (*ExternalIdentity) Check

func (i *ExternalIdentity) Check() error

Check returns nil if all parameters are great, err otherwise

func (*ExternalIdentity) Descriptor

func (*ExternalIdentity) Descriptor() ([]byte, []int)

func (*ExternalIdentity) Equals

func (i *ExternalIdentity) Equals(other *ExternalIdentity) bool

Equals returns true if this identity equals to passed one

func (*ExternalIdentity) Marshal

func (m *ExternalIdentity) Marshal() (dAtA []byte, err error)

func (*ExternalIdentity) MarshalTo

func (m *ExternalIdentity) MarshalTo(dAtA []byte) (int, error)

func (*ExternalIdentity) ProtoMessage

func (*ExternalIdentity) ProtoMessage()

func (*ExternalIdentity) Reset

func (m *ExternalIdentity) Reset()

func (*ExternalIdentity) Size

func (m *ExternalIdentity) Size() (n int)

func (*ExternalIdentity) String

func (i *ExternalIdentity) String() string

String returns debug friendly representation of this identity

func (*ExternalIdentity) Unmarshal

func (m *ExternalIdentity) Unmarshal(dAtA []byte) error

func (*ExternalIdentity) XXX_DiscardUnknown

func (m *ExternalIdentity) XXX_DiscardUnknown()

func (*ExternalIdentity) XXX_Marshal

func (m *ExternalIdentity) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ExternalIdentity) XXX_Merge

func (dst *ExternalIdentity) XXX_Merge(src proto.Message)

func (*ExternalIdentity) XXX_Size

func (m *ExternalIdentity) XXX_Size() int

func (*ExternalIdentity) XXX_Unmarshal

func (m *ExternalIdentity) XXX_Unmarshal(b []byte) error

type GithubAuthRequest

type GithubAuthRequest struct {
	// ConnectorID is the name of the connector to use
	ConnectorID string `json:"connector_id"`
	// Type is opaque string that helps callbacks identify the request type
	Type string `json:"type"`
	// StateToken is used to validate the request
	StateToken string `json:"state_token"`
	// CSRFToken is used to protect against CSRF attacks
	CSRFToken string `json:"csrf_token"`
	// PublicKey is an optional public key to sign in case of successful auth
	PublicKey []byte `json:"public_key"`
	// CertTTL is TTL of the cert that's generated in case of successful auth
	CertTTL time.Duration `json:"cert_ttl"`
	// CreateWebSession indicates that a user wants to generate a web session
	// after successul authentication
	CreateWebSession bool `json:"create_web_session"`
	// RedirectURL will be used by browser
	RedirectURL string `json:"redirect_url"`
	// ClientRedirectURL is the URL where client will be redirected after
	// successful auth
	ClientRedirectURL string `json:"client_redirect_url"`
	// Compatibility specifies OpenSSH compatibility flags
	Compatibility string `json:"compatibility,omitempty"`
	// Expires is a global expiry time header can be set on any resource in the system.
	Expires *time.Time `json:"expires,omitempty"`
}

GithubAuthRequest is the request to start Github OAuth2 flow

func (*GithubAuthRequest) Check

func (r *GithubAuthRequest) Check() error

Check makes sure the request is valid

func (*GithubAuthRequest) Expiry

func (r *GithubAuthRequest) Expiry() time.Time

Expires returns object expiry setting.

func (*GithubAuthRequest) SetExpiry

func (r *GithubAuthRequest) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*GithubAuthRequest) SetTTL

func (r *GithubAuthRequest) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

type GithubClaims

type GithubClaims struct {
	// Username is the user's username
	Username string
	// OrganizationToTeams is the user's organization and team membership
	OrganizationToTeams map[string][]string
}

GithubClaims represents Github user information obtained during OAuth2 flow

type GithubConnector

type GithubConnector interface {
	// Resource is a common interface for all resources
	Resource
	// CheckAndSetDefaults validates the connector and sets some defaults
	CheckAndSetDefaults() error
	// GetClientID returns the connector client ID
	GetClientID() string
	// SetClientID sets the connector client ID
	SetClientID(string)
	// GetClientSecret returns the connector client secret
	GetClientSecret() string
	// SetClientSecret sets the connector client secret
	SetClientSecret(string)
	// GetRedirectURL returns the connector redirect URL
	GetRedirectURL() string
	// SetRedirectURL sets the connector redirect URL
	SetRedirectURL(string)
	// GetTeamsToLogins returns the mapping of Github teams to allowed logins
	GetTeamsToLogins() []TeamMapping
	// SetTeamsToLogins sets the mapping of Github teams to allowed logins
	SetTeamsToLogins([]TeamMapping)
	// MapClaims returns the list of allows logins based on the retrieved claims
	// returns list of logins and kubernetes groups
	MapClaims(GithubClaims) ([]string, []string)
	// GetDisplay returns the connector display name
	GetDisplay() string
	// SetDisplay sets the connector display name
	SetDisplay(string)
}

GithubConnector defines an interface for a Github OAuth2 connector

func NewGithubConnector

func NewGithubConnector(name string, spec GithubConnectorSpecV3) GithubConnector

NewGithubConnector creates a new Github connector from name and spec

type GithubConnectorMarshaler

type GithubConnectorMarshaler interface {
	// Unmarshal unmarshals connector from binary representation
	Unmarshal(bytes []byte) (GithubConnector, error)
	// Marshal marshals connector to binary representation
	Marshal(c GithubConnector, opts ...MarshalOption) ([]byte, error)
}

GithubConnectorMarshaler defines interface for Github connector marshaler

func GetGithubConnectorMarshaler

func GetGithubConnectorMarshaler() GithubConnectorMarshaler

GetGithubConnectorMarshaler returns currently set Github connector marshaler

type GithubConnectorSpecV3

type GithubConnectorSpecV3 struct {
	// ClientID is the Github OAuth app client ID
	ClientID string `json:"client_id"`
	// ClientSecret is the Github OAuth app client secret
	ClientSecret string `json:"client_secret"`
	// RedirectURL is the authorization callback URL
	RedirectURL string `json:"redirect_url"`
	// TeamsToLogins maps Github team memberships onto allowed logins/roles
	TeamsToLogins []TeamMapping `json:"teams_to_logins"`
	// Display is the connector display name
	Display string `json:"display"`
}

GithubConnectorSpecV3 is the current Github connector spec

type GithubConnectorV3

type GithubConnectorV3 struct {
	// Kind is a resource kind, for Github connector it is "github"
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is resource version
	Version string `json:"version"`
	// Metadata is resource metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains connector specification
	Spec GithubConnectorSpecV3 `json:"spec"`
}

GithubConnectorV3 represents a Github connector

func (*GithubConnectorV3) CheckAndSetDefaults

func (c *GithubConnectorV3) CheckAndSetDefaults() error

CheckAndSetDefaults verifies the connector is valid and sets some defaults

func (*GithubConnectorV3) Expiry

func (c *GithubConnectorV3) Expiry() time.Time

Expires returns the connector expiration time

func (*GithubConnectorV3) GetClientID

func (c *GithubConnectorV3) GetClientID() string

GetClientID returns the connector client ID

func (*GithubConnectorV3) GetClientSecret

func (c *GithubConnectorV3) GetClientSecret() string

GetClientSecret returns the connector client secret

func (*GithubConnectorV3) GetDisplay

func (c *GithubConnectorV3) GetDisplay() string

GetDisplay returns the connector display name

func (*GithubConnectorV3) GetKind

func (c *GithubConnectorV3) GetKind() string

GetKind returns resource kind

func (*GithubConnectorV3) GetMetadata

func (c *GithubConnectorV3) GetMetadata() Metadata

GetMetadata returns the connector metadata

func (*GithubConnectorV3) GetName

func (c *GithubConnectorV3) GetName() string

GetName returns the name of the connector

func (*GithubConnectorV3) GetRedirectURL

func (c *GithubConnectorV3) GetRedirectURL() string

GetRedirectURL returns the connector redirect URL

func (*GithubConnectorV3) GetResourceID

func (c *GithubConnectorV3) GetResourceID() int64

GetResourceID returns resource ID

func (*GithubConnectorV3) GetSubKind

func (c *GithubConnectorV3) GetSubKind() string

GetSubKind returns resource sub kind

func (*GithubConnectorV3) GetTeamsToLogins

func (c *GithubConnectorV3) GetTeamsToLogins() []TeamMapping

GetTeamsToLogins returns the connector team membership mappings

func (*GithubConnectorV3) GetVersion

func (c *GithubConnectorV3) GetVersion() string

GetVersion returns resource version

func (*GithubConnectorV3) MapClaims

func (c *GithubConnectorV3) MapClaims(claims GithubClaims) ([]string, []string)

MapClaims returns a list of logins based on the provided claims, returns a list of logins and list of kubernetes groups

func (*GithubConnectorV3) SetClientID

func (c *GithubConnectorV3) SetClientID(id string)

SetClientID sets the connector client ID

func (*GithubConnectorV3) SetClientSecret

func (c *GithubConnectorV3) SetClientSecret(secret string)

SetClientSecret sets the connector client secret

func (*GithubConnectorV3) SetDisplay

func (c *GithubConnectorV3) SetDisplay(display string)

SetDisplay sets the connector display name

func (*GithubConnectorV3) SetExpiry

func (c *GithubConnectorV3) SetExpiry(expires time.Time)

SetExpiry sets the connector expiration time

func (*GithubConnectorV3) SetName

func (c *GithubConnectorV3) SetName(name string)

SetName sets the connector name

func (*GithubConnectorV3) SetRedirectURL

func (c *GithubConnectorV3) SetRedirectURL(redirectURL string)

SetRedirectURL sets the connector redirect URL

func (*GithubConnectorV3) SetResourceID

func (c *GithubConnectorV3) SetResourceID(id int64)

SetResourceID sets resource ID

func (*GithubConnectorV3) SetSubKind

func (c *GithubConnectorV3) SetSubKind(s string)

SetSubKind sets resource subkind

func (*GithubConnectorV3) SetTTL

func (c *GithubConnectorV3) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets the connector TTL

func (*GithubConnectorV3) SetTeamsToLogins

func (c *GithubConnectorV3) SetTeamsToLogins(teamsToLogins []TeamMapping)

SetTeamsToLogins sets the connector team membership mappings

type HostCertParams

type HostCertParams struct {
	// PrivateCASigningKey is the private key of the CA that will sign the public key of the host
	PrivateCASigningKey []byte
	// PublicHostKey is the public key of the host
	PublicHostKey []byte
	// HostID is used by Teleport to uniquely identify a node within a cluster
	HostID string
	// Principals is a list of additional principals to add to the certificate.
	Principals []string
	// NodeName is the DNS name of the node
	NodeName string
	// ClusterName is the name of the cluster within which a node lives
	ClusterName string
	// Roles identifies the roles of a Teleport instance
	Roles teleport.Roles
	// TTL defines how long a certificate is valid for
	TTL time.Duration
}

HostCertParams defines all parameters needed to generate a host certificate

func (*HostCertParams) Check

func (c *HostCertParams) Check() error

Check checks parameters for errors

type Identity added in v1.0.0

type Identity interface {
	// CreateUser creates user, only if the user entry does not exist
	CreateUser(user User) error

	// UsersService implements most methods
	UsersService

	// AddUserLoginAttempt logs user login attempt
	AddUserLoginAttempt(user string, attempt LoginAttempt, ttl time.Duration) error

	// GetUserLoginAttempts returns user login attempts
	GetUserLoginAttempts(user string) ([]LoginAttempt, error)

	// DeleteUserLoginAttempts removes all login attempts of a user. Should be
	// called after successful login.
	DeleteUserLoginAttempts(user string) error

	// GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserByOIDCIdentity(id ExternalIdentity) (User, error)

	// GetUserBySAMLIdentity returns a user by its specified OIDC Identity, returns first
	// user specified with this identity
	GetUserBySAMLIdentity(id ExternalIdentity) (User, error)

	// GetUserByGithubIdentity returns a user by its specified Github identity
	GetUserByGithubIdentity(id ExternalIdentity) (User, error)

	// UpsertPasswordHash upserts user password hash
	UpsertPasswordHash(user string, hash []byte) error

	// GetPasswordHash returns the password hash for a given user
	GetPasswordHash(user string) ([]byte, error)

	// UpsertHOTP upserts HOTP state for user
	// Deprecated: HOTP use is deprecated, use UpsertTOTP instead.
	UpsertHOTP(user string, otp *hotp.HOTP) error

	// GetHOTP gets HOTP token state for a user
	// Deprecated: HOTP use is deprecated, use GetTOTP instead.
	GetHOTP(user string) (*hotp.HOTP, error)

	// UpsertTOTP upserts TOTP secret key for a user that can be used to generate and validate tokens.
	UpsertTOTP(user string, secretKey string) error

	// GetTOTP returns the secret key used by the TOTP algorithm to validate tokens.
	GetTOTP(user string) (string, error)

	// UpsertUsedTOTPToken upserts a TOTP token to the backend so it can't be used again
	// during the 30 second window it's valid.
	UpsertUsedTOTPToken(user string, otpToken string) error

	// GetUsedTOTPToken returns the last successfully used TOTP token.
	GetUsedTOTPToken(user string) (string, error)

	// DeleteUsedTOTPToken removes the used token from the backend. This should only
	// be used during tests.
	DeleteUsedTOTPToken(user string) error

	// UpsertWebSession updates or inserts a web session for a user and session
	UpsertWebSession(user, sid string, session WebSession) error

	// GetWebSession returns a web session state for a given user and session id
	GetWebSession(user, sid string) (WebSession, error)

	// DeleteWebSession deletes web session from the storage
	DeleteWebSession(user, sid string) error

	// UpsertPassword upserts new password and OTP token
	UpsertPassword(user string, password []byte) error

	// UpsertSignupToken upserts signup token - one time token that lets user to create a user account
	UpsertSignupToken(token string, tokenData SignupToken, ttl time.Duration) error

	// GetSignupToken returns signup token data
	GetSignupToken(token string) (*SignupToken, error)

	// GetSignupTokens returns a list of signup tokens
	GetSignupTokens() ([]SignupToken, error)

	// DeleteSignupToken deletes signup token from the storage
	DeleteSignupToken(token string) error

	// UpsertU2FRegisterChallenge upserts a U2F challenge for a new user corresponding to the token
	UpsertU2FRegisterChallenge(token string, u2fChallenge *u2f.Challenge) error

	// GetU2FRegisterChallenge returns a U2F challenge for a new user corresponding to the token
	GetU2FRegisterChallenge(token string) (*u2f.Challenge, error)

	// UpsertU2FRegistration upserts a U2F registration from a valid register response
	UpsertU2FRegistration(user string, u2fReg *u2f.Registration) error

	// GetU2FRegistration returns a U2F registration from a valid register response
	GetU2FRegistration(user string) (*u2f.Registration, error)

	// UpsertU2FSignChallenge upserts a U2F sign (auth) challenge
	UpsertU2FSignChallenge(user string, u2fChallenge *u2f.Challenge) error

	// GetU2FSignChallenge returns a U2F sign (auth) challenge
	GetU2FSignChallenge(user string) (*u2f.Challenge, error)

	// UpsertU2FRegistrationCounter upserts a counter associated with a U2F registration
	UpsertU2FRegistrationCounter(user string, counter uint32) error

	// GetU2FRegistrationCounter returns a counter associated with a U2F registration
	GetU2FRegistrationCounter(user string) (uint32, error)

	// UpsertOIDCConnector upserts OIDC Connector
	UpsertOIDCConnector(connector OIDCConnector) error

	// DeleteOIDCConnector deletes OIDC Connector
	DeleteOIDCConnector(connectorID string) error

	// GetOIDCConnector returns OIDC connector data, withSecrets adds or removes client secret from return results
	GetOIDCConnector(id string, withSecrets bool) (OIDCConnector, error)

	// GetOIDCConnectors returns registered connectors, withSecrets adds or removes client secret from return results
	GetOIDCConnectors(withSecrets bool) ([]OIDCConnector, error)

	// CreateOIDCAuthRequest creates new auth request
	CreateOIDCAuthRequest(req OIDCAuthRequest, ttl time.Duration) error

	// GetOIDCAuthRequest returns OIDC auth request if found
	GetOIDCAuthRequest(stateToken string) (*OIDCAuthRequest, error)

	// CreateSAMLConnector creates SAML Connector
	CreateSAMLConnector(connector SAMLConnector) error

	// UpsertSAMLConnector upserts SAML Connector
	UpsertSAMLConnector(connector SAMLConnector) error

	// DeleteSAMLConnector deletes OIDC Connector
	DeleteSAMLConnector(connectorID string) error

	// GetSAMLConnector returns OIDC connector data, withSecrets adds or removes secrets from return results
	GetSAMLConnector(id string, withSecrets bool) (SAMLConnector, error)

	// GetSAMLConnectors returns registered connectors, withSecrets adds or removes secret from return results
	GetSAMLConnectors(withSecrets bool) ([]SAMLConnector, error)

	// CreateSAMLAuthRequest creates new auth request
	CreateSAMLAuthRequest(req SAMLAuthRequest, ttl time.Duration) error

	// GetSAMLAuthRequest returns OSAML auth request if found
	GetSAMLAuthRequest(id string) (*SAMLAuthRequest, error)

	// CreateGithubConnector creates a new Github connector
	CreateGithubConnector(connector GithubConnector) error
	// UpsertGithubConnector creates or updates a new Github connector
	UpsertGithubConnector(connector GithubConnector) error
	// GetGithubConnectors returns all configured Github connectors
	GetGithubConnectors(withSecrets bool) ([]GithubConnector, error)
	// GetGithubConnector returns a Github connector by its name
	GetGithubConnector(name string, withSecrets bool) (GithubConnector, error)
	// DeleteGithubConnector deletes a Github connector by its name
	DeleteGithubConnector(name string) error
	// CreateGithubAuthRequest creates a new auth request for Github OAuth2 flow
	CreateGithubAuthRequest(req GithubAuthRequest) error
	// GetGithubAuthRequest retrieves Github auth request by the token
	GetGithubAuthRequest(stateToken string) (*GithubAuthRequest, error)
}

Identity is responsible for managing user entries and external identities

type InviteTokenSpecV3

type InviteTokenSpecV3 struct {
	// URL is a helper invite token URL
	URL string `json:"url"`
}

InviteTokenSpecV3 is a spec for invite token

type InviteTokenV3

type InviteTokenV3 struct {
	// Kind is a resource kind - always resource.
	Kind string `json:"kind"`

	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`

	// Version is a resource version.
	Version string `json:"version"`

	// Metadata is metadata about the resource.
	Metadata Metadata `json:"metadata"`

	// Spec is a spec of the invite token
	Spec InviteTokenSpecV3 `json:"spec"`
}

InviteTokenV3 is an invite token spec format V3

func NewInviteToken

func NewInviteToken(token, signupURL string, expires time.Time) *InviteTokenV3

NewInviteToken returns a new instance of the invite token

type KeepAlive

type KeepAlive struct {
	// ServerName is a server name to keep alive
	ServerName string `protobuf:"bytes,1,opt,name=ServerName,proto3" json:"server_name"`
	// Namespace is a server namespace
	Namespace string `protobuf:"bytes,2,opt,name=Namespace,proto3" json:"namespace"`
	// LeaseID is ID of the lease
	LeaseID int64 `protobuf:"varint,3,opt,name=LeaseID,proto3" json:"lease_id"`
	// Expires is set to update expiry time
	Expires              time.Time `protobuf:"bytes,4,opt,name=Expires,stdtime" json:"expires"`
	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
	XXX_unrecognized     []byte    `json:"-"`
	XXX_sizecache        int32     `json:"-"`
}

func (*KeepAlive) CheckAndSetDefaults

func (s *KeepAlive) CheckAndSetDefaults() error

func (*KeepAlive) Descriptor

func (*KeepAlive) Descriptor() ([]byte, []int)

func (*KeepAlive) IsEmpty

func (s *KeepAlive) IsEmpty() bool

IsEmpty returns true if keepalive is empty, used to indicate that keepalive is not supported

func (*KeepAlive) Marshal

func (m *KeepAlive) Marshal() (dAtA []byte, err error)

func (*KeepAlive) MarshalTo

func (m *KeepAlive) MarshalTo(dAtA []byte) (int, error)

func (*KeepAlive) ProtoMessage

func (*KeepAlive) ProtoMessage()

func (*KeepAlive) Reset

func (m *KeepAlive) Reset()

func (*KeepAlive) Size

func (m *KeepAlive) Size() (n int)

func (*KeepAlive) String

func (m *KeepAlive) String() string

func (*KeepAlive) Unmarshal

func (m *KeepAlive) Unmarshal(dAtA []byte) error

func (*KeepAlive) XXX_DiscardUnknown

func (m *KeepAlive) XXX_DiscardUnknown()

func (*KeepAlive) XXX_Marshal

func (m *KeepAlive) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*KeepAlive) XXX_Merge

func (dst *KeepAlive) XXX_Merge(src proto.Message)

func (*KeepAlive) XXX_Size

func (m *KeepAlive) XXX_Size() int

func (*KeepAlive) XXX_Unmarshal

func (m *KeepAlive) XXX_Unmarshal(b []byte) error

type KeepAliver

type KeepAliver interface {
	// KeepAlives allows to receive keep alives
	KeepAlives() chan<- KeepAlive

	// Done returns the channel signalling the closure
	Done() <-chan struct{}

	// Close closes the watcher and releases
	// all associated resources
	Close() error

	// Error returns error associated with keep aliver if any
	Error() error
}

KeepAliver keeps object alive

type Labels

type Labels map[string]utils.Strings

Labels is a wrapper around map that can marshal and unmarshal itself from scalar and list values

func (Labels) Clone

func (l Labels) Clone() Labels

Clone returns non-shallow copy of the labels set

func (Labels) Equals

func (l Labels) Equals(o Labels) bool

Equals returns true if two label sets are equal

func (Labels) Marshal

func (l Labels) Marshal() ([]byte, error)

Marshal marshals value into protobuf representation

func (Labels) MarshalTo

func (l Labels) MarshalTo(data []byte) (int, error)

MarshalTo marshals value to the array

func (Labels) Size

func (l Labels) Size() int

Size returns protobuf size

func (*Labels) Unmarshal

func (l *Labels) Unmarshal(data []byte) error

Unmarshal unmarshals value from protobuf

type License

type License interface {
	Resource
	// GetReportsUsage returns true if teleport cluster reports usage
	// to control plane
	GetReportsUsage() Bool

	// SetReportsUsage sets usage report
	SetReportsUsage(Bool)

	// GetAWSProductID returns product id that limits usage to AWS instance
	// with a similar product ID
	GetAWSProductID() string

	// SetAWSProductID sets AWS product ID
	SetAWSProductID(string)

	// GetAWSAccountID limits usage to AWS instance within account ID
	GetAWSAccountID() string

	// SetAWSAccountID sets AWS account ID that will be limiting
	// usage to AWS instance
	SetAWSAccountID(accountID string)

	// GetSupportsKubernetes returns kubernetes support flag
	GetSupportsKubernetes() Bool

	// SetSupportsKubernetes sets kubernetes support flag
	SetSupportsKubernetes(Bool)

	// SetLabels sets metadata labels
	SetLabels(labels map[string]string)

	// GetAccountID returns Account ID
	GetAccountID() string

	// CheckAndSetDefaults sets and default values and then
	// verifies the constraints for License.
	CheckAndSetDefaults() error
}

License defines teleport License Information

func NewLicense

func NewLicense(name string, spec LicenseSpecV3) (License, error)

NewLicense is a convenience method to to create LicenseV3.

func UnmarshalLicense

func UnmarshalLicense(bytes []byte) (License, error)

UnmarshalLicense unmarshals License from JSON or YAML and validates schema

type LicenseSpecV3

type LicenseSpecV3 struct {
	// AccountID is a customer account ID
	AccountID string `json:"account_id,omitempty"`
	// AWSProductID limits usage to AWS instance with a product ID
	AWSProductID string `json:"aws_pid,omitempty"`
	// AWSAccountID limits usage to AWS instance within account ID
	AWSAccountID string `json:"aws_account,omitempty"`
	// SupportsKubernetes turns kubernetes support on or off
	SupportsKubernetes Bool `json:"k8s"`
	// ReportsUsage is turned on when system reports usage
	ReportsUsage Bool `json:"usage,omitempty"`
}

LicenseSpecV3 is the actual data we care about for LicenseV3.

type LicenseV3

type LicenseV3 struct {
	// Kind is a resource kind - always resource.
	Kind string `json:"kind"`

	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`

	// Version is a resource version.
	Version string `json:"version"`

	// Metadata is metadata about the resource.
	Metadata Metadata `json:"metadata"`

	// Spec is the specification of the resource.
	Spec LicenseSpecV3 `json:"spec"`
}

LicenseV3 represents License resource version V3

func (*LicenseV3) CheckAndSetDefaults

func (c *LicenseV3) CheckAndSetDefaults() error

CheckAndSetDefaults verifies the constraints for License.

func (*LicenseV3) Expiry

func (c *LicenseV3) Expiry() time.Time

Expiry returns object expiry setting

func (*LicenseV3) GetAWSAccountID

func (c *LicenseV3) GetAWSAccountID() string

GetAWSAccountID limits usage to AWS instance within account ID

func (*LicenseV3) GetAWSProductID

func (c *LicenseV3) GetAWSProductID() string

GetAWSProductID returns product ID that limits usage to AWS instance with a similar product ID

func (*LicenseV3) GetAccountID

func (c *LicenseV3) GetAccountID() string

GetAccountID sets AWS product ID

func (*LicenseV3) GetKind

func (c *LicenseV3) GetKind() string

GetKind returns resource kind

func (*LicenseV3) GetLabels

func (c *LicenseV3) GetLabels() map[string]string

GetLabels returns metadata labels

func (*LicenseV3) GetMetadata

func (c *LicenseV3) GetMetadata() Metadata

GetMetadata returns object metadata

func (*LicenseV3) GetName

func (c *LicenseV3) GetName() string

GetName returns the name of the resource

func (*LicenseV3) GetReportsUsage

func (c *LicenseV3) GetReportsUsage() Bool

GetReportsUsage returns true if teleport cluster reports usage to control plane

func (*LicenseV3) GetResourceID

func (c *LicenseV3) GetResourceID() int64

GetResourceID returns resource ID

func (*LicenseV3) GetSubKind

func (c *LicenseV3) GetSubKind() string

GetSubKind returns resource sub kind

func (*LicenseV3) GetSupportsKubernetes

func (c *LicenseV3) GetSupportsKubernetes() Bool

GetSupportsKubernetes returns kubernetes support flag

func (*LicenseV3) GetVersion

func (c *LicenseV3) GetVersion() string

GetVersion returns resource version

func (*LicenseV3) SetAWSAccountID

func (c *LicenseV3) SetAWSAccountID(accountID string)

SetAWSAccountID sets AWS account ID that will be limiting usage to AWS instance

func (*LicenseV3) SetAWSProductID

func (c *LicenseV3) SetAWSProductID(pid string)

SetAWSProductID sets AWS product ID

func (*LicenseV3) SetExpiry

func (c *LicenseV3) SetExpiry(t time.Time)

SetExpiry sets object expiry

func (*LicenseV3) SetLabels

func (c *LicenseV3) SetLabels(labels map[string]string)

SetLabels sets metadata labels

func (*LicenseV3) SetName

func (c *LicenseV3) SetName(name string)

SetName sets the name of the resource

func (*LicenseV3) SetReportsUsage

func (c *LicenseV3) SetReportsUsage(reports Bool)

SetReportsUsage sets usage report

func (*LicenseV3) SetResourceID

func (c *LicenseV3) SetResourceID(id int64)

SetResourceID sets resource ID

func (*LicenseV3) SetSubKind

func (c *LicenseV3) SetSubKind(s string)

SetSubKind sets resource subkind

func (*LicenseV3) SetSupportsKubernetes

func (c *LicenseV3) SetSupportsKubernetes(supportsK8s Bool)

SetSupportsKubernetes sets kubernetes support flag

func (*LicenseV3) SetTTL

func (c *LicenseV3) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using current clock

func (*LicenseV3) String

func (c *LicenseV3) String() string

String represents a human readable version of license enabled features

type LocalAuthSecrets

type LocalAuthSecrets struct {
	// PasswordHash encodes a combined salt & hash for password verification.
	PasswordHash []byte `protobuf:"bytes,1,opt,name=PasswordHash,proto3" json:"password_hash,omitempty"`
	// TOTPKey is the key used for Time-based One Time Password varification.
	TOTPKey string `protobuf:"bytes,2,opt,name=TOTPKey,proto3" json:"totp_key,omitempty"`
	// U2FRegistration holds Universal Second Factor registration info.
	U2FRegistration *U2FRegistrationData `protobuf:"bytes,3,opt,name=U2FRegistration" json:"u2f_registration,omitempty"`
	// U2FCounter holds the highest seen Universal Second Factor registration count.
	U2FCounter           uint32   `protobuf:"varint,4,opt,name=U2FCounter,proto3" json:"u2f_counter,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

LocalAuthSecrets holds sensitive data used to authenticate a local user.

func (*LocalAuthSecrets) Check

func (l *LocalAuthSecrets) Check() error

Check validates local auth secret members.

func (*LocalAuthSecrets) Descriptor

func (*LocalAuthSecrets) Descriptor() ([]byte, []int)

func (*LocalAuthSecrets) Equals

func (lhs *LocalAuthSecrets) Equals(rhs *LocalAuthSecrets) bool

Equals checks equality (nil safe).

func (*LocalAuthSecrets) GetU2FRegistration

func (l *LocalAuthSecrets) GetU2FRegistration() (*u2f.Registration, error)

GetU2FRegistration decodes the u2f registration data and builds the expected registration object. Returns (nil,nil) if no registration data is present.

func (*LocalAuthSecrets) Marshal

func (m *LocalAuthSecrets) Marshal() (dAtA []byte, err error)

func (*LocalAuthSecrets) MarshalTo

func (m *LocalAuthSecrets) MarshalTo(dAtA []byte) (int, error)

func (*LocalAuthSecrets) ProtoMessage

func (*LocalAuthSecrets) ProtoMessage()

func (*LocalAuthSecrets) Reset

func (m *LocalAuthSecrets) Reset()

func (*LocalAuthSecrets) SetU2FRegistration

func (l *LocalAuthSecrets) SetU2FRegistration(reg *u2f.Registration) error

SetU2FRegistration encodes and stores a u2f registration. Use nil to delete an existing registration.

func (*LocalAuthSecrets) Size

func (m *LocalAuthSecrets) Size() (n int)

func (*LocalAuthSecrets) String

func (m *LocalAuthSecrets) String() string

func (*LocalAuthSecrets) Unmarshal

func (m *LocalAuthSecrets) Unmarshal(dAtA []byte) error

func (*LocalAuthSecrets) XXX_DiscardUnknown

func (m *LocalAuthSecrets) XXX_DiscardUnknown()

func (*LocalAuthSecrets) XXX_Marshal

func (m *LocalAuthSecrets) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*LocalAuthSecrets) XXX_Merge

func (dst *LocalAuthSecrets) XXX_Merge(src proto.Message)

func (*LocalAuthSecrets) XXX_Size

func (m *LocalAuthSecrets) XXX_Size() int

func (*LocalAuthSecrets) XXX_Unmarshal

func (m *LocalAuthSecrets) XXX_Unmarshal(b []byte) error

type LogAction

type LogAction struct {
	// contains filtered or unexported fields
}

LogAction represents action that will emit log entry when specified in the actions of a matched rule

func (*LogAction) Log

func (l *LogAction) Log(level, format string, args ...interface{}) predicate.BoolPredicate

Log logs with specified level and formatting string with arguments

type LoginAttempt

type LoginAttempt struct {
	// Time is time of the attempt
	Time time.Time `json:"time"`
	// Success indicates whether attempt was successful
	Success bool `json:"bool"`
}

LoginAttempt represents successful or unsuccessful attempt for user to login

func (*LoginAttempt) Check

func (la *LoginAttempt) Check() error

Check checks parameters

type LoginStatus

type LoginStatus struct {
	// IsLocked tells us if user is locked
	IsLocked bool `protobuf:"varint,1,opt,name=IsLocked,proto3" json:"is_locked"`
	// LockedMessage contains the message in case if user is locked
	LockedMessage string `protobuf:"bytes,2,opt,name=LockedMessage,proto3" json:"locked_message,omitempty"`
	// LockedTime contains time when user was locked
	LockedTime time.Time `protobuf:"bytes,3,opt,name=LockedTime,stdtime" json:"locked_time,omitempty"`
	// LockExpires contains time when this lock will expire
	LockExpires          time.Time `protobuf:"bytes,4,opt,name=LockExpires,stdtime" json:"lock_expires,omitempty"`
	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
	XXX_unrecognized     []byte    `json:"-"`
	XXX_sizecache        int32     `json:"-"`
}

LoginStatus is a login status of the user

func (*LoginStatus) Descriptor

func (*LoginStatus) Descriptor() ([]byte, []int)

func (*LoginStatus) Marshal

func (m *LoginStatus) Marshal() (dAtA []byte, err error)

func (*LoginStatus) MarshalTo

func (m *LoginStatus) MarshalTo(dAtA []byte) (int, error)

func (*LoginStatus) ProtoMessage

func (*LoginStatus) ProtoMessage()

func (*LoginStatus) Reset

func (m *LoginStatus) Reset()

func (*LoginStatus) Size

func (m *LoginStatus) Size() (n int)

func (*LoginStatus) String

func (m *LoginStatus) String() string

func (*LoginStatus) Unmarshal

func (m *LoginStatus) Unmarshal(dAtA []byte) error

func (*LoginStatus) XXX_DiscardUnknown

func (m *LoginStatus) XXX_DiscardUnknown()

func (*LoginStatus) XXX_Marshal

func (m *LoginStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*LoginStatus) XXX_Merge

func (dst *LoginStatus) XXX_Merge(src proto.Message)

func (*LoginStatus) XXX_Size

func (m *LoginStatus) XXX_Size() int

func (*LoginStatus) XXX_Unmarshal

func (m *LoginStatus) XXX_Unmarshal(b []byte) error

type MarshalConfig

type MarshalConfig struct {
	// Version specifies particular version we should marshal resources with
	Version string

	// SkipValidation is used to skip schema validation.
	SkipValidation bool

	// ID is a record ID to assign
	ID int64

	// PreserveResourceID preserves resource IDs in resource
	// specs when marshaling
	PreserveResourceID bool

	// Expires is an optional expiry time
	Expires time.Time
}

MarshalConfig specifies marshalling options

func CollectOptions

func CollectOptions(opts []MarshalOption) (*MarshalConfig, error)

CollectOptions collects all options from functional arg and returns config

func (*MarshalConfig) GetVersion

func (m *MarshalConfig) GetVersion() string

GetVersion returns explicitly provided version or sets latest as default

type MarshalOption

type MarshalOption func(c *MarshalConfig) error

MarshalOption sets marshalling option

func AddOptions

func AddOptions(opts []MarshalOption, add ...MarshalOption) []MarshalOption

AddOptions adds marshal options and returns a new copy

func PreserveResourceID

func PreserveResourceID() MarshalOption

PreserveResourceID preserves resource ID when marshaling value

func SkipValidation

func SkipValidation() MarshalOption

SkipValidation is used to disable schema validation.

func WithExpires

func WithExpires(expires time.Time) MarshalOption

WithExpires assigns expiry value

func WithResourceID

func WithResourceID(id int64) MarshalOption

WithResourceID assigns ID to the resource

func WithVersion

func WithVersion(v string) MarshalOption

WithVersion sets marshal version

type Metadata

type Metadata struct {
	// Name is an object name
	Name string `protobuf:"bytes,1,opt,name=Name,proto3" json:"name"`
	// Namespace is object namespace. The field should be called "namespace"
	// when it returns in Teleport 2.4.
	Namespace string `protobuf:"bytes,2,opt,name=Namespace,proto3" json:"-"`
	// Description is object description
	Description string `protobuf:"bytes,3,opt,name=Description,proto3" json:"description,omitempty"`
	// Labels is a set of labels
	Labels map[string]string `` /* 146-byte string literal not displayed */
	// Expires is a global expiry time header can be set on any resource in the system.
	Expires *time.Time `protobuf:"bytes,6,opt,name=Expires,stdtime" json:"expires,omitempty"`
	// ID is a record ID
	ID                   int64    `protobuf:"varint,7,opt,name=ID,proto3" json:"id,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Metadata is resource metadata

func (*Metadata) CheckAndSetDefaults

func (m *Metadata) CheckAndSetDefaults() error

CheckAndSetDefaults checks validity of all parameters and sets defaults

func (*Metadata) Descriptor

func (*Metadata) Descriptor() ([]byte, []int)

func (*Metadata) Expiry

func (m *Metadata) Expiry() time.Time

Expiry returns object expiry setting.

func (*Metadata) GetID

func (m *Metadata) GetID() int64

GetID returns resource ID

func (*Metadata) GetMetadata

func (m *Metadata) GetMetadata() Metadata

GetMetadata returns object metadata

func (*Metadata) GetName

func (m *Metadata) GetName() string

GetName returns the name of the resource

func (*Metadata) Marshal

func (m *Metadata) Marshal() (dAtA []byte, err error)

func (*Metadata) MarshalTo

func (m *Metadata) MarshalTo(dAtA []byte) (int, error)

func (*Metadata) ProtoMessage

func (*Metadata) ProtoMessage()

func (*Metadata) Reset

func (m *Metadata) Reset()

func (*Metadata) SetExpiry

func (m *Metadata) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*Metadata) SetID

func (m *Metadata) SetID(id int64)

SetID sets resource ID

func (*Metadata) SetName

func (m *Metadata) SetName(name string)

SetName sets the name of the resource

func (*Metadata) SetTTL

func (m *Metadata) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*Metadata) Size

func (m *Metadata) Size() (n int)

func (*Metadata) String

func (m *Metadata) String() string

func (*Metadata) Unmarshal

func (m *Metadata) Unmarshal(dAtA []byte) error

func (*Metadata) XXX_DiscardUnknown

func (m *Metadata) XXX_DiscardUnknown()

func (*Metadata) XXX_Marshal

func (m *Metadata) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Metadata) XXX_Merge

func (dst *Metadata) XXX_Merge(src proto.Message)

func (*Metadata) XXX_Size

func (m *Metadata) XXX_Size() int

func (*Metadata) XXX_Unmarshal

func (m *Metadata) XXX_Unmarshal(b []byte) error

type Namespace

type Namespace struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a namespace spec
	Spec                 NamespaceSpec `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
	XXX_unrecognized     []byte        `json:"-"`
	XXX_sizecache        int32         `json:"-"`
}

Namespace represents namespace resource specification

func NewNamespace

func NewNamespace(name string) Namespace

NewNamespace returns new namespace

func UnmarshalNamespace

func UnmarshalNamespace(data []byte, opts ...MarshalOption) (*Namespace, error)

UnmarshalNamespace unmarshals role from JSON or YAML, sets defaults and checks the schema

func (*Namespace) CheckAndSetDefaults

func (n *Namespace) CheckAndSetDefaults() error

Check checks validity of all parameters and sets defaults

func (*Namespace) Descriptor

func (*Namespace) Descriptor() ([]byte, []int)

func (*Namespace) Expiry

func (n *Namespace) Expiry() time.Time

Expires returns object expiry setting

func (*Namespace) GetKind

func (n *Namespace) GetKind() string

GetKind returns resource kind

func (*Namespace) GetMetadata

func (n *Namespace) GetMetadata() Metadata

GetMetadata returns object metadata

func (*Namespace) GetName

func (n *Namespace) GetName() string

GetName returns the name of the cluster.

func (*Namespace) GetResourceID

func (n *Namespace) GetResourceID() int64

GetResourceID returns resource ID

func (*Namespace) GetSubKind

func (n *Namespace) GetSubKind() string

GetSubKind returns resource sub kind

func (*Namespace) GetVersion

func (n *Namespace) GetVersion() string

GetVersion returns resource version

func (*Namespace) Marshal

func (m *Namespace) Marshal() (dAtA []byte, err error)

func (*Namespace) MarshalTo

func (m *Namespace) MarshalTo(dAtA []byte) (int, error)

func (*Namespace) ProtoMessage

func (*Namespace) ProtoMessage()

func (*Namespace) Reset

func (m *Namespace) Reset()

func (*Namespace) SetExpiry

func (n *Namespace) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*Namespace) SetName

func (n *Namespace) SetName(e string)

SetName sets the name of the cluster.

func (*Namespace) SetResourceID

func (n *Namespace) SetResourceID(id int64)

SetResourceID sets resource ID

func (*Namespace) SetSubKind

func (n *Namespace) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*Namespace) SetTTL

func (n *Namespace) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*Namespace) Size

func (m *Namespace) Size() (n int)

func (*Namespace) String

func (m *Namespace) String() string

func (*Namespace) Unmarshal

func (m *Namespace) Unmarshal(dAtA []byte) error

func (*Namespace) XXX_DiscardUnknown

func (m *Namespace) XXX_DiscardUnknown()

func (*Namespace) XXX_Marshal

func (m *Namespace) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Namespace) XXX_Merge

func (dst *Namespace) XXX_Merge(src proto.Message)

func (*Namespace) XXX_Size

func (m *Namespace) XXX_Size() int

func (*Namespace) XXX_Unmarshal

func (m *Namespace) XXX_Unmarshal(b []byte) error

type NamespaceSpec

type NamespaceSpec struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

NamespaceSpec is a namespace specificateion

func (*NamespaceSpec) Descriptor

func (*NamespaceSpec) Descriptor() ([]byte, []int)

func (*NamespaceSpec) Marshal

func (m *NamespaceSpec) Marshal() (dAtA []byte, err error)

func (*NamespaceSpec) MarshalTo

func (m *NamespaceSpec) MarshalTo(dAtA []byte) (int, error)

func (*NamespaceSpec) ProtoMessage

func (*NamespaceSpec) ProtoMessage()

func (*NamespaceSpec) Reset

func (m *NamespaceSpec) Reset()

func (*NamespaceSpec) Size

func (m *NamespaceSpec) Size() (n int)

func (*NamespaceSpec) String

func (m *NamespaceSpec) String() string

func (*NamespaceSpec) Unmarshal

func (m *NamespaceSpec) Unmarshal(dAtA []byte) error

func (*NamespaceSpec) XXX_DiscardUnknown

func (m *NamespaceSpec) XXX_DiscardUnknown()

func (*NamespaceSpec) XXX_Marshal

func (m *NamespaceSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*NamespaceSpec) XXX_Merge

func (dst *NamespaceSpec) XXX_Merge(src proto.Message)

func (*NamespaceSpec) XXX_Size

func (m *NamespaceSpec) XXX_Size() int

func (*NamespaceSpec) XXX_Unmarshal

func (m *NamespaceSpec) XXX_Unmarshal(b []byte) error

type NewParserFn

type NewParserFn func(ctx RuleContext) (predicate.Parser, error)

NewParserFn returns function that creates parser of 'where' section in access rules

func GetActionsParserFn

func GetActionsParserFn() NewParserFn

GetActionsParserFn returns global function that creates where parsers this function is used in external tools to override and extend actions in rules

func GetWhereParserFn

func GetWhereParserFn() NewParserFn

GetWhereParserFn returns global function that creates where parsers this function is used in external tools to override and extend 'where' in rules

type NewProxyWatcherFunc

type NewProxyWatcherFunc func() (*ProxyWatcher, error)

NewProxyWatcherFunc creates a new instance of proxy watcher, used in tests

type OIDCAuthRequest added in v1.0.0

type OIDCAuthRequest struct {
	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`

	// Type is opaque string that helps callbacks identify the request type
	Type string `json:"type"`

	// CheckUser tells validator if it should expect and check user
	CheckUser bool `json:"check_user"`

	// StateToken is generated by service and is used to validate
	// reuqest coming from
	StateToken string `json:"state_token"`

	// CSRFToken is associated with user web session token
	CSRFToken string `json:"csrf_token"`

	// RedirectURL will be used by browser
	RedirectURL string `json:"redirect_url"`

	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successful auth
	PublicKey []byte `json:"public_key"`

	// CertTTL is the TTL of the certificate user wants to get
	CertTTL time.Duration `json:"cert_ttl"`

	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`

	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication
	ClientRedirectURL string `json:"client_redirect_url"`

	// Compatibility specifies OpenSSH compatibility flags.
	Compatibility string `json:"compatibility,omitempty"`
}

OIDCAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server

func (*OIDCAuthRequest) Check added in v1.0.0

func (i *OIDCAuthRequest) Check() error

Check returns nil if all parameters are great, err otherwise

type OIDCConnector added in v1.0.0

type OIDCConnector interface {
	// Resource provides common methods for objects
	Resource
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	GetIssuerURL() string
	// ClientID is id for authentication client (in our case it's our Auth server)
	GetClientID() string
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	GetClientSecret() string
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successful authentication
	// Should match the URL on Provider's side
	GetRedirectURL() string
	// GetACR returns the Authentication Context Class Reference (ACR) value.
	GetACR() string
	// GetProvider returns the identity provider.
	GetProvider() string
	// Display - Friendly name for this provider.
	GetDisplay() string
	// Scope is additional scopes set by provder
	GetScope() []string
	// ClaimsToRoles specifies dynamic mapping from claims to roles
	GetClaimsToRoles() []ClaimMapping
	// GetClaims returns list of claims expected by mappings
	GetClaims() []string
	// MapClaims maps claims to roles
	MapClaims(claims jose.Claims) []string
	// Check checks OIDC connector for errors
	Check() error
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
	// SetClientSecret sets client secret to some value
	SetClientSecret(secret string)
	// SetClientID sets id for authentication client (in our case it's our Auth server)
	SetClientID(string)
	// SetIssuerURL sets the endpoint of the provider
	SetIssuerURL(string)
	// SetRedirectURL sets RedirectURL
	SetRedirectURL(string)
	// SetACR sets the Authentication Context Class Reference (ACR) value.
	SetACR(string)
	// SetProvider sets the identity provider.
	SetProvider(string)
	// SetScope sets additional scopes set by provider
	SetScope([]string)
	// SetClaimsToRoles sets dynamic mapping from claims to roles
	SetClaimsToRoles([]ClaimMapping)
	// SetDisplay sets friendly name for this provider.
	SetDisplay(string)
	// GetGoogleServiceAccountURI returns path to google service account URI
	GetGoogleServiceAccountURI() string
	// GetGoogleAdminEmail returns a google admin user email
	// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
	// "Note: Although you can use service accounts in applications that run from a G Suite domain, service accounts are not members of your G Suite account and aren’t subject to domain policies set by G Suite administrators. For example, a policy set in the G Suite admin console to restrict the ability of G Suite end users to share documents outside of the domain would not apply to service accounts."
	GetGoogleAdminEmail() string
}

OIDCConnector specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

func NewOIDCConnector

func NewOIDCConnector(name string, spec OIDCConnectorSpecV2) OIDCConnector

NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV2.

type OIDCConnectorMarshaler

type OIDCConnectorMarshaler interface {
	// UnmarshalOIDCConnector unmarshals connector from binary representation
	UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (OIDCConnector, error)
	// MarshalOIDCConnector marshals connector to binary representation
	MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error)
}

OIDCConnectorMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetOIDCConnectorMarshaler

func GetOIDCConnectorMarshaler() OIDCConnectorMarshaler

GetOIDCConnectorMarshaler returns currently set user marshaler

type OIDCConnectorSpecV2

type OIDCConnectorSpecV2 struct {
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	IssuerURL string `json:"issuer_url"`
	// ClientID is id for authentication client (in our case it's our Auth server)
	ClientID string `json:"client_id"`
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	ClientSecret string `json:"client_secret"`
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successful authentication
	// Should match the URL on Provider's side
	RedirectURL string `json:"redirect_url"`
	// ACR is an Authentication Context Class Reference value. The meaning of the ACR
	// value is context-specific and varies for identity providers.
	ACR string `json:"acr_values,omitempty"`
	// Provider is the external identity provider.
	Provider string `json:"provider,omitempty"`
	// Display - Friendly name for this provider.
	Display string `json:"display,omitempty"`
	// Scope is additional scopes set by provder
	Scope []string `json:"scope,omitempty"`
	// ClaimsToRoles specifies dynamic mapping from claims to roles
	ClaimsToRoles []ClaimMapping `json:"claims_to_roles,omitempty"`
	// GoogleServiceAccountURI is a path to google service account uri
	GoogleServiceAccountURI string `json:"google_service_account_uri,omitempty"`
	// GoogleAdminEmail is email of google admin to impersonate
	GoogleAdminEmail string `json:"google_admin_email,omitempty"`
}

OIDCConnectorSpecV2 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

type OIDCConnectorV1

type OIDCConnectorV1 struct {
	// ID is a provider id, 'e.g.' google, used internally
	ID string `json:"id"`
	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
	IssuerURL string `json:"issuer_url"`
	// ClientID is id for authentication client (in our case it's our Auth server)
	ClientID string `json:"client_id"`
	// ClientSecret is used to authenticate our client and should not
	// be visible to end user
	ClientSecret string `json:"client_secret"`
	// RedirectURL - Identity provider will use this URL to redirect
	// client's browser back to it after successful authentication
	// Should match the URL on Provider's side
	RedirectURL string `json:"redirect_url"`
	// Display - Friendly name for this provider.
	Display string `json:"display"`
	// Scope is additional scopes set by provder
	Scope []string `json:"scope"`
	// ClaimsToRoles specifies dynamic mapping from claims to roles
	ClaimsToRoles []ClaimMapping `json:"claims_to_roles"`
}

OIDCConnectorV1 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

func (*OIDCConnectorV1) V1

V1 returns V1 version of the resource

func (*OIDCConnectorV1) V2

V2 returns V2 version of the connector

type OIDCConnectorV2

type OIDCConnectorV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is version
	Version string `json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains connector specification
	Spec OIDCConnectorSpecV2 `json:"spec"`
}

OIDCConnectorV2 is version 1 resource spec for OIDC connector

func (*OIDCConnectorV2) Check

func (o *OIDCConnectorV2) Check() error

Check returns nil if all parameters are great, err otherwise

func (*OIDCConnectorV2) CheckAndSetDefaults

func (o *OIDCConnectorV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and set default values for any missing fields.

func (*OIDCConnectorV2) Expiry

func (o *OIDCConnectorV2) Expiry() time.Time

Expires returns object expiry setting

func (*OIDCConnectorV2) GetACR

func (o *OIDCConnectorV2) GetACR() string

GetACR returns the Authentication Context Class Reference (ACR) value.

func (*OIDCConnectorV2) GetClaims

func (o *OIDCConnectorV2) GetClaims() []string

GetClaims returns list of claims expected by mappings

func (*OIDCConnectorV2) GetClaimsToRoles

func (o *OIDCConnectorV2) GetClaimsToRoles() []ClaimMapping

ClaimsToRoles specifies dynamic mapping from claims to roles

func (*OIDCConnectorV2) GetClientID

func (o *OIDCConnectorV2) GetClientID() string

ClientID is id for authentication client (in our case it's our Auth server)

func (*OIDCConnectorV2) GetClientSecret

func (o *OIDCConnectorV2) GetClientSecret() string

ClientSecret is used to authenticate our client and should not be visible to end user

func (*OIDCConnectorV2) GetDisplay

func (o *OIDCConnectorV2) GetDisplay() string

Display - Friendly name for this provider.

func (*OIDCConnectorV2) GetGoogleAdminEmail

func (o *OIDCConnectorV2) GetGoogleAdminEmail() string

GetGoogleAdminEmail returns a google admin user email

func (*OIDCConnectorV2) GetGoogleServiceAccountURI

func (o *OIDCConnectorV2) GetGoogleServiceAccountURI() string

GetGoogleServiceAccountFile returns an optional path to google service account file

func (*OIDCConnectorV2) GetIssuerURL

func (o *OIDCConnectorV2) GetIssuerURL() string

Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com

func (*OIDCConnectorV2) GetKind

func (o *OIDCConnectorV2) GetKind() string

GetKind returns resource kind

func (*OIDCConnectorV2) GetMetadata

func (o *OIDCConnectorV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*OIDCConnectorV2) GetName

func (o *OIDCConnectorV2) GetName() string

GetName returns the name of the connector

func (*OIDCConnectorV2) GetProvider

func (o *OIDCConnectorV2) GetProvider() string

GetProvider returns the identity provider.

func (*OIDCConnectorV2) GetRedirectURL

func (o *OIDCConnectorV2) GetRedirectURL() string

RedirectURL - Identity provider will use this URL to redirect client's browser back to it after successful authentication Should match the URL on Provider's side

func (*OIDCConnectorV2) GetResourceID

func (o *OIDCConnectorV2) GetResourceID() int64

GetResourceID returns resource ID

func (*OIDCConnectorV2) GetScope

func (o *OIDCConnectorV2) GetScope() []string

Scope is additional scopes set by provder

func (*OIDCConnectorV2) GetSubKind

func (o *OIDCConnectorV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*OIDCConnectorV2) GetVersion

func (o *OIDCConnectorV2) GetVersion() string

GetVersion returns resource version

func (*OIDCConnectorV2) MapClaims

func (o *OIDCConnectorV2) MapClaims(claims jose.Claims) []string

MapClaims maps claims to roles

func (*OIDCConnectorV2) SetACR

func (o *OIDCConnectorV2) SetACR(acrValue string)

SetACR sets the Authentication Context Class Reference (ACR) value.

func (*OIDCConnectorV2) SetClaimsToRoles

func (o *OIDCConnectorV2) SetClaimsToRoles(claims []ClaimMapping)

SetClaimsToRoles sets dynamic mapping from claims to roles

func (*OIDCConnectorV2) SetClientID

func (o *OIDCConnectorV2) SetClientID(clintID string)

SetClientID sets id for authentication client (in our case it's our Auth server)

func (*OIDCConnectorV2) SetClientSecret

func (o *OIDCConnectorV2) SetClientSecret(secret string)

SetClientSecret sets client secret to some value

func (*OIDCConnectorV2) SetDisplay

func (o *OIDCConnectorV2) SetDisplay(display string)

SetDisplay sets friendly name for this provider.

func (*OIDCConnectorV2) SetExpiry

func (o *OIDCConnectorV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*OIDCConnectorV2) SetIssuerURL

func (o *OIDCConnectorV2) SetIssuerURL(issuerURL string)

SetIssuerURL sets client secret to some value

func (*OIDCConnectorV2) SetName

func (o *OIDCConnectorV2) SetName(name string)

SetName sets client secret to some value

func (*OIDCConnectorV2) SetProvider

func (o *OIDCConnectorV2) SetProvider(identityProvider string)

SetProvider sets the identity provider.

func (*OIDCConnectorV2) SetRedirectURL

func (o *OIDCConnectorV2) SetRedirectURL(redirectURL string)

SetRedirectURL sets client secret to some value

func (*OIDCConnectorV2) SetResourceID

func (o *OIDCConnectorV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*OIDCConnectorV2) SetScope

func (o *OIDCConnectorV2) SetScope(scope []string)

SetScope sets additional scopes set by provider

func (*OIDCConnectorV2) SetSubKind

func (o *OIDCConnectorV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*OIDCConnectorV2) SetTTL

func (o *OIDCConnectorV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*OIDCConnectorV2) V1

V1 converts OIDCConnectorV2 to OIDCConnectorV1 format

func (*OIDCConnectorV2) V2

V2 returns V2 version of the resource

type Presence added in v1.0.0

type Presence interface {
	// UpsertLocalClusterName upserts local domain
	UpsertLocalClusterName(name string) error

	// GetLocalClusterName upserts local domain
	GetLocalClusterName() (string, error)

	// GetNodes returns a list of registered servers. Schema validation can be
	// skipped to improve performance.
	GetNodes(namespace string, opts ...MarshalOption) ([]Server, error)

	// DeleteAllNodes deletes all nodes in a namespace.
	DeleteAllNodes(namespace string) error

	// DeleteNode deletes node in a namespace
	DeleteNode(namespace, name string) error

	// UpsertNode registers node presence, permanently if TTL is 0 or for the
	// specified duration with second resolution if it's >= 1 second.
	UpsertNode(server Server) (*KeepAlive, error)

	// UpsertNodes bulk inserts nodes.
	UpsertNodes(namespace string, servers []Server) error

	// KeepAliveNode updates node TTL in the storage
	KeepAliveNode(ctx context.Context, h KeepAlive) error

	// GetAuthServers returns a list of registered servers
	GetAuthServers() ([]Server, error)

	// UpsertAuthServer registers auth server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertAuthServer(server Server) error

	// DeleteAuthServer deletes auth server by name
	DeleteAuthServer(name string) error

	// DeleteAllAuthServers deletes all auth servers
	DeleteAllAuthServers() error

	// UpsertProxy registers proxy server presence, permanently if ttl is 0 or
	// for the specified duration with second resolution if it's >= 1 second
	UpsertProxy(server Server) error

	// ProxyGetter gets a list of proxies
	ProxyGetter

	// DeleteProxy deletes proxy by name
	DeleteProxy(name string) error

	// DeleteAllProxies deletes all proxies
	DeleteAllProxies() error

	// UpsertReverseTunnel upserts reverse tunnel entry temporarily or permanently
	UpsertReverseTunnel(tunnel ReverseTunnel) error

	// GetReverseTunnel returns reverse tunnel by name
	GetReverseTunnel(name string, opts ...MarshalOption) (ReverseTunnel, error)

	// GetReverseTunnels returns a list of registered servers
	GetReverseTunnels(opts ...MarshalOption) ([]ReverseTunnel, error)

	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
	DeleteReverseTunnel(domainName string) error

	// DeleteAllReverseTunnels deletes all reverse tunnels
	DeleteAllReverseTunnels() error

	// GetNamespaces returns a list of namespaces
	GetNamespaces() ([]Namespace, error)

	// GetNamespace returns namespace by name
	GetNamespace(name string) (*Namespace, error)

	// DeleteAllNamespaces deletes all namespaces
	DeleteAllNamespaces() error

	// UpsertNamespace upserts namespace
	UpsertNamespace(Namespace) error

	// DeleteNamespace deletes namespace by name
	DeleteNamespace(name string) error

	// UpsertTrustedCluster creates or updates a TrustedCluster in the backend.
	UpsertTrustedCluster(TrustedCluster) (TrustedCluster, error)

	// GetTrustedCluster returns a single TrustedCluster by name.
	GetTrustedCluster(string) (TrustedCluster, error)

	// GetTrustedClusters returns all TrustedClusters in the backend.
	GetTrustedClusters() ([]TrustedCluster, error)

	// DeleteTrustedCluster removes a TrustedCluster from the backend by name.
	DeleteTrustedCluster(string) error

	// UpsertTunnelConnection upserts tunnel connection
	UpsertTunnelConnection(TunnelConnection) error

	// GetTunnelConnections returns tunnel connections for a given cluster
	GetTunnelConnections(clusterName string, opts ...MarshalOption) ([]TunnelConnection, error)

	// GetAllTunnelConnections returns all tunnel connections
	GetAllTunnelConnections(opts ...MarshalOption) ([]TunnelConnection, error)

	// DeleteTunnelConnection deletes tunnel connection by name
	DeleteTunnelConnection(clusterName string, connName string) error

	// DeleteTunnelConnections deletes all tunnel connections for cluster
	DeleteTunnelConnections(clusterName string) error

	// DeleteAllTunnelConnections deletes all tunnel connections for cluster
	DeleteAllTunnelConnections() error

	// CreateRemoteCluster creates a remote cluster
	CreateRemoteCluster(RemoteCluster) error

	// GetRemoteClusters returns a list of remote clusters
	GetRemoteClusters(opts ...MarshalOption) ([]RemoteCluster, error)

	// GetRemoteCluster returns a remote cluster by name
	GetRemoteCluster(clusterName string) (RemoteCluster, error)

	// DeleteRemoteCluster deletes remote cluster by name
	DeleteRemoteCluster(clusterName string) error

	// DeleteAllRemoteClusters deletes all remote clusters
	DeleteAllRemoteClusters() error
}

Presence records and reports the presence of all components of the cluster - Nodes, Proxies and SSH nodes

type ProvisionToken

type ProvisionToken interface {
	Resource
	// GetRoles returns a list of teleport roles
	// that will be granted to the user of the token
	// in the crendentials
	GetRoles() teleport.Roles
	// SetRoles sets teleport roles
	SetRoles(teleport.Roles)
	// V1 returns V1 version of the resource
	V1() *ProvisionTokenV1
	// String returns user friendly representation of the resource
	String() string
	// CheckAndSetDefaults checks parameters and sets default values
	CheckAndSetDefaults() error
}

ProvisionToken is a provisioning token

func MustCreateProvisionToken

func MustCreateProvisionToken(token string, roles teleport.Roles, expires time.Time) ProvisionToken

MustCreateProvisionToken returns a new valid provision token or panics, used in testes

func NewProvisionToken

func NewProvisionToken(token string, roles teleport.Roles, expires time.Time) (ProvisionToken, error)

NewProvisionToken returns a new instance of provision token resource

func ProvisionTokensFromV1

func ProvisionTokensFromV1(in []ProvisionTokenV1) []ProvisionToken

ProvisionTokensFromV1 converts V1 provision tokens to resource list

func UnmarshalProvisionToken

func UnmarshalProvisionToken(data []byte, opts ...MarshalOption) (ProvisionToken, error)

UnmarshalProvisionToken unmarshals provision token from JSON or YAML, sets defaults and checks the schema

type ProvisionTokenSpecV2

type ProvisionTokenSpecV2 struct {
	// Roles is a list of roles associated with the token,
	// that will be converted to metadata in the SSH and X509
	// certificates issued to the user of the token
	Roles                []github_com_gravitational_teleport.Role `protobuf:"bytes,1,rep,name=Roles,casttype=github.com/gravitational/teleport.Role" json:"roles"`
	XXX_NoUnkeyedLiteral struct{}                                 `json:"-"`
	XXX_unrecognized     []byte                                   `json:"-"`
	XXX_sizecache        int32                                    `json:"-"`
}

ProvisionTokenSpecV2 is a specification for V2 token

func (*ProvisionTokenSpecV2) Descriptor

func (*ProvisionTokenSpecV2) Descriptor() ([]byte, []int)

func (*ProvisionTokenSpecV2) Marshal

func (m *ProvisionTokenSpecV2) Marshal() (dAtA []byte, err error)

func (*ProvisionTokenSpecV2) MarshalTo

func (m *ProvisionTokenSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*ProvisionTokenSpecV2) ProtoMessage

func (*ProvisionTokenSpecV2) ProtoMessage()

func (*ProvisionTokenSpecV2) Reset

func (m *ProvisionTokenSpecV2) Reset()

func (*ProvisionTokenSpecV2) Size

func (m *ProvisionTokenSpecV2) Size() (n int)

func (*ProvisionTokenSpecV2) String

func (m *ProvisionTokenSpecV2) String() string

func (*ProvisionTokenSpecV2) Unmarshal

func (m *ProvisionTokenSpecV2) Unmarshal(dAtA []byte) error

func (*ProvisionTokenSpecV2) XXX_DiscardUnknown

func (m *ProvisionTokenSpecV2) XXX_DiscardUnknown()

func (*ProvisionTokenSpecV2) XXX_Marshal

func (m *ProvisionTokenSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProvisionTokenSpecV2) XXX_Merge

func (dst *ProvisionTokenSpecV2) XXX_Merge(src proto.Message)

func (*ProvisionTokenSpecV2) XXX_Size

func (m *ProvisionTokenSpecV2) XXX_Size() int

func (*ProvisionTokenSpecV2) XXX_Unmarshal

func (m *ProvisionTokenSpecV2) XXX_Unmarshal(b []byte) error

type ProvisionTokenV1

type ProvisionTokenV1 struct {
	// Roles is a list of roles associated with the token,
	// that will be converted to metadata in the SSH and X509
	// certificates issued to the user of the token
	Roles []github_com_gravitational_teleport.Role `protobuf:"bytes,1,rep,name=Roles,casttype=github.com/gravitational/teleport.Role" json:"roles"`
	// Expires is a global expiry time header can be set on any resource in the system.
	Expires time.Time `protobuf:"bytes,2,opt,name=Expires,stdtime" json:"expires,omitempty"`
	// Token is a token name
	Token                string   `protobuf:"bytes,3,opt,name=Token,proto3" json:"token"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ProvisionTokenV1 is a provisioning token V1

func ProvisionTokensToV1

func ProvisionTokensToV1(in []ProvisionToken) []ProvisionTokenV1

ProvisionTokensToV1 converts provision tokens to V1 list

func (*ProvisionTokenV1) Descriptor

func (*ProvisionTokenV1) Descriptor() ([]byte, []int)

func (*ProvisionTokenV1) Marshal

func (m *ProvisionTokenV1) Marshal() (dAtA []byte, err error)

func (*ProvisionTokenV1) MarshalTo

func (m *ProvisionTokenV1) MarshalTo(dAtA []byte) (int, error)

func (*ProvisionTokenV1) ProtoMessage

func (*ProvisionTokenV1) ProtoMessage()

func (*ProvisionTokenV1) Reset

func (m *ProvisionTokenV1) Reset()

func (*ProvisionTokenV1) Size

func (m *ProvisionTokenV1) Size() (n int)

func (ProvisionTokenV1) String

func (p ProvisionTokenV1) String() string

String returns the human readable representation of a provisioning token.

func (*ProvisionTokenV1) Unmarshal

func (m *ProvisionTokenV1) Unmarshal(dAtA []byte) error

func (*ProvisionTokenV1) V1

V1 returns V1 version of the resource

func (*ProvisionTokenV1) V2

V2 returns V2 version of the resource

func (*ProvisionTokenV1) XXX_DiscardUnknown

func (m *ProvisionTokenV1) XXX_DiscardUnknown()

func (*ProvisionTokenV1) XXX_Marshal

func (m *ProvisionTokenV1) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProvisionTokenV1) XXX_Merge

func (dst *ProvisionTokenV1) XXX_Merge(src proto.Message)

func (*ProvisionTokenV1) XXX_Size

func (m *ProvisionTokenV1) XXX_Size() int

func (*ProvisionTokenV1) XXX_Unmarshal

func (m *ProvisionTokenV1) XXX_Unmarshal(b []byte) error

type ProvisionTokenV2

type ProvisionTokenV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a provisioning token V2 spec
	Spec                 ProvisionTokenSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
	XXX_unrecognized     []byte               `json:"-"`
	XXX_sizecache        int32                `json:"-"`
}

ProvisionTokenV2 specifies provisioning token

func (*ProvisionTokenV2) CheckAndSetDefaults

func (p *ProvisionTokenV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and set default values for any missing fields.

func (*ProvisionTokenV2) Descriptor

func (*ProvisionTokenV2) Descriptor() ([]byte, []int)

func (*ProvisionTokenV2) Expiry

func (s *ProvisionTokenV2) Expiry() time.Time

Expires returns object expiry setting

func (*ProvisionTokenV2) GetKind

func (p *ProvisionTokenV2) GetKind() string

GetKind returns resource kind

func (*ProvisionTokenV2) GetMetadata

func (p *ProvisionTokenV2) GetMetadata() Metadata

GetMetadata returns metadata

func (*ProvisionTokenV2) GetName

func (p *ProvisionTokenV2) GetName() string

GetName returns server name

func (*ProvisionTokenV2) GetResourceID

func (p *ProvisionTokenV2) GetResourceID() int64

GetResourceID returns resource ID

func (*ProvisionTokenV2) GetRoles

func (p *ProvisionTokenV2) GetRoles() teleport.Roles

GetRoles returns a list of teleport roles that will be granted to the user of the token in the crendentials

func (*ProvisionTokenV2) GetSubKind

func (p *ProvisionTokenV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*ProvisionTokenV2) GetVersion

func (p *ProvisionTokenV2) GetVersion() string

GetVersion returns resource version

func (*ProvisionTokenV2) Marshal

func (m *ProvisionTokenV2) Marshal() (dAtA []byte, err error)

func (*ProvisionTokenV2) MarshalTo

func (m *ProvisionTokenV2) MarshalTo(dAtA []byte) (int, error)

func (*ProvisionTokenV2) ProtoMessage

func (*ProvisionTokenV2) ProtoMessage()

func (*ProvisionTokenV2) Reset

func (m *ProvisionTokenV2) Reset()

func (*ProvisionTokenV2) SetExpiry

func (p *ProvisionTokenV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*ProvisionTokenV2) SetName

func (p *ProvisionTokenV2) SetName(e string)

SetName sets the name of the TrustedCluster.

func (*ProvisionTokenV2) SetResourceID

func (p *ProvisionTokenV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*ProvisionTokenV2) SetRoles

func (p *ProvisionTokenV2) SetRoles(r teleport.Roles)

SetRoles sets teleport roles

func (*ProvisionTokenV2) SetSubKind

func (p *ProvisionTokenV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*ProvisionTokenV2) SetTTL

func (p *ProvisionTokenV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*ProvisionTokenV2) Size

func (m *ProvisionTokenV2) Size() (n int)

func (ProvisionTokenV2) String

func (p ProvisionTokenV2) String() string

String returns the human readable representation of a provisioning token.

func (*ProvisionTokenV2) Unmarshal

func (m *ProvisionTokenV2) Unmarshal(dAtA []byte) error

func (*ProvisionTokenV2) V1

V1 returns V1 version of the resource

func (*ProvisionTokenV2) V2

V2 returns V2 version of the resource

func (*ProvisionTokenV2) XXX_DiscardUnknown

func (m *ProvisionTokenV2) XXX_DiscardUnknown()

func (*ProvisionTokenV2) XXX_Marshal

func (m *ProvisionTokenV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ProvisionTokenV2) XXX_Merge

func (dst *ProvisionTokenV2) XXX_Merge(src proto.Message)

func (*ProvisionTokenV2) XXX_Size

func (m *ProvisionTokenV2) XXX_Size() int

func (*ProvisionTokenV2) XXX_Unmarshal

func (m *ProvisionTokenV2) XXX_Unmarshal(b []byte) error

type Provisioner added in v1.0.0

type Provisioner interface {
	// UpsertToken adds provisioning tokens for the auth server
	UpsertToken(ProvisionToken) error

	// GetToken finds and returns token by id
	GetToken(token string) (ProvisionToken, error)

	// DeleteToken deletes provisioning token
	DeleteToken(token string) error

	// DeleteAllTokens deletes all provisioning tokens
	DeleteAllTokens() error

	// GetTokens returns all non-expired tokens
	GetTokens(opts ...MarshalOption) ([]ProvisionToken, error)
}

Provisioner governs adding new nodes to the cluster

type ProxyGetter

type ProxyGetter interface {
	// GetProxies returns a list of registered proxies
	GetProxies() ([]Server, error)
}

ProxyGetter is an service that gets proxies

type ProxyWatcher

type ProxyWatcher struct {
	*sync.RWMutex
	log.FieldLogger
	ProxyWatcherConfig
	// contains filtered or unexported fields
}

ProxyWatcher is a resource built on top of the events, it monitors the additions and deletions to the proxies

func NewProxyWatcher

func NewProxyWatcher(cfg ProxyWatcherConfig) (*ProxyWatcher, error)

NewProxyWatcher returns a new instance of changeset

func (*ProxyWatcher) Close

func (p *ProxyWatcher) Close() error

Close closes proxy watcher and cancells all the functions

func (*ProxyWatcher) Done

func (p *ProxyWatcher) Done() <-chan struct{}

Done returns a channel that signals proxy watcher closure

func (*ProxyWatcher) GetCurrent

func (p *ProxyWatcher) GetCurrent() []Server

GetCurrent returns a list of currently active proxies

type ProxyWatcherClient

type ProxyWatcherClient interface {
	ProxyGetter
	Events
}

ProxyWatcherClient is used by changeset to fetch a list of proxies and subscribe to updates

type ProxyWatcherConfig

type ProxyWatcherConfig struct {
	// Context is a parent context
	// controlling the lifecycle of the changeset
	Context context.Context
	// Component is a component used in logs
	Component string
	// RetryPeriod is a retry period on failed watchers
	RetryPeriod time.Duration
	// ReloadPeriod is a failed period on failed watches
	ReloadPeriod time.Duration
	// Client is used by changeset to monitor proxy updates
	Client ProxyWatcherClient
	// Entry is a logging entry
	Entry log.FieldLogger
	// ProxiesC is a channel that will be used
	// by the watcher to push updated list,
	// it will always receive a fresh list on the start
	// and the subsequent list of new values
	// whenever an addition or deletion to the list is detected
	ProxiesC chan []Server
}

ProxyWatcherConfig configures proxy watcher

func (*ProxyWatcherConfig) CheckAndSetDefaults

func (cfg *ProxyWatcherConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values

type Ref

type Ref struct {
	Kind string
	Name string
}

Ref is a resource reference

func ParseRef

func ParseRef(ref string) (*Ref, error)

ParseRef parses resource reference eg daemonsets/ds1

func (*Ref) IsEmpty

func (r *Ref) IsEmpty() bool

IsEmpty checks whether the provided resource name is empty

func (*Ref) Set

func (r *Ref) Set(v string) error

Set sets the name of the resource

func (*Ref) String

func (r *Ref) String() string

type Refs

type Refs []Ref

Refs is a set of resource references

func ParseRefs

func ParseRefs(refs string) (Refs, error)

ParseRefs parses a comma-separated string of resource references (eg "users/alice,users/bob")

func (*Refs) IsAll

func (r *Refs) IsAll() bool

Check if refs is special wildcard case `all`.

func (*Refs) Set

func (r *Refs) Set(v string) error

Set sets the value of `r` from a comma-separated string of resource references (in-place equivalent of `ParseRefs`).

func (*Refs) String

func (r *Refs) String() string

type RemoteCluster

type RemoteCluster interface {
	// Resource provides common resource properties
	Resource
	// GetConnectionStatus returns connection status
	GetConnectionStatus() string
	// SetConnectionStatus sets connection  status
	SetConnectionStatus(string)

	// GetLastHeartbeat returns last heartbeat of the cluster
	GetLastHeartbeat() time.Time
	// SetLastHeartbeat sets last heartbeat of the cluster
	SetLastHeartbeat(t time.Time)

	// CheckAndSetDefaults checks and sets default values
	CheckAndSetDefaults() error
}

RemoteCluster represents a remote cluster that has connected via reverse tunnel to this lcuster

func NewRemoteCluster

func NewRemoteCluster(name string) (RemoteCluster, error)

NewRemoteCluster is a convenience wa to create a RemoteCluster resource.

func UnmarshalRemoteCluster

func UnmarshalRemoteCluster(bytes []byte, opts ...MarshalOption) (RemoteCluster, error)

UnmarshalRemoteCluster unmarshals remote cluster from JSON or YAML.

type RemoteClusterStatusV3

type RemoteClusterStatusV3 struct {
	// Connection represents connection status, online or offline
	Connection string `json:"connection"`
	// LastHeartbeat records last heartbeat of the cluster
	LastHeartbeat time.Time `json:"last_heartbeat"`
}

RemoteClusterSpecV3 represents status of the remote cluster

type RemoteClusterV3

type RemoteClusterV3 struct {
	// Kind is a resource kind - always resource.
	Kind string `json:"kind"`

	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`

	// Version is a resource version.
	Version string `json:"version"`

	// Metadata is metadata about the resource.
	Metadata Metadata `json:"metadata"`

	// Sstatus is read only status of the remote cluster
	Status RemoteClusterStatusV3 `json:"status"`
}

RemoteClusterV3 implements RemoteCluster.

func (*RemoteClusterV3) CheckAndSetDefaults

func (c *RemoteClusterV3) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values

func (*RemoteClusterV3) Expiry

func (c *RemoteClusterV3) Expiry() time.Time

Expires returns object expiry setting

func (*RemoteClusterV3) GetConnectionStatus

func (c *RemoteClusterV3) GetConnectionStatus() string

GetConnectionStatus returns connection status

func (*RemoteClusterV3) GetKind

func (c *RemoteClusterV3) GetKind() string

GetKind returns resource kind

func (*RemoteClusterV3) GetLastHeartbeat

func (c *RemoteClusterV3) GetLastHeartbeat() time.Time

GetLastHeartbeat returns last heartbeat of the cluster

func (*RemoteClusterV3) GetMetadata

func (c *RemoteClusterV3) GetMetadata() Metadata

GetMetadata returns object metadata

func (*RemoteClusterV3) GetName

func (c *RemoteClusterV3) GetName() string

GetName returns the name of the RemoteCluster.

func (*RemoteClusterV3) GetResourceID

func (c *RemoteClusterV3) GetResourceID() int64

GetResourceID returns resource ID

func (*RemoteClusterV3) GetSubKind

func (c *RemoteClusterV3) GetSubKind() string

GetSubKind returns resource sub kind

func (*RemoteClusterV3) GetVersion

func (c *RemoteClusterV3) GetVersion() string

GetVersion returns resource version

func (*RemoteClusterV3) SetConnectionStatus

func (c *RemoteClusterV3) SetConnectionStatus(status string)

SetConnectionStatus sets connection status

func (*RemoteClusterV3) SetExpiry

func (c *RemoteClusterV3) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*RemoteClusterV3) SetLastHeartbeat

func (c *RemoteClusterV3) SetLastHeartbeat(t time.Time)

SetLastHeartbeat sets last heartbeat of the cluster

func (*RemoteClusterV3) SetName

func (c *RemoteClusterV3) SetName(e string)

SetName sets the name of the RemoteCluster.

func (*RemoteClusterV3) SetResourceID

func (c *RemoteClusterV3) SetResourceID(id int64)

SetResourceID sets resource ID

func (*RemoteClusterV3) SetSubKind

func (c *RemoteClusterV3) SetSubKind(s string)

SetSubKind sets resource subkind

func (*RemoteClusterV3) SetTTL

func (c *RemoteClusterV3) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*RemoteClusterV3) String

func (r *RemoteClusterV3) String() string

String represents a human readable version of remote cluster settings.

type RequestIDs

type RequestIDs struct {
	AccessRequests []string `json:"access_requests,omitempty"`
}

RequestIDs is a collection of IDs for privelege escalation requests.

func (*RequestIDs) Check

func (r *RequestIDs) Check() error

func (*RequestIDs) IsEmpty

func (r *RequestIDs) IsEmpty() bool

func (*RequestIDs) Marshal

func (r *RequestIDs) Marshal() ([]byte, error)

func (*RequestIDs) Unmarshal

func (r *RequestIDs) Unmarshal(data []byte) error

type RequestState

type RequestState int32

RequestState represents the state of a request for escalated privilege.

const (
	// NONE variant exists to allow RequestState to be explicitly omitted
	// in certain circumstances (e.g. in an AccessRequestFilter).
	RequestState_NONE RequestState = 0
	// PENDING variant is the default for newly created requests.
	RequestState_PENDING RequestState = 1
	// APPROVED variant indicates that a request has been accepted by
	// an administrating party.
	RequestState_APPROVED RequestState = 2
	// DENIED variant indicates that a request has been rejected by
	// an administrating party.
	RequestState_DENIED RequestState = 3
)

func (RequestState) EnumDescriptor

func (RequestState) EnumDescriptor() ([]byte, []int)

func (RequestState) IsApproved

func (s RequestState) IsApproved() bool

func (RequestState) IsDenied

func (s RequestState) IsDenied() bool

func (RequestState) IsNone

func (s RequestState) IsNone() bool

func (RequestState) IsPending

func (s RequestState) IsPending() bool

func (*RequestState) Parse

func (s *RequestState) Parse(val string) error

Parse attempts to interpret a value as a string representation of a RequestState.

func (RequestState) String

func (x RequestState) String() string

type Resource

type Resource interface {
	// GetKind returns resource kind
	GetKind() string
	// GetSubKind returns resource subkind
	GetSubKind() string
	// SetSubKind sets resource subkind
	SetSubKind(string)
	// GetVersion returns resource version
	GetVersion() string
	// GetName returns the name of the resource
	GetName() string
	// SetName sets the name of the resource
	SetName(string)
	// Expiry returns object expiry setting
	Expiry() time.Time
	// SetExpiry sets object expiry
	SetExpiry(time.Time)
	// SetTTL sets Expires header using current clock
	SetTTL(clock clockwork.Clock, ttl time.Duration)
	// GetMetadata returns object metadata
	GetMetadata() Metadata
	// GetResourceID returns resource ID
	GetResourceID() int64
	// SetResourceID sets resource ID
	SetResourceID(int64)
}

Resource represents common properties for resources

func UnmarshalResource

func UnmarshalResource(kind string, raw []byte, opts ...MarshalOption) (Resource, error)

UnmarshalResource attempts to unmarshal a resource dynamically, returning NotImplementedError if not unmarshaler has been registered.

NOTE: This function only supports the subset of resources which may be imported/exported by users (e.g. via `tctl get`).

type ResourceHeader

type ResourceHeader struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind,omitempty"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version,omitempty"`
	// Metadata is User metadata
	Metadata             Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ResorceHeader is a shared resource header used in cases when only type and name is known

func (*ResourceHeader) Descriptor

func (*ResourceHeader) Descriptor() ([]byte, []int)

func (*ResourceHeader) Expiry

func (h *ResourceHeader) Expiry() time.Time

Expiry returns object expiry setting

func (*ResourceHeader) GetKind

func (h *ResourceHeader) GetKind() string

GetKind returns resource kind

func (*ResourceHeader) GetMetadata

func (h *ResourceHeader) GetMetadata() Metadata

GetMetadata returns object metadata

func (*ResourceHeader) GetName

func (h *ResourceHeader) GetName() string

GetName returns the name of the resource

func (*ResourceHeader) GetResourceID

func (h *ResourceHeader) GetResourceID() int64

GetResourceID returns resource ID

func (*ResourceHeader) GetSubKind

func (h *ResourceHeader) GetSubKind() string

GetSubKind returns resource subkind

func (*ResourceHeader) GetVersion

func (h *ResourceHeader) GetVersion() string

GetVersion returns resource version

func (*ResourceHeader) Marshal

func (m *ResourceHeader) Marshal() (dAtA []byte, err error)

func (*ResourceHeader) MarshalTo

func (m *ResourceHeader) MarshalTo(dAtA []byte) (int, error)

func (*ResourceHeader) ProtoMessage

func (*ResourceHeader) ProtoMessage()

func (*ResourceHeader) Reset

func (m *ResourceHeader) Reset()

func (*ResourceHeader) SetExpiry

func (h *ResourceHeader) SetExpiry(t time.Time)

SetExpiry sets object expiry

func (*ResourceHeader) SetName

func (h *ResourceHeader) SetName(v string)

SetName sets the name of the resource

func (*ResourceHeader) SetResourceID

func (h *ResourceHeader) SetResourceID(id int64)

SetResourceID sets resource ID

func (*ResourceHeader) SetSubKind

func (h *ResourceHeader) SetSubKind(s string)

SetSubKind sets resource subkind

func (*ResourceHeader) SetTTL

func (h *ResourceHeader) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using current clock

func (*ResourceHeader) Size

func (m *ResourceHeader) Size() (n int)

func (*ResourceHeader) String

func (m *ResourceHeader) String() string

func (*ResourceHeader) Unmarshal

func (m *ResourceHeader) Unmarshal(dAtA []byte) error

func (*ResourceHeader) XXX_DiscardUnknown

func (m *ResourceHeader) XXX_DiscardUnknown()

func (*ResourceHeader) XXX_Marshal

func (m *ResourceHeader) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ResourceHeader) XXX_Merge

func (dst *ResourceHeader) XXX_Merge(src proto.Message)

func (*ResourceHeader) XXX_Size

func (m *ResourceHeader) XXX_Size() int

func (*ResourceHeader) XXX_Unmarshal

func (m *ResourceHeader) XXX_Unmarshal(b []byte) error

type ResourceMarshaler

type ResourceMarshaler func(Resource, ...MarshalOption) ([]byte, error)

ResourceMarshaler handles marshaling of a specific resource type.

type ResourceUnmarshaler

type ResourceUnmarshaler func([]byte, ...MarshalOption) (Resource, error)

ResourceUnmarshaler handles unmarshaling of a specific resource type.

type ReverseTunnel added in v1.0.0

type ReverseTunnel interface {
	// Resource provides common methods for resource objects
	Resource
	// GetClusterName returns name of the cluster
	GetClusterName() string
	// SetClusterName sets cluster name
	SetClusterName(name string)
	// GetType gets the type of ReverseTunnel.
	GetType() TunnelType
	// SetType sets the type of ReverseTunnel.
	SetType(TunnelType)
	// GetDialAddrs returns list of dial addresses for this cluster
	GetDialAddrs() []string
	// Check checks tunnel for errors
	Check() error
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
}

ReverseTunnel is SSH reverse tunnel established between a local Proxy and a remote Proxy. It helps to bypass firewall restrictions, so local clusters don't need to have the cluster involved

func NewReverseTunnel

func NewReverseTunnel(clusterName string, dialAddrs []string) ReverseTunnel

NewReverseTunnel returns new version of reverse tunnel

func UnmarshalReverseTunnel

func UnmarshalReverseTunnel(data []byte, opts ...MarshalOption) (ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML, sets defaults and checks the schema

type ReverseTunnelMarshaler

type ReverseTunnelMarshaler interface {
	// UnmarshalReverseTunnel unmarshals reverse tunnel from binary representation
	UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (ReverseTunnel, error)
	// MarshalReverseTunnel marshals reverse tunnel to binary representation
	MarshalReverseTunnel(ReverseTunnel, ...MarshalOption) ([]byte, error)
}

ReverseTunnelMarshaler implements marshal/unmarshal of reverse tunnel implementations

func GetReverseTunnelMarshaler

func GetReverseTunnelMarshaler() ReverseTunnelMarshaler

type ReverseTunnelSpecV2

type ReverseTunnelSpecV2 struct {
	// ClusterName is a domain name of remote cluster we are connecting to
	ClusterName string `protobuf:"bytes,1,opt,name=ClusterName,proto3" json:"cluster_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `protobuf:"bytes,2,rep,name=DialAddrs" json:"dial_addrs,omitempty"`
	// Type is the type of reverse tunnel, either proxy or node.
	Type                 TunnelType `protobuf:"bytes,3,opt,name=Type,proto3,casttype=TunnelType" json:"type"`
	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
	XXX_unrecognized     []byte     `json:"-"`
	XXX_sizecache        int32      `json:"-"`
}

ReverseTunnelSpecV2 is a specification for V2 reverse tunnel

func (*ReverseTunnelSpecV2) Descriptor

func (*ReverseTunnelSpecV2) Descriptor() ([]byte, []int)

func (*ReverseTunnelSpecV2) Marshal

func (m *ReverseTunnelSpecV2) Marshal() (dAtA []byte, err error)

func (*ReverseTunnelSpecV2) MarshalTo

func (m *ReverseTunnelSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*ReverseTunnelSpecV2) ProtoMessage

func (*ReverseTunnelSpecV2) ProtoMessage()

func (*ReverseTunnelSpecV2) Reset

func (m *ReverseTunnelSpecV2) Reset()

func (*ReverseTunnelSpecV2) Size

func (m *ReverseTunnelSpecV2) Size() (n int)

func (*ReverseTunnelSpecV2) String

func (m *ReverseTunnelSpecV2) String() string

func (*ReverseTunnelSpecV2) Unmarshal

func (m *ReverseTunnelSpecV2) Unmarshal(dAtA []byte) error

func (*ReverseTunnelSpecV2) XXX_DiscardUnknown

func (m *ReverseTunnelSpecV2) XXX_DiscardUnknown()

func (*ReverseTunnelSpecV2) XXX_Marshal

func (m *ReverseTunnelSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ReverseTunnelSpecV2) XXX_Merge

func (dst *ReverseTunnelSpecV2) XXX_Merge(src proto.Message)

func (*ReverseTunnelSpecV2) XXX_Size

func (m *ReverseTunnelSpecV2) XXX_Size() int

func (*ReverseTunnelSpecV2) XXX_Unmarshal

func (m *ReverseTunnelSpecV2) XXX_Unmarshal(b []byte) error

type ReverseTunnelV1

type ReverseTunnelV1 struct {
	// DomainName is a domain name of remote cluster we are connecting to
	DomainName string `json:"domain_name"`
	// DialAddrs is a list of remote address to establish a connection to
	// it's always SSH over TCP
	DialAddrs []string `json:"dial_addrs"`
}

ReverseTunnelV1 is V1 version of reverse tunnel

func (*ReverseTunnelV1) V1

V1 returns V1 version of the resource

func (*ReverseTunnelV1) V2

V2 returns V2 version of reverse tunnel

type ReverseTunnelV2

type ReverseTunnelV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is a resource metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a reverse tunnel specification
	Spec                 ReverseTunnelSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}            `json:"-"`
	XXX_unrecognized     []byte              `json:"-"`
	XXX_sizecache        int32               `json:"-"`
}

ReverseTunnelV2 is version 2 of the resource spec of the reverse tunnel

func (*ReverseTunnelV2) Check

func (r *ReverseTunnelV2) Check() error

Check returns nil if all parameters are good, error otherwise

func (*ReverseTunnelV2) CheckAndSetDefaults

func (r *ReverseTunnelV2) CheckAndSetDefaults() error

func (*ReverseTunnelV2) Descriptor

func (*ReverseTunnelV2) Descriptor() ([]byte, []int)

func (*ReverseTunnelV2) Expiry

func (r *ReverseTunnelV2) Expiry() time.Time

Expires returns object expiry setting

func (*ReverseTunnelV2) GetClusterName

func (r *ReverseTunnelV2) GetClusterName() string

GetClusterName returns name of the cluster

func (*ReverseTunnelV2) GetDialAddrs

func (r *ReverseTunnelV2) GetDialAddrs() []string

GetDialAddrs returns list of dial addresses for this cluster

func (*ReverseTunnelV2) GetKind

func (r *ReverseTunnelV2) GetKind() string

GetKind returns resource kind

func (*ReverseTunnelV2) GetMetadata

func (r *ReverseTunnelV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*ReverseTunnelV2) GetName

func (r *ReverseTunnelV2) GetName() string

GetName returns the name of the User

func (*ReverseTunnelV2) GetResourceID

func (r *ReverseTunnelV2) GetResourceID() int64

GetResourceID returns resource ID

func (*ReverseTunnelV2) GetSubKind

func (r *ReverseTunnelV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*ReverseTunnelV2) GetType

func (r *ReverseTunnelV2) GetType() TunnelType

GetType gets the type of ReverseTunnel.

func (*ReverseTunnelV2) GetVersion

func (r *ReverseTunnelV2) GetVersion() string

GetVersion returns resource version

func (*ReverseTunnelV2) Marshal

func (m *ReverseTunnelV2) Marshal() (dAtA []byte, err error)

func (*ReverseTunnelV2) MarshalTo

func (m *ReverseTunnelV2) MarshalTo(dAtA []byte) (int, error)

func (*ReverseTunnelV2) ProtoMessage

func (*ReverseTunnelV2) ProtoMessage()

func (*ReverseTunnelV2) Reset

func (m *ReverseTunnelV2) Reset()

func (*ReverseTunnelV2) SetClusterName

func (r *ReverseTunnelV2) SetClusterName(name string)

SetClusterName sets name of a cluster

func (*ReverseTunnelV2) SetExpiry

func (r *ReverseTunnelV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*ReverseTunnelV2) SetName

func (r *ReverseTunnelV2) SetName(e string)

SetName sets the name of the User

func (*ReverseTunnelV2) SetResourceID

func (r *ReverseTunnelV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*ReverseTunnelV2) SetSubKind

func (o *ReverseTunnelV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*ReverseTunnelV2) SetTTL

func (r *ReverseTunnelV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*ReverseTunnelV2) SetType

func (r *ReverseTunnelV2) SetType(tt TunnelType)

SetType sets the type of ReverseTunnel.

func (*ReverseTunnelV2) Size

func (m *ReverseTunnelV2) Size() (n int)

func (*ReverseTunnelV2) String

func (m *ReverseTunnelV2) String() string

func (*ReverseTunnelV2) Unmarshal

func (m *ReverseTunnelV2) Unmarshal(dAtA []byte) error

func (*ReverseTunnelV2) V1

V1 returns V1 version of the resource

func (*ReverseTunnelV2) V2

V2 returns V2 version of the resource

func (*ReverseTunnelV2) XXX_DiscardUnknown

func (m *ReverseTunnelV2) XXX_DiscardUnknown()

func (*ReverseTunnelV2) XXX_Marshal

func (m *ReverseTunnelV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ReverseTunnelV2) XXX_Merge

func (dst *ReverseTunnelV2) XXX_Merge(src proto.Message)

func (*ReverseTunnelV2) XXX_Size

func (m *ReverseTunnelV2) XXX_Size() int

func (*ReverseTunnelV2) XXX_Unmarshal

func (m *ReverseTunnelV2) XXX_Unmarshal(b []byte) error

type Role

type Role interface {
	// Resource provides common resource methods.
	Resource
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
	// Equals returns true if the roles are equal. Roles are equal if options and
	// conditions match.
	Equals(other Role) bool
	// ApplyTraits applies the passed in traits to any variables within the role
	// and returns itself.
	ApplyTraits(map[string][]string) Role

	// GetOptions gets role options.
	GetOptions() RoleOptions
	// SetOptions sets role options
	SetOptions(opt RoleOptions)

	// GetLogins gets *nix system logins for allow or deny condition.
	GetLogins(RoleConditionType) []string
	// SetLogins sets *nix system logins for allow or deny condition.
	SetLogins(RoleConditionType, []string)

	// GetNamespaces gets a list of namespaces this role is allowed or denied access to.
	GetNamespaces(RoleConditionType) []string
	// GetNamespaces sets a list of namespaces this role is allowed or denied access to.
	SetNamespaces(RoleConditionType, []string)

	// GetNodeLabels gets the map of node labels this role is allowed or denied access to.
	GetNodeLabels(RoleConditionType) Labels
	// SetNodeLabels sets the map of node labels this role is allowed or denied access to.
	SetNodeLabels(RoleConditionType, Labels)

	// GetRules gets all allow or deny rules.
	GetRules(rct RoleConditionType) []Rule
	// SetRules sets an allow or deny rule.
	SetRules(rct RoleConditionType, rules []Rule)

	// GetKubeGroups returns kubernetes groups
	GetKubeGroups(RoleConditionType) []string
	// SetKubeGroups sets kubernetes groups for allow or deny condition.
	SetKubeGroups(RoleConditionType, []string)

	// GetAccessRequestConditions gets allow/deny conditions for access requests.
	GetAccessRequestConditions(RoleConditionType) AccessRequestConditions
	// SetAccessRequestConditions sets allow/deny conditions for access requests.
	SetAccessRequestConditions(RoleConditionType, AccessRequestConditions)
}

Role contains a set of permissions or settings

func ApplyTraits

func ApplyTraits(r Role, traits map[string][]string) Role

ApplyTraits applies the passed in traits to any variables within the role and returns itself.

func NewAdminRole

func NewAdminRole() Role

NewAdminRole is the default admin role for all local users if another role is not explicitly assigned (this role applies to all users in OSS version).

func NewImplicitRole

func NewImplicitRole() Role

NewImplicitRole is the default implicit role that gets added to all RoleSets.

func NewRole

func NewRole(name string, spec RoleSpecV3) (Role, error)

NewRole constructs new standard role

func RoleForCertAuthority

func RoleForCertAuthority(ca CertAuthority) Role

RoleForCertauthority creates role using services.CertAuthority.

func RoleForUser

func RoleForUser(u User) Role

RoleForUser creates an admin role for a services.User.

type RoleConditionType

type RoleConditionType bool

RoleConditionType specifies if it's an allow rule (true) or deny rule (false).

const (
	// Allow is the set of conditions that allow access.
	Allow RoleConditionType = true
	// Deny is the set of conditions that prevent access.
	Deny RoleConditionType = false
)

type RoleConditions

type RoleConditions struct {
	// Logins is a list of *nix system logins.
	Logins []string `protobuf:"bytes,1,rep,name=Logins" json:"logins"`
	// Namespaces is a list of namespaces (used to partition a cluster). The
	// field should be called "namespaces" when it returns in Teleport 2.4.
	Namespaces []string `protobuf:"bytes,2,rep,name=Namespaces" json:"-"`
	// NodeLabels is a map of node labels (used to dynamically grant access to nodes).
	NodeLabels Labels `protobuf:"bytes,3,opt,name=NodeLabels,customtype=Labels" json:"node_labels,omitempty"`
	// Rules is a list of rules and their access levels. Rules are a high level
	// construct used for access control.
	Rules []Rule `protobuf:"bytes,4,rep,name=Rules" json:"rules,omitempty"`
	// KubeGroups is a list of kubernetes groups
	KubeGroups           []string                 `protobuf:"bytes,5,rep,name=KubeGroups" json:"kubernetes_groups,omitempty"`
	Request              *AccessRequestConditions `protobuf:"bytes,6,opt,name=Request" json:"request,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
	XXX_unrecognized     []byte                   `json:"-"`
	XXX_sizecache        int32                    `json:"-"`
}

RoleConditions is a set of conditions that must all match to be allowed or denied access.

func (*RoleConditions) Descriptor

func (*RoleConditions) Descriptor() ([]byte, []int)

func (*RoleConditions) Equals

func (r *RoleConditions) Equals(o RoleConditions) bool

Equals returns true if the role conditions (logins, namespaces, labels, and rules) are equal and false if they are not.

func (*RoleConditions) Marshal

func (m *RoleConditions) Marshal() (dAtA []byte, err error)

func (*RoleConditions) MarshalTo

func (m *RoleConditions) MarshalTo(dAtA []byte) (int, error)

func (*RoleConditions) ProtoMessage

func (*RoleConditions) ProtoMessage()

func (*RoleConditions) Reset

func (m *RoleConditions) Reset()

func (*RoleConditions) Size

func (m *RoleConditions) Size() (n int)

func (*RoleConditions) String

func (m *RoleConditions) String() string

func (*RoleConditions) Unmarshal

func (m *RoleConditions) Unmarshal(dAtA []byte) error

func (*RoleConditions) XXX_DiscardUnknown

func (m *RoleConditions) XXX_DiscardUnknown()

func (*RoleConditions) XXX_Marshal

func (m *RoleConditions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RoleConditions) XXX_Merge

func (dst *RoleConditions) XXX_Merge(src proto.Message)

func (*RoleConditions) XXX_Size

func (m *RoleConditions) XXX_Size() int

func (*RoleConditions) XXX_Unmarshal

func (m *RoleConditions) XXX_Unmarshal(b []byte) error

type RoleGetter

type RoleGetter interface {
	// GetRole returns role by name
	GetRole(name string) (Role, error)
}

RoleGetter is an interface that defines GetRole method

type RoleMap

type RoleMap []RoleMapping

RoleMap is a list of mappings

func (RoleMap) Check

func (r RoleMap) Check() error

Check checks RoleMap for errors

func (RoleMap) Equals

func (r RoleMap) Equals(o RoleMap) bool

Equals checks if the two role maps are equal.

func (RoleMap) Map

func (r RoleMap) Map(remoteRoles []string) ([]string, error)

Map maps local roles to remote roles

func (RoleMap) String

func (r RoleMap) String() string

String prints user friendly representation of role mapping

type RoleMapping

type RoleMapping struct {
	// Remote specifies remote role name to map from
	Remote string `protobuf:"bytes,1,opt,name=Remote,proto3" json:"remote"`
	// Local specifies local roles to map to
	Local                []string `protobuf:"bytes,2,rep,name=Local" json:"local"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

RoleMappping provides mapping of remote roles to local roles for trusted clusters

func (*RoleMapping) Descriptor

func (*RoleMapping) Descriptor() ([]byte, []int)

func (RoleMapping) Equals

func (r RoleMapping) Equals(o RoleMapping) bool

Equals checks if the two role mappings are equal.

func (*RoleMapping) Marshal

func (m *RoleMapping) Marshal() (dAtA []byte, err error)

func (*RoleMapping) MarshalTo

func (m *RoleMapping) MarshalTo(dAtA []byte) (int, error)

func (*RoleMapping) ProtoMessage

func (*RoleMapping) ProtoMessage()

func (*RoleMapping) Reset

func (m *RoleMapping) Reset()

func (*RoleMapping) Size

func (m *RoleMapping) Size() (n int)

func (*RoleMapping) String

func (m *RoleMapping) String() string

func (*RoleMapping) Unmarshal

func (m *RoleMapping) Unmarshal(dAtA []byte) error

func (*RoleMapping) XXX_DiscardUnknown

func (m *RoleMapping) XXX_DiscardUnknown()

func (*RoleMapping) XXX_Marshal

func (m *RoleMapping) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RoleMapping) XXX_Merge

func (dst *RoleMapping) XXX_Merge(src proto.Message)

func (*RoleMapping) XXX_Size

func (m *RoleMapping) XXX_Size() int

func (*RoleMapping) XXX_Unmarshal

func (m *RoleMapping) XXX_Unmarshal(b []byte) error

type RoleMarshaler

type RoleMarshaler interface {
	// UnmarshalRole from binary representation
	UnmarshalRole(bytes []byte, opts ...MarshalOption) (Role, error)
	// MarshalRole to binary representation
	MarshalRole(u Role, opts ...MarshalOption) ([]byte, error)
}

RoleMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions

func GetRoleMarshaler

func GetRoleMarshaler() RoleMarshaler

type RoleOptions

type RoleOptions struct {
	// ForwardAgent is SSH agent forwarding.
	ForwardAgent Bool `protobuf:"varint,1,opt,name=ForwardAgent,proto3,casttype=Bool" json:"forward_agent"`
	// MaxSessionTTL defines how long a SSH session can last for.
	MaxSessionTTL Duration `protobuf:"varint,2,opt,name=MaxSessionTTL,proto3,casttype=Duration" json:"max_session_ttl,omitempty"`
	// PortForwarding defines if the certificate will have "permit-port-forwarding"
	// in the certificate. PortForwarding is "yes" if not set,
	// that's why this is a pointer
	PortForwarding *BoolOption `protobuf:"bytes,3,opt,name=PortForwarding,customtype=BoolOption" json:"port_forwarding,omitempty"`
	// CertificateFormat defines the format of the user certificate to allow
	// compatibility with older versions of OpenSSH.
	CertificateFormat string `protobuf:"bytes,4,opt,name=CertificateFormat,proto3" json:"cert_format"`
	// ClientIdleTimeout sets disconnect clients on idle timeout behavior,
	// if set to 0 means do not disconnect, otherwise is set to the idle
	// duration.
	ClientIdleTimeout Duration `protobuf:"varint,5,opt,name=ClientIdleTimeout,proto3,casttype=Duration" json:"client_idle_timeout,omitempty"`
	// DisconnectExpiredCert sets disconnect clients on expired certificates.
	DisconnectExpiredCert Bool `protobuf:"varint,6,opt,name=DisconnectExpiredCert,proto3,casttype=Bool" json:"disconnect_expired_cert,omitempty"`
	// BPF defines what events to record for the BPF-based session recorder.
	BPF                  []string `protobuf:"bytes,7,rep,name=BPF" json:"enhanced_recording,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

RoleOptions is a set of role options

func (*RoleOptions) Descriptor

func (*RoleOptions) Descriptor() ([]byte, []int)

func (RoleOptions) Equals

func (o RoleOptions) Equals(other RoleOptions) bool

Equals checks if all the key/values in the RoleOptions map match.

func (*RoleOptions) Marshal

func (m *RoleOptions) Marshal() (dAtA []byte, err error)

func (*RoleOptions) MarshalTo

func (m *RoleOptions) MarshalTo(dAtA []byte) (int, error)

func (*RoleOptions) ProtoMessage

func (*RoleOptions) ProtoMessage()

func (*RoleOptions) Reset

func (m *RoleOptions) Reset()

func (*RoleOptions) Size

func (m *RoleOptions) Size() (n int)

func (*RoleOptions) String

func (m *RoleOptions) String() string

func (*RoleOptions) Unmarshal

func (m *RoleOptions) Unmarshal(dAtA []byte) error

func (*RoleOptions) XXX_DiscardUnknown

func (m *RoleOptions) XXX_DiscardUnknown()

func (*RoleOptions) XXX_Marshal

func (m *RoleOptions) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RoleOptions) XXX_Merge

func (dst *RoleOptions) XXX_Merge(src proto.Message)

func (*RoleOptions) XXX_Size

func (m *RoleOptions) XXX_Size() int

func (*RoleOptions) XXX_Unmarshal

func (m *RoleOptions) XXX_Unmarshal(b []byte) error

type RoleSet

type RoleSet []Role

RoleSet is a set of roles that implements access control functionality

func FetchRoles

func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]string) (RoleSet, error)

FetchRoles fetches roles by their names, applies the traits to role variables, and returns the RoleSet. Adds runtime roles like the default implicit role to RoleSet.

func FromSpec

func FromSpec(name string, spec RoleSpecV3) (RoleSet, error)

FromSpec returns new RoleSet created from spec

func NewRoleSet

func NewRoleSet(roles ...Role) RoleSet

NewRoleSet returns new RoleSet based on the roles

func (RoleSet) AdjustClientIdleTimeout

func (set RoleSet) AdjustClientIdleTimeout(timeout time.Duration) time.Duration

AdjustClientIdleTimeout adjusts requested idle timeout to the lowest max allowed timeout, the most restrictive option will be picked, negative values will be assumed as 0

func (RoleSet) AdjustDisconnectExpiredCert

func (set RoleSet) AdjustDisconnectExpiredCert(disconnect bool) bool

AdjustDisconnectExpiredCert adjusts the value based on the role set the most restrictive option will be picked

func (RoleSet) AdjustSessionTTL

func (set RoleSet) AdjustSessionTTL(ttl time.Duration) time.Duration

AdjustSessionTTL will reduce the requested ttl to lowest max allowed TTL for this role set, otherwise it returns ttl unchanged

func (RoleSet) CanForwardAgents

func (set RoleSet) CanForwardAgents() bool

CanForwardAgents returns true if role set allows forwarding agents.

func (RoleSet) CanPortForward

func (set RoleSet) CanPortForward() bool

CanPortForward returns true if a role in the RoleSet allows port forwarding.

func (RoleSet) CertificateFormat

func (set RoleSet) CertificateFormat() string

CertificateFormat returns the most permissive certificate format in a RoleSet.

func (RoleSet) CheckAccessToRule

func (set RoleSet) CheckAccessToRule(ctx RuleContext, namespace string, resource string, verb string, silent bool) error

func (RoleSet) CheckAccessToServer

func (set RoleSet) CheckAccessToServer(login string, s Server) error

CheckAccessToServer checks if a role has access to a node. Deny rules are checked first then allow rules. Access to a node is determined by namespaces, labels, and logins.

Note, logging in this function only happens in debug mode, this is because adding logging to this function (which is called on every server returned by GetNodes) can slow down this function by 50x for large clusters!

func (RoleSet) CheckAgentForward

func (set RoleSet) CheckAgentForward(login string) error

CheckAgentForward checks if the role can request to forward the SSH agent for this user.

func (RoleSet) CheckKubeGroups

func (set RoleSet) CheckKubeGroups(ttl time.Duration) ([]string, error)

CheckKubeGroups check if role can login into kubernetes and returns a combined list of allowed groups

func (RoleSet) CheckLoginDuration

func (set RoleSet) CheckLoginDuration(ttl time.Duration) ([]string, error)

CheckLoginDuration checks if role set can login up to given duration and returns a combined list of allowed logins.

func (RoleSet) EnhancedRecordingSet

func (set RoleSet) EnhancedRecordingSet() map[string]bool

EnhancedRecordingSet returns the set of enhanced session recording events to capture for thi role set.

func (RoleSet) HasRole

func (set RoleSet) HasRole(role string) bool

HasRole checks if the role set has the role

func (RoleSet) RoleNames

func (set RoleSet) RoleNames() []string

RoleNames returns a slice with role names. Removes runtime roles like the default implicit role.

func (RoleSet) String

func (set RoleSet) String() string

type RoleSpecV2

type RoleSpecV2 struct {
	// MaxSessionTTL is a maximum SSH or Web session TTL
	MaxSessionTTL Duration `json:"max_session_ttl" yaml:"max_session_ttl"`
	// Logins is a list of linux logins allowed for this role
	Logins []string `json:"logins,omitempty" yaml:"logins,omitempty"`
	// NodeLabels is a set of matching labels that users of this role
	// will be allowed to access
	NodeLabels map[string]string `json:"node_labels,omitempty" yaml:"node_labels,omitempty"`
	// Namespaces is a list of namespaces, guarding access to resources
	Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
	// Resources limits access to resources
	Resources map[string][]string `json:"resources,omitempty" yaml:"resources,omitempty"`
	// ForwardAgent permits SSH agent forwarding if requested by the client
	ForwardAgent bool `json:"forward_agent" yaml:"forward_agent"`
}

RoleSpecV2 is role specification for RoleV2

type RoleSpecV3

type RoleSpecV3 struct {
	// Options is for OpenSSH options like agent forwarding.
	Options RoleOptions `protobuf:"bytes,1,opt,name=Options" json:"options,omitempty"`
	// Allow is the set of conditions evaluated to grant access.
	Allow RoleConditions `protobuf:"bytes,2,opt,name=Allow" json:"allow,omitempty"`
	// Deny is the set of conditions evaluated to deny access. Deny takes priority over allow.
	Deny                 RoleConditions `protobuf:"bytes,3,opt,name=Deny" json:"deny,omitempty"`
	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
	XXX_unrecognized     []byte         `json:"-"`
	XXX_sizecache        int32          `json:"-"`
}

RoleSpecV3 is role specification for RoleV3.

func (*RoleSpecV3) Descriptor

func (*RoleSpecV3) Descriptor() ([]byte, []int)

func (*RoleSpecV3) Marshal

func (m *RoleSpecV3) Marshal() (dAtA []byte, err error)

func (*RoleSpecV3) MarshalTo

func (m *RoleSpecV3) MarshalTo(dAtA []byte) (int, error)

func (*RoleSpecV3) ProtoMessage

func (*RoleSpecV3) ProtoMessage()

func (*RoleSpecV3) Reset

func (m *RoleSpecV3) Reset()

func (*RoleSpecV3) Size

func (m *RoleSpecV3) Size() (n int)

func (*RoleSpecV3) String

func (m *RoleSpecV3) String() string

func (*RoleSpecV3) Unmarshal

func (m *RoleSpecV3) Unmarshal(dAtA []byte) error

func (*RoleSpecV3) XXX_DiscardUnknown

func (m *RoleSpecV3) XXX_DiscardUnknown()

func (*RoleSpecV3) XXX_Marshal

func (m *RoleSpecV3) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RoleSpecV3) XXX_Merge

func (dst *RoleSpecV3) XXX_Merge(src proto.Message)

func (*RoleSpecV3) XXX_Size

func (m *RoleSpecV3) XXX_Size() int

func (*RoleSpecV3) XXX_Unmarshal

func (m *RoleSpecV3) XXX_Unmarshal(b []byte) error

type RoleV2

type RoleV2 struct {
	// Kind is a resource kind - always resource
	Kind string `json:"kind"`
	// SubKind is a resource subkind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is a resource version
	Version string `json:"version"`
	// Metadata is Role metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains role specification
	Spec RoleSpecV2 `json:"spec"`
}

RoleV2 represents role resource specification

func (*RoleV2) CanForwardAgent

func (r *RoleV2) CanForwardAgent() bool

CanForwardAgent returns true if this role is allowed to request agent forwarding

func (*RoleV2) CheckAndSetDefaults

func (r *RoleV2) CheckAndSetDefaults() error

Check checks validity of all parameters and sets defaults

func (*RoleV2) Equals

func (r *RoleV2) Equals(other Role) bool

Equals test roles for equality. Roles are considered equal if all resources, logins, namespaces, labels, and options match.

func (*RoleV2) Expiry

func (r *RoleV2) Expiry() time.Time

Expires returns object expiry setting

func (*RoleV2) GetKind

func (r *RoleV2) GetKind() string

GetKind returns resource kind

func (*RoleV2) GetLogins

func (r *RoleV2) GetLogins() []string

GetLogins returns a list of linux logins allowed for this role

func (*RoleV2) GetMaxSessionTTL

func (r *RoleV2) GetMaxSessionTTL() Duration

GetMaxSessionTTL is a maximum SSH or Web session TTL

func (*RoleV2) GetMetadata

func (r *RoleV2) GetMetadata() Metadata

GetMetadata returns role metadata

func (*RoleV2) GetName

func (r *RoleV2) GetName() string

GetName returns role name and is a shortcut for GetMetadata().Name

func (*RoleV2) GetNamespaces

func (r *RoleV2) GetNamespaces() []string

GetNamespaces returns a list of namespaces this role has access to

func (*RoleV2) GetNodeLabels

func (r *RoleV2) GetNodeLabels() map[string]string

GetNodeLabels returns a list of matchign nodes this role has access to

func (*RoleV2) GetResourceID

func (r *RoleV2) GetResourceID() int64

GetResourceID returns resource ID

func (*RoleV2) GetResources

func (r *RoleV2) GetResources() map[string][]string

GetResources returns access to resources

func (*RoleV2) GetSubKind

func (r *RoleV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*RoleV2) GetVersion

func (r *RoleV2) GetVersion() string

GetVersion returns resource version

func (*RoleV2) RemoveResource

func (r *RoleV2) RemoveResource(kind string)

RemoveResource deletes resource entry

func (*RoleV2) SetExpiry

func (r *RoleV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*RoleV2) SetForwardAgent

func (r *RoleV2) SetForwardAgent(forwardAgent bool)

SetForwardAgent sets forward agent property

func (*RoleV2) SetLogins

func (r *RoleV2) SetLogins(logins []string)

SetLogins sets logins for role

func (*RoleV2) SetMaxSessionTTL

func (r *RoleV2) SetMaxSessionTTL(duration time.Duration)

SetMaxSessionTTL sets a maximum TTL for SSH or Web session

func (*RoleV2) SetName

func (r *RoleV2) SetName(s string)

SetName is a shortcut for SetMetadata().Name

func (*RoleV2) SetNamespaces

func (r *RoleV2) SetNamespaces(namespaces []string)

SetNamespaces sets a list of namespaces this role has access to

func (*RoleV2) SetNodeLabels

func (r *RoleV2) SetNodeLabels(labels map[string]string)

SetNodeLabels sets node labels for role

func (*RoleV2) SetResource

func (r *RoleV2) SetResource(kind string, actions []string)

SetResource sets resource rule

func (*RoleV2) SetResourceID

func (r *RoleV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*RoleV2) SetSubKind

func (r *RoleV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*RoleV2) SetTTL

func (r *RoleV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*RoleV2) String

func (r *RoleV2) String() string

func (*RoleV2) V3

func (r *RoleV2) V3() *RoleV3

type RoleV3

type RoleV3 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a role specification
	Spec                 RoleSpecV3 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
	XXX_unrecognized     []byte     `json:"-"`
	XXX_sizecache        int32      `json:"-"`
}

RoleV3 represents role resource specification

func UnmarshalRole

func UnmarshalRole(data []byte, opts ...MarshalOption) (*RoleV3, error)

UnmarshalRole unmarshals role from JSON, sets defaults, and checks schema.

func (*RoleV3) ApplyTraits

func (r *RoleV3) ApplyTraits(traits map[string][]string) Role

ApplyTraits applies the passed in traits to any variables within the role and returns itself.

func (*RoleV3) CheckAndSetDefaults

func (r *RoleV3) CheckAndSetDefaults() error

Check checks validity of all parameters and sets defaults

func (*RoleV3) Descriptor

func (*RoleV3) Descriptor() ([]byte, []int)

func (*RoleV3) Equals

func (r *RoleV3) Equals(other Role) bool

Equals returns true if the roles are equal. Roles are equal if options, namespaces, logins, labels, and conditions match.

func (*RoleV3) Expiry

func (r *RoleV3) Expiry() time.Time

Expiry returns the expiry time for the object.

func (*RoleV3) GetAccessRequestConditions

func (r *RoleV3) GetAccessRequestConditions(rct RoleConditionType) AccessRequestConditions

GetAccessRequestConditions gets conditions for access requests.

func (*RoleV3) GetKind

func (r *RoleV3) GetKind() string

GetKind returns resource kind

func (*RoleV3) GetKubeGroups

func (r *RoleV3) GetKubeGroups(rct RoleConditionType) []string

GetKubeGroups returns kubernetes groups

func (*RoleV3) GetLogins

func (r *RoleV3) GetLogins(rct RoleConditionType) []string

GetLogins gets system logins for allow or deny condition.

func (*RoleV3) GetMetadata

func (r *RoleV3) GetMetadata() Metadata

GetMetadata returns role metadata.

func (*RoleV3) GetName

func (r *RoleV3) GetName() string

GetName gets the role name and is a shortcut for GetMetadata().Name.

func (*RoleV3) GetNamespaces

func (r *RoleV3) GetNamespaces(rct RoleConditionType) []string

GetNamespaces gets a list of namespaces this role is allowed or denied access to.

func (*RoleV3) GetNodeLabels

func (r *RoleV3) GetNodeLabels(rct RoleConditionType) Labels

GetNodeLabels gets the map of node labels this role is allowed or denied access to.

func (*RoleV3) GetOptions

func (r *RoleV3) GetOptions() RoleOptions

GetOptions gets role options.

func (*RoleV3) GetResourceID

func (r *RoleV3) GetResourceID() int64

GetResourceID returns resource ID

func (*RoleV3) GetRules

func (r *RoleV3) GetRules(rct RoleConditionType) []Rule

GetRules gets all allow or deny rules.

func (*RoleV3) GetSubKind

func (r *RoleV3) GetSubKind() string

GetSubKind returns resource sub kind

func (*RoleV3) GetVersion

func (r *RoleV3) GetVersion() string

GetVersion returns resource version

func (*RoleV3) Marshal

func (m *RoleV3) Marshal() (dAtA []byte, err error)

func (*RoleV3) MarshalTo

func (m *RoleV3) MarshalTo(dAtA []byte) (int, error)

func (*RoleV3) ProtoMessage

func (*RoleV3) ProtoMessage()

func (*RoleV3) Reset

func (m *RoleV3) Reset()

func (*RoleV3) SetAccessRequestConditions

func (r *RoleV3) SetAccessRequestConditions(rct RoleConditionType, cond AccessRequestConditions)

SetAccessRequestConditions sets allow/deny conditions for access requests.

func (*RoleV3) SetExpiry

func (r *RoleV3) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object.

func (*RoleV3) SetKubeGroups

func (r *RoleV3) SetKubeGroups(rct RoleConditionType, groups []string)

SetKubeGroups sets kubernetes groups for allow or deny condition.

func (*RoleV3) SetLogins

func (r *RoleV3) SetLogins(rct RoleConditionType, logins []string)

SetLogins sets system logins for allow or deny condition.

func (*RoleV3) SetName

func (r *RoleV3) SetName(s string)

SetName sets the role name and is a shortcut for SetMetadata().Name.

func (*RoleV3) SetNamespaces

func (r *RoleV3) SetNamespaces(rct RoleConditionType, namespaces []string)

GetNamespaces sets a list of namespaces this role is allowed or denied access to.

func (*RoleV3) SetNodeLabels

func (r *RoleV3) SetNodeLabels(rct RoleConditionType, labels Labels)

SetNodeLabels sets the map of node labels this role is allowed or denied access to.

func (*RoleV3) SetOptions

func (r *RoleV3) SetOptions(options RoleOptions)

SetOptions sets role options.

func (*RoleV3) SetResourceID

func (r *RoleV3) SetResourceID(id int64)

SetResourceID sets resource ID

func (*RoleV3) SetRules

func (r *RoleV3) SetRules(rct RoleConditionType, in []Rule)

SetRules sets an allow or deny rule.

func (*RoleV3) SetSubKind

func (r *RoleV3) SetSubKind(s string)

SetSubKind sets resource subkind

func (*RoleV3) SetTTL

func (r *RoleV3) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets TTL header using realtime clock.

func (*RoleV3) Size

func (m *RoleV3) Size() (n int)

func (*RoleV3) String

func (r *RoleV3) String() string

String returns the human readable representation of a role.

func (*RoleV3) Unmarshal

func (m *RoleV3) Unmarshal(dAtA []byte) error

func (*RoleV3) XXX_DiscardUnknown

func (m *RoleV3) XXX_DiscardUnknown()

func (*RoleV3) XXX_Marshal

func (m *RoleV3) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RoleV3) XXX_Merge

func (dst *RoleV3) XXX_Merge(src proto.Message)

func (*RoleV3) XXX_Size

func (m *RoleV3) XXX_Size() int

func (*RoleV3) XXX_Unmarshal

func (m *RoleV3) XXX_Unmarshal(b []byte) error

type Rotation

type Rotation struct {
	// State could be one of "init" or "in_progress".
	State string `protobuf:"bytes,1,opt,name=State,proto3" json:"state,omitempty"`
	// Phase is the current rotation phase.
	Phase string `protobuf:"bytes,2,opt,name=Phase,proto3" json:"phase,omitempty"`
	// Mode sets manual or automatic rotation mode.
	Mode string `protobuf:"bytes,3,opt,name=Mode,proto3" json:"mode,omitempty"`
	// CurrentID is the ID of the rotation operation
	// to differentiate between rotation attempts.
	CurrentID string `protobuf:"bytes,4,opt,name=CurrentID,proto3" json:"current_id"`
	// Started is set to the time when rotation has been started
	// in case if the state of the rotation is "in_progress".
	Started time.Time `protobuf:"bytes,5,opt,name=Started,stdtime" json:"started,omitempty"`
	// GracePeriod is a period during which old and new CA
	// are valid for checking purposes, but only new CA is issuing certificates.
	GracePeriod Duration `protobuf:"varint,6,opt,name=GracePeriod,proto3,casttype=Duration" json:"grace_period,omitempty"`
	// LastRotated specifies the last time of the completed rotation.
	LastRotated time.Time `protobuf:"bytes,7,opt,name=LastRotated,stdtime" json:"last_rotated,omitempty"`
	// Schedule is a rotation schedule - used in
	// automatic mode to switch beetween phases.
	Schedule             RotationSchedule `protobuf:"bytes,8,opt,name=Schedule" json:"schedule,omitempty"`
	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
	XXX_unrecognized     []byte           `json:"-"`
	XXX_sizecache        int32            `json:"-"`
}

Rotation is a status of the rotation of the certificate authority

func (*Rotation) CheckAndSetDefaults

func (r *Rotation) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default rotation parameters.

func (*Rotation) Descriptor

func (*Rotation) Descriptor() ([]byte, []int)

func (*Rotation) LastRotatedDescription

func (r *Rotation) LastRotatedDescription() string

LastRotatedDescription returns human friendly description.

func (*Rotation) Marshal

func (m *Rotation) Marshal() (dAtA []byte, err error)

func (*Rotation) MarshalTo

func (m *Rotation) MarshalTo(dAtA []byte) (int, error)

func (*Rotation) Matches

func (s *Rotation) Matches(rotation Rotation) bool

Matches returns true if this state rotation matches external rotation state, phase and rotation ID should match, notice that matches does not behave like Equals because it does not require all fields to be the same.

func (*Rotation) PhaseDescription

func (r *Rotation) PhaseDescription() string

PhaseDescription returns human friendly description of a current rotation phase.

func (*Rotation) ProtoMessage

func (*Rotation) ProtoMessage()

func (*Rotation) Reset

func (m *Rotation) Reset()

func (*Rotation) Size

func (m *Rotation) Size() (n int)

func (*Rotation) String

func (r *Rotation) String() string

String returns user friendly information about certificate authority.

func (*Rotation) Unmarshal

func (m *Rotation) Unmarshal(dAtA []byte) error

func (*Rotation) XXX_DiscardUnknown

func (m *Rotation) XXX_DiscardUnknown()

func (*Rotation) XXX_Marshal

func (m *Rotation) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Rotation) XXX_Merge

func (dst *Rotation) XXX_Merge(src proto.Message)

func (*Rotation) XXX_Size

func (m *Rotation) XXX_Size() int

func (*Rotation) XXX_Unmarshal

func (m *Rotation) XXX_Unmarshal(b []byte) error

type RotationSchedule

type RotationSchedule struct {
	// UpdateClients specifies time to switch to the "Update clients" phase
	UpdateClients time.Time `protobuf:"bytes,1,opt,name=UpdateClients,stdtime" json:"update_clients,omitempty"`
	// UpdateServers specifies time to switch to the "Update servers" phase.
	UpdateServers time.Time `protobuf:"bytes,2,opt,name=UpdateServers,stdtime" json:"update_servers,omitempty"`
	// Standby specifies time to switch to the "Standby" phase.
	Standby              time.Time `protobuf:"bytes,3,opt,name=Standby,stdtime" json:"standby,omitempty"`
	XXX_NoUnkeyedLiteral struct{}  `json:"-"`
	XXX_unrecognized     []byte    `json:"-"`
	XXX_sizecache        int32     `json:"-"`
}

RotationSchedule is a rotation schedule setting time switches for different phases.

func GenerateSchedule

func GenerateSchedule(clock clockwork.Clock, gracePeriod time.Duration) (*RotationSchedule, error)

GenerateSchedule generates schedule based on the time period, using even time periods between rotation phases.

func (*RotationSchedule) CheckAndSetDefaults

func (s *RotationSchedule) CheckAndSetDefaults(clock clockwork.Clock) error

CheckAndSetDefaults checks and sets default values of the rotation schedule.

func (*RotationSchedule) Descriptor

func (*RotationSchedule) Descriptor() ([]byte, []int)

func (*RotationSchedule) Marshal

func (m *RotationSchedule) Marshal() (dAtA []byte, err error)

func (*RotationSchedule) MarshalTo

func (m *RotationSchedule) MarshalTo(dAtA []byte) (int, error)

func (*RotationSchedule) ProtoMessage

func (*RotationSchedule) ProtoMessage()

func (*RotationSchedule) Reset

func (m *RotationSchedule) Reset()

func (*RotationSchedule) Size

func (m *RotationSchedule) Size() (n int)

func (*RotationSchedule) String

func (m *RotationSchedule) String() string

func (*RotationSchedule) Unmarshal

func (m *RotationSchedule) Unmarshal(dAtA []byte) error

func (*RotationSchedule) XXX_DiscardUnknown

func (m *RotationSchedule) XXX_DiscardUnknown()

func (*RotationSchedule) XXX_Marshal

func (m *RotationSchedule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*RotationSchedule) XXX_Merge

func (dst *RotationSchedule) XXX_Merge(src proto.Message)

func (*RotationSchedule) XXX_Size

func (m *RotationSchedule) XXX_Size() int

func (*RotationSchedule) XXX_Unmarshal

func (m *RotationSchedule) XXX_Unmarshal(b []byte) error

type Rule

type Rule struct {
	// Resources is a list of resources
	Resources []string `protobuf:"bytes,1,rep,name=Resources" json:"resources,omitempty"`
	// Verbs is a list of verbs
	Verbs []string `protobuf:"bytes,2,rep,name=Verbs" json:"verbs,omitempty"`
	// Where specifies optional advanced matcher
	Where string `protobuf:"bytes,3,opt,name=Where,proto3" json:"where,omitempty"`
	// Actions specifies optional actions taken when this rule matches
	Actions              []string `protobuf:"bytes,4,rep,name=Actions" json:"actions,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

Rule represents allow or deny rule that is executed to check if user or service have access to resource

func CopyRulesSlice

func CopyRulesSlice(in []Rule) []Rule

CopyRulesSlice copies input slice of Rules and returns the copy

func NewRule

func NewRule(resource string, verbs []string) Rule

NewRule creates a rule based on a resource name and a list of verbs

func (*Rule) CheckAndSetDefaults

func (r *Rule) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults for this rule

func (*Rule) Descriptor

func (*Rule) Descriptor() ([]byte, []int)

func (*Rule) Equals

func (r *Rule) Equals(other Rule) bool

Equals returns true if the rule equals to another

func (*Rule) HasResource

func (r *Rule) HasResource(resource string) bool

HasResource returns true if the rule has the specified resource.

func (*Rule) HasVerb

func (r *Rule) HasVerb(verb string) bool

HasVerb returns true if the rule has verb, this method also matches wildcard

func (*Rule) IsMoreSpecificThan

func (r *Rule) IsMoreSpecificThan(o Rule) bool

IsMoreSpecificThan returns true if the rule is more specific than the other.

* nRule matching wildcard resource is less specific than same rule matching specific resource. * Rule that has wildcard verbs is less specific than the same rules matching specific verb. * Rule that has where section is more specific than the same rule without where section. * Rule that has actions list is more specific than rule without actions list.

func (*Rule) Marshal

func (m *Rule) Marshal() (dAtA []byte, err error)

func (*Rule) MarshalTo

func (m *Rule) MarshalTo(dAtA []byte) (int, error)

func (*Rule) MatchesWhere

func (r *Rule) MatchesWhere(parser predicate.Parser) (bool, error)

MatchesWhere returns true if Where rule matches Empty Where block always matches

func (*Rule) ProcessActions

func (r *Rule) ProcessActions(parser predicate.Parser) error

ProcessActions processes actions specified for this rule

func (*Rule) ProtoMessage

func (*Rule) ProtoMessage()

func (*Rule) Reset

func (m *Rule) Reset()

func (*Rule) Size

func (m *Rule) Size() (n int)

func (*Rule) String

func (m *Rule) String() string

func (*Rule) Unmarshal

func (m *Rule) Unmarshal(dAtA []byte) error

func (*Rule) XXX_DiscardUnknown

func (m *Rule) XXX_DiscardUnknown()

func (*Rule) XXX_Marshal

func (m *Rule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Rule) XXX_Merge

func (dst *Rule) XXX_Merge(src proto.Message)

func (*Rule) XXX_Size

func (m *Rule) XXX_Size() int

func (*Rule) XXX_Unmarshal

func (m *Rule) XXX_Unmarshal(b []byte) error

type RuleContext

type RuleContext interface {
	// GetIdentifier returns identifier defined in a context
	GetIdentifier(fields []string) (interface{}, error)
	// String returns human friendly representation of a context
	String() string
	// GetResource returns resource if specified in the context,
	// if unpecified, returns error.
	GetResource() (Resource, error)
}

RuleContext specifies context passed to the rule processing matcher, and contains information about current session, e.g. current user

type RuleSet

type RuleSet map[string][]Rule

RuleSet maps resource to a set of rules defined for it

func MakeRuleSet

func MakeRuleSet(rules []Rule) RuleSet

MakeRuleSet converts slice of rules to the set of rules

func (RuleSet) Match

func (set RuleSet) Match(whereParser predicate.Parser, actionsParser predicate.Parser, resource string, verb string) (bool, error)

MatchRule tests if the resource name and verb are in a given list of rules. More specific rules will be matched first. See Rule.IsMoreSpecificThan for exact specs on whether the rule is more or less specific.

Specifying order solves the problem on having multiple rules, e.g. one wildcard rule can override more specific rules with 'where' sections that can have 'actions' lists with side effects that will not be triggered otherwise.

func (RuleSet) Slice

func (set RuleSet) Slice() []Rule

Slice returns slice from a set

type SAMLAuthRequest

type SAMLAuthRequest struct {
	// ID is a unique request ID
	ID string `json:"id"`

	// ConnectorID is ID of OIDC connector this request uses
	ConnectorID string `json:"connector_id"`

	// Type is opaque string that helps callbacks identify the request type
	Type string `json:"type"`

	// CheckUser tells validator if it should expect and check user
	CheckUser bool `json:"check_user"`

	// RedirectURL will be used by browser
	RedirectURL string `json:"redirect_url"`

	// PublicKey is an optional public key, users want these
	// keys to be signed by auth servers user CA in case
	// of successful auth
	PublicKey []byte `json:"public_key"`

	// CertTTL is the TTL of the certificate user wants to get
	CertTTL time.Duration `json:"cert_ttl"`

	// CSRFToken is associated with user web session token
	CSRFToken string `json:"csrf_token"`

	// CreateWebSession indicates if user wants to generate a web
	// session after successful authentication
	CreateWebSession bool `json:"create_web_session"`

	// ClientRedirectURL is a URL client wants to be redirected
	// after successful authentication
	ClientRedirectURL string `json:"client_redirect_url"`

	// Compatibility specifies OpenSSH compatibility flags.
	Compatibility string `json:"compatibility,omitempty"`
}

SAMLAuthRequest is a request to authenticate with OIDC provider, the state about request is managed by auth server

func (*SAMLAuthRequest) Check

func (i *SAMLAuthRequest) Check() error

Check returns nil if all parameters are great, err otherwise

type SAMLConnector

type SAMLConnector interface {
	// Resource provides common methods for objects
	Resource
	// GetDisplay returns display - friendly name for this provider.
	GetDisplay() string
	// SetDisplay sets friendly name for this provider.
	SetDisplay(string)
	// GetAttributesToRoles returns attributes to roles mapping
	GetAttributesToRoles() []AttributeMapping
	// SetAttributesToRoles sets attributes to roles mapping
	SetAttributesToRoles(mapping []AttributeMapping)
	// GetAttributes returns list of attributes expected by mappings
	GetAttributes() []string
	// MapAttributes maps attributes to roles
	MapAttributes(assertionInfo saml2.AssertionInfo) []string
	// Check checks SAML connector for errors
	CheckAndSetDefaults() error
	// SetIssuer sets issuer
	SetIssuer(issuer string)
	// GetIssuer returns issuer
	GetIssuer() string
	// GetSigningKeyPair returns signing key pair
	GetSigningKeyPair() *SigningKeyPair
	// GetSigningKeyPair sets signing key pair
	SetSigningKeyPair(k *SigningKeyPair)
	// Equals returns true if the connectors are identical
	Equals(other SAMLConnector) bool
	// GetSSO returns SSO service
	GetSSO() string
	// SetSSO sets SSO service
	SetSSO(string)
	// GetEntityDescriptor returns XML entity descriptor of the service
	GetEntityDescriptor() string
	// SetEntityDescriptor sets entity descritor of the service
	SetEntityDescriptor(v string)
	// GetEntityDescriptorURL returns the URL to obtain the entity descriptor.
	GetEntityDescriptorURL() string
	// SetEntityDescriptorURL sets the entity descriptor url.
	SetEntityDescriptorURL(string)
	// GetCert returns identity provider checking x509 certificate
	GetCert() string
	// SetCert sets identity provider checking certificate
	SetCert(string)
	// GetServiceProviderIssuer returns service provider issuer
	GetServiceProviderIssuer() string
	// SetServiceProviderIssuer sets service provider issuer
	SetServiceProviderIssuer(v string)
	// GetAudience returns audience
	GetAudience() string
	// SetAudience sets audience
	SetAudience(v string)
	// GetServiceProvider initialises service provider spec from settings
	GetServiceProvider(clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)
	// GetAssertionConsumerService returns assertion consumer service URL
	GetAssertionConsumerService() string
	// SetAssertionConsumerService sets assertion consumer service URL
	SetAssertionConsumerService(v string)
	// GetProvider returns the identity provider.
	GetProvider() string
	// SetProvider sets the identity provider.
	SetProvider(string)
}

SAMLConnector specifies configuration for SAML 2.0 dentity providers

func NewSAMLConnector

func NewSAMLConnector(name string, spec SAMLConnectorSpecV2) SAMLConnector

NewSAMLConnector returns a new SAMLConnector based off a name and SAMLConnectorSpecV2.

type SAMLConnectorMarshaler

type SAMLConnectorMarshaler interface {
	// UnmarshalSAMLConnector unmarshals connector from binary representation
	UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (SAMLConnector, error)
	// MarshalSAMLConnector marshals connector to binary representation
	MarshalSAMLConnector(c SAMLConnector, opts ...MarshalOption) ([]byte, error)
}

SAMLConnectorMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetSAMLConnectorMarshaler

func GetSAMLConnectorMarshaler() SAMLConnectorMarshaler

GetSAMLConnectorMarshaler returns currently set user marshaler

type SAMLConnectorSpecV2

type SAMLConnectorSpecV2 struct {
	// Issuer is identity provider issuer
	Issuer string `json:"issuer"`
	// SSO is URL of the identity provider SSO service
	SSO string `json:"sso"`
	// Cert is identity provider certificate PEM
	// IDP signs <Response> responses using this certificate
	Cert string `json:"cert"`
	// Display controls how this connector is displayed
	Display string `json:"display"`
	// AssertionConsumerService is a URL for assertion consumer service
	// on the service provider (Teleport's side)
	AssertionConsumerService string `json:"acs"`
	// Audience uniquely identifies our service provider
	Audience string `json:"audience"`
	// SertviceProviderIssuer is the issuer of the service provider (Teleport)
	ServiceProviderIssuer string `json:"service_provider_issuer"`
	// EntityDescriptor is XML with descriptor, can be used to supply configuration
	// parameters in one XML files vs supplying them in the individual elelemtns
	EntityDescriptor string `json:"entity_descriptor"`
	// EntityDescriptor points to a URL that supplies a configuration XML.
	EntityDescriptorURL string `json:"entity_descriptor_url"`
	// AttriburesToRoles is a list of mappings of attribute statements to roles
	AttributesToRoles []AttributeMapping `json:"attributes_to_roles"`
	// SigningKeyPair is x509 key pair used to sign AuthnRequest
	SigningKeyPair *SigningKeyPair `json:"signing_key_pair,omitempty"`
	// Provider is the external identity provider.
	Provider string `json:"provider,omitempty"`
}

SAMLConnectorSpecV2 specifies configuration for Open ID Connect compatible external identity provider, e.g. google in some organisation

type SAMLConnectorV2

type SAMLConnectorV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`
	// Version is version
	Version string `json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains connector specification
	Spec SAMLConnectorSpecV2 `json:"spec"`
}

SAMLConnectorV2 is version 1 resource spec for SAML connector

func (*SAMLConnectorV2) CheckAndSetDefaults

func (o *SAMLConnectorV2) CheckAndSetDefaults() error

func (*SAMLConnectorV2) Equals

func (o *SAMLConnectorV2) Equals(other SAMLConnector) bool

Equals returns true if the connectors are identical

func (*SAMLConnectorV2) Expiry

func (o *SAMLConnectorV2) Expiry() time.Time

Expires returns object expiry setting

func (*SAMLConnectorV2) GetAssertionConsumerService

func (o *SAMLConnectorV2) GetAssertionConsumerService() string

GetAssertionConsumerService returns assertion consumer service URL

func (*SAMLConnectorV2) GetAttributes

func (o *SAMLConnectorV2) GetAttributes() []string

GetAttributes returns list of attributes expected by mappings

func (*SAMLConnectorV2) GetAttributesToRoles

func (o *SAMLConnectorV2) GetAttributesToRoles() []AttributeMapping

GetAttributesToRoles returns attributes to roles mapping

func (*SAMLConnectorV2) GetAudience

func (o *SAMLConnectorV2) GetAudience() string

GetAudience returns audience

func (*SAMLConnectorV2) GetCert

func (o *SAMLConnectorV2) GetCert() string

GetCert returns identity provider checking x509 certificate

func (*SAMLConnectorV2) GetDisplay

func (o *SAMLConnectorV2) GetDisplay() string

Display - Friendly name for this provider.

func (*SAMLConnectorV2) GetEntityDescriptor

func (o *SAMLConnectorV2) GetEntityDescriptor() string

GetEntityDescriptor returns XML entity descriptor of the service

func (*SAMLConnectorV2) GetEntityDescriptorURL

func (o *SAMLConnectorV2) GetEntityDescriptorURL() string

GetEntityDescriptorURL returns the URL to obtain the entity descriptor.

func (*SAMLConnectorV2) GetIssuer

func (o *SAMLConnectorV2) GetIssuer() string

GetIssuer returns issuer

func (*SAMLConnectorV2) GetKind

func (o *SAMLConnectorV2) GetKind() string

GetKind returns resource kind

func (*SAMLConnectorV2) GetMetadata

func (o *SAMLConnectorV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*SAMLConnectorV2) GetName

func (o *SAMLConnectorV2) GetName() string

GetName returns the name of the connector

func (*SAMLConnectorV2) GetProvider

func (o *SAMLConnectorV2) GetProvider() string

GetProvider returns the identity provider.

func (*SAMLConnectorV2) GetResourceID

func (o *SAMLConnectorV2) GetResourceID() int64

GetResourceID returns resource ID

func (*SAMLConnectorV2) GetSSO

func (o *SAMLConnectorV2) GetSSO() string

GetSSO returns SSO service

func (*SAMLConnectorV2) GetServiceProvider

func (o *SAMLConnectorV2) GetServiceProvider(clock clockwork.Clock) (*saml2.SAMLServiceProvider, error)

GetServiceProvider initialises service provider spec from settings

func (*SAMLConnectorV2) GetServiceProviderIssuer

func (o *SAMLConnectorV2) GetServiceProviderIssuer() string

GetServiceProviderIssuer returns service provider issuer

func (*SAMLConnectorV2) GetSigningKeyPair

func (o *SAMLConnectorV2) GetSigningKeyPair() *SigningKeyPair

GetSigningKeyPair returns signing key pair

func (*SAMLConnectorV2) GetSubKind

func (o *SAMLConnectorV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*SAMLConnectorV2) GetVersion

func (o *SAMLConnectorV2) GetVersion() string

GetVersion returns resource version

func (*SAMLConnectorV2) MapAttributes

func (o *SAMLConnectorV2) MapAttributes(assertionInfo saml2.AssertionInfo) []string

MapClaims maps SAML attributes to roles

func (*SAMLConnectorV2) SetAssertionConsumerService

func (o *SAMLConnectorV2) SetAssertionConsumerService(v string)

SetAssertionConsumerService sets assertion consumer service URL

func (*SAMLConnectorV2) SetAttributesToRoles

func (o *SAMLConnectorV2) SetAttributesToRoles(mapping []AttributeMapping)

SetAttributesToRoles sets attributes to roles mapping

func (*SAMLConnectorV2) SetAudience

func (o *SAMLConnectorV2) SetAudience(v string)

SetAudience sets audience

func (*SAMLConnectorV2) SetCert

func (o *SAMLConnectorV2) SetCert(cert string)

SetCert sets identity provider checking certificate

func (*SAMLConnectorV2) SetDisplay

func (o *SAMLConnectorV2) SetDisplay(display string)

SetDisplay sets friendly name for this provider.

func (*SAMLConnectorV2) SetEntityDescriptor

func (o *SAMLConnectorV2) SetEntityDescriptor(v string)

SetEntityDescriptor sets entity descritor of the service

func (*SAMLConnectorV2) SetEntityDescriptorURL

func (o *SAMLConnectorV2) SetEntityDescriptorURL(v string)

SetEntityDescriptorURL sets the entity descriptor url.

func (*SAMLConnectorV2) SetExpiry

func (o *SAMLConnectorV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*SAMLConnectorV2) SetIssuer

func (o *SAMLConnectorV2) SetIssuer(issuer string)

SetIssuer sets issuer

func (*SAMLConnectorV2) SetName

func (o *SAMLConnectorV2) SetName(name string)

SetName sets client secret to some value

func (*SAMLConnectorV2) SetProvider

func (o *SAMLConnectorV2) SetProvider(identityProvider string)

SetProvider sets the identity provider.

func (*SAMLConnectorV2) SetResourceID

func (o *SAMLConnectorV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*SAMLConnectorV2) SetSSO

func (o *SAMLConnectorV2) SetSSO(sso string)

SetSSO sets SSO service

func (*SAMLConnectorV2) SetServiceProviderIssuer

func (o *SAMLConnectorV2) SetServiceProviderIssuer(v string)

SetServiceProviderIssuer sets service provider issuer

func (*SAMLConnectorV2) SetSigningKeyPair

func (o *SAMLConnectorV2) SetSigningKeyPair(k *SigningKeyPair)

GetSigningKeyPair sets signing key pair

func (*SAMLConnectorV2) SetSubKind

func (o *SAMLConnectorV2) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*SAMLConnectorV2) SetTTL

func (o *SAMLConnectorV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*SAMLConnectorV2) V2

V2 returns V2 version of the resource

type Server

type Server interface {
	// Resource provides common resource headers
	Resource
	// GetAddr return server address
	GetAddr() string
	// GetHostname returns server hostname
	GetHostname() string
	// GetNamespace returns server namespace
	GetNamespace() string
	// GetAllLabels returns server's static and dynamic label values merged together
	GetAllLabels() map[string]string
	// GetLabels returns server's static label key pairs
	GetLabels() map[string]string
	// GetCmdLabels returns command labels
	GetCmdLabels() map[string]CommandLabel
	// GetPublicAddr is an optional field that returns the public address this cluster can be reached at.
	GetPublicAddr() string
	// GetRotation gets the state of certificate authority rotation.
	GetRotation() Rotation
	// SetRotation sets the state of certificate authority rotation.
	SetRotation(Rotation)
	// GetUseTunnel gets if a reverse tunnel should be used to connect to this node.
	GetUseTunnel() bool
	// SetUseTunnel sets if a reverse tunnel should be used to connect to this node.
	SetUseTunnel(bool)
	// String returns string representation of the server
	String() string
	// SetAddr sets server address
	SetAddr(addr string)
	// SetPublicAddr sets the public address this cluster can be reached at.
	SetPublicAddr(string)
	// SetNamespace sets server namespace
	SetNamespace(namespace string)
	// V1 returns V1 version for backwards compatibility
	V1() *ServerV1
	// MatchAgainst takes a map of labels and returns True if this server
	// has ALL of them
	//
	// Any server matches against an empty label set
	MatchAgainst(labels map[string]string) bool
	// LabelsString returns a comma separated string with all node's labels
	LabelsString() string
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
}

Server represents a Node, Proxy or Auth server in a Teleport cluster

func UnmarshalServerResource

func UnmarshalServerResource(data []byte, kind string, cfg *MarshalConfig) (Server, error)

UnmarshalServerResource unmarshals role from JSON or YAML, sets defaults and checks the schema

type ServerMarshaler

type ServerMarshaler interface {
	// UnmarshalServer from binary representation.
	UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (Server, error)

	// MarshalServer to binary representation.
	MarshalServer(Server, ...MarshalOption) ([]byte, error)

	// UnmarshalServers is used to unmarshal multiple servers from their
	// binary representation.
	UnmarshalServers(bytes []byte) ([]Server, error)

	// MarshalServers is used to marshal multiple servers to their binary
	// representation.
	MarshalServers([]Server) ([]byte, error)
}

ServerMarshaler implements marshal/unmarshal of Role implementations mostly adds support for extended versions

func GetServerMarshaler

func GetServerMarshaler() ServerMarshaler

type ServerSpecV2

type ServerSpecV2 struct {
	// Addr is server host:port address
	Addr string `protobuf:"bytes,1,opt,name=Addr,proto3" json:"addr"`
	// PublicAddr is the public address this cluster can be reached at.
	PublicAddr string `protobuf:"bytes,2,opt,name=PublicAddr,proto3" json:"public_addr,omitempty"`
	// Hostname is server hostname
	Hostname string `protobuf:"bytes,3,opt,name=Hostname,proto3" json:"hostname"`
	// CmdLabels is server dynamic labels
	CmdLabels map[string]CommandLabelV2 `` /* 146-byte string literal not displayed */
	// Rotation specifies server rotation
	Rotation Rotation `protobuf:"bytes,5,opt,name=Rotation" json:"rotation,omitempty"`
	// UseTunnel indicates that connections to this server should occur over a
	// reverse tunnel.
	UseTunnel            bool     `protobuf:"varint,6,opt,name=UseTunnel,proto3" json:"use_tunnel,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

ServerSpecV2 is a specification for V2 Server

func (*ServerSpecV2) Descriptor

func (*ServerSpecV2) Descriptor() ([]byte, []int)

func (*ServerSpecV2) Marshal

func (m *ServerSpecV2) Marshal() (dAtA []byte, err error)

func (*ServerSpecV2) MarshalTo

func (m *ServerSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*ServerSpecV2) ProtoMessage

func (*ServerSpecV2) ProtoMessage()

func (*ServerSpecV2) Reset

func (m *ServerSpecV2) Reset()

func (*ServerSpecV2) Size

func (m *ServerSpecV2) Size() (n int)

func (*ServerSpecV2) String

func (m *ServerSpecV2) String() string

func (*ServerSpecV2) Unmarshal

func (m *ServerSpecV2) Unmarshal(dAtA []byte) error

func (*ServerSpecV2) XXX_DiscardUnknown

func (m *ServerSpecV2) XXX_DiscardUnknown()

func (*ServerSpecV2) XXX_Marshal

func (m *ServerSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ServerSpecV2) XXX_Merge

func (dst *ServerSpecV2) XXX_Merge(src proto.Message)

func (*ServerSpecV2) XXX_Size

func (m *ServerSpecV2) XXX_Size() int

func (*ServerSpecV2) XXX_Unmarshal

func (m *ServerSpecV2) XXX_Unmarshal(b []byte) error

type ServerV1

type ServerV1 struct {
	Kind      string                    `json:"kind"`
	ID        string                    `json:"id"`
	Addr      string                    `json:"addr"`
	Hostname  string                    `json:"hostname"`
	Namespace string                    `json:"namespace"`
	Labels    map[string]string         `json:"labels"`
	CmdLabels map[string]CommandLabelV1 `json:"cmd_labels"`
}

ServerV1 represents V1 spec of the server

func ServersToV1

func ServersToV1(in []Server) []ServerV1

ServersToV1 converts list of servers to slice of V1 style ones

func (*ServerV1) V1

func (s *ServerV1) V1() *ServerV1

V1 returns V1 version of the resource

func (*ServerV1) V2

func (s *ServerV1) V2() *ServerV2

V2 returns V2 version of the resource

type ServerV2

type ServerV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a server spec
	Spec                 ServerSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
	XXX_unrecognized     []byte       `json:"-"`
	XXX_sizecache        int32        `json:"-"`
}

ServerV2 represents a Node, Proxy or Auth server in a Teleport cluster

func (*ServerV2) CheckAndSetDefaults

func (s *ServerV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and set default values for any missing fields.

func (*ServerV2) Descriptor

func (*ServerV2) Descriptor() ([]byte, []int)

func (*ServerV2) Expiry

func (s *ServerV2) Expiry() time.Time

Expires returns object expiry setting

func (*ServerV2) GetAddr

func (s *ServerV2) GetAddr() string

GetAddr return server address

func (*ServerV2) GetAllLabels

func (s *ServerV2) GetAllLabels() map[string]string

GetAllLabels returns the full key:value map of both static labels and "command labels"

func (*ServerV2) GetCmdLabels

func (s *ServerV2) GetCmdLabels() map[string]CommandLabel

GetCmdLabels returns command labels

func (*ServerV2) GetHostname

func (s *ServerV2) GetHostname() string

GetHostname returns server hostname

func (*ServerV2) GetKind

func (s *ServerV2) GetKind() string

GetKind returns resource kind

func (*ServerV2) GetLabels

func (s *ServerV2) GetLabels() map[string]string

GetLabels returns server's static label key pairs

func (*ServerV2) GetMetadata

func (s *ServerV2) GetMetadata() Metadata

GetMetadata returns metadata

func (*ServerV2) GetName

func (s *ServerV2) GetName() string

GetName returns server name

func (*ServerV2) GetNamespace

func (s *ServerV2) GetNamespace() string

GetNamespace returns server namespace

func (*ServerV2) GetPublicAddr

func (s *ServerV2) GetPublicAddr() string

GetPublicAddr is an optional field that returns the public address this cluster can be reached at.

func (*ServerV2) GetResourceID

func (s *ServerV2) GetResourceID() int64

GetResourceID returns resource ID

func (*ServerV2) GetRotation

func (s *ServerV2) GetRotation() Rotation

GetRotation gets the state of certificate authority rotation.

func (*ServerV2) GetSubKind

func (s *ServerV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*ServerV2) GetUseTunnel

func (s *ServerV2) GetUseTunnel() bool

GetUseTunnel gets if a reverse tunnel should be used to connect to this node.

func (*ServerV2) GetVersion

func (s *ServerV2) GetVersion() string

GetVersion returns resource version

func (*ServerV2) LabelsString

func (s *ServerV2) LabelsString() string

LabelsString returns a comma separated string with all node's labels

func (*ServerV2) Marshal

func (m *ServerV2) Marshal() (dAtA []byte, err error)

func (*ServerV2) MarshalTo

func (m *ServerV2) MarshalTo(dAtA []byte) (int, error)

func (*ServerV2) MatchAgainst

func (s *ServerV2) MatchAgainst(labels map[string]string) bool

MatchAgainst takes a map of labels and returns True if this server has ALL of them

Any server matches against an empty label set

func (*ServerV2) ProtoMessage

func (*ServerV2) ProtoMessage()

func (*ServerV2) Reset

func (m *ServerV2) Reset()

func (*ServerV2) SetAddr

func (s *ServerV2) SetAddr(addr string)

SetAddr sets server address

func (*ServerV2) SetExpiry

func (s *ServerV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*ServerV2) SetName

func (s *ServerV2) SetName(e string)

SetName sets the name of the TrustedCluster.

func (*ServerV2) SetNamespace

func (s *ServerV2) SetNamespace(namespace string)

SetNamespace sets server namespace

func (*ServerV2) SetPublicAddr

func (s *ServerV2) SetPublicAddr(addr string)

SetPublicAddr sets the public address this cluster can be reached at.

func (*ServerV2) SetResourceID

func (s *ServerV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*ServerV2) SetRotation

func (s *ServerV2) SetRotation(r Rotation)

SetRotation sets the state of certificate authority rotation.

func (*ServerV2) SetSubKind

func (s *ServerV2) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*ServerV2) SetTTL

func (s *ServerV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*ServerV2) SetUseTunnel

func (s *ServerV2) SetUseTunnel(useTunnel bool)

SetUseTunnel sets if a reverse tunnel should be used to connect to this node.

func (*ServerV2) Size

func (m *ServerV2) Size() (n int)

func (*ServerV2) String

func (s *ServerV2) String() string

func (*ServerV2) Unmarshal

func (m *ServerV2) Unmarshal(dAtA []byte) error

func (*ServerV2) V1

func (s *ServerV2) V1() *ServerV1

V1 returns V1 version of the resource

func (*ServerV2) V2

func (s *ServerV2) V2() *ServerV2

V2 returns version 2 of the resource, itself

func (*ServerV2) XXX_DiscardUnknown

func (m *ServerV2) XXX_DiscardUnknown()

func (*ServerV2) XXX_Marshal

func (m *ServerV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*ServerV2) XXX_Merge

func (dst *ServerV2) XXX_Merge(src proto.Message)

func (*ServerV2) XXX_Size

func (m *ServerV2) XXX_Size() int

func (*ServerV2) XXX_Unmarshal

func (m *ServerV2) XXX_Unmarshal(b []byte) error

type Services

Services collects all services

type SigningKeyPair

type SigningKeyPair struct {
	// PrivateKey is PEM encoded x509 private key
	PrivateKey string `json:"private_key"`
	// Cert is certificate in OpenSSH authorized keys format
	Cert string `json:"cert"`
}

SigningKeyPair is a key pair used to sign SAML AuthnRequest

type SignupToken

type SignupToken struct {
	Token     string    `json:"token"`
	User      UserV1    `json:"user"`
	OTPKey    string    `json:"otp_key"`
	OTPQRCode []byte    `json:"otp_qr_code"`
	Expires   time.Time `json:"expires"`
}

SignupToken stores metadata about user signup token is stored and generated when tctl add user is executed

type Site added in v1.0.0

type Site struct {
	Name          string    `json:"name"`
	LastConnected time.Time `json:"lastconnected"`
	Status        string    `json:"status"`
}

Site represents a cluster of teleport nodes who collectively trust the same certificate authority (CA) and have a common name.

The CA is represented by an auth server (or multiple auth servers, if running in HA mode)

type SortedLoginAttempts

type SortedLoginAttempts []LoginAttempt

SortedLoginAttempts sorts login attempts by time

func (SortedLoginAttempts) Len

func (s SortedLoginAttempts) Len() int

Len returns length of a role list

func (SortedLoginAttempts) Less

func (s SortedLoginAttempts) Less(i, j int) bool

Less stacks latest attempts to the end of the list

func (SortedLoginAttempts) Swap

func (s SortedLoginAttempts) Swap(i, j int)

Swap swaps two attempts

type SortedNamespaces

type SortedNamespaces []Namespace

SortedNamespaces sorts namespaces

func (SortedNamespaces) Len

func (s SortedNamespaces) Len() int

Len returns length of a role list

func (SortedNamespaces) Less

func (s SortedNamespaces) Less(i, j int) bool

Less compares roles by name

func (SortedNamespaces) Swap

func (s SortedNamespaces) Swap(i, j int)

Swap swaps two roles in a list

type SortedReverseTunnels

type SortedReverseTunnels []ReverseTunnel

SortedReverseTunnels sorts reverse tunnels by cluster name

func (SortedReverseTunnels) Len

func (s SortedReverseTunnels) Len() int

func (SortedReverseTunnels) Less

func (s SortedReverseTunnels) Less(i, j int) bool

func (SortedReverseTunnels) Swap

func (s SortedReverseTunnels) Swap(i, j int)

type SortedRoles

type SortedRoles []Role

SortedRoles sorts roles by name

func (SortedRoles) Len

func (s SortedRoles) Len() int

Len returns length of a role list

func (SortedRoles) Less

func (s SortedRoles) Less(i, j int) bool

Less compares roles by name

func (SortedRoles) Swap

func (s SortedRoles) Swap(i, j int)

Swap swaps two roles in a list

type SortedServers

type SortedServers []Server

SortedServers is a sort wrapper that sorts servers by name

func (SortedServers) Len

func (s SortedServers) Len() int

func (SortedServers) Less

func (s SortedServers) Less(i, j int) bool

func (SortedServers) Swap

func (s SortedServers) Swap(i, j int)

type SortedTrustedCluster

type SortedTrustedCluster []TrustedCluster

SortedTrustedCluster sorts clusters by name

func (SortedTrustedCluster) Len

func (s SortedTrustedCluster) Len() int

Len returns the length of a list.

func (SortedTrustedCluster) Less

func (s SortedTrustedCluster) Less(i, j int) bool

Less compares items by name.

func (SortedTrustedCluster) Swap

func (s SortedTrustedCluster) Swap(i, j int)

Swap swaps two items in a list.

type StaticTokens

type StaticTokens interface {
	// Resource provides common resource properties.
	Resource

	// SetStaticTokens sets the list of static tokens used to provision nodes.
	SetStaticTokens([]ProvisionToken)
	// GetStaticTokens gets the list of static tokens used to provision nodes.
	GetStaticTokens() []ProvisionToken

	// CheckAndSetDefaults checks and set default values for missing fields.
	CheckAndSetDefaults() error
}

StaticTokens define a list of static []ProvisionToken used to provision a node. StaticTokens is a configuration resource, never create more than one instance of it.

func DefaultStaticTokens

func DefaultStaticTokens() StaticTokens

DefaultStaticTokens is used to get the default static tokens (empty list) when nothing is specified in file configuration.

func NewStaticTokens

func NewStaticTokens(spec StaticTokensSpecV2) (StaticTokens, error)

NewStaticTokens is a convenience wrapper to create a StaticTokens resource.

type StaticTokensMarshaler

type StaticTokensMarshaler interface {
	Marshal(c StaticTokens, opts ...MarshalOption) ([]byte, error)
	Unmarshal(bytes []byte, opts ...MarshalOption) (StaticTokens, error)
}

StaticTokensMarshaler implements marshal/unmarshal of StaticTokens implementations mostly adds support for extended versions.

func GetStaticTokensMarshaler

func GetStaticTokensMarshaler() StaticTokensMarshaler

GetStaticTokensMarshaler gets the marshaler.

type StaticTokensSpecV2

type StaticTokensSpecV2 struct {
	// StaticTokens is a list of tokens that can be used to add nodes to the
	// cluster.
	StaticTokens         []ProvisionTokenV1 `protobuf:"bytes,1,rep,name=StaticTokens" json:"static_tokens"`
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

StaticTokensSpecV2 is the actual data we care about for StaticTokensSpecV2.

func (*StaticTokensSpecV2) Descriptor

func (*StaticTokensSpecV2) Descriptor() ([]byte, []int)

func (*StaticTokensSpecV2) Marshal

func (m *StaticTokensSpecV2) Marshal() (dAtA []byte, err error)

func (*StaticTokensSpecV2) MarshalTo

func (m *StaticTokensSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*StaticTokensSpecV2) ProtoMessage

func (*StaticTokensSpecV2) ProtoMessage()

func (*StaticTokensSpecV2) Reset

func (m *StaticTokensSpecV2) Reset()

func (*StaticTokensSpecV2) Size

func (m *StaticTokensSpecV2) Size() (n int)

func (*StaticTokensSpecV2) String

func (m *StaticTokensSpecV2) String() string

func (*StaticTokensSpecV2) Unmarshal

func (m *StaticTokensSpecV2) Unmarshal(dAtA []byte) error

func (*StaticTokensSpecV2) XXX_DiscardUnknown

func (m *StaticTokensSpecV2) XXX_DiscardUnknown()

func (*StaticTokensSpecV2) XXX_Marshal

func (m *StaticTokensSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*StaticTokensSpecV2) XXX_Merge

func (dst *StaticTokensSpecV2) XXX_Merge(src proto.Message)

func (*StaticTokensSpecV2) XXX_Size

func (m *StaticTokensSpecV2) XXX_Size() int

func (*StaticTokensSpecV2) XXX_Unmarshal

func (m *StaticTokensSpecV2) XXX_Unmarshal(b []byte) error

type StaticTokensV2

type StaticTokensV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a provisioning token V2 spec
	Spec                 StaticTokensSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

StaticTokensV2 implements the StaticTokens interface.

func (*StaticTokensV2) CheckAndSetDefaults

func (c *StaticTokensV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks validity of all parameters and sets defaults.

func (*StaticTokensV2) Descriptor

func (*StaticTokensV2) Descriptor() ([]byte, []int)

func (*StaticTokensV2) Expiry

func (c *StaticTokensV2) Expiry() time.Time

Expires returns object expiry setting

func (*StaticTokensV2) GetKind

func (c *StaticTokensV2) GetKind() string

GetKind returns resource kind

func (*StaticTokensV2) GetMetadata

func (c *StaticTokensV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*StaticTokensV2) GetName

func (c *StaticTokensV2) GetName() string

GetName returns the name of the StaticTokens resource.

func (*StaticTokensV2) GetResourceID

func (c *StaticTokensV2) GetResourceID() int64

GetResourceID returns resource ID

func (*StaticTokensV2) GetStaticTokens

func (c *StaticTokensV2) GetStaticTokens() []ProvisionToken

GetStaticTokens gets the list of static tokens used to provision nodes.

func (*StaticTokensV2) GetSubKind

func (c *StaticTokensV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*StaticTokensV2) GetVersion

func (c *StaticTokensV2) GetVersion() string

GetVersion returns resource version

func (*StaticTokensV2) Marshal

func (m *StaticTokensV2) Marshal() (dAtA []byte, err error)

func (*StaticTokensV2) MarshalTo

func (m *StaticTokensV2) MarshalTo(dAtA []byte) (int, error)

func (*StaticTokensV2) ProtoMessage

func (*StaticTokensV2) ProtoMessage()

func (*StaticTokensV2) Reset

func (m *StaticTokensV2) Reset()

func (*StaticTokensV2) SetExpiry

func (c *StaticTokensV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*StaticTokensV2) SetName

func (c *StaticTokensV2) SetName(e string)

SetName sets the name of the StaticTokens resource.

func (*StaticTokensV2) SetResourceID

func (c *StaticTokensV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*StaticTokensV2) SetStaticTokens

func (c *StaticTokensV2) SetStaticTokens(s []ProvisionToken)

SetStaticTokens sets the list of static tokens used to provision nodes.

func (*StaticTokensV2) SetSubKind

func (c *StaticTokensV2) SetSubKind(sk string)

SetSubKind sets resource subkind

func (*StaticTokensV2) SetTTL

func (c *StaticTokensV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*StaticTokensV2) Size

func (m *StaticTokensV2) Size() (n int)

func (*StaticTokensV2) String

func (c *StaticTokensV2) String() string

String represents a human readable version of static provisioning tokens.

func (*StaticTokensV2) Unmarshal

func (m *StaticTokensV2) Unmarshal(dAtA []byte) error

func (*StaticTokensV2) XXX_DiscardUnknown

func (m *StaticTokensV2) XXX_DiscardUnknown()

func (*StaticTokensV2) XXX_Marshal

func (m *StaticTokensV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*StaticTokensV2) XXX_Merge

func (dst *StaticTokensV2) XXX_Merge(src proto.Message)

func (*StaticTokensV2) XXX_Size

func (m *StaticTokensV2) XXX_Size() int

func (*StaticTokensV2) XXX_Unmarshal

func (m *StaticTokensV2) XXX_Unmarshal(b []byte) error

type TLSKeyPair

type TLSKeyPair struct {
	// Cert is a PEM encoded TLS cert
	Cert []byte `protobuf:"bytes,1,opt,name=Cert,proto3" json:"cert,omitempty"`
	// Key is a PEM encoded TLS key
	Key                  []byte   `protobuf:"bytes,2,opt,name=Key,proto3" json:"key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

TLSKeyPair is a TLS key pair

func (*TLSKeyPair) Descriptor

func (*TLSKeyPair) Descriptor() ([]byte, []int)

func (*TLSKeyPair) Marshal

func (m *TLSKeyPair) Marshal() (dAtA []byte, err error)

func (*TLSKeyPair) MarshalTo

func (m *TLSKeyPair) MarshalTo(dAtA []byte) (int, error)

func (*TLSKeyPair) ProtoMessage

func (*TLSKeyPair) ProtoMessage()

func (*TLSKeyPair) Reset

func (m *TLSKeyPair) Reset()

func (*TLSKeyPair) Size

func (m *TLSKeyPair) Size() (n int)

func (*TLSKeyPair) String

func (m *TLSKeyPair) String() string

func (*TLSKeyPair) Unmarshal

func (m *TLSKeyPair) Unmarshal(dAtA []byte) error

func (*TLSKeyPair) XXX_DiscardUnknown

func (m *TLSKeyPair) XXX_DiscardUnknown()

func (*TLSKeyPair) XXX_Marshal

func (m *TLSKeyPair) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TLSKeyPair) XXX_Merge

func (dst *TLSKeyPair) XXX_Merge(src proto.Message)

func (*TLSKeyPair) XXX_Size

func (m *TLSKeyPair) XXX_Size() int

func (*TLSKeyPair) XXX_Unmarshal

func (m *TLSKeyPair) XXX_Unmarshal(b []byte) error

type TeamMapping

type TeamMapping struct {
	// Organization is a Github organization a user belongs to
	Organization string `json:"organization"`
	// Team is a team within the organization a user belongs to
	Team string `json:"team"`
	// Logins is a list of allowed logins for this org/team
	Logins []string `json:"logins,omitempty"`
	// KubeGroups is a list of allowed kubernetes groups for this org/team
	KubeGroups []string `json:"kubernetes_groups,omitempty"`
}

TeamMapping represents a single team membership mapping

type TeleportAuthPreferenceMarshaler

type TeleportAuthPreferenceMarshaler struct{}

func (*TeleportAuthPreferenceMarshaler) Marshal

Marshal marshals role to JSON or YAML.

func (*TeleportAuthPreferenceMarshaler) Unmarshal

func (t *TeleportAuthPreferenceMarshaler) Unmarshal(bytes []byte, opts ...MarshalOption) (AuthPreference, error)

Unmarshal unmarshals role from JSON or YAML.

type TeleportCertAuthorityMarshaler

type TeleportCertAuthorityMarshaler struct{}

func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority

func (*TeleportCertAuthorityMarshaler) GenerateCertAuthority(ca CertAuthority) (CertAuthority, error)

GenerateCertAuthority is used to generate new cert authority based on standard teleport one and is used to add custom parameters and extend it in extensions of teleport

func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority

func (*TeleportCertAuthorityMarshaler) MarshalCertAuthority(ca CertAuthority, opts ...MarshalOption) ([]byte, error)

MarshalCertAuthority marshalls cert authority into JSON

func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority

func (*TeleportCertAuthorityMarshaler) UnmarshalCertAuthority(bytes []byte, opts ...MarshalOption) (CertAuthority, error)

UnmarshalCertAuthority unmarshals cert authority from JSON

type TeleportClusterConfigMarshaler

type TeleportClusterConfigMarshaler struct{}

TeleportClusterConfigMarshaler is used to marshal and unmarshal ClusterConfig.

func (*TeleportClusterConfigMarshaler) Marshal

Marshal marshals ClusterConfig to JSON.

func (*TeleportClusterConfigMarshaler) Unmarshal

func (t *TeleportClusterConfigMarshaler) Unmarshal(bytes []byte, opts ...MarshalOption) (ClusterConfig, error)

Unmarshal unmarshals ClusterConfig from JSON.

type TeleportClusterNameMarshaler

type TeleportClusterNameMarshaler struct{}

TeleportClusterNameMarshaler is used to marshal and unmarshal ClusterName.

func (*TeleportClusterNameMarshaler) Marshal

func (t *TeleportClusterNameMarshaler) Marshal(c ClusterName, opts ...MarshalOption) ([]byte, error)

Marshal marshals ClusterName to JSON.

func (*TeleportClusterNameMarshaler) Unmarshal

func (t *TeleportClusterNameMarshaler) Unmarshal(bytes []byte, opts ...MarshalOption) (ClusterName, error)

Unmarshal unmarshals ClusterName from JSON.

type TeleportGithubConnectorMarshaler

type TeleportGithubConnectorMarshaler struct{}

TeleportGithubConnectorMarshaler is the default Github connector marshaler

func (*TeleportGithubConnectorMarshaler) Marshal

MarshalGithubConnector marshals Github connector to JSON

func (*TeleportGithubConnectorMarshaler) Unmarshal

UnmarshalGithubConnector unmarshals Github connector from JSON

type TeleportOIDCConnectorMarshaler

type TeleportOIDCConnectorMarshaler struct{}

func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector

func (*TeleportOIDCConnectorMarshaler) MarshalOIDCConnector(c OIDCConnector, opts ...MarshalOption) ([]byte, error)

MarshalUser marshals OIDC connector into JSON

func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector

func (*TeleportOIDCConnectorMarshaler) UnmarshalOIDCConnector(bytes []byte, opts ...MarshalOption) (OIDCConnector, error)

UnmarshalOIDCConnector unmarshals connector from

type TeleportRoleMarshaler

type TeleportRoleMarshaler struct{}

func (*TeleportRoleMarshaler) MarshalRole

func (*TeleportRoleMarshaler) MarshalRole(r Role, opts ...MarshalOption) ([]byte, error)

MarshalRole marshalls role into JSON.

func (*TeleportRoleMarshaler) UnmarshalRole

func (*TeleportRoleMarshaler) UnmarshalRole(bytes []byte, opts ...MarshalOption) (Role, error)

UnmarshalRole unmarshals role from JSON.

type TeleportSAMLConnectorMarshaler

type TeleportSAMLConnectorMarshaler struct{}

func (*TeleportSAMLConnectorMarshaler) MarshalSAMLConnector

func (*TeleportSAMLConnectorMarshaler) MarshalSAMLConnector(c SAMLConnector, opts ...MarshalOption) ([]byte, error)

MarshalUser marshals SAML connector into JSON

func (*TeleportSAMLConnectorMarshaler) UnmarshalSAMLConnector

func (*TeleportSAMLConnectorMarshaler) UnmarshalSAMLConnector(bytes []byte, opts ...MarshalOption) (SAMLConnector, error)

UnmarshalSAMLConnector unmarshals connector from

type TeleportServerMarshaler

type TeleportServerMarshaler struct{}

func (*TeleportServerMarshaler) MarshalServer

func (*TeleportServerMarshaler) MarshalServer(s Server, opts ...MarshalOption) ([]byte, error)

MarshalServer marshals server into JSON.

func (*TeleportServerMarshaler) MarshalServers

func (*TeleportServerMarshaler) MarshalServers(s []Server) ([]byte, error)

MarshalServers is used to marshal multiple servers to their binary representation.

func (*TeleportServerMarshaler) UnmarshalServer

func (*TeleportServerMarshaler) UnmarshalServer(bytes []byte, kind string, opts ...MarshalOption) (Server, error)

UnmarshalServer unmarshals server from JSON

func (*TeleportServerMarshaler) UnmarshalServers

func (*TeleportServerMarshaler) UnmarshalServers(bytes []byte) ([]Server, error)

UnmarshalServers is used to unmarshal multiple servers from their binary representation.

type TeleportStaticTokensMarshaler

type TeleportStaticTokensMarshaler struct{}

TeleportStaticTokensMarshaler is used to marshal and unmarshal StaticTokens.

func (*TeleportStaticTokensMarshaler) Marshal

Marshal marshals StaticTokens to JSON.

func (*TeleportStaticTokensMarshaler) Unmarshal

func (t *TeleportStaticTokensMarshaler) Unmarshal(bytes []byte, opts ...MarshalOption) (StaticTokens, error)

Unmarshal unmarshals StaticTokens from JSON.

type TeleportTrustedClusterMarshaler

type TeleportTrustedClusterMarshaler struct{}

func (*TeleportTrustedClusterMarshaler) Marshal

Marshal marshals role to JSON or YAML.

func (*TeleportTrustedClusterMarshaler) Unmarshal

func (t *TeleportTrustedClusterMarshaler) Unmarshal(bytes []byte, opts ...MarshalOption) (TrustedCluster, error)

Unmarshal unmarshals role from JSON or YAML.

type TeleportTunnelMarshaler

type TeleportTunnelMarshaler struct{}

func (*TeleportTunnelMarshaler) MarshalReverseTunnel

func (*TeleportTunnelMarshaler) MarshalReverseTunnel(rt ReverseTunnel, opts ...MarshalOption) ([]byte, error)

MarshalRole marshalls role into JSON

func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel

func (*TeleportTunnelMarshaler) UnmarshalReverseTunnel(bytes []byte, opts ...MarshalOption) (ReverseTunnel, error)

UnmarshalReverseTunnel unmarshals reverse tunnel from JSON or YAML

type TeleportUserMarshaler

type TeleportUserMarshaler struct{}

func (*TeleportUserMarshaler) GenerateUser

func (*TeleportUserMarshaler) GenerateUser(in User) (User, error)

GenerateUser generates new user

func (*TeleportUserMarshaler) MarshalUser

func (*TeleportUserMarshaler) MarshalUser(u User, opts ...MarshalOption) ([]byte, error)

MarshalUser marshalls user into JSON

func (*TeleportUserMarshaler) UnmarshalUser

func (*TeleportUserMarshaler) UnmarshalUser(bytes []byte, opts ...MarshalOption) (User, error)

UnmarshalUser unmarshals user from JSON

type TeleportWebSessionMarshaler

type TeleportWebSessionMarshaler struct{}

func (*TeleportWebSessionMarshaler) ExtendWebSession

func (*TeleportWebSessionMarshaler) ExtendWebSession(ws WebSession) (WebSession, error)

ExtendWebSession renews web session and is used to inject additional data in extenstions when session is getting renewed

func (*TeleportWebSessionMarshaler) GenerateWebSession

func (*TeleportWebSessionMarshaler) GenerateWebSession(ws WebSession) (WebSession, error)

GenerateWebSession generates new web session and is used to inject additional data in extenstions

func (*TeleportWebSessionMarshaler) MarshalWebSession

func (*TeleportWebSessionMarshaler) MarshalWebSession(ws WebSession, opts ...MarshalOption) ([]byte, error)

MarshalWebSession marshals web session into on-disk representation

func (*TeleportWebSessionMarshaler) UnmarshalWebSession

func (*TeleportWebSessionMarshaler) UnmarshalWebSession(bytes []byte) (WebSession, error)

UnmarshalWebSession unmarshals web session from on-disk byte format

type Trust added in v1.0.0

type Trust interface {
	// CreateCertAuthority inserts a new certificate authority
	CreateCertAuthority(ca CertAuthority) error

	// UpsertCertAuthority updates or inserts a new certificate authority
	UpsertCertAuthority(ca CertAuthority) error

	// CompareAndSwapCertAuthority updates the cert authority value
	// if existing value matches existing parameter,
	// returns nil if succeeds, trace.CompareFailed otherwise
	CompareAndSwapCertAuthority(new, existing CertAuthority) error

	// DeleteCertAuthority deletes particular certificate authority
	DeleteCertAuthority(id CertAuthID) error

	// DeleteAllCertAuthorities deletes cert authorities of a certain type
	DeleteAllCertAuthorities(caType CertAuthType) error

	// GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys
	// controls if signing keys are loaded
	GetCertAuthority(id CertAuthID, loadSigningKeys bool, opts ...MarshalOption) (CertAuthority, error)

	// GetCertAuthorities returns a list of authorities of a given type
	// loadSigningKeys controls whether signing keys should be loaded or not
	GetCertAuthorities(caType CertAuthType, loadSigningKeys bool, opts ...MarshalOption) ([]CertAuthority, error)

	// ActivateCertAuthority moves a CertAuthority from the deactivated list to
	// the normal list.
	ActivateCertAuthority(id CertAuthID) error

	// DeactivateCertAuthority moves a CertAuthority from the normal list to
	// the deactivated list.
	DeactivateCertAuthority(id CertAuthID) error
}

Trust is responsible for managing certificate authorities Each authority is managing some domain, e.g. example.com

There are two type of authorities, local and remote. Local authorities have both private and public keys, so they can sign public keys of users and hosts

Remote authorities have only public keys available, so they can be only used to validate

type TrustedCluster

type TrustedCluster interface {
	// Resource provides common resource properties
	Resource
	// GetEnabled returns the state of the TrustedCluster.
	GetEnabled() bool
	// SetEnabled enables (handshake and add ca+reverse tunnel) or disables TrustedCluster.
	SetEnabled(bool)
	// CombinedMapping is used to specify combined mapping from legacy property Roles
	// and new property RoleMap
	CombinedMapping() RoleMap
	// GetRoleMap returns role map property
	GetRoleMap() RoleMap
	// SetRoleMap sets role map
	SetRoleMap(m RoleMap)
	// GetRoles returns the roles for the certificate authority.
	GetRoles() []string
	// SetRoles sets the roles for the certificate authority.
	SetRoles([]string)
	// GetToken returns the authorization and authentication token.
	GetToken() string
	// SetToken sets the authorization and authentication.
	SetToken(string)
	// GetProxyAddress returns the address of the proxy server.
	GetProxyAddress() string
	// SetProxyAddress sets the address of the proxy server.
	SetProxyAddress(string)
	// GetReverseTunnelAddress returns the address of the reverse tunnel.
	GetReverseTunnelAddress() string
	// SetReverseTunnelAddress sets the address of the reverse tunnel.
	SetReverseTunnelAddress(string)
	// CheckAndSetDefaults checks and set default values for missing fields.
	CheckAndSetDefaults() error
	// CanChangeStateTo checks the TrustedCluster can transform into another.
	CanChangeStateTo(TrustedCluster) error
}

TrustedCluster holds information needed for a cluster that can not be directly accessed (maybe be behind firewall without any open ports) to join a parent cluster.

func NewTrustedCluster

func NewTrustedCluster(name string, spec TrustedClusterSpecV2) (TrustedCluster, error)

NewTrustedCluster is a convenience wa to create a TrustedCluster resource.

type TrustedClusterMarshaler

type TrustedClusterMarshaler interface {
	Marshal(c TrustedCluster, opts ...MarshalOption) ([]byte, error)
	Unmarshal(bytes []byte, opts ...MarshalOption) (TrustedCluster, error)
}

TrustedClusterMarshaler implements marshal/unmarshal of TrustedCluster implementations mostly adds support for extended versions.

func GetTrustedClusterMarshaler

func GetTrustedClusterMarshaler() TrustedClusterMarshaler

type TrustedClusterSpecV2

type TrustedClusterSpecV2 struct {
	// Enabled is a bool that indicates if the TrustedCluster is enabled or disabled.
	// Setting Enabled to false has a side effect of deleting the user and host
	// certificate authority (CA).
	Enabled bool `json:"enabled"`

	// Roles is a list of roles that users will be assuming when connecting to this cluster.
	Roles []string `json:"roles,omitempty"`

	// Token is the authorization token provided by another cluster needed by
	// this cluster to join.
	Token string `json:"token"`

	// ProxyAddress is the address of the web proxy server of the cluster to join. If not set,
	// it is derived from <metadata.name>:<default web proxy server port>.
	ProxyAddress string `json:"web_proxy_addr"`

	// ReverseTunnelAddress is the address of the SSH proxy server of the cluster to join. If
	// not set, it is derived from <metadata.name>:<default reverse tunnel port>.
	ReverseTunnelAddress string `json:"tunnel_addr"`

	// RoleMap specifies role mappings to remote roles
	RoleMap RoleMap `json:"role_map,omitempty"`
}

TrustedClusterSpecV2 is the actual data we care about for TrustedClusterSpecV2.

type TrustedClusterV2

type TrustedClusterV2 struct {
	// Kind is a resource kind - always resource.
	Kind string `json:"kind"`

	// SubKind is a resource sub kind
	SubKind string `json:"sub_kind,omitempty"`

	// Version is a resource version.
	Version string `json:"version"`

	// Metadata is metadata about the resource.
	Metadata Metadata `json:"metadata"`

	// Spec is the specification of the resource.
	Spec TrustedClusterSpecV2 `json:"spec"`
}

TrustedClusterV2 implements TrustedCluster.

func (*TrustedClusterV2) CanChangeStateTo

func (c *TrustedClusterV2) CanChangeStateTo(t TrustedCluster) error

CanChangeState checks if the state change is allowed or not. If not, returns an error explaining the reason.

func (*TrustedClusterV2) CheckAndSetDefaults

func (c *TrustedClusterV2) CheckAndSetDefaults() error

Check checks validity of all parameters and sets defaults

func (*TrustedClusterV2) CombinedMapping

func (c *TrustedClusterV2) CombinedMapping() RoleMap

CombinedMapping is used to specify combined mapping from legacy property Roles and new property RoleMap

func (*TrustedClusterV2) Expiry

func (c *TrustedClusterV2) Expiry() time.Time

Expires returns object expiry setting

func (*TrustedClusterV2) GetEnabled

func (c *TrustedClusterV2) GetEnabled() bool

GetEnabled returns the state of the TrustedCluster.

func (*TrustedClusterV2) GetKind

func (c *TrustedClusterV2) GetKind() string

GetKind returns resource kind

func (*TrustedClusterV2) GetMetadata

func (c *TrustedClusterV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*TrustedClusterV2) GetName

func (c *TrustedClusterV2) GetName() string

GetName returns the name of the TrustedCluster.

func (*TrustedClusterV2) GetProxyAddress

func (c *TrustedClusterV2) GetProxyAddress() string

GetProxyAddress returns the address of the proxy server.

func (*TrustedClusterV2) GetResourceID

func (c *TrustedClusterV2) GetResourceID() int64

GetResourceID returns resource ID

func (*TrustedClusterV2) GetReverseTunnelAddress

func (c *TrustedClusterV2) GetReverseTunnelAddress() string

GetReverseTunnelAddress returns the address of the reverse tunnel.

func (*TrustedClusterV2) GetRoleMap

func (c *TrustedClusterV2) GetRoleMap() RoleMap

GetRoleMap returns role map property

func (*TrustedClusterV2) GetRoles

func (c *TrustedClusterV2) GetRoles() []string

GetRoles returns the roles for the certificate authority.

func (*TrustedClusterV2) GetSubKind

func (c *TrustedClusterV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*TrustedClusterV2) GetToken

func (c *TrustedClusterV2) GetToken() string

GetToken returns the authorization and authentication token.

func (*TrustedClusterV2) GetVersion

func (c *TrustedClusterV2) GetVersion() string

GetVersion returns resource version

func (*TrustedClusterV2) SetEnabled

func (c *TrustedClusterV2) SetEnabled(e bool)

SetEnabled enables (handshake and add ca+reverse tunnel) or disables TrustedCluster.

func (*TrustedClusterV2) SetExpiry

func (c *TrustedClusterV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*TrustedClusterV2) SetName

func (c *TrustedClusterV2) SetName(e string)

SetName sets the name of the TrustedCluster.

func (*TrustedClusterV2) SetProxyAddress

func (c *TrustedClusterV2) SetProxyAddress(e string)

SetProxyAddress sets the address of the proxy server.

func (*TrustedClusterV2) SetResourceID

func (c *TrustedClusterV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*TrustedClusterV2) SetReverseTunnelAddress

func (c *TrustedClusterV2) SetReverseTunnelAddress(e string)

SetReverseTunnelAddress sets the address of the reverse tunnel.

func (*TrustedClusterV2) SetRoleMap

func (c *TrustedClusterV2) SetRoleMap(m RoleMap)

SetRoleMap sets role map

func (*TrustedClusterV2) SetRoles

func (c *TrustedClusterV2) SetRoles(e []string)

SetRoles sets the roles for the certificate authority.

func (*TrustedClusterV2) SetSubKind

func (c *TrustedClusterV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*TrustedClusterV2) SetTTL

func (c *TrustedClusterV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*TrustedClusterV2) SetToken

func (c *TrustedClusterV2) SetToken(e string)

SetToken sets the authorization and authentication.

func (*TrustedClusterV2) String

func (c *TrustedClusterV2) String() string

String represents a human readable version of trusted cluster settings.

type TunnelConnection

type TunnelConnection interface {
	// Resource provides common methods for resource objects
	Resource
	// GetClusterName returns name of the cluster this connection is for.
	GetClusterName() string
	// GetProxyName returns the proxy name this connection is established to
	GetProxyName() string
	// GetLastHeartbeat returns time of the last heartbeat received from
	// the tunnel over the connection
	GetLastHeartbeat() time.Time
	// SetLastHeartbeat sets last heartbeat time
	SetLastHeartbeat(time.Time)
	// GetType gets the type of ReverseTunnel.
	GetType() TunnelType
	// SetType sets the type of ReverseTunnel.
	SetType(TunnelType)
	// Check checks tunnel for errors
	Check() error
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
	// String returns user friendly representation of this connection
	String() string
	// Clone returns a copy of this tunnel connection
	Clone() TunnelConnection
}

TunnelConnection is SSH reverse tunnel connection established to reverse tunnel proxy

func LatestTunnelConnection

func LatestTunnelConnection(conns []TunnelConnection) (TunnelConnection, error)

LatestTunnelConnection returns latest tunnel connection from the list of tunnel connections, if no connections found, returns NotFound error

func MustCreateTunnelConnection

func MustCreateTunnelConnection(name string, spec TunnelConnectionSpecV2) TunnelConnection

MustCreateTunnelConnection returns new connection from V2 spec or panics if parameters are incorrect

func NewTunnelConnection

func NewTunnelConnection(name string, spec TunnelConnectionSpecV2) (TunnelConnection, error)

NewTunnelConnection returns new connection from V2 spec

func UnmarshalTunnelConnection

func UnmarshalTunnelConnection(data []byte, opts ...MarshalOption) (TunnelConnection, error)

UnmarshalTunnelConnection unmarshals reverse tunnel from JSON or YAML, sets defaults and checks the schema

type TunnelConnectionSpecV2

type TunnelConnectionSpecV2 struct {
	// ClusterName is a name of the cluster
	ClusterName string `protobuf:"bytes,1,opt,name=ClusterName,proto3" json:"cluster_name"`
	// ProxyName is the name of the proxy server
	ProxyName string `protobuf:"bytes,2,opt,name=ProxyName,proto3" json:"proxy_name"`
	// LastHeartbeat is a time of the last heartbeat
	LastHeartbeat time.Time `protobuf:"bytes,3,opt,name=LastHeartbeat,stdtime" json:"last_heartbeat,omitempty"`
	// Type is the type of reverse tunnel, either proxy or node.
	Type                 TunnelType `protobuf:"bytes,4,opt,name=Type,proto3,casttype=TunnelType" json:"type"`
	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
	XXX_unrecognized     []byte     `json:"-"`
	XXX_sizecache        int32      `json:"-"`
}

TunnelConnectionSpecV2 is a specification for V2 tunnel connection

func (*TunnelConnectionSpecV2) Descriptor

func (*TunnelConnectionSpecV2) Descriptor() ([]byte, []int)

func (*TunnelConnectionSpecV2) Marshal

func (m *TunnelConnectionSpecV2) Marshal() (dAtA []byte, err error)

func (*TunnelConnectionSpecV2) MarshalTo

func (m *TunnelConnectionSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*TunnelConnectionSpecV2) ProtoMessage

func (*TunnelConnectionSpecV2) ProtoMessage()

func (*TunnelConnectionSpecV2) Reset

func (m *TunnelConnectionSpecV2) Reset()

func (*TunnelConnectionSpecV2) Size

func (m *TunnelConnectionSpecV2) Size() (n int)

func (*TunnelConnectionSpecV2) String

func (m *TunnelConnectionSpecV2) String() string

func (*TunnelConnectionSpecV2) Unmarshal

func (m *TunnelConnectionSpecV2) Unmarshal(dAtA []byte) error

func (*TunnelConnectionSpecV2) XXX_DiscardUnknown

func (m *TunnelConnectionSpecV2) XXX_DiscardUnknown()

func (*TunnelConnectionSpecV2) XXX_Marshal

func (m *TunnelConnectionSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TunnelConnectionSpecV2) XXX_Merge

func (dst *TunnelConnectionSpecV2) XXX_Merge(src proto.Message)

func (*TunnelConnectionSpecV2) XXX_Size

func (m *TunnelConnectionSpecV2) XXX_Size() int

func (*TunnelConnectionSpecV2) XXX_Unmarshal

func (m *TunnelConnectionSpecV2) XXX_Unmarshal(b []byte) error

type TunnelConnectionV2

type TunnelConnectionV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is a resource metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a tunnel specification
	Spec                 TunnelConnectionSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
	XXX_unrecognized     []byte                 `json:"-"`
	XXX_sizecache        int32                  `json:"-"`
}

TunnelConnectionV2 is version 2 of the resource spec of the tunnel connection

func (*TunnelConnectionV2) Check

func (r *TunnelConnectionV2) Check() error

Check returns nil if all parameters are good, error otherwise

func (*TunnelConnectionV2) CheckAndSetDefaults

func (r *TunnelConnectionV2) CheckAndSetDefaults() error

func (*TunnelConnectionV2) Clone

Clone returns a copy of this tunnel connection

func (*TunnelConnectionV2) Descriptor

func (*TunnelConnectionV2) Descriptor() ([]byte, []int)

func (*TunnelConnectionV2) Expiry

func (r *TunnelConnectionV2) Expiry() time.Time

Expires returns object expiry setting

func (*TunnelConnectionV2) GetClusterName

func (r *TunnelConnectionV2) GetClusterName() string

GetClusterName returns name of the cluster

func (*TunnelConnectionV2) GetKind

func (r *TunnelConnectionV2) GetKind() string

GetKind returns resource kind

func (*TunnelConnectionV2) GetLastHeartbeat

func (r *TunnelConnectionV2) GetLastHeartbeat() time.Time

GetLastHeartbeat returns last heartbeat

func (*TunnelConnectionV2) GetMetadata

func (r *TunnelConnectionV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*TunnelConnectionV2) GetName

func (r *TunnelConnectionV2) GetName() string

GetName returns the name of the User

func (*TunnelConnectionV2) GetProxyName

func (r *TunnelConnectionV2) GetProxyName() string

GetProxyName returns the name of the proxy

func (*TunnelConnectionV2) GetResourceID

func (r *TunnelConnectionV2) GetResourceID() int64

GetResourceID returns resource ID

func (*TunnelConnectionV2) GetSubKind

func (r *TunnelConnectionV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*TunnelConnectionV2) GetType

func (r *TunnelConnectionV2) GetType() TunnelType

GetType gets the type of ReverseTunnel.

func (*TunnelConnectionV2) GetVersion

func (r *TunnelConnectionV2) GetVersion() string

GetVersion returns resource version

func (*TunnelConnectionV2) Marshal

func (m *TunnelConnectionV2) Marshal() (dAtA []byte, err error)

func (*TunnelConnectionV2) MarshalTo

func (m *TunnelConnectionV2) MarshalTo(dAtA []byte) (int, error)

func (*TunnelConnectionV2) ProtoMessage

func (*TunnelConnectionV2) ProtoMessage()

func (*TunnelConnectionV2) Reset

func (m *TunnelConnectionV2) Reset()

func (*TunnelConnectionV2) SetExpiry

func (r *TunnelConnectionV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*TunnelConnectionV2) SetLastHeartbeat

func (r *TunnelConnectionV2) SetLastHeartbeat(tm time.Time)

SetLastHeartbeat sets last heartbeat time

func (*TunnelConnectionV2) SetName

func (r *TunnelConnectionV2) SetName(e string)

SetName sets the name of the User

func (*TunnelConnectionV2) SetResourceID

func (r *TunnelConnectionV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*TunnelConnectionV2) SetSubKind

func (r *TunnelConnectionV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*TunnelConnectionV2) SetTTL

func (r *TunnelConnectionV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*TunnelConnectionV2) SetType

func (r *TunnelConnectionV2) SetType(tt TunnelType)

SetType sets the type of ReverseTunnel.

func (*TunnelConnectionV2) Size

func (m *TunnelConnectionV2) Size() (n int)

func (*TunnelConnectionV2) String

func (r *TunnelConnectionV2) String() string

String returns user-friendly description of this connection

func (*TunnelConnectionV2) Unmarshal

func (m *TunnelConnectionV2) Unmarshal(dAtA []byte) error

func (*TunnelConnectionV2) V2

V2 returns V2 version of the resource

func (*TunnelConnectionV2) XXX_DiscardUnknown

func (m *TunnelConnectionV2) XXX_DiscardUnknown()

func (*TunnelConnectionV2) XXX_Marshal

func (m *TunnelConnectionV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TunnelConnectionV2) XXX_Merge

func (dst *TunnelConnectionV2) XXX_Merge(src proto.Message)

func (*TunnelConnectionV2) XXX_Size

func (m *TunnelConnectionV2) XXX_Size() int

func (*TunnelConnectionV2) XXX_Unmarshal

func (m *TunnelConnectionV2) XXX_Unmarshal(b []byte) error

type TunnelType

type TunnelType string

TunnelType is the type of tunnel. Either node or proxy.

const (
	// NodeTunnel is a tunnel where the node connects to the proxy (dial back).
	NodeTunnel TunnelType = "node"

	// ProxyTunnel is a tunnel where a proxy connects to the proxy (trusted cluster).
	ProxyTunnel TunnelType = "proxy"
)

type U2F added in v1.3.0

type U2F struct {
	// AppID returns the application ID for universal second factor.
	AppID string `json:"app_id,omitempty"`

	// Facets returns the facets for universal second factor.
	Facets []string `json:"facets,omitempty"`
}

U2F defines settings for U2F device.

type U2FRegistrationData

type U2FRegistrationData struct {
	// Raw is the serialized registration data as received from the token
	Raw []byte `protobuf:"bytes,1,opt,name=Raw,proto3" json:"raw"`
	// KeyHandle uniquely identifies a key on a device
	KeyHandle []byte `protobuf:"bytes,2,opt,name=KeyHandle,proto3" json:"key_handle"`
	// PubKey is an DER encoded ecdsa public key
	PubKey               []byte   `protobuf:"bytes,3,opt,name=PubKey,proto3" json:"pubkey"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

U2FRegistrationData encodes the universal second factor registration payload.

func (*U2FRegistrationData) Check

func (reg *U2FRegistrationData) Check() error

Check validates basic u2f registration values

func (*U2FRegistrationData) Descriptor

func (*U2FRegistrationData) Descriptor() ([]byte, []int)

func (*U2FRegistrationData) Equals

func (lhs *U2FRegistrationData) Equals(rhs *U2FRegistrationData) bool

Equals checks equality (nil safe).

func (*U2FRegistrationData) GetPubKeyDecoded

func (reg *U2FRegistrationData) GetPubKeyDecoded() (*ecdsa.PublicKey, error)

GetPubKeyDecoded decodes the DER encoded PubKey field into an `ecdsa.PublicKey` instance.

func (*U2FRegistrationData) Marshal

func (m *U2FRegistrationData) Marshal() (dAtA []byte, err error)

func (*U2FRegistrationData) MarshalTo

func (m *U2FRegistrationData) MarshalTo(dAtA []byte) (int, error)

func (*U2FRegistrationData) ProtoMessage

func (*U2FRegistrationData) ProtoMessage()

func (*U2FRegistrationData) Reset

func (m *U2FRegistrationData) Reset()

func (*U2FRegistrationData) Size

func (m *U2FRegistrationData) Size() (n int)

func (*U2FRegistrationData) String

func (m *U2FRegistrationData) String() string

func (*U2FRegistrationData) Unmarshal

func (m *U2FRegistrationData) Unmarshal(dAtA []byte) error

func (*U2FRegistrationData) XXX_DiscardUnknown

func (m *U2FRegistrationData) XXX_DiscardUnknown()

func (*U2FRegistrationData) XXX_Marshal

func (m *U2FRegistrationData) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*U2FRegistrationData) XXX_Merge

func (dst *U2FRegistrationData) XXX_Merge(src proto.Message)

func (*U2FRegistrationData) XXX_Size

func (m *U2FRegistrationData) XXX_Size() int

func (*U2FRegistrationData) XXX_Unmarshal

func (m *U2FRegistrationData) XXX_Unmarshal(b []byte) error

type UnknownResource

type UnknownResource struct {
	ResourceHeader
	// Raw is raw representation of the resource
	Raw []byte
}

UnknownResource is used to detect resources

func (*UnknownResource) UnmarshalJSON

func (u *UnknownResource) UnmarshalJSON(raw []byte) error

UnmarshalJSON unmarshals header and captures raw state

type User added in v1.0.0

type User interface {
	// Resource provides common resource properties
	Resource
	// GetOIDCIdentities returns a list of connected OIDC identities
	GetOIDCIdentities() []ExternalIdentity
	// GetSAMLIdentities returns a list of connected SAML identities
	GetSAMLIdentities() []ExternalIdentity
	// GetGithubIdentities returns a list of connected Github identities
	GetGithubIdentities() []ExternalIdentity
	// Get local authentication secrets (may be nil).
	GetLocalAuth() *LocalAuthSecrets
	// Set local authentication secrets (use nil to delete).
	SetLocalAuth(auth *LocalAuthSecrets)
	// GetRoles returns a list of roles assigned to user
	GetRoles() []string
	// String returns user
	String() string
	// Equals checks if user equals to another
	Equals(other User) bool
	// GetStatus return user login status
	GetStatus() LoginStatus
	// SetLocked sets login status to locked
	SetLocked(until time.Time, reason string)
	// SetRoles sets user roles
	SetRoles(roles []string)
	// AddRole adds role to the users' role list
	AddRole(name string)
	// GetCreatedBy returns information about user
	GetCreatedBy() CreatedBy
	// SetCreatedBy sets created by information
	SetCreatedBy(CreatedBy)
	// Check checks basic user parameters for errors
	Check() error
	// WebSessionInfo returns web session information about user
	WebSessionInfo(allowedLogins []string) interface{}
	// GetTraits gets the trait map for this user used to populate role variables.
	GetTraits() map[string][]string
	// GetTraits sets the trait map for this user used to populate role variables.
	SetTraits(map[string][]string)
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
}

User represents teleport embedded user or external user

func NewUser

func NewUser(name string) (User, error)

NewUser creates new empty user

type UserAndRoleGetter

type UserAndRoleGetter interface {
	UserGetter
	RoleGetter
}

type UserCertParams

type UserCertParams struct {
	// PrivateCASigningKey is the private key of the CA that will sign the public key of the user
	PrivateCASigningKey []byte
	// PublicUserKey is the public key of the user
	PublicUserKey []byte
	// TTL defines how long a certificate is valid for
	TTL time.Duration
	// Username is teleport username
	Username string
	// AllowedLogins is a list of SSH principals
	AllowedLogins []string
	// PermitAgentForwarding permits agent forwarding for this cert
	PermitAgentForwarding bool
	// PermitPortForwarding permits port forwarding.
	PermitPortForwarding bool
	// Roles is a list of roles assigned to this user
	Roles []string
	// CertificateFormat is the format of the SSH certificate.
	CertificateFormat string
	// RouteToCluster specifies the target cluster
	// if present in the certificate, will be used
	// to route the requests to
	RouteToCluster string
	// Traits hold claim data used to populate a role at runtime.
	Traits wrappers.Traits
	// ActiveRequests tracks privilege escalation requests applied during
	// certificate construction.
	ActiveRequests RequestIDs
}

UserCertParams defines OpenSSH user certificate parameters

type UserGetter

type UserGetter interface {
	// GetUser returns a user by name
	GetUser(user string, withSecrets bool) (User, error)
}

UserGetter is responsible for getting users

type UserMarshaler

type UserMarshaler interface {
	// UnmarshalUser from binary representation
	UnmarshalUser(bytes []byte, opts ...MarshalOption) (User, error)
	// MarshalUser to binary representation
	MarshalUser(u User, opts ...MarshalOption) ([]byte, error)
	// GenerateUser generates new user based on standard teleport user
	// it gives external implementations to add more app-specific
	// data to the user
	GenerateUser(User) (User, error)
}

UserMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetUserMarshaler

func GetUserMarshaler() UserMarshaler

GetUserMarshaler returns currently set user marshaler

type UserRef

type UserRef struct {
	// Name is name of the user
	Name                 string   `protobuf:"bytes,1,opt,name=Name,proto3" json:"name"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

UserRef holds references to user

func (*UserRef) Descriptor

func (*UserRef) Descriptor() ([]byte, []int)

func (*UserRef) Marshal

func (m *UserRef) Marshal() (dAtA []byte, err error)

func (*UserRef) MarshalTo

func (m *UserRef) MarshalTo(dAtA []byte) (int, error)

func (*UserRef) ProtoMessage

func (*UserRef) ProtoMessage()

func (*UserRef) Reset

func (m *UserRef) Reset()

func (*UserRef) Size

func (m *UserRef) Size() (n int)

func (*UserRef) String

func (m *UserRef) String() string

func (*UserRef) Unmarshal

func (m *UserRef) Unmarshal(dAtA []byte) error

func (*UserRef) XXX_DiscardUnknown

func (m *UserRef) XXX_DiscardUnknown()

func (*UserRef) XXX_Marshal

func (m *UserRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*UserRef) XXX_Merge

func (dst *UserRef) XXX_Merge(src proto.Message)

func (*UserRef) XXX_Size

func (m *UserRef) XXX_Size() int

func (*UserRef) XXX_Unmarshal

func (m *UserRef) XXX_Unmarshal(b []byte) error

type UserSpecV2

type UserSpecV2 struct {
	// OIDCIdentities lists associated OpenID Connect identities
	// that let user log in using externally verified identity
	OIDCIdentities []ExternalIdentity `protobuf:"bytes,1,rep,name=OIDCIdentities" json:"oidc_identities,omitempty"`
	// SAMLIdentities lists associated SAML identities
	// that let user log in using externally verified identity
	SAMLIdentities []ExternalIdentity `protobuf:"bytes,2,rep,name=SAMLIdentities" json:"saml_identities,omitempty"`
	// GithubIdentities list associated Github OAuth2 identities
	// that let user log in using externally verified identity
	GithubIdentities []ExternalIdentity `protobuf:"bytes,3,rep,name=GithubIdentities" json:"github_identities,omitempty"`
	// Roles is a list of roles assigned to user
	Roles []string `protobuf:"bytes,4,rep,name=Roles" json:"roles,omitempty"`
	// Traits are key/value pairs received from an identity provider (through
	// OIDC claims or SAML assertions) or from a system administrator for local
	// accounts. Traits are used to populate role variables.
	Traits github_com_gravitational_teleport_lib_wrappers.Traits `protobuf:"bytes,5,opt,name=Traits,customtype=github.com/gravitational/teleport/lib/wrappers.Traits" json:"traits,omitempty"`
	// Status is a login status of the user
	Status LoginStatus `protobuf:"bytes,6,opt,name=Status" json:"status,omitempty"`
	// Expires if set sets TTL on the user
	Expires time.Time `protobuf:"bytes,7,opt,name=Expires,stdtime" json:"expires"`
	// CreatedBy holds information about agent or person created this user
	CreatedBy CreatedBy `protobuf:"bytes,8,opt,name=CreatedBy" json:"created_by,omitempty"`
	// LocalAuths hold sensitive data necessary for performing local authentication
	LocalAuth            *LocalAuthSecrets `protobuf:"bytes,9,opt,name=LocalAuth" json:"local_auth,omitempty"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

UserSpecV2 is a specification for V2 user

func (*UserSpecV2) Descriptor

func (*UserSpecV2) Descriptor() ([]byte, []int)

func (*UserSpecV2) Marshal

func (m *UserSpecV2) Marshal() (dAtA []byte, err error)

func (*UserSpecV2) MarshalTo

func (m *UserSpecV2) MarshalTo(dAtA []byte) (int, error)

func (*UserSpecV2) ProtoMessage

func (*UserSpecV2) ProtoMessage()

func (*UserSpecV2) Reset

func (m *UserSpecV2) Reset()

func (*UserSpecV2) Size

func (m *UserSpecV2) Size() (n int)

func (*UserSpecV2) String

func (m *UserSpecV2) String() string

func (*UserSpecV2) Unmarshal

func (m *UserSpecV2) Unmarshal(dAtA []byte) error

func (*UserSpecV2) XXX_DiscardUnknown

func (m *UserSpecV2) XXX_DiscardUnknown()

func (*UserSpecV2) XXX_Marshal

func (m *UserSpecV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*UserSpecV2) XXX_Merge

func (dst *UserSpecV2) XXX_Merge(src proto.Message)

func (*UserSpecV2) XXX_Size

func (m *UserSpecV2) XXX_Size() int

func (*UserSpecV2) XXX_Unmarshal

func (m *UserSpecV2) XXX_Unmarshal(b []byte) error

type UserV1

type UserV1 struct {
	// Name is a user name
	Name string `json:"name"`

	// AllowedLogins represents a list of OS users this teleport
	// user is allowed to login as
	AllowedLogins []string `json:"allowed_logins"`

	// KubeGroups represents a list of kubernetes groups
	// this teleport user is allowed to assume
	KubeGroups []string `json:"kubernetes_groups,omitempty"`

	// OIDCIdentities lists associated OpenID Connect identities
	// that let user log in using externally verified identity
	OIDCIdentities []ExternalIdentity `json:"oidc_identities"`

	// Status is a login status of the user
	Status LoginStatus `json:"status"`

	// Expires if set sets TTL on the user
	Expires time.Time `json:"expires"`

	// CreatedBy holds information about agent or person created this usre
	CreatedBy CreatedBy `json:"created_by"`

	// Roles is a list of roles
	Roles []string `json:"roles"`
}

UserV1 is V1 version of the user

func (*UserV1) Check

func (u *UserV1) Check() error

Check checks validity of all parameters

func (*UserV1) V1

func (u *UserV1) V1() *UserV1

V1 returns itself

func (*UserV1) V2

func (u *UserV1) V2() *UserV2

V2 converts UserV1 to UserV2 format

type UserV2

type UserV2 struct {
	// Kind is a resource kind
	Kind string `protobuf:"bytes,1,opt,name=Kind,proto3" json:"kind"`
	// SubKind is an optional resource sub kind, used in some resources
	SubKind string `protobuf:"bytes,2,opt,name=SubKind,proto3" json:"sub_kind,omitempty"`
	// Version is version
	Version string `protobuf:"bytes,3,opt,name=Version,proto3" json:"version"`
	// Metadata is User metadata
	Metadata Metadata `protobuf:"bytes,4,opt,name=Metadata" json:"metadata"`
	// Spec is a user specification
	Spec                 UserSpecV2 `protobuf:"bytes,5,opt,name=Spec" json:"spec"`
	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
	XXX_unrecognized     []byte     `json:"-"`
	XXX_sizecache        int32      `json:"-"`
}

UserV2 is version 2 resource spec of the user

func (*UserV2) AddRole

func (u *UserV2) AddRole(name string)

AddRole adds a role to user's role list

func (*UserV2) Check

func (u *UserV2) Check() error

Check checks validity of all parameters

func (*UserV2) CheckAndSetDefaults

func (u *UserV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and set default values for any missing fields.

func (*UserV2) Descriptor

func (*UserV2) Descriptor() ([]byte, []int)

func (*UserV2) Equals

func (u *UserV2) Equals(other User) bool

Equals checks if user equals to another

func (*UserV2) Expiry

func (u *UserV2) Expiry() time.Time

Expiry returns expiry time for temporary users. Prefer expires from metadata, if it does not exist, fall back to expires in spec.

func (*UserV2) GetCreatedBy

func (u *UserV2) GetCreatedBy() CreatedBy

GetCreatedBy returns information about who created user

func (*UserV2) GetGithubIdentities

func (u *UserV2) GetGithubIdentities() []ExternalIdentity

GetGithubIdentities returns a list of connected Github identities

func (*UserV2) GetKind

func (u *UserV2) GetKind() string

GetKind returns resource kind

func (*UserV2) GetLocalAuth

func (u *UserV2) GetLocalAuth() *LocalAuthSecrets

Get local authentication secrets (may be nil).

func (*UserV2) GetMetadata

func (u *UserV2) GetMetadata() Metadata

GetMetadata returns object metadata

func (*UserV2) GetName

func (u *UserV2) GetName() string

GetName returns the name of the User

func (*UserV2) GetOIDCIdentities

func (u *UserV2) GetOIDCIdentities() []ExternalIdentity

GetOIDCIdentities returns a list of connected OIDC identities

func (*UserV2) GetResourceID

func (u *UserV2) GetResourceID() int64

GetResourceID returns resource ID

func (*UserV2) GetRoles

func (u *UserV2) GetRoles() []string

GetRoles returns a list of roles assigned to user

func (*UserV2) GetSAMLIdentities

func (u *UserV2) GetSAMLIdentities() []ExternalIdentity

GetSAMLIdentities returns a list of connected SAML identities

func (*UserV2) GetStatus

func (u *UserV2) GetStatus() LoginStatus

GetStatus returns login status of the user

func (*UserV2) GetSubKind

func (u *UserV2) GetSubKind() string

GetSubKind returns resource sub kind

func (*UserV2) GetTraits

func (u *UserV2) GetTraits() map[string][]string

GetTraits gets the trait map for this user used to populate role variables.

func (*UserV2) GetVersion

func (u *UserV2) GetVersion() string

GetVersion returns resource version

func (*UserV2) Marshal

func (m *UserV2) Marshal() (dAtA []byte, err error)

func (*UserV2) MarshalTo

func (m *UserV2) MarshalTo(dAtA []byte) (int, error)

func (*UserV2) ProtoMessage

func (*UserV2) ProtoMessage()

func (*UserV2) Reset

func (m *UserV2) Reset()

func (*UserV2) SetCreatedBy

func (u *UserV2) SetCreatedBy(b CreatedBy)

SetCreatedBy sets created by information

func (*UserV2) SetExpiry

func (u *UserV2) SetExpiry(expires time.Time)

SetExpiry sets expiry time for the object

func (*UserV2) SetLocalAuth

func (u *UserV2) SetLocalAuth(auth *LocalAuthSecrets)

Set local authentication secrets (use nil to delete).

func (*UserV2) SetLocked

func (u *UserV2) SetLocked(until time.Time, reason string)

func (*UserV2) SetName

func (u *UserV2) SetName(e string)

SetName sets the name of the User

func (*UserV2) SetResourceID

func (u *UserV2) SetResourceID(id int64)

SetResourceID sets resource ID

func (*UserV2) SetRoles

func (u *UserV2) SetRoles(roles []string)

SetRoles sets a list of roles for user

func (*UserV2) SetSubKind

func (u *UserV2) SetSubKind(s string)

SetSubKind sets resource subkind

func (*UserV2) SetTTL

func (u *UserV2) SetTTL(clock clockwork.Clock, ttl time.Duration)

SetTTL sets Expires header using realtime clock

func (*UserV2) SetTraits

func (u *UserV2) SetTraits(traits map[string][]string)

SetTraits sets the trait map for this user used to populate role variables.

func (*UserV2) Size

func (m *UserV2) Size() (n int)

func (*UserV2) String

func (u *UserV2) String() string

func (*UserV2) Unmarshal

func (m *UserV2) Unmarshal(dAtA []byte) error

func (*UserV2) V1

func (u *UserV2) V1() *UserV1

V1 converts UserV2 to UserV1 format

func (*UserV2) V2

func (u *UserV2) V2() *UserV2

V2 converts UserV2 to UserV2 format

func (*UserV2) WebSessionInfo

func (u *UserV2) WebSessionInfo(allowedLogins []string) interface{}

WebSessionInfo returns web session information about user

func (*UserV2) XXX_DiscardUnknown

func (m *UserV2) XXX_DiscardUnknown()

func (*UserV2) XXX_Marshal

func (m *UserV2) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*UserV2) XXX_Merge

func (dst *UserV2) XXX_Merge(src proto.Message)

func (*UserV2) XXX_Size

func (m *UserV2) XXX_Size() int

func (*UserV2) XXX_Unmarshal

func (m *UserV2) XXX_Unmarshal(b []byte) error

type Users added in v1.0.0

type Users []User

Users represents a slice of users, makes it sort compatible (sorts by username)

func (Users) Len added in v1.0.0

func (u Users) Len() int

func (Users) Less added in v1.0.0

func (u Users) Less(i, j int) bool

func (Users) Swap added in v1.0.0

func (u Users) Swap(i, j int)

type UsersService

type UsersService interface {
	UserGetter
	// UpsertUser updates parameters about user
	UpsertUser(user User) error
	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(user string) error
	// GetUsers returns a list of users registered with the local auth server
	GetUsers(withSecrets bool) ([]User, error)
	// DeleteAllUsers deletes all users
	DeleteAllUsers() error
}

UserService is reponsible for basic user management

type Watch

type Watch struct {
	// Name is used for debugging purposes
	Name string

	// Kinds specifies kinds of objects to watch
	// and whether to load secret data for them
	Kinds []WatchKind

	// QueueSize is an optional queue size
	QueueSize int

	// MetricComponent is used for reporting
	MetricComponent string
}

Watch sets up watch on the event

type WatchKind

type WatchKind struct {
	// Kind is a resource kind to watch
	Kind string
	// Name is an optional specific resource type to watch,
	// if specified only the events with a specific resource
	// name will be sent
	Name string
	// LoadSecrets specifies whether to load secrets
	LoadSecrets bool
	// Filter supplies custom event filter parameters that differ by
	// resource (e.g. "state":"pending" for access requests).
	Filter map[string]string
}

WatchKind specifies resource kind to watch

type Watcher

type Watcher interface {
	// Events returns channel with events
	Events() <-chan Event

	// Done returns the channel signalling the closure
	Done() <-chan struct{}

	// Close closes the watcher and releases
	// all associated resources
	Close() error

	// Error returns error associated with watcher
	Error() error
}

Watcher returns watcher

type WebSession

type WebSession interface {
	GetMetadata() Metadata
	// GetShortName returns visible short name used in logging
	GetShortName() string
	// GetName returns session name
	GetName() string
	// GetUser returns the user this session is associated with
	GetUser() string
	// SetName sets session name
	SetName(string)
	// SetUser sets user associated with this session
	SetUser(string)
	// GetPub is returns public certificate signed by auth server
	GetPub() []byte
	// GetPriv returns private OpenSSH key used to auth with SSH nodes
	GetPriv() []byte
	// SetPriv sets private key
	SetPriv([]byte)
	// GetTLSCert returns PEM encoded TLS certificate associated with session
	GetTLSCert() []byte
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	GetBearerToken() string
	// SetBearerTokenExpiryTime sets bearer token expiry time
	SetBearerTokenExpiryTime(time.Time)
	// SetExpiryTime sets session expiry time
	SetExpiryTime(time.Time)
	// GetBearerTokenExpiryTime - absolute time when token expires
	GetBearerTokenExpiryTime() time.Time
	// GetExpiryTime - absolute time when web session expires
	GetExpiryTime() time.Time
	// V1 returns V1 version of the resource
	V1() *WebSessionV1
	// V2 returns V2 version of the resource
	V2() *WebSessionV2
	// WithoutSecrets returns copy of the web session but without private keys
	WithoutSecrets() WebSession
	// CheckAndSetDefaults checks and set default values for any missing fields.
	CheckAndSetDefaults() error
}

WebSession stores key and value used to authenticate with SSH notes on behalf of user

func NewWebSession

func NewWebSession(name string, spec WebSessionSpecV2) WebSession

NewWebSession returns new instance of the web session based on the V2 spec

type WebSessionMarshaler

type WebSessionMarshaler interface {
	// UnmarshalWebSession unmarhsals cert authority from binary representation
	UnmarshalWebSession(bytes []byte) (WebSession, error)
	// MarshalWebSession to binary representation
	MarshalWebSession(c WebSession, opts ...MarshalOption) ([]byte, error)
	// GenerateWebSession generates new web session and is used to
	// inject additional data in extenstions
	GenerateWebSession(WebSession) (WebSession, error)
	// ExtendWebSession extends web session and is used to
	// inject additional data in extenstions when session is getting renewed
	ExtendWebSession(WebSession) (WebSession, error)
}

WebSessionMarshaler implements marshal/unmarshal of User implementations mostly adds support for extended versions

func GetWebSessionMarshaler

func GetWebSessionMarshaler() WebSessionMarshaler

GetWebSessionMarshaler returns currently set user marshaler

type WebSessionSpecV2

type WebSessionSpecV2 struct {
	// User is a user this web session belongs to
	User string `json:"user"`
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv,omitempty"`
	// TLSCert is a TLS certificate used to auth with auth server
	TLSCert []byte `json:"tls_cert,omitempty"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// BearerTokenExpires - absolute time when token expires
	BearerTokenExpires time.Time `json:"bearer_token_expires"`
	// Expires - absolute time when session expires
	Expires time.Time `json:"expires"`
}

WebSessionSpecV2 is a spec for V2 session

type WebSessionV1

type WebSessionV1 struct {
	// ID is session ID
	ID string `json:"id"`
	// User is a user this web session is associated with
	User string `json:"user"`
	// Pub is a public certificate signed by auth server
	Pub []byte `json:"pub"`
	// Priv is a private OpenSSH key used to auth with SSH nodes
	Priv []byte `json:"priv,omitempty"`
	// BearerToken is a special bearer token used for additional
	// bearer authentication
	BearerToken string `json:"bearer_token"`
	// Expires - absolute time when token expires
	Expires time.Time `json:"expires"`
}

WebSession stores key and value used to authenticate with SSH nodes on behalf of user

func (*WebSessionV1) GetBearerToken

func (ws *WebSessionV1) GetBearerToken() string

BearerToken is a special bearer token used for additional bearer authentication

func (*WebSessionV1) GetBearerTokenExpiryTime

func (ws *WebSessionV1) GetBearerTokenExpiryTime() time.Time

GetBearerRoken - absolute time when token expires

func (*WebSessionV1) GetExpiryTime

func (ws *WebSessionV1) GetExpiryTime() time.Time

Expires - absolute time when token expires

func (*WebSessionV1) GetName

func (ws *WebSessionV1) GetName() string

GetName returns session name

func (*WebSessionV1) GetPriv

func (ws *WebSessionV1) GetPriv() []byte

GetPriv returns private OpenSSH key used to auth with SSH nodes

func (*WebSessionV1) GetPub

func (ws *WebSessionV1) GetPub() []byte

GetPub is returns public certificate signed by auth server

func (*WebSessionV1) GetShortName

func (ws *WebSessionV1) GetShortName() string

GetShortName returns visible short name used in logging

func (*WebSessionV1) GetUser

func (ws *WebSessionV1) GetUser() string

GetUser returns the user this session is associated with

func (*WebSessionV1) SetBearerTokenExpiryTime

func (ws *WebSessionV1) SetBearerTokenExpiryTime(tm time.Time)

SetBearerTokenExpiryTime sets session expiry time

func (*WebSessionV1) SetExpiryTime

func (ws *WebSessionV1) SetExpiryTime(tm time.Time)

SetExpiryTime sets session expiry time

func (*WebSessionV1) SetName

func (ws *WebSessionV1) SetName(name string)

SetName sets session name

func (*WebSessionV1) SetUser

func (ws *WebSessionV1) SetUser(u string)

SetUser sets user associated with this session

func (*WebSessionV1) V1

func (s *WebSessionV1) V1() *WebSessionV1

V1 returns V1 version of the resource

func (*WebSessionV1) V2

func (s *WebSessionV1) V2() *WebSessionV2

V2 returns V2 version of the resource

func (*WebSessionV1) WithoutSecrets

func (ws *WebSessionV1) WithoutSecrets() WebSession

WithoutSecrets returns copy of the web session but without private keys

type WebSessionV2

type WebSessionV2 struct {
	// Kind is a resource kind
	Kind string `json:"kind"`
	// Version is version
	Version string `json:"version"`
	// Metadata is connector metadata
	Metadata Metadata `json:"metadata"`
	// Spec contains cert authority specification
	Spec WebSessionSpecV2 `json:"spec"`
}

WebSessionV2 is version 2 spec for session

func (*WebSessionV2) CheckAndSetDefaults

func (ws *WebSessionV2) CheckAndSetDefaults() error

CheckAndSetDefaults checks and set default values for any missing fields.

func (*WebSessionV2) GetBearerToken

func (ws *WebSessionV2) GetBearerToken() string

BearerToken is a special bearer token used for additional bearer authentication

func (*WebSessionV2) GetBearerTokenExpiryTime

func (ws *WebSessionV2) GetBearerTokenExpiryTime() time.Time

GetBearerTokenExpiryTime - absolute time when token expires

func (*WebSessionV2) GetExpiryTime

func (ws *WebSessionV2) GetExpiryTime() time.Time

GetExpiryTime - absolute time when web session expires

func (*WebSessionV2) GetMetadata

func (ws *WebSessionV2) GetMetadata() Metadata

GetMetadata returns metadata

func (*WebSessionV2) GetName

func (ws *WebSessionV2) GetName() string

GetName returns session name

func (*WebSessionV2) GetPriv

func (ws *WebSessionV2) GetPriv() []byte

GetPriv returns private OpenSSH key used to auth with SSH nodes

func (*WebSessionV2) GetPub

func (ws *WebSessionV2) GetPub() []byte

GetPub is returns public certificate signed by auth server

func (*WebSessionV2) GetShortName

func (ws *WebSessionV2) GetShortName() string

GetShortName returns visible short name used in logging

func (*WebSessionV2) GetTLSCert

func (ws *WebSessionV2) GetTLSCert() []byte

GetTLSCert returns PEM encoded TLS certificate associated with session

func (*WebSessionV2) GetUser

func (ws *WebSessionV2) GetUser() string

GetUser returns the user this session is associated with

func (*WebSessionV2) SetBearerTokenExpiryTime

func (ws *WebSessionV2) SetBearerTokenExpiryTime(tm time.Time)

SetBearerTokenExpiryTime sets bearer token expiry time

func (*WebSessionV2) SetExpiryTime

func (ws *WebSessionV2) SetExpiryTime(tm time.Time)

SetExpiryTime sets session expiry time

func (*WebSessionV2) SetName

func (ws *WebSessionV2) SetName(name string)

SetName sets session name

func (*WebSessionV2) SetPriv

func (ws *WebSessionV2) SetPriv(priv []byte)

SetPriv sets private key

func (*WebSessionV2) SetUser

func (ws *WebSessionV2) SetUser(u string)

SetUser sets user associated with this session

func (*WebSessionV2) V1

func (ws *WebSessionV2) V1() *WebSessionV1

V1 returns V1 version of the object

func (*WebSessionV2) V2

func (ws *WebSessionV2) V2() *WebSessionV2

V2 returns V2 version of the resource

func (*WebSessionV2) WithoutSecrets

func (ws *WebSessionV2) WithoutSecrets() WebSession

WithoutSecrets returns copy of the object but without secrets

Directories

Path Synopsis
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL